问题
I did the following things:
+ generate keystore.jks with keytool
+ exported keystore.cer file with keytool
+ imported keystore.cer file into truststore.jks
+ copied keystore.jks and keystore.cer to the client
Then I call my server with
-Djavax.net.ssl.trustStore=truststore.jks -Djavax.net.ssl.trustStorePassword=*
and my client with
-Djavax.net.ssl.keyStore=forclient.jks -Djavax.net.ssl.keyStorePassword=*
The server exposes its interface with the super() call of UnicastRemoteObject
super(PORT,
new SslRMIClientSocketFactory(),
new SslRMIServerSocketFactory(null, null, true));
The Registry stuff does not use any SSL. Why is that not working out? It DOES work out if I add the keystore VM arguments in the server run config and the trustore VM arguments in the clien. But I really want to know why?
回答1:
Please understand the aim of keystore and truststore first. Look at the POST . It says
A keystore contains private keys, and the certificates with their corresponding public keys.
A truststore contains certificates from other parties that you expect to communicate with, or from Certificate Authorities that you trust to identify other parties.
So the client SHOULD have truststore so that it trusts the server its interacting with uses server's public key to encrypt the data. Server SHOULD have keystore which stores the private keys which is used to decrypt the data encrypted by corresponding private key by client.
I hope now you got why your application works when you switch keystore and trustore in client-server.
来源:https://stackoverflow.com/questions/6707986/why-is-my-rmi-ssl-client-authentication-not-working