<div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">7.12. Truststores</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Management-Managing-Keystores.html">Prev</a> </td><th align="center" width="60%">Chapter 7. Managing Entities</th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Management-Managing-Group-Providers.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Management-Managing-Truststores"></a>7.12. Truststores</h2></div></div></div><p> | |
<a class="link" href="Java-Broker-Concepts-Other-Services.html#Java-Broker-Concepts-Truststores" title="4.10.4. Truststores">Truststores</a> | |
have a number of roles within | |
the Broker. | |
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>A truststore is required by a Port in order to support SSL client authentication.</p></li><li class="listitem"><p>Truststores have a optional role in end to end message encryption. The Broker acts as a | |
<a class="link" href="https://en.wikipedia.org/wiki/Key_server_(cryptographic)" target="_top"> | |
Key Server | |
</a> | |
so that publishing applications have convenient access to recipient's public keys. | |
</p></li><li class="listitem"><p>Some authentication providers also use a truststore when connecting to authentication systems that | |
are protected by a private issuer | |
SSL certificate. | |
</p></li></ul></div><p> | |
</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Management-Managing-Truststores-Types"></a>7.12.1. Types</h3></div></div></div><p>The following truststore types are supported. </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="emphasis"><em>File Trust Store</em></span>. This type accepts the standard JKS | |
truststore format understood by Java and Java tools such as <a class="link" href="http://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html" target="_top">keytool</a>.</p></li><li class="listitem"><p><span class="emphasis"><em>Non Java Trust Store</em></span>. A non java trust store accepts key | |
material in PEM and DER file formats. Either a path to the certificate on the server can be specified using the file:// protocol or the certificate can be uploaded with the data:// protocol</p></li><li class="listitem"><p><span class="emphasis"><em>Managed Certificate Store</em></span>. This type accepts key | |
material in PEM and DER file formats. Contrary to the Non Java Trust Store this store allows the user to add multiple certificates and stores them in the broker configuration.</p></li><li class="listitem"><p><span class="emphasis"><em>Site Specific Trust Store</em></span>. This type will download a certificate from the provided SSL/TLS enabled URL. Note that you must specify both the protocol and the port. Example: https://example.com:443</p></li></ul></div><p> | |
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Management-Managing-Truststores-Attributes"></a>7.12.2. Attributes</h3></div></div></div><p> | |
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="emphasis"><em>Name the truststore</em></span>. Used to identify the | |
truststore.</p></li><li class="listitem"><p><span class="emphasis"><em>Exposed as Message Source</em></span>. If enabled, the Broker | |
will distribute certificates contained within the trustore to clients. | |
Used by the end to end message encryption feature.</p></li><li class="listitem"><p><span class="emphasis"><em>Trust Anchor Validity Enforced</em></span>. If enabled, authentications will | |
fail if the trust anchor's validity date has not yet been reached or already expired.</p></li></ul></div><p> | |
</p><p>The following attributes apply to <span class="emphasis"><em>File Trust Stores</em></span> only.</p><p> | |
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="emphasis"><em>Path</em></span>. Path to truststore file</p></li><li class="listitem"><p><span class="emphasis"><em>Truststore password</em></span>. Password used to secure the truststore</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p> The password of the certificate used by the Broker <span class="bold"><strong>must</strong></span> match the password of the keystore | |
itself. </p></div></li><li class="listitem"><p><span class="emphasis"><em>Certificate Alias</em></span>. An optional way of specifying | |
which certificate the broker should use if the keystore contains multiple | |
entries.</p></li><li class="listitem"><p><span class="emphasis"><em>Manager Factory Algorithm</em></span>. In keystores the have more | |
than one certificate, the alias identifies the certificate to be | |
used.</p></li><li class="listitem"><p><span class="emphasis"><em>Key Store Type</em></span>. Type of Keystore.</p></li><li class="listitem"><p><span class="emphasis"><em>Peers only</em></span>. When "Peers Only" option is selected for | |
the Truststore it will allow authenticate only those clients that present a | |
certificate exactly matching a certificate contained within the Truststore | |
database.</p></li></ul></div><p> | |
</p><p>The following attributes apply to <span class="emphasis"><em>Non Java Trust Stores</em></span> | |
only.</p><p> | |
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="emphasis"><em>Certificates</em></span>. The cerificate(s) in DER or PEM | |
format.</p></li></ul></div><p> | |
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Management-Managing-Truststores-Children"></a>7.12.3. Children</h3></div></div></div><p>None</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Management-Managing-Truststores-Lifecycle"></a>7.12.4. Lifecycle</h3></div></div></div><p>Not supported</p></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Management-Managing-Keystores.html">Prev</a> </td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Management-Managing-Entities.html">Up</a></td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Management-Managing-Group-Providers.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">7.11. Keystores </td><td align="center" width="20%"><a accesskey="h" href="Apache-Qpid-Broker-J-Book.html">Home</a></td><td align="right" valign="top" width="40%"> 7.13. Group Providers</td></tr></table></div></div> |