s.y.max

Reputation: 41

JBoss reload certificate truststore without restart

Is there a way to "reload" the certificate truststore in JBoss 4.2 without restart?

I am trying to have an EJB call a web service on a remote server with SSL and am seeing a similar problem with SSLHandshakeException as in the article below. What we are attempting to do is the following and involves three machines: A, the JBoss server acting as a web service client to servers B and C.

1) On A, user enters in hostname for B. The machine on A obtains the self-signed certificate of B and installs it in the trust store (via an external shell script).

2) The SSL socket connection is made to B, at which point it seems the certificate store is loaded on this first attempt. The connection is successful and everything works.

3) Again on A, user does the same thing as in 2, the shell script obtains C's certificate and installs it to the truststore. However, on the attempted connection to C, it appears (by enabling javax.net.debug=ssl) that the truststore is not "reloaded" and it doesn't find C's certificate and we get SSLHandshakeException.

After restarting JBoss the "updated" truststore is loaded, and the connection to both B and C work.

I would like to do this without restarting JBoss, and I gather the above scheme isn't correct. If someone could point me to documentation for the correct way to dynamically update the truststore it would be very much appreciated.

Problem calling web service from within JBOSS EJB Service

Upvotes: 4

Views: 5798

Answers (2)

Robert

Reputation: 42710

Having one EJB add self-signed certificates (on user interaction) to the JBoss-wide trust store is not a good idea from a security perspective.

A cleaner solution would be to let your Webservice client use a custom X509TrustManager implementation or alternatively a custom SSLSocketFactory. In both cases you can decide on your own which certificate to trust. This would allow you to manage your own trust-store that is only valid for that EJB and the respective WS-call.

See also: http://www.howardism.org/Technical/Java/SelfSignedCerts.html

Upvotes: 0
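The following is an added example, written for this page; it is not code from the question, from the answer, or from JBoss itself. It shows what the answer suggests: a custom X509TrustManager that owns a private truststore for the EJB and can re-read that file on demand, plus an SSLSocketFactory built from it. This addresses the symptom in the question as well: the JDK reads the truststore named by javax.net.ssl.trustStore once, when the default SSLContext is first initialised, so certificates imported into that file later are not seen until the JVM restarts. The path /opt/app/ejb-truststore.jks, the password, and the hosts hostB.example and hostC.example are assumptions for illustration only.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * An X509TrustManager that wraps the JDK's standard PKIX trust manager built
 * from a private truststore file, and rebuilds that delegate whenever reload()
 * is called (for example after an external script has imported a new server
 * certificate). Assumed: the truststore is a JKS file whose path and password
 * are supplied by the caller. Written for Java 5/6, the JBoss 4.2 era.
 */
public final class ReloadableTrustManager implements X509TrustManager {

    private final String truststorePath;
    private final char[] truststorePassword;
    private volatile X509TrustManager delegate;

    public ReloadableTrustManager(String truststorePath, char[] truststorePassword)
            throws GeneralSecurityException, IOException {
        this.truststorePath = truststorePath;
        this.truststorePassword = truststorePassword;
        reload();
    }

    /** Re-read the truststore from disk and swap in a freshly initialised delegate. */
    public synchronized void reload() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(truststorePath);
        try {
            ks.load(in, truststorePassword);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                delegate = (X509TrustManager) tm; // volatile write: later handshakes see the new store
                return;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager available for " + truststorePath);
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // Full PKIX validation against the current truststore: a server whose
        // certificate is not in the file still fails, nothing is blindly accepted.
        delegate.checkServerTrusted(chain, authType);
    }

    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    /** An SSLSocketFactory whose handshakes consult this trust manager (not the JVM default). */
    public SSLSocketFactory socketFactory() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { this }, null);
        return ctx.getSocketFactory();
    }

    /** Demo of the question's flow: connect to B, import C's cert externally, reload, connect to C. */
    public static void main(String[] args) throws Exception {
        // Assumed path, password and hosts; replace with the EJB's own truststore and targets.
        ReloadableTrustManager tm = new ReloadableTrustManager(
                "/opt/app/ejb-truststore.jks", "changeit".toCharArray());
        SSLSocketFactory sf = tm.socketFactory();

        HttpsURLConnection b = (HttpsURLConnection) new URL("https://hostB.example/ws").openConnection();
        b.setSSLSocketFactory(sf);
        System.out.println("B responded " + b.getResponseCode());

        // ... the external script imports hostC's certificate into ejb-truststore.jks here ...
        tm.reload(); // picks up C's certificate; the same SSLSocketFactory keeps working

        HttpsURLConnection c = (HttpsURLConnection) new URL("https://hostC.example/ws").openConnection();
        c.setSSLSocketFactory(sf);
        System.out.println("C responded " + c.getResponseCode());
    }
}
```

Two practical points. First, wrapping the JDK's own PKIX trust manager rather than writing a checkServerTrusted that returns unconditionally keeps chain validation and expiry checks intact; the only change is which file defines the trust anchors and when it is read. Second, reload() only affects new handshakes: an SSLContext caches sessions, so a host already negotiated before a certificate was removed from the file can resume its session until that session expires. If removal must take effect immediately, build a fresh SSLContext (and SSLSocketFactory) after each reload instead of reusing the old one.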
