I have a small security application: a server with client certificates running in Tomcat 7. Each client has its own certificate.
In the webapp I want a tab of the known trusted certificate aliases, because each client has to report every X minutes. If a client has not reported after X minutes, the server has to mark the client.
So the idea is to use the trusted certificates from the truststoreFile defined in Tomcat's server.xml, because then I know the clients/certificates that are registered.
My problem is that I cannot find an API for the certificates Tomcat trusts.
Can anyone help?
First, are you sure the truststore (always) contains the client certs? The "official" (X.509/PKIX) way of client authentication, aka client certificate(s), is to have a CA (or several CAs) issue certs to the clients; the server doesn't need to trust the client certs individually, only the CA(s). Such a CA can be a public CA, an enterprise one, or one that you (or your group/division/whatever) run for this server. With self-signed client certs it is necessary to have them individually in the server truststore.
Second, it doesn't appear possible for webapp (servlet) code to access the connector configuration, possibly as a security feature; see "accessing ssl private key servlet".
But if you have the certs in a truststore file and can locate the file (usually JKS), then:
- Use KeyStore.getInstance(String) to obtain a KeyStore object of the correct type (JKS).
- Create a FileInputStream on the file and feed it to ks.load(...) (and close it; try-with-resources can do this for you). If you don't know the password, use null; you can still access the certs (but not the private keys, if any, in a JKS).
- Use .aliases() to list the entries in the store. If there can be both trusted certs and private keys in the file (i.e. it isn't just a truststore file), check each alias with .isCertificateEntry(alias).
- You now have the aliases, the names specified when you (or someone) imported each cert into the truststore, not the same as the client's actual name in the cert.
- If you want (any of) the name field(s) in each cert, call .getCertificateEntry(alias), cast to X509Certificate, and call .getSubjectX500Principal().toString() or one of the .getName() overloads, and parse or examine the results as desired.
Finally, since you want to track requests using each cert by alias: for each request, read out the certs used from the incoming certificate in Tomcat, take the leaf cert, i.e. chain[0], and call .getCertificateAlias(certificate). Keep track of each alias's time of last request, and you can identify the "missing" ones.
Javadoc for KeyStore at http://docs.oracle.com/javase/8/docs/api/java/security/keystore.html
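As an added example (not code from the question or the answer), the steps above assembled into one class: it loads the JKS named by the connector's truststoreFile (the path and optional password are taken as command-line arguments, an assumption since the page gives no path), lists the trusted-cert aliases with the subject DN read from each cert via KeyStore.getCertificate, and tracks the last request time per alias using getCertificateAlias on the leaf cert, so aliases silent for longer than X minutes can be listed.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.time.Duration;
import java.time.Instant;
import java.util.*;

public class TrustedClientTracker {
    private final KeyStore truststore;
    private final Map<String, Instant> lastReport = new HashMap<>(); // alias -> last request; null = never

    /** Open the JKS named by <Connector truststoreFile=...>; password may be null (certs only, no keys). */
    public static KeyStore loadTruststore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    public TrustedClientTracker(KeyStore truststore) throws Exception {
        this.truststore = truststore;
        // Only trusted-cert entries count as clients; private-key entries (if any) are skipped.
        for (Enumeration<String> e = truststore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (truststore.isCertificateEntry(alias)) lastReport.put(alias, null);
        }
    }

    /** Subject DN from the cert itself; it need not match the alias chosen at import time. */
    public String subjectOf(String alias) throws Exception {
        Certificate c = truststore.getCertificate(alias);
        return c instanceof X509Certificate ? ((X509Certificate) c).getSubjectX500Principal().getName() : null;
    }

    /** Per request: leaf = chain[0] of the "javax.servlet.request.X509Certificate" request attribute. */
    public String recordRequest(X509Certificate leaf, Instant now) throws Exception {
        String alias = truststore.getCertificateAlias(leaf); // null if the cert is not in the truststore
        if (alias != null) lastReport.put(alias, now);
        return alias;
    }

    /** Aliases whose last request is older than maxAge, or that never reported at all. */
    public Set<String> missing(Instant now, Duration maxAge) {
        Set<String> out = new TreeSet<>();
        lastReport.forEach((alias, t) -> { if (t == null || t.plus(maxAge).isBefore(now)) out.add(alias); });
        return out;
    }

    public static void main(String[] args) throws Exception { // args: truststore path [password]
        TrustedClientTracker t = new TrustedClientTracker(
                loadTruststore(args[0], args.length > 1 ? args[1].toCharArray() : null));
        for (String alias : t.lastReport.keySet()) System.out.println(alias + " -> " + t.subjectOf(alias));
        System.out.println("missing after 10 min: " + t.missing(Instant.now(), Duration.ofMinutes(10)));
    }
}
```

In a real webapp, recordRequest would be called from a filter on every request and missing(...) from a scheduled task; note that getCertificateAlias returns null for a client whose cert was issued by a trusted CA rather than imported individually, which is the caveat the first paragraph of the answer raises.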