J2EE™ Developer's Guide
Security


Setting Up a Server Certificate

A server certificate is used with the HTTPS protocol to authenticate the server to Web browser clients. (For more information on certificates, see the Security in JDK 1.2 chapter of the Java™ Tutorial.) Unless a server certificate is installed, the HTTPS service of the J2EE server will not run. To set up a J2EE server certificate, follow these steps:

1. Generate a key pair and a self-signed certificate.

The keytool utility enables you to create the certificate. The keytool that ships with the J2EE SDK has the same syntax as the one shipped with the Java 2™ Standard Edition. However, the J2EE SDK version programmatically adds a Java™ Cryptography Extension provider that has implementations of the RSA algorithms. This provider enables you to import RSA-signed certificates.
To generate the key pair and certificate, run keytool as follows:
keytool -genkey -keyalg RSA -alias <certificate-alias>

In the previous command, substitute <certificate-alias> with the alias of your certificate.
The keytool utility prompts you for the following information:
keystore password - The default value of this password is changeit. You may change the password by editing the config/auth.properties file.
first and last name - Enter the fully-qualified name of your server. (This fully-qualified name includes the host name and the domain name.)
organizational unit - Enter the appropriate value.
organization - Enter the appropriate value.
city or locality - Enter the appropriate value.
state or province - Enter the unabbreviated name.
two-letter country code - For the USA, the two-letter country code is US.
key password for alias - Do not enter a password. Press Return.
2. Import the certificate.

If your certificate will be signed by a Certification Authority (CA) other than Verisign, you must import that CA's certificate; otherwise you may skip this step. (Even if your certificate will be signed by the Verisign Test CA, you must import its certificate.) To import the CA certificate, perform these tasks:
a. Request the CA certificate from your CA. Store the certificate in a file.
b. To install the CA certificate in the Java 2 Standard Edition, run keytool as follows. (You must have the required permissions to modify the $JAVA_HOME/jre/lib/security/cacerts file.)
keytool -import -trustcacerts -alias <ca-cert-alias> -file <ca-cert-file-name>
3. Generate a Certificate Signing Request (CSR).

keytool -certreq -sigalg MD5withRSA -alias <cert-alias> -file <csr-filename>
4. Send the contents of <csr-filename> to the CA for signing.

If you are using the Verisign CA, go to http://digitalid.verisign.com/. Verisign will send the signed certificate by email. Store this certificate in a file.
5. Import the signed certificate that you received by email into the server.

keytool -import -alias <cert-alias> -file <signed-cert-file>
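The following script is an added example and is not part of the J2EE Developer's Guide or the J2EE SDK. It scripts the five keytool steps above non-interactively (the answers to the interactive prompts of step 1 are supplied with -dname and -keypass) and, before touching the keystore, checks the distinguished name against the guide's prompt rules: the CN must be the fully-qualified host name, and C must be a two-letter country code. The keystore path, alias, CA alias and the DN values are constructed assumptions; the store password changeit is the J2EE SDK default. One deliberate departure from the guide is noted in a comment: the CSR is signed with SHA256withRSA rather than MD5withRSA, because CAs no longer accept MD5 signatures.

```shell
#!/bin/sh
# Added example, not code from the J2EE Developer's Guide.
# Assumed/constructed values; change them for your own server.
KEYSTORE="${KEYSTORE:-./j2ee-server.keystore}"   # assumption: explicit keystore file
STOREPASS="${STOREPASS:-changeit}"               # J2EE SDK default (config/auth.properties)
ALIAS="${ALIAS:-j2ee-server}"                    # assumption: certificate alias
CA_ALIAS="${CA_ALIAS:-test-ca}"                  # assumption: alias for the CA certificate
DNAME="${DNAME:-CN=www.example.com, OU=Engineering, O=Example Inc, L=Palo Alto, ST=California, C=US}"

# Returns 0 when the DN follows the guide's prompts: CN is a
# fully-qualified host name (host plus domain, so it contains a dot)
# and C is a two-letter country code. Prints the reason on failure.
validate_dname() {
    cn=""; cc=""
    old_ifs=$IFS; IFS=','
    for attr in $1; do
        attr=$(printf '%s' "$attr" | sed 's/^ *//; s/ *$//')
        case $attr in
            CN=*) cn=${attr#CN=} ;;
            C=*)  cc=${attr#C=} ;;
        esac
    done
    IFS=$old_ifs
    case $cn in
        *.*) ;;
        *) echo "CN '$cn' is not a fully-qualified host name" >&2; return 1 ;;
    esac
    case $cc in
        [A-Z][A-Z]) ;;
        *) echo "C '$cc' is not a two-letter country code" >&2; return 1 ;;
    esac
    return 0
}

# Step 1: RSA key pair and self-signed certificate. Pressing Return at the
# key-password prompt makes the key password equal the store password,
# which is what -keypass reproduces here.
gen_keypair() {
    keytool -genkey -keyalg RSA -alias "$ALIAS" -dname "$DNAME" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 2: trust the CA that will sign the request. $1 is the CA
# certificate file obtained from the CA.
import_ca_cert() {
    keytool -import -trustcacerts -alias "$CA_ALIAS" -file "$1" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -noprompt
}

# Step 3: certificate signing request written to $1. The guide shows
# MD5withRSA; SHA256withRSA is used instead because CAs reject MD5.
gen_csr() {
    keytool -certreq -sigalg SHA256withRSA -alias "$ALIAS" -file "$1" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Step 5: install the CA-signed certificate ($1) under the key's alias.
# keytool validates the reply against the CA certificate imported in step 2.
import_signed_cert() {
    keytool -import -alias "$ALIAS" -file "$1" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -noprompt
}

# Check after step 5: the alias should hold a private key with a
# certificate chain ending at the CA, not just the self-signed certificate.
show_keystore() {
    keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# The flow runs only when asked, so the file can be sourced for the helpers.
# First pass:  RUN_FLOW=1 CA_CERT=ca.cer sh setup-cert.sh       (steps 1-3)
# After step 4 returns the signed cert:
#              RUN_FLOW=1 SIGNED_CERT=server.cer sh setup-cert.sh (step 5)
if [ "${RUN_FLOW:-0}" = 1 ]; then
    if [ -n "${SIGNED_CERT:-}" ]; then
        import_signed_cert "$SIGNED_CERT" && show_keystore
    else
        validate_dname "$DNAME" || exit 1
        gen_keypair || exit 1
        if [ -n "${CA_CERT:-}" ]; then import_ca_cert "$CA_CERT" || exit 1; fi
        gen_csr server.csr && echo "Send server.csr to the CA (step 4)."
    fi
fi
```

The DN check exists because the CN is the only value browsers compare against the host name they connected to; a short host name or a wrong country code is accepted silently by keytool, and the mistake only surfaces as a browser warning after the CA has already signed the request.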





Copyright © 2000 Sun Microsystems, Inc. All rights reserved.