<div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">7.12.&#160;Truststores</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Management-Managing-Keystores.html">Prev</a>&#160;</td><th align="center" width="60%">Chapter&#160;7.&#160;Managing Entities</th><td align="right" width="20%">&#160;<a accesskey="n" href="Java-Broker-Management-Managing-Group-Providers.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Management-Managing-Truststores"></a>7.12.&#160;Truststores</h2></div></div></div><p>
<a class="link" href="Java-Broker-Concepts-Other-Services.html#Java-Broker-Concepts-Truststores" title="4.10.4.&#160;Truststores">Truststores</a>
have a number of roles within
the Broker.
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>A truststore is required by a Port in order to support SSL client authentication.</p></li><li class="listitem"><p>Truststores have an optional role in end-to-end message encryption. The Broker acts as a
<a class="link" href="https://en.wikipedia.org/wiki/Key_server_(cryptographic)" target="_top">
Key Server
</a>
so that publishing applications have convenient access to recipients' public keys.
</p></li><li class="listitem"><p>Some authentication providers also use a truststore when connecting to authentication systems that
are protected by an SSL certificate from a private issuer.
</p></li></ul></div><p>
</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Management-Managing-Truststores-Types"></a>7.12.1.&#160;Types</h3></div></div></div><p>The following truststore types are supported. </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="emphasis"><em>File Trust Store</em></span>. This type accepts the standard JKS
truststore format understood by Java and Java tools such as <a class="link" href="http://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html" target="_top">keytool</a>.</p></li><li class="listitem"><p><span class="emphasis"><em>Non Java Trust Store</em></span>. A Non Java Trust Store accepts key
material in PEM and DER file formats. The certificate can either be referenced by a path on the server using the file:// protocol, or uploaded inline using the data:// protocol.</p></li><li class="listitem"><p><span class="emphasis"><em>Managed Certificate Store</em></span>. This type accepts key
material in PEM and DER file formats. Unlike the Non Java Trust Store, this store allows the user to add multiple certificates and stores them in the broker configuration.</p></li><li class="listitem"><p><span class="emphasis"><em>Site Specific Trust Store</em></span>. This type downloads a certificate from the provided SSL/TLS-enabled URL. Note that you must specify both the protocol and the port, for example https://example.com:443</p></li></ul></div><p>
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Management-Managing-Truststores-Attributes"></a>7.12.2.&#160;Attributes</h3></div></div></div><p>
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="emphasis"><em>Name the truststore</em></span>. Used to identify the
truststore.</p></li><li class="listitem"><p><span class="emphasis"><em>Exposed as Message Source</em></span>. If enabled, the Broker
will distribute certificates contained within the truststore to clients.
Used by the end-to-end message encryption feature.</p></li><li class="listitem"><p><span class="emphasis"><em>Trust Anchor Validity Enforced</em></span>. If enabled, authentications will
fail if the trust anchor's validity period has not yet begun or has already expired.</p></li></ul></div><p>
</p><p>The following attributes apply to <span class="emphasis"><em>File Trust Stores</em></span> only.</p><p>
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="emphasis"><em>Path</em></span>. Path to truststore file</p></li><li class="listitem"><p><span class="emphasis"><em>Truststore password</em></span>. Password used to secure the truststore</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p> The password of the certificate used by the Broker <span class="bold"><strong>must</strong></span> match the password of the keystore
itself. </p></div></li><li class="listitem"><p><span class="emphasis"><em>Certificate Alias</em></span>. An optional way of specifying
which certificate the broker should use if the keystore contains multiple
entries.</p></li><li class="listitem"><p><span class="emphasis"><em>Manager Factory Algorithm</em></span>. In keystores that have more
than one certificate, the alias identifies the certificate to be
used.</p></li><li class="listitem"><p><span class="emphasis"><em>Key Store Type</em></span>. Type of Keystore.</p></li><li class="listitem"><p><span class="emphasis"><em>Peers only</em></span>. When the "Peers Only" option is selected for
the Truststore, it will authenticate only those clients that present a
certificate exactly matching a certificate contained within the Truststore
database.</p></li></ul></div><p>
</p><p>The following attributes apply to <span class="emphasis"><em>Non Java Trust Stores</em></span>
only.</p><p>
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="emphasis"><em>Certificates</em></span>. The certificate(s) in DER or PEM
format.</p></li></ul></div><p>
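As an added example (not Broker-J's own code), the following Python normalises the two Non Java Trust Store inputs named above (a file:// path or a data:// upload, in PEM or DER) into individual DER certificates and applies the "Peers Only" rule from the File Trust Store attributes: a client is accepted only when its certificate is byte-identical to a store entry. The data:// payload is assumed here to be base64 of the raw bytes, and the sample certificates are constructed placeholder DER SEQUENCEs rather than real X.509 certificates.

```python
# Added example (not Broker-J code): Non Java Trust Store input handling
# plus the "Peers Only" exact-match rule, standard library only.
import base64
import hashlib
import re
from pathlib import Path
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def load_source(uri: str) -> bytes:
    """Resolve the two source forms the page names. The data:// payload is
    ASSUMED here to be base64 of the raw PEM or DER bytes."""
    if uri.startswith("file://"):
        return Path(uri[len("file://"):]).read_bytes()
    if uri.startswith("data://"):
        return base64.b64decode(uri[len("data://"):])
    raise ValueError("unsupported certificate source: " + uri)

def to_der_list(blob: bytes) -> list:
    """Split one or more PEM CERTIFICATE blocks, or concatenated DER,
    into individual DER-encoded certificates."""
    pems = PEM_BLOCK.findall(blob)
    if pems:
        return [base64.b64decode(b"".join(p.split())) for p in pems]
    certs, i = [], 0
    while i < len(blob):                      # walk the outer DER SEQUENCEs
        if blob[i] != 0x30:
            raise ValueError("not a DER SEQUENCE at offset %d" % i)
        first = blob[i + 1]
        if first & 0x80:                      # long-form length
            n = first & 0x7F
            length, hdr = int.from_bytes(blob[i + 2:i + 2 + n], "big"), 2 + n
        else:                                 # short-form length
            length, hdr = first, 2
        certs.append(blob[i:i + hdr + length])
        i += hdr + length
    return certs

def peers_only_accepts(truststore: list, presented: bytes) -> bool:
    """Peers Only: accept a client only if its certificate is byte-identical
    to a store entry (compared by SHA-256 of the DER); no chain building."""
    digests = {hashlib.sha256(c).digest() for c in truststore}
    return hashlib.sha256(presented).digest() in digests

# Constructed placeholder DER SEQUENCEs standing in for real certificates.
PEER_A = b"\x30\x03\x02\x01\x01"             # short-form length
PEER_B = b"\x30\x81\x80" + b"\x05\x00" * 64   # long-form length (128 bytes)
PEM_A = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(PEER_A)
         + b"-----END CERTIFICATE-----\n")
DATA_A2 = "data://" + base64.b64encode(PEM_A + PEM_A).decode()  # constructed upload
```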
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Management-Managing-Truststores-Children"></a>7.12.3.&#160;Children</h3></div></div></div><p>None</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Management-Managing-Truststores-Lifecycle"></a>7.12.4.&#160;Lifecycle</h3></div></div></div><p>Not supported</p></div></div></div>