Sun ONE Integration Server, Secure Trading Agent 1.0 User's Guide



Appendix A      Creating Certificates for Use with Secure Trading Agent

This appendix describes the procedure for using keytool to acquire certificates from a third-party certificate authority (CA) such as VeriSign or Thawte. keytool is a key and certificate management tool included in the Java™ 2 Software Development Kit (Java 2 SDK), Standard Edition, which is the Java platform used with this release.

Keytool Documentation

Keytool documentation is available in the docs directory of your Java 2 SDK installation. You may have to download the Java 2 SDK documentation separately. This documentation is also available online at the following URL:

http://java.sun.com/j2se/1.4/docs/tooldocs/solaris/keytool.html



Note

This appendix provides summary instructions only for using keytool. For detailed instructions, refer to the keytool documentation.



Managing Keystores with Keytool

The basic steps for managing a keystore with keytool are:

  1. Create a keystore.

    Use the -genkey option with keytool to generate a private key and store it in a keystore. Typically, a keystore file has a .jks extension.

    When generating the keystore you specify an alias and a name.

    The alias you specify is the keyname you use when referencing the keystore in the Communications Center. This keyname is also used to reference the signing certificate you specify in the Agreement Editor to sign messages.

    The name is an X.500 distinguished name and has the following format:

    CN=cName, OU=orgUnit, O=org, L=city, S=state, C=countryCode

    The CN you specify should be the fully qualified domain name of the server you are using as a Secure Trading Agent secure endpoint, as specified in your ebXML agreement (for example, raggs.ebay.sun.com). The CN can also be an IP address. Check with the CA you are using to determine their requirements for CN names.

    Caution

    Make sure your keystore file, which contains your private key, is kept in a secure location on your system.

  2. Issue certificate requests (which you send to the appropriate Certification Authority).

    Use the -certreq option with keytool to generate a Certificate Signing Request (CSR) file, which you send to a CA. The CA authenticates the certificate requestor and replies with a public certificate and one or more trusted certificates.

    Typically, a certificate request file has a .csr extension. The CA returns certificate files with a .cer extension. One of the returned certificates contains the public key that matches the private key created in Step 1 above. The other certificate files are trusted certificates that verify your public key.

  3. (Optional) Import the trusted certificates obtained from the CA in Step 2 above.

    Perform this step only if the trusted certificates obtained from the CA have not previously been imported into the truststore supplied with your Java 2 SDK (the cacerts file).

    Use the -import option to import the trusted certificates returned by the CA into the cacerts file.

  4. Designate public keys belonging to other parties as trusted.

    Use the -trustcacerts option with the -import option to provide a chain of trust to your keystore file. You must specify your keystore alias and keystore password when doing this step.

  5. Verify that your public/private key pair matches.

    Use the -printcert option of keytool to print the information in your public certificate. Then use the -list option to print the information in your private key entry. You can then compare the certificate fingerprints in the two listings, as shown in Code Example A-1.

    Code Example A-1    Listing of Public and Private Key Files

    % keytool -printcert -file raggs.cer
    Owner: CN=raggs.ebay.sun.com, OU=SQA, O=Sun, L=Oakland, ST=California, C=US
    Issuer: OU=For VeriSign authorized testing only. No assurances (C)VS1997,
    OU=www.verisign.com/repository/TestCPS Incorp.
    By Ref. Liab. LTD., O="VeriSign, Inc"
    Serial number: 29415e9496b158ad7d040f6d45b0aac4
    Valid from: Thu Dec 05 16:00:00 PST 2002 until: Fri Dec 20 15:59:59 PST 2002
    Certificate fingerprints:
             MD5:  CC:2A:56:62:FF:8A:1A:87:7E:D0:D1:D8:28:54:E4:F2
             SHA1: 27:C6:BF:AE:18:B3:D9:2A:91:2B:7E:F2:3F:64:88:DF:00:A1:3E:28

    % keytool -list -keystore raggs.jks -storepass cosmo

    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 1 entry

    raggs.sun.com, Dec 6, 2002, keyEntry,
    Certificate fingerprint (MD5): CC:2A:56:62:FF:8A:1A:87:7E:D0:D1:D8:28:54:E4:F2

  6. Update your Tomcat web server configuration so it can access your private key.

    Edit the server.xml file for the Tomcat web server configuration used by Secure Trading Agent so that it uses your private key for digital signing. The default locations for server.xml are:

    /opt/SUNWebXML/ebXML/tomcat/conf/server.xml (Solaris platforms)
    c:\Sun\ebXML\tomcat\conf\server.xml (Windows platforms)

    In server.xml, there is a Connector element that defines an SSL HTTP/1.1 connector on port 8444. This Connector element is configured to use the default keystore created by Secure Trading Agent, and is useful for testing purposes. Edit the keystoreFile and keystorePass attributes of this element to reference your own keystore file and its password. Shut down the message handler (ebmsh) before editing the server.xml file.

    Refer to your Tomcat documentation for more information on editing the server.xml file.
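The keytool steps above collected into one helper script, added here as an example; it is not part of the Sun ONE product or of the keytool documentation. It assumes the alias raggs, keystore raggs.jks, CSR raggs.csr and CA reply raggs.cer from Code Example A-1, picks RSA for the key (an assumption; keytool's default is DSA), and performs the Step 5 fingerprint comparison by parsing the two keytool listings instead of reading them by eye.

```shell
#!/bin/sh
# Added example, not Sun ONE or keytool code. Assumed names: alias raggs,
# keystore raggs.jks, CSR raggs.csr, CA reply raggs.cer (from Code Example A-1).

# Step 1: generate the private key under the alias. -keyalg RSA is an
# assumption; keytool defaults to DSA, which many CAs will not sign.
gen_key() {   # gen_key ALIAS KEYSTORE STOREPASS DNAME
  keytool -genkey -alias "$1" -keystore "$2" -storepass "$3" -keypass "$3" \
          -keyalg RSA -dname "$4"
}
# Step 2: write the CSR file that is sent to the CA.
make_csr() {  # make_csr ALIAS KEYSTORE STOREPASS CSRFILE
  keytool -certreq -alias "$1" -keystore "$2" -storepass "$3" -file "$4"
}
# Step 3: import a CA (trusted) certificate into the Java 2 SDK cacerts file.
import_ca_cert() {  # import_ca_cert CACERTS_PATH CACERTS_PASS ALIAS CERTFILE
  keytool -import -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}
# Step 4: import the CA reply for our own key with -trustcacerts, so keytool
# validates its chain against cacerts before replacing the self-signed cert.
import_reply() {  # import_reply ALIAS KEYSTORE STOREPASS CERTFILE
  keytool -import -trustcacerts -alias "$1" -keystore "$2" -storepass "$3" -file "$4"
}

# Step 5: pull the MD5 fingerprint out of either listing format shown in
# Code Example A-1 ("MD5:  CC:..." and "Certificate fingerprint (MD5): CC:...").
md5_fingerprint() {   # reads a keytool listing on stdin, prints upper-case hex
  sed -n 's/.*MD5[^:]*:[[:space:]]*\([0-9A-Fa-f:]*\).*/\1/p' | head -n 1 | tr 'a-f' 'A-F'
}
fingerprints_match() {  # fingerprints_match PRINTCERT_OUTPUT LIST_OUTPUT
  a=$(printf '%s\n' "$1" | md5_fingerprint)
  b=$(printf '%s\n' "$2" | md5_fingerprint)
  [ -n "$a" ] && [ "$a" = "$b" ]   # fails when either listing lacks an MD5 line
}
verify_pair() {  # verify_pair CERTFILE KEYSTORE STOREPASS -> exit 0 when they match
  fingerprints_match "$(keytool -printcert -file "$1")" \
                     "$(keytool -list -keystore "$2" -storepass "$3")"
}

# Self-check on constructed sample text copied from the two listings in
# Code Example A-1, so this part runs without keytool or a keystore present.
SAMPLE_PRINTCERT='Certificate fingerprints:
         MD5:  CC:2A:56:62:FF:8A:1A:87:7E:D0:D1:D8:28:54:E4:F2'
SAMPLE_LIST='raggs.sun.com, Dec 6, 2002, keyEntry,
Certificate fingerprint (MD5): CC:2A:56:62:FF:8A:1A:87:7E:D0:D1:D8:28:54:E4:F2'
fingerprints_match "$SAMPLE_PRINTCERT" "$SAMPLE_LIST" && echo "sample fingerprints match"
```

verify_pair is the scripted form of Code Example A-1; note that the keystore password given to -storepass here is the same one that Step 6 places in clear text in server.xml, so restrict read access to server.xml as well as to the .jks file.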


Copyright 2003 Sun Microsystems, Inc. All rights reserved.