
We've built a Java EE app in JBoss that exposes web services to external consumers. We want to secure these services so that we know who is making the web service invocations. We have a registration process that requires the consumers to upload their public key so that we can add it to our truststore. However it is currently a manual process of using the keytool from the command line to add them to the truststore.

This whole setup seems rather primitive. I don't like the idea of a truststore on the filesystem that is not part of the database. There must be an approach that lets you utilize the database to store the certs. Should I put the certs in a blob column, and roll my own custom TrustManager that pulls the public key out of the db and verifies the signature? Or is there some other generally implemented open-source solution to this problem?

Arjan Tijms
Kevin Pauli

1 Answer


Why don't you just store the PEM file in database? It can be a BLOB or a text column.

Google's web app registration is a good example,

http://code.google.com/apis/accounts/docs/RegistrationForWebAppsAuto.html#register

Look at step 4: Upload a security certificate.

ZZ Coder
  • I think it's more than the pem though... I want the cert to be trusted even though it is self-signed. Currently we have to do this via the keytool, which modifies the truststore locally, but then if I redeploy the app to another box the truststore doesn't come along if I forget. It's a truststore issue. – Kevin Pauli Dec 17 '09 at 16:46
  • You have to trust all the certificates you store in your database. Your provisioning system should take care of that. It's not a scalable solution to store self-signed certs in a truststore. If everyone uses self-signed certs, you end up having the whole DB in the truststore. – ZZ Coder Dec 17 '09 at 19:30
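The question asks about a custom TrustManager backed by the database, and the answer suggests keeping the uploaded PEM there; the comments then note that with self-signed certificates there is no chain to validate, only an exact registered certificate to match. The following is an added example that sketches that design; it is not code from the question, the answer, or JBoss. The `ConsumerCertStore` interface, the `consumer_cert` table and the class name are assumptions standing in for whatever the registration process actually persists. It loads every registered PEM into memory, accepts a TLS client certificate only if it is byte-for-byte one that was registered (so chain building and a filesystem truststore are not involved), checks the validity period, and maps the certificate back to the consumer id so the application knows who is calling.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical TrustManager (not part of JBoss or any library) that treats the
 * registration database, rather than a truststore file, as the list of trusted
 * consumer certificates. Each registered certificate is trusted exactly as
 * uploaded, which is what you want for self-signed consumer certs: there is no
 * issuer to walk to, so the check is "is this the certificate consumer X registered".
 */
public final class RegisteredConsumerTrustManager implements X509TrustManager {

    /** Assumed abstraction over the DB, e.g. SELECT consumer_id, cert_pem FROM consumer_cert. */
    public interface ConsumerCertStore {
        Map<String, String> loadAllPem();   // consumer id -> PEM text of the uploaded certificate
    }

    // java.security.cert.Certificate.equals/hashCode compare the DER encoding,
    // so a HashMap keyed by certificate gives an exact-match lookup.
    private final Map<X509Certificate, String> consumerByCert = new HashMap<>();

    public RegisteredConsumerTrustManager(ConsumerCertStore store) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (Map.Entry<String, String> row : store.loadAllPem().entrySet()) {
            // CertificateFactory accepts PEM (Base64 between BEGIN/END CERTIFICATE lines) directly.
            X509Certificate cert = (X509Certificate) cf.generateCertificate(
                    new ByteArrayInputStream(row.getValue().getBytes(StandardCharsets.US_ASCII)));
            consumerByCert.put(cert, row.getKey());
        }
    }

    /** Returns the registered consumer id for a presented leaf certificate, or null if unknown. */
    public String consumerFor(X509Certificate leaf) {
        return consumerByCert.get(leaf);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("client presented no certificate");
        }
        X509Certificate leaf = chain[0];
        // Exact match against the registration table; any intermediate certs the
        // client sends are ignored because trust is per registered certificate.
        if (consumerFor(leaf) == null) {
            throw new CertificateException("certificate is not registered: " + leaf.getSubjectX500Principal());
        }
        // Expired or not-yet-valid registered certs are still rejected.
        leaf.checkValidity();
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // This manager only authenticates inbound consumers; outbound server trust is not its job.
        throw new CertificateException("server trust is not handled by this TrustManager");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // A self-signed certificate is its own issuer, so advertising the registered
        // certificates lets clients pick the right one when the server requests a cert.
        return consumerByCert.keySet().toArray(new X509Certificate[0]);
    }

    /** Example wiring: an SSLContext whose client-auth decisions come from the database. */
    public static SSLContext sslContextFor(ConsumerCertStore store) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Key managers (the server's own identity) are left null here; the app supplies its own.
        ctx.init(null, new TrustManager[] { new RegisteredConsumerTrustManager(store) }, null);
        return ctx;
    }
}
```

Two points worth noting when using something like this in practice. First, the map is loaded once at construction, so a newly registered consumer is not trusted until the TrustManager is rebuilt (or the store is re-read on a schedule); that is the same freshness question a truststore file has, just moved into code you control. Second, because trust is an exact match on the uploaded certificate, revoking a consumer is a row deletion rather than a keytool invocation, and the same rows travel with the database to any box the app is redeployed on, which addresses the "truststore doesn't come along" problem raised in the comments.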