SSL: how to use Multiple Private key/Certificate pair for authentication.

Hi all,
I am implementing SSL in Java using an X509 certificate/private key combination.
I have two sets of private key/certificate pairs.
One is the factory default and the other is generated at run time.
My problem is to try an SSL connection with both pairs on the same TCP/IP connection.
E.g. on the server side: first try the SSL connection with the factory default certificate; if it fails, try connecting with the generated certificate on the same TCP/IP connection.
On the client side: if the generated certificate (this certificate was generated at the server side) is present, first perform server authentication using this certificate; otherwise authenticate the server with the factory default certificate.
Can someone please help and let me know how I need to configure both ends (client and server) to achieve this.
Thanks In Advance
Saurabh Ahuja

"Client code does not contain any default truststore and needs a certificate for authentication."
Of course it does. OpenSSL has a way of doing that: some kind of equivalent for the truststore. None of the stuff you've posted here about generating certificates at runtime has any bearing on that problem.
It's like this. The idea of PKI with SSL is as follows:
- the server has a private key and a signed certificate. Preferably it's signed by a CA that the client already trusts, otherwise if it's self-signed it has to be exported from the server's keystore and imported into the truststores of all the clients.
- the client has a truststore that trusts the server, one way or the other, see above.
- the server's private key is private to it. Nobody else has it. Nobody else can ever get it. If it ever leaks, the server is compromised, and server authentication via that private key now means absolutely nothing. You have lost security.
- the server sends its cert to the client along with a digital signature signed by its private key.
- the client (a) decides whether it trusts the cert, via its truststore, and (b) verifies the digital signature, which establishes that the server owns the certificate.
At this point the server is authenticated to the client and the SSL connection is open. It can now be used as an ordinary socket connection.
If you want client authentication too, you need all the above in reverse as well, i.e. reading server for client and client for server throughout. Note particularly that each client must have its own private key. Otherwise the private key isn't private, so signing something with it doesn't establish ownership, so client authentication isn't valid.
You need to understand all this stuff and relate it to the apparently broken security design of your application. Generating a private key and a certificate at runtime is complete nonsense within the context of PKI and SSL. It proves nothing, establishes nothing, authenticates nothing; it just wastes time.
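The PKI flow the answer lays out (server key pair, client truststore, signature check) played out in code. This is an added example, not code from the original thread, and it is written in Go rather than Java so that it runs stand-alone with the standard library. It assumes a hypothetical host name server.example and uses self-signed certificates over a loopback TCP connection. It models the thread's two certificates: a factory default cert that the client was given in advance (its truststore), and a second cert created at run time. The client accepts the factory cert, rejects the runtime cert with an unknown-authority error because nothing in its truststore vouches for it, and accepts the runtime cert only once that cert has also been distributed to its truststore out of band, which is exactly the step the answer says cannot be skipped.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

const serverName = "server.example" // hypothetical host name used in the certificates

// newSelfSigned builds a private key and a self-signed certificate for serverName.
// A self-signed cert is only trustworthy to a client that was handed that exact
// certificate out of band (export from the server keystore, import into the truststore).
func newSelfSigned(serial int64) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// handshake performs one TLS handshake over a loopback TCP connection. The server
// proves possession of serverCert's private key by signing the handshake; the
// client accepts only if the presented cert is vouched for by its truststore,
// built here from the certs passed as trusted. The client's handshake error is returned.
func handshake(serverCert tls.Certificate, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			srvDone <- err
			return
		}
		defer conn.Close()
		srvDone <- tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	err = tls.Client(conn, &tls.Config{RootCAs: pool, ServerName: serverName}).Handshake()
	conn.Close() // closing first guarantees the server goroutine returns
	<-srvDone
	return err
}

// Outcome records the three cases discussed in the thread.
type Outcome struct {
	FactoryAccepted   bool // truststore holds the factory cert, server presents it
	GeneratedRejected bool // truststore holds only the factory cert, server presents a cert made at run time
	GeneratedAccepted bool // the run-time cert was also distributed to the client's truststore
}

func RunScenarios() (Outcome, error) {
	factory, factoryLeaf, err := newSelfSigned(1)
	if err != nil {
		return Outcome{}, err
	}
	generated, generatedLeaf, err := newSelfSigned(2)
	if err != nil {
		return Outcome{}, err
	}
	var o Outcome
	o.FactoryAccepted = handshake(factory, factoryLeaf) == nil
	var unknown x509.UnknownAuthorityError
	o.GeneratedRejected = errors.As(handshake(generated, factoryLeaf), &unknown)
	o.GeneratedAccepted = handshake(generated, factoryLeaf, generatedLeaf) == nil
	return o, nil
}

func main() {
	o, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The middle case is the one the question is really about: a certificate minted on the server at run time is rejected by every client that has not already been given it, so generating it buys nothing that the factory certificate did not already provide. Client authentication would mirror this with a client key pair, tls.Config.ClientCAs on the server and ClientAuth set to tls.RequireAndVerifyClientCert.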

Similar Messages

  • SSL: How to use the same key pair for ABAP & JAVA?

    Hello,
    I want to set up an XI (3.0 on NetWeaver 04) installation in such a way that the ABAP AS and the JAVA AS use the same key pair for SSL. My problem is to define the same private key on ABAP and JAVA. With the JAVA Administrator I am able to define or import a private key. But I could not find a possibility in ABAP to manage private keys in order to use the same one as in JAVA. What is the procedure for this?
    Thanks and Regards,
    Frank Tottleben

  • How to use Multiple Homes on Windows Box for patching

    Reading an article by Arup Nanda (04.23.2007) that talks about using multiple Oracle homes for patching. We've installed Oracle again and now have 2 Oracle Homes (db_1 and db_2). If I look at my service startup for the database I see this:
    c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE TestDB.
    If I try to start my database out of the db_2 install I'll receive errors about the init file not being located in the db_2 location. Should I copy all my files from db_1 over to db_2?
    thanks.

    "I'll receive errors about the init file not being located in the db_2 location"
    Yes, of course. Otherwise the Oracle Home will never know the location of the init.ora at the old location.

  • How to use a shared secret key (Diffie-Hellman) for encryption and decryption

    In my client server program I wanted to encrypt a random key using a shared secret key for encryption and decryption with DES, but I'm unable to encrypt it as init() is not taking the shared secret key for encryption. Somebody please help. My mail id: [email protected]

    You need to post some code because it works for everyone else.

  • How to use multiple languages in unity connection for greetings

    Hi All,
    I have Unity Connection version 7.5. I want to use multiple languages for greetings. I mean I have different users from different geographical locations, so I want to use English, French and Spanish. Can I customize my setup like that?
    Regards
    Pardha

    Are you talking about the user greeting? Then have them record the greeting anywhere they want in whatever language they want. If you install multiple locales you can have each user record a greeting in a different language as well, and then the appropriate language greeting will be played depending on who addresses this user, by using the "inherit language" feature. Though this will only work when addressing messages from within voicemail, not by dialing from a phone, as that will simply use the default routing rule, unless you create custom rules.
    HTH,
    Chris

  • Help Please!: How to use multiple Transmit keys in WEP??

    I am a new Mac user with a MacBook Pro..
    I am able to use the wireless connection when at home, however I am having issues when at work. I think this is due to the fact that my work puts out 2 WEP keys and then tells us which of the two keys is the transmit key. I believe the other key must be used for encryption/decryption purposes. It may work once the transmit key is #1, but it's not always #1 (currently it is not).
    Using the wireless setup interface in the OS, I only have the ability to add one WEP key. This means it is only transmitting key #1.
    Is there some sort of advanced setting which would allow me to add multiple keys and then select the key which should be used as the transmit key? This is common on Windows systems. I would assume Mac could do it also.
    Without the ability to add more than one key and select the transmit one, I will be unable to get into my corporate wireless setup.
    Thanks for your help!!
    MacBook Pro, Mac OS X (10.4.5)

    Basically..is there a way to set a WEP key and have it negotiate as transmit key #2 ??????

  • How to use a function key on keyboard for executing a non SAP program

    Hello Gurus.
    My client wants to run a non-SAP program by selecting a specific function key on the keyboard while entering data in SAP.
    I know that it is possible to execute a non-SAP program after adding a special program to each SAP program, but that is a huge job.
    The client wants to run a non-SAP program wherever he is in an SAP program. Is it possible?

    Hi,
    1. Create a ".exe" file for the .NET application.
    2. Create a PF-STATUS and assign the Function Code for the desired Function Key in the SAP program.
    3. In the USER COMMAND code inside program, when the respective function code is triggered, write the below code with the path to the .NET exe file.
    CALL METHOD cl_gui_frontend_services=>execute
      EXPORTING
        document = '.NET exe file path'
      EXCEPTIONS
        OTHERS   = 1.

  • How to use a self-signed certificate

    Hello,
    I am having some trouble understanding how to use a self-signed certificate. I have created one using Keychain Access -> Create Certificate but it never asked me for the private key and it never told me where the certificate is stored. How am I supposed to use it?
    Typically I would like to do two things:
    1) Use the certificate to, for example, sign an email or other document so that the recipient can verify that it was really me. I understand the concept that they have to have my public key and use it to somehow decrypt something that I have encrypted with my private key. But where is my private key? As mentioned, the certificate creation process never at any point asked me to provide a private key. An example using this process to sign an email would be really appreciated.
    2) I want to be able to decrypt a message that someone sends to me after encrypting it with my public key. Again, I need my private key; where is it? I was never asked to choose one!
    Please note that I am familiar with the whole process using OpenSSL/ssh via the command line; I just need to understand how to achieve the same thing using the certificate creation procedure provided via Keychain Access.
    In short, now that I have created my certificate, how do I use it? Examples for dummies would be really appreciated.
    Thanks in advance
    /Andrea

    Can you import the CA cert under “Your Certificates”, delete the CA cert, switch to “Authorities”, re-import the CA cert, and restart Firefox?

  • How does a public/private key encrypt and decrypt each other?

    I understand the logic that when a communication takes place both parties pass their public keys to each other, which are used to encrypt all messages. Once a party receives the messages, the private key is used to decrypt them. However, I'm wondering how a private key is generated from a public key. If the private key is based on an algorithm, wouldn't each party be able to generate what the other person's private key would be based on the public one? Wouldn't a third party?

    How the public and private keys are generated depends on what public key cryptosystem is being used, but in general the private key cannot be derived from the public with a computationally feasible algorithm, while the public key can be derived from the private key very quickly. Two examples:
    RSA: private keys are 2 primes, p and q, and an encryption exponent d. Public key is the product p*q, and an encryption exponent e. How does the attacker get p and q, or d, from n and e? The best attack known against this (for properly chosen p, q, and d) is factoring. Factoring can be made infeasible by choosing the primes to be large enough.
    Diffie-Hellman: a prime modulus p and a base g < p is known by everyone (including the attacker). The private key is an integer x chosen randomly, 2 <= x < p-1 (there are better ways to choose x). The public key is g^x mod p. How does the attacker get x from g^x mod p? Again, the best known attack is one that is computationally roughly equal to factoring a composite number of about the size of p.
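The two derivations in the answer, carried out on toy numbers so every value can be checked by hand. This is an added example, not code from the thread; the parameters (p = 61, q = 53, d = 2753 for RSA; p = 23, g = 5 for Diffie-Hellman) are constructed for illustration and are far too small for real use. It shows the cheap direction, public key from private key (n = p*q and e as the inverse of d, g^x mod p), then a round trip that proves the derived keys match, and finally the attacker's only generic option for the Diffie-Hellman case, exhaustive search for x, whose cost is counted so the asymmetry is visible.

```go
package main

import (
	"fmt"
	"math/big"
)

// Toy RSA and Diffie-Hellman parameters, constructed for illustration only.
// Real keys use moduli of 2048 bits or more; that size is what makes factoring
// n and taking discrete logarithms mod p infeasible.

// rsaPublicFromPrivate derives the public key (n, e) from the private material
// (p, q, d): n = p*q and e = d^-1 mod (p-1)(q-1). This direction costs one
// multiplication and one modular inverse; going back from n to p and q is factoring.
func rsaPublicFromPrivate(p, q, d *big.Int) (n, e *big.Int) {
	one := big.NewInt(1)
	n = new(big.Int).Mul(p, q)
	phi := new(big.Int).Mul(new(big.Int).Sub(p, one), new(big.Int).Sub(q, one))
	e = new(big.Int).ModInverse(d, phi)
	return n, e
}

// rsaEncrypt computes c = m^e mod n using only the public key.
func rsaEncrypt(n, e, m *big.Int) *big.Int { return new(big.Int).Exp(m, e, n) }

// rsaDecrypt computes m = c^d mod n; d is known only to the key owner.
func rsaDecrypt(n, d, c *big.Int) *big.Int { return new(big.Int).Exp(c, d, n) }

// dhPublic derives the public value g^x mod p from the private exponent x.
func dhPublic(p, g, x *big.Int) *big.Int { return new(big.Int).Exp(g, x, p) }

// dhShared combines the peer's public value with our own private exponent.
func dhShared(p, peerPublic, x *big.Int) *big.Int { return new(big.Int).Exp(peerPublic, x, p) }

// dhBruteForce is the attacker's view: recover x from g^x mod p by trying every
// exponent in turn. It returns x and the number of trials; at real sizes the
// trial count is astronomically large, which is the whole point of the scheme.
func dhBruteForce(p, g, target *big.Int) (x *big.Int, trials int) {
	one := big.NewInt(1)
	cur := big.NewInt(1) // g^0
	for x = big.NewInt(1); x.Cmp(p) < 0; x = new(big.Int).Add(x, one) {
		cur.Mul(cur, g).Mod(cur, p) // cur = g^x mod p
		trials++
		if cur.Cmp(target) == 0 {
			return x, trials
		}
	}
	return nil, trials
}

func main() {
	p, q, d := big.NewInt(61), big.NewInt(53), big.NewInt(2753)
	n, e := rsaPublicFromPrivate(p, q, d)
	m := big.NewInt(65)
	c := rsaEncrypt(n, e, m)
	fmt.Printf("RSA: public (n=%v, e=%v), enc(%v)=%v, dec=%v\n", n, e, m, c, rsaDecrypt(n, d, c))

	dp, g := big.NewInt(23), big.NewInt(5)
	xa, xb := big.NewInt(6), big.NewInt(15) // private exponents of the two parties
	pa, pb := dhPublic(dp, g, xa), dhPublic(dp, g, xb)
	fmt.Printf("DH: publics %v and %v, shared %v == %v\n", pa, pb, dhShared(dp, pb, xa), dhShared(dp, pa, xb))
	x, trials := dhBruteForce(dp, g, pa)
	fmt.Printf("brute force recovered x=%v after %d trials\n", x, trials)
}
```

With these toy numbers the public key (3233, 17) falls out of (61, 53, 2753) immediately, and exhaustive search recovers x = 6 in six trials; the same loop against a 2048-bit p would need on the order of 2^2047 trials, which is why the answer says the private key is safe only when the parameters are large enough.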

  • How to use multiple classes for each form

    Hi,
    I have created two forms using Screen Painter and now I want to use different classes for these two forms.
    I have declared the SBO connection in the main class, i.e. Set Application, Connection Context(), but while connecting to other classes
    to execute the code for that form, SAP is not connected to that class. I am not able to use the multiple classes functionality.
    Please provide some sample code for that, as it will be more helpful for me to understand.
    Thanks & Regards,
    Amit

    Hi Amit,
    In fact, it's more advisable to use separate classes for every form that you use. Have one common class, say, e.g., clsMain.cs, which has all the connection and connectivity to other classes, wherein the menu event and item event of this main class will just be calling the menu / item event of the other classes.
    The individual functionality of the child classes will be called from the item / menu event of the respective classes.
    Item event in clsMain.cs will be as below.
    private void oApplication_ItemEvent(string FormUID, ref SAPbouiCOM.ItemEvent pVal, out bool BubbleEvent)
    {
        SAPbouiCOM.Form oForm;
        BubbleEvent = true;
        try
        {
            // Skip FORM_UNLOAD: the form object no longer exists at that point
            if ((pVal.FormTypeEx == "My_Form1Type") && (pVal.EventType != SAPbouiCOM.BoEventTypes.et_FORM_UNLOAD))
            {
                oForm = oApplication.Forms.GetForm(pVal.FormTypeEx, pVal.FormTypeCount);
                NameSpace.Repots.ClsForm1.ClsForm1_ItemEvent(oApplication, oCompany, oForm, ref pVal, ref BubbleEvent);
            }
            if ((pVal.FormTypeEx == "My_Form2Type") && (pVal.EventType != SAPbouiCOM.BoEventTypes.et_FORM_UNLOAD))
            {
                oForm = oApplication.Forms.GetForm(pVal.FormTypeEx, pVal.FormTypeCount);
                NameSpace.Repots.ClsForm2.ClsForm2_ItemEvent(oApplication, oCompany, oForm, ref pVal, ref BubbleEvent);
            }
        }
        catch (Exception ex) { oApplication.MessageBox(ex.Message); }
    }
    Now, in the individual classes, you can have their respective item events, which will be called from the main class, and the respective functionalities will occur.
    Hope this helps.
    Regards,
    Satish.

  • Use multiple primary keys to create DB constraint

    Hi,
    Is it possible to have multiple primary keys within one EJB to create a DB including the constraints, if so how? Is there an example of this or any example which uses multiple primary keys to create a DB?
    Thanks,
    Maarten

    "Is it possible to have multiple primary keys within one EJB..."
    If you mean a composite key, yes. Your PrimaryKeyObject would have one attribute for each column that makes up your composite key. If that's not what you meant, please clarify.
    "...to create a DB including the constraints"
    Not sure what you mean here. Constraints are enforced by the DB, and you don't create databases with EntityBeans.

  • How to use multiple ipods on one account

    I have an iPod classic and just bought my sons two nanos. How do I use these on the same account without changing my account info?

    Take a look here:
    How to use multiple iPods with one computer
    Forum Tip: Since you're new here, you've probably not discovered the Search feature available on every Discussions page, but next time, it might save you time (and everyone else from having to answer the same question multiple times) if you search a couple of ways for a topic, both in the relevant forums, in the User Tips Library and in the Apple Knowledge Base before you post a question.
    Regards.

  • How to use multiple JREs (1.5.0_20 and 1.6.0_07) with Internet Explorer 8?

    Hi!
    Question about the problem mentioned in subject.
    I have configured that JNLP opens with 1.5 version, both versions are enabled in Java Control Panel Runtime Settings but when I try to start a desktop java console says:
    Java Web Start 1.5.0_22
    Using JRE version 1.6.0_07 Java HotSpot(TM) Client VM
    And the opening of the desktop creates an exception:
    Java Web Start - Invalid Argument Error
    TooManyArgumentsException[ Too many arguments supplied: {C:\WINDOWS\Temporary, Internet, Files\Content.IE5\....
    I'm trying to open my desktop with the 1.5 version and other programs with the 1.6 version. What is it that I still need to do? I'm kind of confused with this. Some of my colleagues have succeeded with this and some haven't, with the same configuration.
    So the question is, how to use multiple JREs with IE8 so that one application uses 1.5 version and others 1.6 version?
    Br,
    Katri
    Edited by: ka**** on 09-Mar-2011 01:16
    Edited by: ka**** on 09-Mar-2011 03:16

    ka**** wrote:
    "..Question about the problem mentioned in subject."
    No. "Using multiple JREs (1.5.0_20 and 1.6.0_07) with Internet Explorer 8" is a statement. To transform it to a question would be something like "How to use multiple JREs (1.5.0_20 and 1.6.0_07) with Internet Explorer 8?".
    Once you can come up with an actual question, I might look at this more closely.

  • How to use multiple VCI strings for lap 1300 and 1200 (option 60) in one pool?

    Hi All,
    Hope to you a very happy new year,
    I have two different LAPs, 1300 and 1200, in my network and I need to add them to the WLC.
    I succeeded in adding one of them by option 60 in the DHCP pool at the core switch.
    So my question is below:
    How to use multiple VCI strings for LAP 1300 and 1200 (option 60) in one pool?
    Thanks in advance,
    Ahmed

    To add to Scott's post.  Option 60 would be useful if you needed to put certain types of AP on specific controllers.  Otherwise, no real need to use it for the most part.
    Though, I do recall an issue a few years ago that some windows machines had issues getting DHCP if option 43 is being returned.
    Now, on an IOS switch, you can only configure one option 60 per DHCP scope
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • How to use multiple table in single control file?

    Hi,
    How to use multiple tables and data files in a single control file? I have four tables and four CSV files (i.e. data files) for them. I am running a concurrent program to load the data from the CSV files into custom tables. Based on the input data file name, it has to pick the table automatically from one control file.
    Can anyone share with me how I can achieve this?
    Thanks

    Hi,
    Can't we achieve it like below? I don't think this is exactly correct.
    OPTIONS (SKIP=1)
    LOAD DATA
    INFILE << file name 1 >>
    APPEND INTO TABLE XXCZ_VA_SAMPLE1
    FIELDS TERMINATED BY "," OPTIONALLY ENCLOSED BY '"' TRAILING NULLCOLS
    (
         PARENT_ITEM               "TRIM(BOTH FROM :PARENT_ITEM)"
    )
    LOAD DATA
    INFILE << file name 2 >>
    APPEND INTO TABLE XXCZ_VA_SAMPLE2
    FIELDS TERMINATED BY "," OPTIONALLY ENCLOSED BY '"' TRAILING NULLCOLS
    (
         ITEM_NUMBER               "TRIM(BOTH FROM :ITEM_NUMBER)"
    )
    Edited by: orasuriya on Sep 14, 2009 3:03 AM
