Discussion:
javax.net.ssl.keyStore = None ? Can we have no client keystore
J***@decipherworks.com.au
2017-10-08 23:37:46 UTC
Hello

Normally, you would define your client keystore as follows

# client authentication
javax.net.ssl.keyStore=D:\test\clientStore.jks
javax.net.ssl.keyStorePassword=password123
javax.net.ssl.keyStoreType=jks


Is it possible to tell Directory Integrator to not use any client keystore for authentication?

Thank you
J***@decipherworks.com.au
2017-10-09 01:13:46 UTC
I should add that I would like this behavior for the HTTP Client Connector (using TDI 7.1.1)
yn2000
2017-10-09 15:28:25 UTC
I am not sure I understand the question, because it sounds like: You want to make an HTTPS connection without the 'S'? Does it mean that you just want to have an HTTP connection?

Having said, when I comment out those lines, the TDI is not barking. That means that the TDI is not reading that keystore anymore.

Having said, you know that you can have an empty keystore, right? Also, on your other post it seems that you are mentioning a condition where TDI was sending a certificate request, which is most likely because of the 'certificate request' key in your key store.

Having said, there is a link to a Key Manager in TDI console, where you can check the contents of the keystore, which probably you already knew.

Having said, I guess I am not helping, but hopefully point out something that you might have missed.

Rgds, YN.
Eddie Hartman
2017-10-09 18:29:43 UTC
Post by J***@decipherworks.com.au
> I should add that I would like this behavior for the HTTP Client Connector (using TDI 7.1.1)

If you do not enable SSL then no client cert is required.
J***@decipherworks.com.au
2017-10-10 00:53:12 UTC
Post by Eddie Hartman
> Post by J***@decipherworks.com.au
> > I should add that I would like this behavior for the HTTP Client Connector (using TDI 7.1.1)
> If you do not enable SSL then no client cert is required.

Thanks Eddie

Is there a way to do it *with* SSL (i.e. https://webserver ) ?

I have no way to update the webserver to not request a client certificate when doing the SSL handshake.
J***@decipherworks.com.au
2017-10-10 04:32:07 UTC
I found my answer. Removed the personal certificate from the jks keystore - that way there is no client certificate that can be sent!
Eddie Hartman
2017-10-10 19:38:22 UTC
Post by J***@decipherworks.com.au
> I found my answer. Removed the personal certificate from the jks keystore - that way there is no client certificate that can be sent!

Glad to hear it, Jason, and thanks for sharing!

-Ed
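
The fix reported in this thread (removing the personal certificate so that nothing can be sent), as an added example that is not part of any post: a shell check over `keytool -list` output that names the keystore entries holding a private key. The sample listing and its aliases are constructed, and the parsing assumes the listing format printed by the OpenJDK keytool.

```shell
#!/bin/sh
# Added example, not from the thread. Finds the entries in a client keystore
# that hold a private key ("personal certificates"): only those can be sent
# as a TLS client certificate. trustedCertEntry entries are never offered.

# Constructed sample of `keytool -list` output; the aliases and the
# fingerprint placeholders are made up for this example.
sample_listing() {
  cat <<'EOF'
Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

tdi-client, Oct 8, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): <constructed>
webserver-ca, Oct 8, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed>
old-client, Jan 5, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): <constructed>
EOF
}

# Read a keytool listing on stdin and print one private-key alias per line.
# The alias is everything before the first ", " on the entry line.
private_key_aliases() {
  awk '/, PrivateKeyEntry, *$/ { sub(/, .*$/, ""); print }'
}

# Exit status 0 when the listing has no private-key entry (nothing can be
# sent in answer to the server's certificate request), 1 otherwise.
no_client_identity() {
  [ -z "$(private_key_aliases)" ]
}

# Against a real store (file name and alias are placeholders; keytool
# prompts for the store password):
#   keytool -list -keystore clientStore.jks | private_key_aliases
#   keytool -delete -alias <alias> -keystore clientStore.jks
sample_listing | private_key_aliases
```

Work on a backup copy of the keystore: deleting a PrivateKeyEntry discards the private key along with its certificate.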
