Customization of Your JSSE Trust Material Managers
As you have seen, the KeyManager's main task is to select the correct authentication "package" (a certificate chain and its private key) and to send it to the peer as part of the handshake protocol. When the peer receives this "package" it must verify whether the information is trusted. This verification is based on trust material (certificates) and is performed by the trust managers (TrustManager objects), whose job is to manage the trusted certificates and decide whether a presented chain is acceptable. When a trust manager decides that the received authentication "package" is invalid, the handshake fails with an exception and the connection is closed without any application data being exchanged.
A TrustManager can act only in the presence of a context. Our sample application's SSLContext uses a default TrustManager. This TrustManager can be pointed at a keystore that contains trust material by setting the javax.net.ssl.trustStore system property (and javax.net.ssl.trustStorePassword if the file is password protected). If you don't set this system property and you're using the default SSLContext, J2SSE looks for trust material first in <java.home>/lib/security/jssecacerts and, only if that file does not exist, in <java.home>/lib/security/cacerts.
If you're using a customized SSLContext you have to initialize it by providing one or more TrustManagers. If you pass null, J2SSE automatically creates a default TrustManager, but the idea is to supply your own. There are several ways to do so. Whatever you do, a TrustManager you write yourself must actually validate the peer's certificate chain: a checkServerTrusted or checkClientTrusted method that returns without checking anything switches off peer authentication entirely and leaves the connection open to an active attacker.
The most common approach is to use the TrustManagerFactory class. This class is a factory for one or more TrustManagers. When you obtain a TrustManagerFactory you specify a trust management algorithm. The default SunJSSE provider contains two such algorithms: SunX509, which returns trust managers for X.509 certificates, and PKIX (an upgrade to SunX509 that performs full certification path validation and is the default starting with J2SE 5.0, "Tiger"). The ssl.TrustManagerFactory.algorithm property in the <java.home>/lib/security/java.security file selects the default algorithm, the one that TrustManagerFactory.getDefaultAlgorithm() returns.

Figure 2. The java.security File: Setting the ssl.TrustManagerFactory.algorithm.
Besides the trust management algorithm, you can specify a different provider by using a String or a Provider object, as you can see from the TrustManagerFactory.getInstance methods below (these methods are used to obtain TrustManagerFactory objects):
public static final TrustManagerFactory getInstance(String algorithm)
    throws NoSuchAlgorithmException
public static final TrustManagerFactory getInstance(String algorithm, Provider provider)
    throws NoSuchAlgorithmException
public static final TrustManagerFactory getInstance(String algorithm, String provider)
    throws NoSuchAlgorithmException, NoSuchProviderException
Here's a simple example of creating a TrustManagerFactory:
…
// Factory for the client's trust managers; stays null if creation fails.
TrustManagerFactory clientTMF = null;
…
try {
    // Ask the SunJSSE provider explicitly for the SunX509 algorithm.
    clientTMF = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
} catch (java.security.NoSuchAlgorithmException e) {
    // The provider does not implement the requested algorithm.
    System.out.println(e.getMessage());
} catch (java.security.NoSuchProviderException e) {
    // No provider named "SunJSSE" is installed.
    System.out.println(e.getMessage());
}
...
To initialize a TrustManagerFactory, call one of the following init methods:
public final void init(KeyStore ks) throws KeyStoreException
Generally, when you initialize a TrustManagerFactory you have to provide only your keystore (a KeyStore object already loaded with the trusted certificates). Unlike KeyManagerFactory.init, this method takes no password, because a trust store holds only public certificates and no private keys have to be recovered.
When you have a special provider that requires more parameters in order to initialize a TrustManagerFactory, you'll need to use the following init method:
public final void init(ManagerFactoryParameters spec)
    throws InvalidAlgorithmParameterException
In this case, you must provide all the parameters through an implementation of the ManagerFactoryParameters interface, in the form the provider expects. For the PKIX algorithm the standard implementation is javax.net.ssl.CertPathTrustManagerParameters, which wraps a PKIXParameters object and lets you control details such as whether certificate revocation is checked.
Finally, to retrieve all the TrustManagers you call the TrustManagerFactory.getTrustManagers method. This method returns one trust manager for each type of trust material:
public final TrustManager[] getTrustManagers()
Listing 4 shows another version of the SSLClientSide.java application in Listing 2. This version uses a customized context and the set of trust managers returned by a TrustManagerFactory for the SunX509 algorithm of the SunJSSE provider. This factory has been initialized with the SSLcert keystore, without using system properties.
Note: In most cases only one TrustManager is returned, one that implements X509TrustManager and supports authentication based on the public keys of X.509 certificates, but this is not mandatory. J2SSE can handle more than one authentication mechanism (such as Kerberos authentication) simultaneously, and in that case every mechanism is represented by a separate TrustManager.
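The following program, an added example that is not part of the original article or its listings, carries the whole procedure described above through in one place: it loads a trust store, obtains a TrustManagerFactory for the configured default algorithm, initializes it with the KeyStore (no password), retrieves the TrustManager array, picks out the X509TrustManager as the note above suggests, and builds an SSLContext from the result without touching any system property. The trust store file name reuses the article's SSLcert keystore; the password "changeit" and the class and method names are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class CustomTrustContext {

    /**
     * Loads the trust material from the given keystore file and returns the
     * trust managers a TrustManagerFactory derives from it.
     * The path and password are supplied by the caller (example assumptions).
     */
    public static TrustManager[] loadTrustManagers(String trustStorePath, char[] storePassword)
            throws Exception {
        // A trust store is an ordinary KeyStore that holds only trusted certificates.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            // The password only verifies the file's integrity; null skips that check.
            trustStore.load(in, storePassword);
        }

        // getDefaultAlgorithm() reads ssl.TrustManagerFactory.algorithm from
        // java.security ("PKIX" on a modern JDK); "SunX509" could be passed instead.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

        // init(KeyStore) takes no password: no private keys are read from a trust store.
        tmf.init(trustStore);

        // One TrustManager per supported trust material type, usually exactly one.
        return tmf.getTrustManagers();
    }

    /** Selects the X.509 trust manager from the array, as the note above describes. */
    public static X509TrustManager findX509TrustManager(TrustManager[] managers) {
        for (TrustManager tm : managers) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /**
     * Builds a client SSLContext that trusts only the given managers.
     * No KeyManagers are passed because this client does not authenticate itself.
     */
    public static SSLContext buildContext(TrustManager[] managers) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, managers, null); // null SecureRandom: provider default
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // "SSLcert" is the article's keystore; the password is an example assumption.
        TrustManager[] managers = loadTrustManagers("SSLcert", "changeit".toCharArray());

        // Show which CAs this context will accept; handy when debugging a
        // handshake that fails with an "unable to find valid certification path" error.
        X509TrustManager x509 = findX509TrustManager(managers);
        for (X509Certificate ca : x509.getAcceptedIssuers()) {
            System.out.println("trusted issuer: " + ca.getSubjectX500Principal());
        }

        // Sockets created from this factory validate peers against SSLcert only,
        // regardless of javax.net.ssl.trustStore or the cacerts file.
        SSLSocketFactory factory = buildContext(managers).getSocketFactory();
        System.out.println("socket factory ready: " + factory.getClass().getName());
    }
}
```

Run it from the directory that holds the SSLcert keystore (`java CustomTrustContext`). The program never passes null to SSLContext.init for the trust managers, so the default trust store is not consulted; if the server's chain does not lead to one of the printed issuers, the handshake on any socket from this factory fails.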