<div class="docbook"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">7.13. Truststores</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Java-Broker-Management-Managing-Keystores.html">Prev</a> </td><th width="60%" align="center">Chapter 7. Managing Entities</th><td width="20%" align="right"> <a accesskey="n" href="Java-Broker-Management-Managing-Group-Providers.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Management-Managing-Truststores"></a>7.13. Truststores</h2></div></div></div><p> | |
<a class="link" href="Java-Broker-Concepts-Other-Services.html#Java-Broker-Concepts-Truststores" title="4.10.5. Truststores">Truststores</a> | |
have a number of roles within | |
the Broker. | |
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>A truststore is required by a Port in order to support SSL client authentication.</p></li><li class="listitem"><p>Truststores have a optional role in end to end message encryption. The Broker acts as a | |
<a class="link" href="https://en.wikipedia.org/wiki/Key_server_(cryptographic)" target="_top"> | |
Key Server | |
</a> | |
so that publishing applications have convenient access to recipient's public keys. | |
</p></li><li class="listitem"><p>Some authentication providers also use a truststore when connecting to authentication systems that | |
are protected by a private issuer | |
SSL certificate. | |
</p></li></ul></div><p> | |
</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Management-Managing-Truststores-Types"></a>7.13.1. Types</h3></div></div></div><p>The following truststore types are supported. </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="emphasis"><em>File Trust Store</em></span>. This type accepts the standard JKS | |
truststore format understood by Java and Java tools such as <a class="link" href="http://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html" target="_top">keytool</a>.</p></li><li class="listitem"><p><span class="emphasis"><em>Non Java Trust Store</em></span>. A non java trust store accepts key | |
material in PEM and DER file formats. Either a path to the certificate on the server can be specified using the file:// protocol or the certificate can be uploaded with the data:// protocol</p></li><li class="listitem"><p><span class="emphasis"><em>Managed Certificate Store</em></span>. This type accepts key | |
material in PEM and DER file formats. Contrary to the Non Java Trust Store this store allows the user to add multiple certificates and stores them in the broker configuration.</p></li><li class="listitem"><p><span class="emphasis"><em>Site Specific Trust Store</em></span>. This type will download a certificate from the provided SSL/TLS enabled URL. Note that you must specify both the protocol and the port. Example: https://example.com:443</p></li></ul></div><p> | |
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Management-Managing-Truststores-Attributes"></a>7.13.2. Attributes</h3></div></div></div><p> | |
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="emphasis"><em>Name the truststore</em></span>. Used to identify the | |
truststore.</p></li><li class="listitem"><p><span class="emphasis"><em>Exposed as Message Source</em></span>. If enabled, the Broker | |
will distribute certificates contained within the truststore to clients. | |
Used by the end to end message encryption feature.</p></li><li class="listitem"><p><span class="emphasis"><em>Trust Anchor Validity Enforced</em></span>. If enabled, authentications will | |
fail if the trust anchor's validity date has not yet been reached or already expired.</p></li></ul></div><p> | |
</p><p>Revocation attributes.</p><p> | |
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="emphasis"><em>Enabled</em></span>. If set to true certificate revocation check is performed when | |
client tries to connect.</p></li><li class="listitem"><p><span class="emphasis"><em>Only End Entity</em></span>. If enabled, check only the revocation status of | |
end-entity certificates.</p></li><li class="listitem"><p><span class="emphasis"><em>Prefer CRLs</em></span>. If enabled, prefer CRL (specified in certificate | |
distribution points) to OCSP, if disabled prefer OCSP to CRL.</p></li><li class="listitem"><p><span class="emphasis"><em>No Fallback</em></span>. If enabled, disable fallback to CRL/OCSP (if | |
<span class="emphasis"><em>Prefer CRLs</em></span> set to true, disable fallback to OCSP, | |
otherwise disable fallback to CRL in certificate distribution points).</p></li><li class="listitem"><p><span class="emphasis"><em>Ignore Soft Failures</em></span>. If enabled, revocation check will succeed | |
if CRL/OCSP response cannot be obtained because of network error or OCSP responder returns | |
internalError or tryLater.</p></li><li class="listitem"><p><span class="emphasis"><em>Server CRL Path Or Upload</em></span>. Path to Certificate Revocation List file. | |
If set, certificate revocation check uses only set CRL file and ignores CRL Distribution Points | |
in certificate.</p></li></ul></div><p> | |
</p><p>The following attributes apply to <span class="emphasis"><em>File Trust Stores</em></span> only.</p><p> | |
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="emphasis"><em>Path</em></span>. Path to truststore file</p></li><li class="listitem"><p><span class="emphasis"><em>Truststore password</em></span>. Password used to secure the truststore</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p> The password of the certificate used by the Broker <span class="bold"><strong>must</strong></span> match the password of the keystore | |
itself. </p></div></li><li class="listitem"><p><span class="emphasis"><em>Certificate Alias</em></span>. An optional way of specifying | |
which certificate the broker should use if the keystore contains multiple | |
entries.</p></li><li class="listitem"><p><span class="emphasis"><em>Manager Factory Algorithm</em></span>. In keystores the have more | |
than one certificate, the alias identifies the certificate to be | |
used.</p></li><li class="listitem"><p><span class="emphasis"><em>Key Store Type</em></span>. Type of Keystore.</p></li><li class="listitem"><p><span class="emphasis"><em>Peers only</em></span>. When "Peers Only" option is selected for | |
the Truststore it will allow authenticate only those clients that present a | |
certificate exactly matching a certificate contained within the Truststore | |
database.</p></li></ul></div><p> | |
</p><p>The following attributes apply to <span class="emphasis"><em>Non Java Trust Stores</em></span> | |
only.</p><p> | |
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="emphasis"><em>Certificates</em></span>. The cerificate(s) in DER or PEM | |
format.</p></li></ul></div><p> | |
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Management-Managing-Truststores-Children"></a>7.13.3. Children</h3></div></div></div><p>None</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Management-Managing-Truststores-Lifecycle"></a>7.13.4. Lifecycle</h3></div></div></div><p>Not supported</p></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Java-Broker-Management-Managing-Keystores.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Java-Broker-Management-Managing-Entities.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Java-Broker-Management-Managing-Group-Providers.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">7.12. Keystores </td><td width="20%" align="center"><a accesskey="h" href="Apache-Qpid-Broker-J-Book.html">Home</a></td><td width="40%" align="right" valign="top"> 7.14. Group Providers</td></tr></table></div></div> |