Derby Server and Administration Guide
keytool will prompt for needed information like identity details and passwords. Consult the JDK documentation for more information on keytool.
Certificate generation
Certificates are generated with keytool -export as follows:
keytool -export -alias <alias> -keystore <keystore> \
-rfc -file <certificate file>
The certificate file may then be distributed to the relevant parties.
Certificate installation
Installation of a certificate in a trust store is done with keytool -import as follows:
keytool -import -alias <alias> -file <certificate file> \
-keystore <trust store>
Examples
Generate the server key pair:
keytool -genkey -alias myDerbyServer -keystore serverKeyStore.key
Generate a server certificate:
keytool -export -alias myDerbyServer -keystore serverKeyStore.key \
-rfc -file myServer.cert
Generate a client key pair:
keytool -genkey -alias aDerbyClient -keystore clientKeyStore.key
Generate a client certificate:
keytool -export -alias aDerbyClient -keystore clientKeyStore.key \
-rfc -file aClient.cert
Install a client certificate in the server's trust store:
keytool -import -alias aDerbyClient -file aClient.cert \
-keystore serverTrustStore.key
Install the server certificate in a client's trust store:
keytool -import -alias myDerbyServer -file myServer.cert \
-keystore clientTrustStore.key
Starting the server with SSL/TLS
For server SSL/TLS, a server key pair needs to be generated. If the server is going to do client authentication, the client certificates need to be installed in the trust store. These operations are described in .
SSL at the server side is activated with the property derby.drda.sslMode (default off) or the -ssl option for the server start command.
Starting the server with basic SSL encryption
When the SSL mode is set to basic, the server will only accept SSL encrypted connections.
The properties javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword need to be set with the proper values.
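As an added example (not code from the Derby guide), the key and certificate steps above and the basic SSL start-up combined in one non-interactive script; the output directory, the -dname value, the RSA key size and the placeholder passwords are assumptions, the aliases and store names follow the examples above.

```shell
#!/bin/sh
# Added example, not from the Derby guide: the keytool steps above scripted
# non-interactively, plus the server start command for "basic" SSL mode.
# Assumptions: a JDK keytool is on PATH, derbynet.jar is on the CLASSPATH, and
# the store passwords below are placeholders to be replaced.
set -eu

WORK=${WORK:-./derby-ssl}                                  # output directory
SERVER_STORE_PASS=${SERVER_STORE_PASS:-placeholder-server} # placeholder
CLIENT_STORE_PASS=${CLIENT_STORE_PASS:-placeholder-client} # placeholder

# Generate the server key pair, export its certificate, and install that
# certificate in a client trust store. -dname and -storepass:env replace the
# interactive prompts; the :env form keeps the password out of the command
# line (and so out of process listings). RSA is chosen over the legacy DSA default.
derby_ssl_setup() {
    mkdir -p "$WORK"
    export SERVER_STORE_PASS CLIENT_STORE_PASS
    keytool -genkeypair -alias myDerbyServer -keyalg RSA -keysize 2048 \
        -dname "CN=myDerbyServer, O=Example" -validity 365 \
        -keystore "$WORK/serverKeyStore.key" \
        -storepass:env SERVER_STORE_PASS -keypass:env SERVER_STORE_PASS
    keytool -export -alias myDerbyServer -keystore "$WORK/serverKeyStore.key" \
        -storepass:env SERVER_STORE_PASS -rfc -file "$WORK/myServer.cert"
    keytool -import -noprompt -alias myDerbyServer -file "$WORK/myServer.cert" \
        -keystore "$WORK/clientTrustStore.key" -storepass:env CLIENT_STORE_PASS
}

# Succeed only if alias $3 is present in store $1 (password in env var $2);
# use it to check an import actually landed before starting the server.
store_has_alias() {
    keytool -list -keystore "$1" -storepass:env "$2" -alias "$3" >/dev/null 2>&1
}

# Print the start command: the key store and its password are JVM system
# properties, the SSL mode is the -ssl option of the start command
# (equivalent to setting derby.drda.sslMode=basic).
derby_ssl_start_cmd() {
    echo "java -Djavax.net.ssl.keyStore=$WORK/serverKeyStore.key" \
         "-Djavax.net.ssl.keyStorePassword=\$SERVER_STORE_PASS" \
         "org.apache.derby.drda.NetworkServerControl start -ssl basic"
}

if [ "${1:-}" = setup ]; then
    derby_ssl_setup
    store_has_alias "$WORK/clientTrustStore.key" CLIENT_STORE_PASS myDerbyServer
    derby_ssl_start_cmd
fi
```

Run it as `sh script.sh setup` to create the stores and print the start command; the client side then needs the matching javax.net.ssl.trustStore properties pointing at clientTrustStore.key.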
Example