<div class="docbook"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">7.12. Keystores</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Java-Broker-Management-Managing-Authentication-Providers.html">Prev</a> </td><th width="60%" align="center">Chapter 7. Managing Entities</th><td width="20%" align="right"> <a accesskey="n" href="Java-Broker-Management-Managing-Truststores.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Management-Managing-Keystores"></a>7.12. Keystores</h2></div></div></div><p>A <a class="link" href="Java-Broker-Concepts-Other-Services.html#Java-Broker-Concepts-Keystores" title="4.10.4. Keystores">Keystore</a> is required by a Port in | |
order to use SSL for messaging and/or management.</p><p>The Broker supports a number of different keystore types. These are described | |
below.</p><p>The key material may be held by the Broker itself (held inline within the configuration) | |
or you may use references to files on the server's file system. Whichever mechanism is | |
chosen it is imperative to ensure that private key material remains confidential.</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Management-Managing-Keystores-Types"></a>7.12.1. Types</h3></div></div></div><p>The following keystore types are supported. </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="emphasis"><em>File Key Store</em></span>. This type accepts the standard JKS | |
keystore format undertood by Java and Java tools such as <a class="link" href="http://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html" target="_top">keytool</a>.</p><p>If the keystore contains multiple keys, it is possible to indicate which | |
certificate is to be used by specifying an alias. If no alias is specified | |
the first certificate found in the keystore will be used.</p></li><li class="listitem"><p><span class="emphasis"><em>Non Java Key Store</em></span>. A Non Java Keystore accepts key | |
material in PEM and DER file formats. With this store type it is necessary | |
to provide the private key, which must not be protected by password, | |
certificate and optionally a file containing intermediate | |
certificates.</p></li><li class="listitem"><p><span class="emphasis"><em>Auto Generated Self Signed</em></span> has the ability to | |
generate a self signed certificate and produce a truststore | |
suitable for use by an application using the Apache Qpid JMS and Apache Qpid JMS AMQP 0-x clients.</p><p>The use of self signed certficates is not recommended for production | |
use.</p></li></ul></div><p> | |
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Management-Managing-Keystores-Attributes"></a>7.12.2. Attributes</h3></div></div></div><p> | |
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="emphasis"><em>Name the keystore</em></span>. Used to identify the | |
keystore.</p></li></ul></div><p> | |
</p><p>The following attributes apply to <span class="emphasis"><em>File Key Stores</em></span> only.</p><p> | |
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="emphasis"><em>Keystore path</em></span>. File Key Stores only. Path to keystore | |
file</p></li><li class="listitem"><p><span class="emphasis"><em>Keystore password</em></span>. Password used to secure the keystore</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p> The password of the certificate used by the Broker <span class="bold"><strong>must</strong></span> match the password of the keystore | |
itself. This is a restriction of the Broker implementation. If | |
using the <a class="link" href="http://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html" target="_top">keytool</a> utility, note | |
that this means the argument to the <code class="option">-keypass</code> option | |
must match the <code class="option">-storepass</code> option. </p></div></li><li class="listitem"><p><span class="emphasis"><em>Certificate Alias</em></span>. An optional way of specifying | |
which certificate the broker should use if the keystore contains multiple | |
entries.</p></li><li class="listitem"><p><span class="emphasis"><em>Manager Factory Algorithm</em></span>.In keystores the have more | |
than one certificate, the alias identifies the certificate to be | |
used.</p></li><li class="listitem"><p><span class="emphasis"><em>Key Store Type</em></span>. Type of Keystore.</p></li><li class="listitem"><p><span class="emphasis"><em>Use SNI host name matching</em></span>. If selected, SNI server name from | |
an SSL handshake will be used to select the most appropriate certificate | |
by matching an indicated hostname with the certificate hostname specified in subject or | |
subject alternatives as CN or DC.</p></li></ul></div><p> | |
</p><p>The following attributes apply to <span class="emphasis"><em>Non Java Key Stores</em></span> | |
only.</p><p> | |
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="emphasis"><em>Private Key</em></span>. The private key in DER or PEM format. | |
This file must not be password protected.</p></li><li class="listitem"><p><span class="emphasis"><em>Certificate</em></span>. The cerificate in DER or PEM | |
format.</p></li><li class="listitem"><p><span class="emphasis"><em>Intermediates Certificates </em></span>. Optional. Intermediate | |
cerificates in PEM or DER format.</p></li></ul></div><p> | |
</p><p>The following attributes apply to <span class="emphasis"><em>Auto Generated Self Signed</em></span> | |
only.</p><p> | |
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="emphasis"><em>Algorithm</em></span>. Optional. Algorithm used to generate the | |
self-signed certificate.</p></li><li class="listitem"><p><span class="emphasis"><em>Signature Algorithm </em></span>. Optional. The name of signature | |
algorithm.</p></li><li class="listitem"><p><span class="emphasis"><em>Key Length</em></span>. Optional. Length of the key in | |
bits.</p></li><li class="listitem"><p><span class="emphasis"><em>Duration</em></span>. Optional. Validility period in | |
months.</p></li></ul></div><p> | |
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Management-Managing-Keystores-Children"></a>7.12.3. Children</h3></div></div></div><p>None</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Management-Managing-Keystores-Lifecycle"></a>7.12.4. Lifecycle</h3></div></div></div><p>Not supported</p></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Java-Broker-Management-Managing-Authentication-Providers.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Java-Broker-Management-Managing-Entities.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Java-Broker-Management-Managing-Truststores.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">7.11. Authentication Providers </td><td width="20%" align="center"><a accesskey="h" href="Apache-Qpid-Broker-J-Book.html">Home</a></td><td width="40%" align="right" valign="top"> 7.13. Truststores</td></tr></table></div></div> |