Configuring the JRE for JSSE

Secure sockets may be employed between a client and a server or in a peer application which has deployed remotely accessible foundation services.

Note that the SSL examples presented on this page pertain to JSSE used to secure RMI communication for Java remote objects as opposed to SSL capabilities provided by web servers.

Example 1: Server Authentication

The most common usage scenario is for a client to authenticate the server offering remote Java objects. In this scenario, a key store has been defined on the server and its public certificate has been exported from the server's key store and imported into the client's trust store. Java provides a standard trust store cacerts located in the <java-home>\lib\security\ directory. A jssecacerts trust store may also be defined in this same directory if one wishes to override the standard trust store. Use of jssecacerts is recommended by the JSSE API.

Client authenticates server

The server's public certificate, stored in the client's trust store, is used to verify the server, which proves possession of the matching private key held in the server's key store.

The trust store is typically one of the following files:

  <java-home>\lib\security\jssecacerts
  <java-home>\lib\security\cacerts

The JSSE API recommends jssecacerts as the default trust store.

JRE Setup for Server Authentication

To let clients authenticate the server, create a server key store, export the server's public certificate from it, and import that certificate into each client's trust store.

Follow these procedures to set up server authentication:

  1. Create server key store
  2. Export self-signed certificate from server's key store
  3. Import server's self-signed certificate into client's trust store
  4. Create an SSL configuration properties file
  5. Optionally, specify the classes requiring security in a properties file
  6. Configure Java application to use SSL

Example 2: Mutual Authentication

To let clients authenticate the server, create a server key store, export the server's public certificate from it, and import that certificate into each client's trust store. Refer to the procedure defined in JRE Setup for Server Authentication.

In addition to the server's public certificate being imported into the clients' trust stores, the client's public certificate must be imported into the server's trust store.

Mutual server and client authentication

The server's public certificate, stored in the client's trust store, is used to verify the server, which proves possession of the matching private key held in the server's key store.

The client's public certificate, stored in the server's trust store, is used to verify the client, which proves possession of the matching private key held in the client's key store.

The trust store is typically one of the following files:

  <java-home>\lib\security\jssecacerts
  <java-home>\lib\security\cacerts

The JSSE API recommends jssecacerts as the default trust store.

JRE Setup for Mutual Authentication

To let the server authenticate the client, create a client key store, export the client's public certificate from it, and import that certificate into the server's trust store.

Follow these procedures to set up client authentication:

  1. Create client key store
  2. Export self-signed certificate from client's key store
  3. Import client's self-signed certificate into server's trust store
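The key store and trust store steps of both procedures above (server authentication steps 1-3, and the client-side steps for mutual authentication), carried out with the JDK's keytool. This is an added example, not part of the original page or the product's own setup scripts; the file names, aliases, distinguished names and the "changeit" password are constructed placeholders, and the product-specific SSL configuration and class-security properties files (steps 4-6) are not shown because the page does not define their format.

```shell
#!/bin/sh
# Added example: keytool commands for server and mutual authentication.
# Every path, alias, DN and password below is a constructed placeholder.
set -eu

WORK="${WORK:-$(mktemp -d)}"
STOREPASS="changeit"      # placeholder for the demo; use a real secret in practice

# Step 1: create a key store holding a new key pair and a self-signed certificate.
create_keystore() {       # $1 = key store path, $2 = alias, $3 = CN
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
    -alias "$2" -dname "CN=$3, O=Example" -storetype PKCS12 \
    -keystore "$1" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 2: export only the public certificate (the private key never leaves the store).
export_cert() {           # $1 = key store path, $2 = alias, $3 = output .cer file
  keytool -exportcert -rfc -alias "$2" -file "$3" -storetype PKCS12 \
    -keystore "$1" -storepass "$STOREPASS"
}

# Step 3: import that certificate into the peer's trust store as a trusted entry.
import_cert() {           # $1 = trust store path, $2 = alias, $3 = .cer file
  keytool -importcert -noprompt -alias "$2" -file "$3" -storetype PKCS12 \
    -keystore "$1" -storepass "$STOREPASS"
}

# Check: does the trust store contain a trusted certificate under this alias?
trusts() {                # $1 = trust store path, $2 = alias; exit status 0 = yes
  keytool -list -alias "$2" -storetype PKCS12 \
    -keystore "$1" -storepass "$STOREPASS" | grep -q trustedCertEntry
}

# Server authentication: server key store -> client trust store.
server_auth_setup() {
  create_keystore "$WORK/server.p12" server rmi-server.example
  export_cert "$WORK/server.p12" server "$WORK/server.cer"
  import_cert "$WORK/client-truststore.p12" server "$WORK/server.cer"
}

# Mutual authentication adds the reverse direction: client key store -> server trust store.
mutual_auth_setup() {
  server_auth_setup
  create_keystore "$WORK/client.p12" client rmi-client.example
  export_cert "$WORK/client.p12" client "$WORK/client.cer"
  import_cert "$WORK/server-truststore.p12" client "$WORK/client.cer"
}
```

The resulting client-truststore.p12 and server-truststore.p12 play the role of the jssecacerts file described above; the client never receives server.p12, and the server never receives client.p12.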

Related Information