26 Replies. Latest reply: Oct 10, 2012 9:31 PM by EJP
      • 15. Re: PKCS11 & javax.net.ssl.keyStoreAlias
        843811
        Hmm, well, no luck =(

        I tried to do it statically, so I commented out the provider references in the "readKeyStoreFromSmartCard" class.
        And I have the following in the java.security file on my local machine (I decided to put the pkcs11.cfg file in the same directory as java.security):
        security.provider.10=sun.security.pkcs11.SunPKCS11 pkcs11.cfg
        The cfg file has this:
        name=ActiveClientProvider
        library=C:\WINDOWS\system32\acpkcs211.dll
        So the "readKeyStoreFromSmartCard" reads like this now:
        public static void readIt() throws
                Exception {
                      String alias = null;
                      KeyStore lks = KeyStore.getInstance("SunPKCS11"); //WHAT TO PUT HERE?
                      lks.load(null,null);
                      //Provider p = lks.getProvider();
                      
                      //String configName = "C:/Program Files/Java/jre1.6.0_05/lib/security/pkcs11.cfg";
                       //Provider p = new sun.security.pkcs11.SunPKCS11(configName);
                       //Security.addProvider(p);
                      System.out.println("--------------------------------------------------------");
                      //System.out.println("Provider   : " + p.getName());
                      //System.out.println("Prov.Vers. : " + p.getVersion());
                      System.out.println("KS Type    : " + lks.getType());
                      System.out.println("KS DefType : " + lks.getDefaultType());
                  
                      Enumeration <String> al = lks.aliases();
                      while (al.hasMoreElements()) {
                          alias = al.nextElement();
        ...
        Notice my comment "what to put here?". I only ask because that is where the "PKCS11 Not found error occurs".
        It throws a KeyStoreException, which from the API states will happen when:
        "the requested keystore type is not available in the default provider package or any of the other provider packages that were searched."

        So I tried to put the following:
        KeyStore lks = KeyStore.getInstance("PKCS11"); 
        KeyStore lks = KeyStore.getInstance("SunPKCS11"); 
        KeyStore lks = KeyStore.getInstance("ActiveClientProvider"); 
        KeyStore lks = KeyStore.getInstance("SunPKCS11-ActiveClientProvider");
        All give the same KeyStoreException on that line saying either "PKCS11 not found" or "SunPKCS11 not found", etc.

        Good note though, I did get the System Properties to run with no worries.
        Java Home was this:
        'java.home' = 'C:\Program Files\Java\jre1.6.0_03'

        and for Java Library:
        'java.library.path' = 'C:\Program Files\Java\jre1.6.0_03\bin;.;C:\WINDOWS\Sun\Java\bin;C:\WINDOWS\system32;...(much more).


        Very strange though about the KeyStoreException being thrown. For whatever reason, it cannot find the provider.

        Any other ideas? I'm a bit lost as to where to go from here.

        thanks again,

        SK

        Edited by: scryptkiddy on Apr 14, 2008 12:04 PM
        • 16. Re: PKCS11 & javax.net.ssl.keyStoreAlias
          843811
          Boy oh boy,

          what the heck is this. But we're going together through this.

          1. This and only this is the keystore type!
          System.setProperty("javax.net.ssl.keyStoreType", "PKCS11");
          But you don't need to set it as system property if you're running the readIt() method.

          2. This and only this is your provider name!
          System.setProperty("javax.net.ssl.keyStoreProvider", "SunPKCS11-ActiveClientProvider");
          But you don't need to set it as system property if you're running the readIt() method.

          If it finally would run one day, you could let the provider name display with
          Provider p = lks.getProvider();
          System.out.println("Provider   : " + p.getName());
          System.out.println("Prov.Vers. : " + p.getVersion());
          But this is only step 2.

          We're getting lost in configuration twisting.
          There are really only a few lines needed to get this thing fly.
          And we've all the parts: java.security, pkcs11.cfg, and one line of code!
          import java.security.KeyStore;
          import java.security.*;
          
          public class TestPKCS11 {
              public static void main(String[] args) {
                  try {
                      KeyStore lks = KeyStore.getInstance("PKCS11");
                      System.out.println("KS Type    : " + lks.getType());
                  } catch (KeyStoreException ex) {
                      // Print the failure instead of silently discarding it
                      ex.printStackTrace();
                  }
              }
          }
          Questions

          1.) Which OS are you using (XP, Vista?)
          2.) In a previous posting you talked about this exception.
          java.security.ProviderException: slotListIndex is 0 *but token only has 0 slots*
          I would assume that you got the right configuration at least once, otherwise you wouldn't have got this error, or?

          (desperately) NX-01
          • 17. Re: PKCS11 & javax.net.ssl.keyStoreAlias
            843811
            Appreciate the patient help here NX!

            Seems like I'm really close, but something is VERY fundamentally wrong somewhere.
            Just wish I had more experience with reading certificates from smart cards =)

            And I'm definitely stretching here with my guessing on the keystore Type and Provider Name,
            thanks for making it clear, sometimes I need that =) Because I agree, I am getting lost in the configuration setup for this.

            As far as OS, my local machine here is XP Pro, the server I'm running is Windows Server 2003.


            Now on the progress report, haha.
            I'll split the rest of this post into 2 parts. First part deals with running readKeyStoreFromSmartCard and its results / issues.
            The second part will be about what configuration I used to get that error about the slotIndex. I kept that class file separate
            so I could reference it later.



            Part 1

            The readKeyStoreFromSmartCard now has the correct keystore type and provider name =)
            Below is the current entire source I'm running / testing and its result, (but with some good news as well after).
            It is loading the provider dynamically, so I have the java.security line commented out where this provider / cfg file
            entry would go.

            Source:
            import java.security.KeyStore;
            import java.security.Provider;
            import java.security.Security;
            import java.util.*;
            import java.security.cert.X509Certificate;
            
            public class readKeyStoreFromSmartCard {
            
                 /**
                  * @param args
                  */
                 public static void main(String[] args) {
                      // TODO Auto-generated method stub
                      
                      try {
                           readIt();
                      }
                      catch (Exception e) {
                           e.printStackTrace();
                      }
            
                 }     
                      public static void readIt() throws
                    Exception {
                          String alias = null;
                          KeyStore lks = KeyStore.getInstance("PKCS11");
                          lks.load(null,null);
                          //Provider p = lks.getProvider();
                          
                          String configName = "C:/Program Files/Java/jre1.6.0_05/lib/security/pkcs11.cfg";
                          Provider p = new sun.security.pkcs11.SunPKCS11(configName);
                          Security.addProvider(p);
                          System.out.println("--------------------------------------------------------");
                          System.out.println("Provider   : " + p.getName());
                          System.out.println("Prov.Vers. : " + p.getVersion());
                          System.out.println("KS Type    : " + lks.getType());
                          System.out.println("KS DefType : " + lks.getDefaultType());
                      
                          Enumeration <String> al = lks.aliases();
                          while (al.hasMoreElements()) {
                              alias = al.nextElement();
                              System.out.println("alias:" + alias);
                              System.out.println("--------------------------------------------------------");
                              if (lks.containsAlias(alias)) {
                                  System.out.println("Alias exists : '" + alias + "'");
                                  X509Certificate cert = (X509Certificate) lks.getCertificate(alias);
                                  System.out.println("Certificate  : '" + cert.toString() + "'");
                                  System.out.println("Version      : '" + cert.getVersion() + "'");
                                  System.out.println("SerialNumber : '" + cert.getSerialNumber() + "'");
                                  System.out.println("SigAlgName   : '" + cert.getSigAlgName() + "'");
                                  System.out.println("NotBefore    : '" + cert.getNotBefore().toString() + "'");
                                  System.out.println("NotAfter     : '" + cert.getNotAfter().toString() + "'");
                                  System.out.println("TBS          : '" + cert.getTBSCertificate().toString() + "'");
                              } else {
                                  System.out.println("Alias doesn't exists : '" + alias + "'");
                              }
                          }
                      }
            
            
            }
            Here is the cfg file:
            name=ActiveClientProvider
            library=C:\WINDOWS\system32\acpkcs211.dll
            Now the result is the same... "java.security.KeyStoreException: PKCS11 not found" but I have some good news....
            well, we'll just call it news for now =)

            If I change this line
            KeyStore lks = KeyStore.getInstance("PKCS11");
            to this:
            KeyStore lks = KeyStore.getInstance("JKS");
            It outputs this:
            Provider : SunPKCS11-ActiveClientProvider
            Prov.Vers. : 1.6
            KS Type : JKS
            KS DefType : jks

            It never enters the Enumeration loop, but at least no errors. This is all being run on my local workstation.
            So it can find the JKS Provider but not PKCS11? AARRGG! =)


            Part 2
            Going back to when I had the slotIndex error. This is the Class code and the servlet that called it:
            Class:
            import java.util.Hashtable;
            import java.io.*;
            import javax.naming.*;
            import javax.naming.ldap.*;
            import javax.naming.directory.*;
            
            import java.security.cert.*;
            import java.security.*;
            import java.security.KeyStore.Builder.*;
            import java.security.KeyStore.*;
            import java.security.cert.Certificate;
            import sun.security.pkcs11.*;
            import java.security.Provider;
            
             /* TEST FILE -- NOT NEEDED */
            
            public class searchexternals 
            {
                 public String returnStuff (X509Certificate certs, String adminName)
                 {
                      String ldapURL = "ldaps://my.company.com:636";
                      String upn = "4321650987@mil"; 
                      String returnValue = "";
                      Hashtable env = new Hashtable();
                      
                      
                      try {
                           System.out.println("1a");
                           //Dynamic Provider
                           String configName = "C:/Program Files/Java/jre1.6.0_03/lib/security/pkcs11.cfg";
                           Provider p = new sun.security.pkcs11.SunPKCS11(configName);
                           Security.addProvider(p);
                           
                           //LDAP
                           env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
                           env.put(Context.PROVIDER_URL,ldapURL);
                           env.put(Context.SECURITY_PROTOCOL, "ssl");
                           env.put("java.naming.ldap.version", "3");
                           env.put("java.naming.ldap.factory.socket", "javax.net.ssl.SSLSocketFactory");
                           env.put(Context.SECURITY_AUTHENTICATION, "EXTERNAL");
                           
                           //SMARTCARD / Provider
                           System.setProperty("javax.net.ssl.keyStoreURL", "NONE");
                           System.setProperty("javax.net.ssl.keyStoreType", "PKCS11");
                           System.setProperty("javax.net.ssl.keyStoreProvider", "SunPKCS11-ActiveClientProvider");
                           
                           //TRUST STORE / ROOT CERTIFICATES
                           String trustStore = "C:/Program Files/Apache Software Foundation/Tomcat 5.5/webapps/ako/security/cacerts";
                           System.setProperty("javax.net.ssl.trustStore",trustStore);
            
            
            
                           //Create the initial directory context
                           InitialLdapContext ctx = new InitialLdapContext(env, null);
                           
                           ....more code
            the servlet that calls it:
            <%@ page import="java.security.cert.*" %>
            <%@ page import="javax.net.ssl.*" %>
            <%@ page import="java.security.*" %>
            <%@ page import="java.util.Hashtable" %>
            <%@ page import="java.io.*" %>
            <%@ page import="javax.naming.*" %>
            <%@ page import="javax.naming.ldap.*" %>
            <%@ page import="javax.naming.directory.*" %>
            <%@ page import="tnosc.*" %>
            <%@ page import="java.security.cert.Certificate" %>
            
            
            <% 
                            //User certificate 
                 X509Certificate[] certChain = (X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");
                 X509Certificate cert = certChain[0];
                 
                 searchexternals se = new searchexternals();
                 
                 String stuff = "";
                 stuff = se.returnStuff(cert, "myName");
                                         
                 
            %>
            <table >
                 <tr><td>Stuff<%= stuff %></td></tr>
            </table>
              </body>
            </html>
            I was basically trying to get a certificate from the user's browser (via request.getAttribute) then somehow
            pass it into the class which would bind with that certificate and run a query as that person.

            This is running on the Win 2003 Server. I'm loading the provider dynamically, so the java.security file is untouched
            and the pkcs11.cfg file reads like this:
            name=ActiveClientProvider
            library=C:\WINDOWS\system32\acpkcs211.dll
            Sooooo..... looks like I can get JKS to run, but not PKCS11. And as far as the code above... it works (I guess), but gives
            me a slotIndex error....Grrrrrr

            Thanks again for all the help NX, you are da bomb =)

            SK
            • 18. Re: PKCS11 & javax.net.ssl.keyStoreAlias
              843811
              NX, IT WORKS!!!

              I was looking for other examples of how to simply "List out the certificates from SmartCard". One hit that came up was
              this one (http://forum.java.sun.com/thread.jspa?forumID=9&threadID=5285121).

              Then looking at my code, it looked pretty much the same, except...

              The call to getInstance method for the Keystore was AFTER the Provider had been instantiated.

              So I went from this:
              ....
                   public static void readIt() throws
                      Exception {
                            String alias = null;
                            KeyStore lks = KeyStore.getInstance("PKCS11");
                            lks.load(null,null);
                            
                            String configName = "C:/Program Files/Java/jre1.6.0_03/lib/security/pkcs11.cfg";
                             Provider p = new sun.security.pkcs11.SunPKCS11(configName);
                             Security.addProvider(p);
                             
              ....
              getting "PKCS11 not found"

              to this:
              ....
                   public static void readIt() throws
                      Exception {
                            String alias = null;
                            
                            String configName = "C:/Program Files/Java/jre1.6.0_03/lib/security/pkcs11.cfg";
                             Provider p = new sun.security.pkcs11.SunPKCS11(configName);
                             Security.addProvider(p);
                             
                            KeyStore lks = KeyStore.getInstance("PKCS11");
                            lks.load(null,null);     
              ....
              and it spits out everything about the certs (I have 3 on my smartcard) and all the information inside that enumeration loop.
              So it WAS something fundamentally wrong, I basically was instantiating a KeyStore Object BEFORE loading the provider.
              This probably would not have happened had I loaded the provider statically in the java.security file.... not sure though.

              THANKS again for the assistance NX!


              Last part now, if you have any patience left =) . Since this was kinda step 1 for me, "read the certificates from smartcard".
              The second step for me is "read the certificates of a smartcard from the user's browser" (using clientauth=true). Because I need this on my server now (.jsp)
              The third and final step "use the certificate (from step 2) to run a query / modify command" (using JNDI).

              Refer to my last post.

              So now I can do step 1 (thanks again!)
              Step 2 is confusing because the test we ran lets me read the card that is LOCALLY attached. I need to reference a certificate from the browser
              to the users workstation.
              Step 3 is also a bit confusing, assuming I can read the certificate from the client's browser, how do I use it to do a bind for create / modify command in JNDI?

              thanks a million again for getting me this far!
              hopefully step 2 and 3 are not impossible =(

              SK
              • 19. Re: PKCS11 & javax.net.ssl.keyStoreAlias
                EJP
                > This probably would not have happened had I loaded the provider statically in the java.security file
                It definitely would not have happened.
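
Added example (not code from the thread or from the JDK): the lookup-order behaviour found in reply 18, reproduced without a smart card. DemoProvider, EmptyTokenStore and the keystore type DEMO11 are constructed stand-ins for SunPKCS11-ActiveClientProvider and PKCS11; the three-argument Provider constructor assumes Java 9 or later.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.KeyStoreSpi;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;

public class ProviderOrderDemo {

    /** Constructed stand-in for a token-backed keystore: read-only and always empty. */
    public static class EmptyTokenStore extends KeyStoreSpi {
        private static KeyStoreException readOnly() {
            return new KeyStoreException("constructed store is read-only");
        }
        public Key engineGetKey(String a, char[] p) { return null; }
        public Certificate[] engineGetCertificateChain(String a) { return null; }
        public Certificate engineGetCertificate(String a) { return null; }
        public Date engineGetCreationDate(String a) { return null; }
        public void engineSetKeyEntry(String a, Key k, char[] p, Certificate[] c)
                throws KeyStoreException { throw readOnly(); }
        public void engineSetKeyEntry(String a, byte[] k, Certificate[] c)
                throws KeyStoreException { throw readOnly(); }
        public void engineSetCertificateEntry(String a, Certificate c)
                throws KeyStoreException { throw readOnly(); }
        public void engineDeleteEntry(String a) throws KeyStoreException { throw readOnly(); }
        public Enumeration<String> engineAliases() { return Collections.emptyEnumeration(); }
        public boolean engineContainsAlias(String a) { return false; }
        public int engineSize() { return 0; }
        public boolean engineIsKeyEntry(String a) { return false; }
        public boolean engineIsCertificateEntry(String a) { return false; }
        public String engineGetCertificateAlias(Certificate c) { return null; }
        public void engineStore(OutputStream s, char[] p) { }
        public void engineLoad(InputStream s, char[] p) { }
    }

    /** Constructed provider that offers exactly one service: KeyStore type DEMO11. */
    public static class DemoProvider extends Provider {
        public DemoProvider() {
            super("Demo-ActiveClientProvider", "1.0", "constructed provider for keystore type DEMO11");
            put("KeyStore.DEMO11", EmptyTokenStore.class.getName());
        }
    }

    /** Looks the type up in the registered provider list, as KeyStore.getInstance(type) does. */
    static String tryLookup(String type) {
        try {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(null, null);
            return "found via " + ks.getProvider().getName();
        } catch (Exception e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Provider p = new DemoProvider();

        // 1. Same order as the failing readIt(): the lookup runs while the provider
        //    exists as an object but is not yet in the registered provider list.
        System.out.println("before addProvider : " + tryLookup("DEMO11"));

        // 2. Handing the Provider object to getInstance skips the registered list,
        //    so this call does not depend on registration order at all.
        KeyStore direct = KeyStore.getInstance("DEMO11", p);
        direct.load(null, null);
        System.out.println("explicit provider  : " + direct.getProvider().getName());

        // 3. Register first, then look up by type: the order that worked in reply 18.
        //    addProvider returns -1 when a provider of that name is already installed.
        if (Security.addProvider(p) == -1) {
            throw new IllegalStateException("provider name already registered");
        }
        try {
            System.out.println("after addProvider  : " + tryLookup("DEMO11"));
        } finally {
            Security.removeProvider(p.getName()); // leave the JVM's provider list as found
        }
    }
}
```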
                • 20. Re: PKCS11 & javax.net.ssl.keyStoreAlias
                  843811
                  Thanks for the clarification ejp, I was a bit nervous to actually test it now that I'm 1/3rd of the way through
                  this hairpulling project =)

                  Any insight to my other 2/3rd's of this project?

                  thanks in advance,

                  SK
                  • 21. Re: PKCS11 & javax.net.ssl.keyStoreAlias
                    EJP
                    > System.setProperty("javax.net.ssl.keyStoreURL", "NONE");
                    You seem to have made this system property up. It doesn't exist. Check what it says at http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#ConfigSmartcard again. You may also need to check the next section http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#MultiDynamicKeystores.
                    • 22. Re: PKCS11 & javax.net.ssl.keyStoreAlias
                      843811
                      What shall I say.
                      Welcome aboard on the starship!

                      At least my assumption was right, that the provider declaration was somehow not available.
                      I'm not a friend of dynamic elements, at the time of learning how to start.
                      If I would have tried it dynamically, I would have maybe seen the wrong order.
                      But my focus was on getting it to work as simple as possible.
                      Anyway.

                      So, let's go west!

                      Step 2
                      This is exactly what I try to figure out right now.
                      I'm using the GlassFish AppServer 9.1.

                      At the moment we share the same confusion about local SCR and remote server.
                      Don't want to get funny, but my first attempt is to use a static approach ;-).
                      Means the client's JRE (java.security) contains all the provider information.
                      But this is still in progress. Probably I can return to this step next week.

                      Step 3
                      see above.

                      In the meantime maybe you do some progress in step 2 and 3.
                      I'm longing for information on that.

                      But what you can try now to keep the first attempt simple.
                      Use my simple JNDI code or your searchexternals class in a simple console app.
                      Just to get sure that it can work.
                      Or is it already working in a simple console app?

                      regards NX
                      • 23. Re: PKCS11 & javax.net.ssl.keyStoreAlias
                        843811
                        First to ejp:

                        I actually got that line entry from here: http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html#JAAS
                        under the PKCS11 Guide. Not sure how far off that is from where I need to be, but the terminology, and my
                        knowledge of working with smartcards is very little (but growing) =)

                        The other links you sent look very good, hopefully they have a working example. The one thing that caught my
                        attention on both links is that it states its for "Java Applications" and "J2SE" specifically. Only reason I ask is because
                        after skimming through it, there did not seem to be any indication of a web based TrustStore / KeyStore. I'm working with
                        servers and servlet containers (Tomcat) in J2EE. Does that mean that the guide is only for locally (client based)
                        applications? Just curious before I delve into too deep.


                        NX,

                        Definitely glad to finally be on board, lets hope I'm on the right flight =)
                        I've never heard of GlassFish AppServer, is that a servlet container like Tomcat, or something else?

                        As far as step 2, I am lucky enough to have a baseline installed on all the workstations, meaning ALL of the clients have
                        the SCR manufacturers library (dll) available. So any client hitting my web page will have a smartCard reader in their workstation
                        with libraries on their local machine.


                        As far as step 3, making an ldap bind with a certificate, I've never seen an example. I can do simple binds using username / password like:
                         
                        ...
                        Hashtable env = new Hashtable();
                        String ldapURL = "my.company.com:636";

                        env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");

                        //connect to my domain controller
                        env.put(Context.PROVIDER_URL,ldapURL);

                        env.put(Context.SECURITY_AUTHENTICATION,"simple");
                        env.put(Context.SECURITY_PRINCIPAL,userName);
                        env.put(Context.SECURITY_CREDENTIALS,userPwd);

                        //specify the use of SSL
                        env.put(Context.SECURITY_PROTOCOL,"ssl");

                        //Access the truststore
                        String truststore = "C:/security/cacerts";
                        System.setProperty("javax.net.ssl.trustStore",truststore);

                        try {

                            //Create the initial directory context
                            LdapContext ctx = new InitialLdapContext(env,null);

                        ....
                        But I'm trying to bind now with (simple / pseudo) the user's cert...something like:
                        ...
                        Hashtable env = new Hashtable();
                        String ldapURL = "my.company.com:636";

                        env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");

                        //connect to my domain controller
                        env.put(Context.PROVIDER_URL,ldapURL);

                        env.put(Context.SECURITY_AUTHENTICATION,"EXTERNAL");
                        env.put(Context.SECURITY_CREDENTIALS, X509CertificateObject);

                        //specify the use of SSL
                        env.put(Context.SECURITY_PROTOCOL,"ssl");

                        //Access the truststore
                        String truststore = "C:/security/cacerts";
                        System.setProperty("javax.net.ssl.trustStore",truststore);

                        try {

                            //Create the initial directory context
                            LdapContext ctx = new InitialLdapContext(env,null);

                        ....
                        So the short answer is no, nothing working on the local console to bind to ldap server with certificate.


                        I also thought of something as I was looking at my previous posts. In my searchexternals class and the test.jsp
                        servlet that calls it, I am actually reading the users X509certificate from the web... I have a trustStore that is used to
                        determine if the users are trusted (see searchexternals TRUST STORE section). I also have my server.xml set to
                        "clientauth=true" which prompts them for a certificate and pin (they select the one on the smartcard)...

                        Hmm... I think I already have step 2 then, whattya think? Which means I can use that cert to bind now.

                        If only there was an example of how to bind with a certificate!! (I just searched, haha).

                        (Aboard starship but with no return ticket) =)

                        SK
                        • 24. Re: PKCS11 & javax.net.ssl.keyStoreAlias
                          843811
                          Hi SK,

                          the GlassFish AppServer is THE (free) Java/J2EE Applicationserver from Sun.
                          Also called 'Open Source Application Server for Java EE 5'

                          https://glassfish.dev.java.net/

                          It's the OpenSource SpinOff of the former SUN AppServers 7/8/9 versions or much earlier iPlanet AppServer 6.

                          http://www.sun.com/software/products/appsrvr/index.jsp

                          The commercial version is the 'Sun Java System Application Server 9.1 U1'

                          The SJSAS9.1 contains GF which contains the Tomcat engine.

                          So far about the historically background.

                          The principal approach for web frontends are identical,
                          because we're talking about a java based web engine,
                          or to be more precise, about the same java based web engine, called Tomcat.

                          For the first tests I'm using the java tutorial examples.
                          http://java.sun.com/docs/books/tutorial/
                          There are some 'hello world' examples for web based authen.
                          And there I also say :
                          <auth-method>CLIENT-CERT</auth-method>
                          or at least I try it.

                          We both have windows clients with SCRs, users that log in with their SC and (web)apps that need a cert based authentication
                          So you see, we're somehow on the same ship
                          But there are of course some differences in the background.
                          W2K3/Tomcat vs. Solaris/GF.

                          I split my search&destroy in 3 steps.
                          1. cert based ldap authen with JNDI (a console hello world app). This Thread!
                          2. web conf to make use of locally docked SCRs. Theoretically already done.

                          After both is working I start the merge.
                          3. cert based ldap authen with JNDI in the web environment

                          A question you should consider and maybe give me glance of your environmentally approach is this.

                          Out of the box Tomcat/GF can only use an internal keystore for cert verifications.
                          May the community correct this assumption.

                          And if you're doing all this not only for your private purposes, we're talking probably about more than 10 users.
                          Maybe hundreds or even thousands.
                          And I also assume that all the certs and all the user information are stored in your company LDAP.
                          How do you or someone want to manage all these certs in 2 locations (LDAP/Tomcat keystore).
                          I would say impossible.
                          So we're talking about a own JAAS implementation (for web).

                          This leads me now to the point that we're drifting now out of the topic of this huge thread.
                          Which was about Java&PKCS11 access.
                          I think we should close this thread and continue in a new thread called somehow like
                          'JAAS implementation for cert based authentication in a web container'.

                          In the new thread we can try to authenticate against a local keystore or immediately work on the JAAS implementation.

                          But first we should get sure that you have a working 'hello world' console app
                          that does not only user/pwd authentication, but also does a cert based authen against LDAP.

                          But even this could be or should be a new thread called 'cert based ldap authentication'.

                          What do you think about that?

                          Best regards
                          NX
                          • 25. Re: PKCS11 & javax.net.ssl.keyStoreAlias
                            843811
                            NX,

                            Very interesting on the history, thanks for the information.
                            Hmm, same river / path, different boats? W2K3/Tomcat vs Solaris/GF. =)

                            I clicked on that tutorial, I did not find any links for "web based authen", did a few searches, no luck there, not sure
                            where you found that
                            <auth-method>CLIENT-CERT</auth-method>
                            example, unless I'm overanalyzing and it's just pseudo =)


                            As far as the step 2 "web conf to make use of the locally docked SCRs", do you mean server.xml where the Connector is set
                            to use certificates: clientAuth=true, trustore=...keystore=...etc?
                            If so, I would agree that it is already done as well.

                            --Yes, definitely for hundreds / thousands of people =)

                            And I agree, we've exhausted this thread, and are a bit off topic, I'll start a new thread: "'cert based ldap authentication'"

                            thanks,

                            SK

                            Edited by: scryptkiddy on Apr 17, 2008 11:37 AM
                            • 26. Re: PKCS11 & javax.net.ssl.keyStoreAlias
                              EJP
                              > First to ejp:
                              >
                              > I actually got that line entry from here: http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html#JAAS
                              > under the PKCS11 Guide.
                              You made it up. There is a keyStoreURL parameter to a PKCS11 KeystoreLoginManager JAAS config file. The system property you invented is imaginary, as is java.net.ssl.keyStoreAlias.

                              Ancient thread but important correction.