The SSL Keystore Configuration.

Scope: client and server, all versions.

A certificate may be needed for accessing another system. Examples are accessing a MyProxy from an OA4MP server or having an OA4MP client that has been issued a specific cert. A keystore is a single file that contains X509 certificates, possibly associated certificate chains and private keys. The two major formats supported are PKCS12 or JKS (Java KeyStore). OA4MP supports both. Java comes bundled with a set of certificates of common commercial certification authorities. This may be used or not. Just to make this a bit clearer, any time your browser goes to a site that requires you to accept their certificates before connecting, you have hit the case exactly for using this feature: Your browser has a clickable thingie for certificates, but your java virtual machine does not.

Supported Properties

Name Required Default
path N - The absolute path to the keystore.
type N - The type of the keystore, e.g. "pkcs12" or "jks".
password N - The password for the keystore
factory N - The name of the factory, e.g. SunX509, which will be used to create the key manager factory. This creates any key managers. You should generally not need to change this.
useJavaKeystore T true Use the default Java keystore (which normally resides at $JAVA_HOME/lib/security/cacerts) in addition to the one given in the path. If this element is omitted it is the same as setting this option to "true". Generally, if this is disabled then no commercial certificates will be recognized by SSL. This might be useful in certain cases, but should probably be enabled unless you have good reasons otherwise.

A client example.

In this case a developer must use an OA4MP server that has a self-signed (e.g. a test server, or an exceptionally well locked down one). Since the client will not be able to connect to such a server otherwise (a low-level SSL exception will be generated), a certificate must be specified.
   <client name="my-secure-client">
      <keystore path="/var/www/config/certs/2014-03-18/"
    <-- Bunch of other configuration stuff >


In this case the PKCS12 store is located at the given path. Since the default Java keystore is not used, this client cannot connect to any other server. Read configuring Myproxy with a client certificate if you looking for a server-side example of this.

Last modified 11/20/19.
©2000-2013 Board of Trustees of the University of Illinois.