Hello @ all,
I'm writing a framework for certificate-based authorization. As far as
the "workflow" is concerned, the client connects to a
Certificate-Server via RMI over an SSL-secured connection. This
connection is secured via a machine-cert. Among other things I retrieve
a keystore object from the Certificate-Server containing the
certificates for the user.
Currently I'm specifying the keystore and truststore for the
machine-cert via
System.setProperty("javax.net.ssl.[trustStore,keyStore]",<file>)
But after retrieving the user keystore any further communication has to
be based upon the new keystore.
My question is now how to change the keyStore/trustStore used for
SSL-based communication at runtime?
I dug deep into the web but haven't found anything helpful. Maybe
someone can throw me a bone, please?
Many thanks in advance,
Steven McClintoc
Ferenc Hechler - 24 Oct 2006 21:49 GMT
mcclintoc@gmx.net wrote:
> Currently I'm specifying the keystore and truststore for the
> machine-cert via
[quoted text clipped - 6 lines]
> My question is now how to change the keyStore/trustStore used for
> SSL-based communication at runtime?
We have done something similar with client-cert authentication for
web services using Axis.
The solution was to merge all keystores together into one big keystore.
This is not so easy, because keytool does not support merging private
keys. Have a look at http://www.comu.de/docs/tomcat_ssl.htm .
The ImportKey application has to be adapted to be non-destructive.
If this is relevant for you I can give you the modified src.
But this was not sufficient, because we had to decide which client-cert
to use based on some rules.
So we implemented our own JSSESocketFactory which has methods like
getKeyManagers() and getTrustManagers().
This was done by setting the system property "axis.socketSecureFactory".
I know this is Axis-specific, but there must be some standard properties
for the normal SSL factory (perhaps "ssl.SocketFactory.provider"?).
Best regards,
feri
Hint: you can use "-Djavax.net.debug=ssl,handshake" to trace the SSL
handshake.
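The keystore merge that feri describes can be done in plain Java without keytool, because the KeyStore API can read and write private-key entries as long as you know the key password. The following is an added example, not feri's modified ImportKey source and not code from the linked page. It assumes JKS stores, that the key password of each source entry equals that source store's password (keytool's default when no -keypass is given), and the command-line layout shown in the usage comment. It is non-destructive in the sense feri asks for: an alias that already exists in the target is an error rather than an overwrite.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.KeyStore.Entry;
import java.security.KeyStore.PasswordProtection;
import java.util.Enumeration;

/** Merges several JKS keystores, private keys included, into one (example program, not from the thread). */
public class KeyStoreMerge {

    /** Loads a keystore from file; a null file yields an empty store of that type. */
    static KeyStore load(String type, String file, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = (file == null) ? null : new FileInputStream(file)) {
            ks.load(in, pass);
        }
        return ks;
    }

    /**
     * Copies every entry of src into dst and returns the number copied.
     * Refuses to overwrite an alias that dst already holds (non-destructive).
     */
    static int mergeInto(KeyStore dst, KeyStore src, char[] srcKeyPass, char[] dstKeyPass) throws Exception {
        PasswordProtection srcProt = new PasswordProtection(srcKeyPass);
        PasswordProtection dstProt = new PasswordProtection(dstKeyPass);
        int copied = 0;
        for (Enumeration<String> e = src.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (dst.containsAlias(alias)) {
                throw new IllegalStateException("alias already present in target store: " + alias);
            }
            if (src.isKeyEntry(alias)) {
                // Private key (plus chain) or secret key: needs the source key password,
                // and is re-protected with the target key password on the way out.
                Entry entry = src.getEntry(alias, srcProt);
                dst.setEntry(alias, entry, dstProt);
            } else {
                // Trusted-certificate entry: not password-protected, so getEntry()
                // with a PasswordProtection would throw; copy the certificate directly.
                dst.setCertificateEntry(alias, src.getCertificate(alias));
            }
            copied++;
        }
        return copied;
    }

    /** Assumed usage: java KeyStoreMerge out.jks outpw in1.jks pw1 [in2.jks pw2 ...] */
    public static void main(String[] args) throws Exception {
        if (args.length < 4 || args.length % 2 != 0) {
            System.err.println("usage: KeyStoreMerge <out.jks> <outpw> <in.jks> <inpw> [<in.jks> <inpw> ...]");
            System.exit(2);
        }
        char[] outPass = args[1].toCharArray();
        KeyStore merged = load("JKS", null, outPass);   // start from an empty store
        for (int i = 2; i < args.length; i += 2) {
            char[] srcPass = args[i + 1].toCharArray();  // store password == key password (assumption)
            int n = mergeInto(merged, load("JKS", args[i], srcPass), srcPass, outPass);
            System.out.println(args[i] + ": " + n + " entries copied");
        }
        try (OutputStream out = new FileOutputStream(args[0])) {
            merged.store(out, outPass);
        }
    }
}
```

Two things to keep in mind before adopting this. A merged store holds the machine key and every user's private key in one file, so it is only as safe as the weakest place it is written to, and it does nothing by itself about which certificate is presented: without selection logic of the kind feri mentions, the SunX509 key manager simply picks the first alias whose key type matches what the server asked for. Older PKCS12 implementations also cannot hold trusted-certificate entries, which is why the example sticks to JKS.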
Ronny Schuetz - 25 Oct 2006 19:57 GMT
Hi,
you may implement your own X509KeyManager and X509TrustManager (see the
JSSE javadocs) and plug them in using SSLContext#init(). Inside the
key manager you can load your key/certificates from wherever you want.
The trust manager can be used to decide whether to trust a peer certificate
chain or not.
Ronny
EJP - 26 Oct 2006 04:31 GMT
> My question is now how to change the keyStore/trustStore used for
> SSL-based communication at runtime?
> I dug deep into the web but haven't found anything helpful. Maybe
> someone can throw me a bone, please?
All you have to do is create and initialize your own SSLContext with
your own KeyManagers etc. The Javadoc/Guide to Features/Security/JSSE
gives examples.
I'm curious about acquiring the keystores from a central place - I
wonder about the security, or the point, of this, and I have grave
reservations about RMI over SSL in the first place. Very grave.
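The approach Ronny and EJP both describe, an SSLContext initialised with your own key and trust managers instead of the javax.net.ssl.* system properties, looks like the following. This is an added example written for this thread, not code from either poster or from the JSSE guide. It assumes the user keystore arrives as an in-memory KeyStore object (as in the question), that the client alias to present is known, and that a separate truststore is available; the FixedAliasKeyManager and SwappableSslClientSocketFactory names are hypothetical. The RMI part rests on one fact about RMI: the RMIClientSocketFactory a stub uses is chosen by whoever exports the remote object and is serialised with the stub, so the client can only influence it if the server exports with a factory class that consults client-side state.

```java
import java.io.IOException;
import java.io.Serializable;
import java.net.Socket;
import java.rmi.server.RMIClientSocketFactory;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

/** Builds an SSLContext from KeyStore objects at runtime; never touches the javax.net.ssl.* properties. */
public final class RuntimeSslContext {

    /** Delegates to JSSE's own key manager but only ever offers one chosen client alias (hypothetical helper). */
    static final class FixedAliasKeyManager implements X509KeyManager {
        private final X509KeyManager delegate;
        private final String alias;

        FixedAliasKeyManager(X509KeyManager delegate, String alias) {
            this.delegate = delegate;
            this.alias = alias;
        }
        public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
            // Only present the alias if its key type is one the server actually asked for.
            for (String kt : keyTypes) {
                String[] ok = delegate.getClientAliases(kt, issuers);
                if (ok != null) for (String a : ok) if (a.equalsIgnoreCase(alias)) return alias;
            }
            return null;   // no matching key: send no certificate rather than a wrong one
        }
        public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
            return delegate.chooseServerAlias(keyType, issuers, socket);
        }
        public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
        public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
        public String[] getClientAliases(String kt, Principal[] iss) { return delegate.getClientAliases(kt, iss); }
        public String[] getServerAliases(String kt, Principal[] iss) { return delegate.getServerAliases(kt, iss); }
    }

    public static SSLContext build(KeyStore keys, char[] keyPass, String clientAlias, KeyStore trust)
            throws Exception {
        if (!keys.isKeyEntry(clientAlias)) {
            throw new IllegalArgumentException("no private key under alias " + clientAlias);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyPass);
        X509KeyManager base = null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) { base = (X509KeyManager) km; break; }
        }
        if (base == null) throw new IllegalStateException("provider returned no X509KeyManager");

        // PKIX trust manager over the supplied store: only chains anchored there are accepted.
        // Do not replace this with a hand-written X509TrustManager whose check methods return silently.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new FixedAliasKeyManager(base, clientAlias) },
                 tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    /**
     * RMI client socket factory whose SSLContext can be swapped at runtime (hypothetical design).
     * The class must exist on both sides: the server exports its remote objects with it, the stub
     * carries an instance to the client, and the client calls setContext() once it holds the user keys.
     */
    public static final class SwappableSslClientSocketFactory implements RMIClientSocketFactory, Serializable {
        private static final long serialVersionUID = 1L;
        private static volatile SSLContext current;   // client-JVM state, not serialised with the stub

        public static void setContext(SSLContext ctx) { current = ctx; }

        public Socket createSocket(String host, int port) throws IOException {
            SSLContext ctx = current;
            if (ctx == null) throw new IOException("no SSLContext installed yet");
            return ctx.getSocketFactory().createSocket(host, port);
        }
        // RMI caches connections per (endpoint, factory); all instances are equal so they share a cache.
        @Override public boolean equals(Object o) { return o instanceof SwappableSslClientSocketFactory; }
        @Override public int hashCode() { return SwappableSslClientSocketFactory.class.hashCode(); }
    }

    /** The switch-over from the question: machine cert first, user cert for everything opened afterwards. */
    public static void switchToUserKeys(KeyStore userKeys, char[] userKeyPass, String alias, KeyStore trust)
            throws Exception {
        SwappableSslClientSocketFactory.setContext(build(userKeys, userKeyPass, alias, trust));
    }
}
```

Two caveats. RMI reuses cached connections, so a call made right after switchToUserKeys() may still travel over a connection that was authenticated with the machine cert; only newly opened sockets present the user certificate, and the server must not treat a connection's identity as fixed per remote reference. And the trust store passed to build() is what decides which Certificate-Server the client will talk to at all; with -Djavax.net.debug=ssl,handshake you can confirm which alias was actually sent in the CertificateVerify step.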