Keytool problem

Hello,
I have a keystore and its instance is ("JCEKS","SunJCE"). I am creating secret keys and private keys and storing them inside my keystore.
When I try to reach this keystore by using "keytool" application, I get the following error:
java.io.IOException: Invalid keystore format
So, what instances does keytool support and which tool can I use to reach my keystore?
regards

I found the solution. As follows:
keytool -list -keystore keytoolfile -storetype jceks
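Added example (not part of the original thread and not JDK code): a small Python reader that identifies a keystore file's type from its first bytes and lists its aliases, so the right `-storetype` can be chosen before running keytool. The file layout it assumes is the one written by the Sun JKS and SunJCE JCEKS providers; the sample bytes and the aliases `signing-key`, `root-ca` and `session-key` are constructed for illustration.

```python
import io
import struct

# Magic numbers at offset 0 of Sun JKS and SunJCE JCEKS keystore files.
MAGIC = {0xFEEDFEED: "jks", 0xCECECECE: "jceks"}
KIND = {1: "private key", 2: "trusted certificate", 3: "secret key"}


class Reader:
    """Big-endian reader mirroring java.io.DataInputStream."""
    def __init__(self, data):
        self.buf = io.BytesIO(data)

    def take(self, n):
        chunk = self.buf.read(n)
        if len(chunk) != n:
            raise ValueError("truncated keystore")
        return chunk

    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

    def utf(self):  # writeUTF(): 2-byte length, then the bytes
        (n,) = struct.unpack(">H", self.take(2))
        return self.take(n).decode("utf-8", "replace")


def detect_storetype(data):
    """Return 'jks', 'jceks', 'pkcs12' (heuristic) or 'unknown'."""
    magic = struct.unpack(">I", data[:4])[0] if len(data) >= 4 else None
    if magic in MAGIC:
        return MAGIC[magic]
    if data[:1] == b"\x30":  # DER SEQUENCE, which is how a PKCS#12 file starts
        return "pkcs12"
    return "unknown"


def _skip_cert(r, version):
    if version == 2:
        r.utf()          # certificate type, e.g. "X.509"
    r.take(r.u32())      # encoded certificate


def list_entries(data):
    """Return (storetype, [(alias, kind, cert_count)]); no password is needed."""
    storetype = detect_storetype(data)
    if storetype not in ("jks", "jceks"):
        return storetype, []
    r = Reader(data)
    r.u32()  # magic, already checked
    version = r.u32()
    if version not in (1, 2):
        raise ValueError("unsupported keystore version %d" % version)
    entries = []
    for _ in range(r.u32()):
        tag, alias = r.u32(), r.utf()
        r.take(8)  # creation date, milliseconds since the epoch
        if tag == 1:
            r.take(r.u32())  # password-protected private key, skipped
            chain = r.u32()
            for _ in range(chain):
                _skip_cert(r, version)
            entries.append((alias, KIND[1], chain))
        elif tag == 2:
            _skip_cert(r, version)
            entries.append((alias, KIND[2], 1))
        elif tag == 3 and storetype == "jceks":
            # Stored as a serialized Java object with no length prefix,
            # so entries after the first secret key are not listed.
            entries.append((alias, KIND[3], 0))
            break
        else:
            raise ValueError("unexpected entry tag %d" % tag)
    return storetype, entries


def keytool_list_command(path, data):
    """Build the keytool invocation with the matching -storetype, or None."""
    storetype = detect_storetype(data)
    if storetype == "unknown":
        return None
    return "keytool -list -keystore %s -storetype %s" % (path, storetype)


def build_sample():
    """Constructed JCEKS-shaped bytes with dummy payloads (not a real keystore)."""
    def utf(s):
        return struct.pack(">H", len(s)) + s.encode("ascii")

    cert = utf("X.509") + struct.pack(">I", 2) + b"\x30\x00"
    date = struct.pack(">q", 0)
    out = struct.pack(">III", 0xCECECECE, 2, 3)  # magic, version, entry count
    out += struct.pack(">I", 1) + utf("signing-key") + date
    out += struct.pack(">I", 4) + b"\x00" * 4 + struct.pack(">I", 2) + cert * 2
    out += struct.pack(">I", 2) + utf("root-ca") + date + cert
    out += struct.pack(">I", 3) + utf("session-key") + date + b"\xac\xed\x00\x05"
    return out
```

For a real file, pass `open(path, "rb").read()` to `list_entries`; the aliases and entry kinds are readable without the store password because only the key material is protected by it.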

Similar Messages

  • Signature and keytool problem ?

    Hello,
    It is possible to use KeyPairGenerator to generate Public Key and Private Key for signature and verify the signature.
    But how can I use keytool.exe (that is deployed with the JDK) to generate a key pair for signature and verify the signature in a Java program?
    Would you please show me a simple program to do that?
    And please show me the steps in using keytool.
    I just know how to use keytool to genkey and export cert.
    Best regards,
    Eric

    Hello ,
    I saw in the java card forum that you were asking about accessing a smart card through the internet... I have the same problem with my work. I want to have a webpage (e.g. the webpage of an e-shop) access the smart card on a remote pc (the buyer's pc) and get some data (e.g. the buyer's shipping address)... Can you please help me on how this could be done? Thanks a lot

  • Using keytool to import a certificate

    I'm trying to import into the samplecacerts file a self-signed certificate generated for test purposes on my test web server.
    The command I issued was:
    keytool -import -alias mycert -file mycert.cer -keystore samplecacerts -trustcacert -storepass changeit
    and the answer was:
    keytool error: Signature not available
    If I accept this certificate using my class that implements the interface X509TrustManager and getting data using HttpsURLConnection all works fine.
    I used two methods to export the certificate:
    1. I exported it after accepting it in Internet Explorer
    2. I wrote it from the method isServerTrusted as suggested by Aseem in his sample code (http://forum.java.sun.com/thread.jsp?forum=9&thread=14884&start=25&range=1&hilite=false&q=)
    The two generated files are identical.
    Can anyone help me?
    Thanks
    Aldo

    I am having the same problem - and I don't understand the one reply you got.
    So here goes. WHY can I easily import a self-signed certificate as a "trusted root" in IE, but I cannot import the same certificate into my cacerts file using keytool.exe? Keytool always gives the error, "Signature not available".
    Can someone please tell me what the heck I am supposed to do? All I want to do is be able to connect to an https URL in my Java code and read the contents. I "trust" the darn server, but the keytool utility doesn't seem to "trust" me....
    BTW, yes I am using JSSE, it's not a code problem it's a keytool problem.

  • Serious problem. keytool won't work?!

    Hi everyone!
    I have a problem with keytool that I really don't know how to solve.
    When I try to create a new keystore my keytool program hangs. It doesn't consume any cpu or something.
    I don't know what's wrong and I've tried to solve it in many many ways. I have the newest version of the java sdk (1.4.1_02).
    It works if I run the program on my desktop box (the problem only appears on our server).
    Both the client and server run on Mandrake Linux 9.0 (installed using the same CDs so there shouldn't be any difference).
    I type the line and then follow the instructions:
    # keytool -genkey -keyalg rsa -alias tomcat
    Enter keystore password: changeit
    What is your first and last name?
    [Unknown]: test.com
    What is the name of your organizational unit?
    [Unknown]: test
    What is the name of your organization?
    [Unknown]: test
    What is the name of your City or Locality?
    [Unknown]: test
    What is the name of your State or Province?
    [Unknown]: test
    What is the two-letter country code for this unit?
    [Unknown]: SE
    Is CN=test.com, OU=test, O=test, L=test, ST=test, C=SE correct?
    [no]: yes
    Generating 1,024 bit RSA key pair and self-signed certificate (MD5WithRSA)
    for: CN=test.com, OU=test, O=test, L=test, ST=test, C=SE
    --- Here the program totally hangs!!!
    What should I do?
    If none of you can help me do you have any suggestions who I should ask?
    Thanks in advance
    Erik

    I am also having this problem.
    I noticed that it only happens on our compaq machines
    They are supposed to be configured the same as all others,
    but these are the only ones that hang.
    Any help?
    Mark

  • Problem in installation of free SSL certificate on Weblogic using keytool

    We tried to install SSL certificate on weblogic using Keystore, but it is giving error in console at startup and server shuts down automatically...
    Steps followed:-
    1) To generate keystore and private key and digital certificate:-
    keytool -genkey -alias mykey2 -keyalg RSA -keystore webconkeystore.jks -storepass webconkeystorepassword
    2) To generate CSR
    keytool -certreq -alias mykey2 -file webconcsr1.csr -keyalg RSA -storetype jks -keystore webconkeystore.jks -storepass webconkeystorepassword
    3) CSR is uploaded on verisign site to generate free ssl certificate. All certificate text received is pasted into file (cacert.pem)
    4) Same certificate is put into same keystore using following command
    keytool -import -alias mykey2 -keystore webconkeystore.jks -trustcacerts -file cacert.pem
    5) Before step 4), we have also installed root /intermediate certificate to include chain using following command.
    (intermediateCa.cer file is downloaded from verisign site)
    keytool -import -alias intermediateca -keystore webconkeystore.jks -trustcacerts -file intermediateCa.cer
    6) After this configuration we used weblogic admin module to configure Keystore and SSL.
    7) For KeyStore tab in weblogic admin module, we have selected option “Custom Identity And Custom Trust” and provided following details under Identity and Trust columns:-
    Private key alias: mykey2
    PassKeyphrase: webconkeystorepassword
    Location of keystore: location of webconkeystore.jks file on server
    8) For SSL tab in weblogic admin module, we have selected option “KeyStores” for “Identity and Trust locations”.
    Error on console:
    <Nov 3, 2009 3:00:17 PM IST> <Emergency> <Security> <BEA-090034> <Not listening for SSL, java.io.IOException: Failed to retrieve identity key/certificate from keystore /home/cedera/bea9.0/weblogic90/server/lib/webconkeystore.jks under alias mykey2 on server AdminServer.>
    <Nov 3, 2009 3:00:17 PM IST> <Emergency> <Security> <BEA-090087> <Server failed to bind to the configured Admin port. The port may already be used by another process.>
    <Nov 3, 2009 3:00:17 PM IST> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason: Server failed to bind to any usable port. See preceeding log message for details.>
    <Nov 3, 2009 3:00:17 PM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
    <Nov 3, 2009 3:00:17 PM IST> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
    <Nov 3, 2009 3:00:17 PM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
    If anyone knows the solution, please help us out. Thanks in advance.
    I was really happy to get reply yesterday from "mv".I was not expecting such instant response.

    Thanx all guys for your interest and support.
    I have solved this issue.
    We have weblogic 9 on unix env.
    Following steps which I followed:
    #generate private key
    keytool -genkey -v -alias uinbrdcsap01_apac_nsroot_net -keyalg RSA -keysize 1024 -dname "CN=linuxbox042, OU=ASIA, O=Citigroup, L=CALC, S=MH, C=IN" -validity 1068 -keypass "webconkeystorepassword" -keystore "cwebconkeystore"
    #generate csr
    keytool -certreq -v -alias uinbrdcsap01_apac_nsroot_net -file linuxbox042.csr -keypass "webconkeystorepassword" -keystore "cwebconkeystore" -storepass webconkeystorepassword
    Then we uploaded this csr on verisigns free ssl certificate to generate and receive certificate text.
    We copied that text into the "cert4nov2009.crt" file used below.
    Apart from that, the mail which we received from verisign also contains links to download the root ca certificate and intermediate ca certificate. We downloaded them:
    root ca in "root4nov2009.cer" file,
    intermediate ca in "intermediateca4nov2009.cer".
    Both these files are used in:
    #import root certificate
    keytool -import -alias rootca -keystore "cwebconkeystore" -storepass "webconkeystorepassword" -trustcacerts -file "root4nov2009.cer"
    #import intermediate ca certificate
    keytool -import -alias intermediateca -keystore "cwebconkeystore" -storepass "webconkeystorepassword" -trustcacerts -file "intermediateca4nov2009.cer"
    #install free ssl certificate
    keytool -import -alias uinbrdcsap01_apac_nsroot_net -file "cert4nov2009.crt" -trustcacerts -keypass "webconkeystorepassword" -keystore "cwebconkeystore" -storepass "webconkeystorepassword"
    #after this admin configuration
    In weblogic admin console module, we did following settings:-
    1. under Configuration tab
    a. Under KeyStore tab
    For keystore , we selected "Custom identity and Custom Trust"
    Under Identity,
    Custom Identity Keystore:location of keystore "webconkeystore" on weblogic server
    Custom Identity Keystore Type: JKS
    Custom Identity Keystore Passphrase: password for keystore mentioned above. In our case, webconkeystorepassword
    Same we copied Under "Trust", as we have not created separate keystore for trust.
    Save setting.
    b. Under SSL tab
    Identity and Trust Locations: select "Keystores"
    Private Key Alias: alias used while creating private key, i.e. in our case "uinbrdcsap01_apac_nsroot_net"
    Save setting.
    c. Under General tab
    Check checkbox "SSL Listen Port Enabled"
    and mention ssl port "SSL Listen Port"
    Save setting.
    After this activate changes. You might see error on admin module.
    Using command prompt, stop the server and restart it again, and then try to access using https and port ...
    you will definitely get output...
    In our case the issue might be due to key size. We used 1024 key size; it solved the problem.
    For your further reference please find the link below; it is also helpful.
    http://download.oracle.com/docs/cd/E13222_01/wls/docs81/plugins/nsapi.html#112674

  • Problem generating Key  with keytool command

    Hi Everyone;
    I'm having problems generating a key.
    Here's my output.
    C:\>keytool -genkey -alias learningIdeas -keysize 1024 -validity 365 -keyalg RSA
    Enter keystore password: changeit
    keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
    note i already did something with the keystore such that i have generated a key and placed this in server.xml
    <Connector className="org.apache.tomcat.service.PoolTcpConnector">
    <Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
    <Parameter name="port" value="8443"/>
    <Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory" />
         <Parameter name="keystore" value="C:/stephen" />
         <Parameter name="keypass" value="changeit"/>
         <Parameter name="clientAuth" value="false"/>
    </Connector>
    any ideas on what I can do to generate this key?
    stephen

    I have almost resolved this problem. I'm at the last step and getting an error message when trying to import the certificate that I received from verisign into my keystore.
    here's my error.
    C:\>keytool -import -alias mycompanyname123 -keystore STEPHEN4 -file mycompanyname.cer
    Enter keystore password: changeit
    keytool error: java.security.cert.CertificateException: Unsupported encoding
    but when I double click on this file mycompanyname.cer (which is exactly what I received from verisign), up comes the appropriate certificate.
    I was able to successfully install it into the microsoft browser and I see it correctly represented and displayed in the certificates section for OTHER PEOPLE.
    But I think I have to successfully import it into the keystore for it to work properly when I start up the tomcat app, is that correct?
    any ideas?
    Stephen

  • Problem import certificate keytool

    Hi,
    I've a problem importing a certificate into cacerts. The following command:
    keytool -import -alias test -file c:\bbfhb.p7b -trustcacerts -keystore %JAVA_HOME%\jre\lib\security\cacerts
    gives me the error:
    java.lang.Exception: input isn't a X.509 certificate
    So, where is the problem? Must I specify the storetype of certificate? How?
    Thanks a lot
    Andrea

    As far as I can tell, keystores created by keytool from version 1.4.2 on have required at least a 6 character password to provide integrity checking. Any time you modify the keystore, including when creating it, you must supply this password.
    However, you can programmatically create a keystore with an empty password via the KeyStore class (http://java.sun.com/javase/6/docs/api/java/security/KeyStore.html).
    By now you can probably see the value of getting one of the CAs listed in jre/lib/security/cacerts to sign your certificates.
    Edited by: ghstark on Apr 24, 2008 4:07 PM

  • Problems in keytool in jarsigning

    Please help, i've installed JDK 1.5.0_04 on my windows xp... i created an account and password in the keytool.
    Weeks passed and i forgot my keystore password. After a week later again, i remember it, but the keytool said that
    the password was either tampered or incorrect. I uninstalled it and reinstalled the JDK, but still the recent account was still active, and i can't create a new account and keystore password. When i uninstall, i also delete the JDK folder. What can I do, is there a registry or something. Thanks for your help...

    You can try deleting the keystore file:
    C:\Documents and Settings\<username>\.keystore

  • Problems with Keytool

    Hi all,
    I'm trying to connect to a postgres database and have to download a certificate from my teaching site (odl-qmul-ac-uk.der).
    I was told to download the certificate to C:\temp>.
    I've done that bit.
    I was then told to point the certificate to security folder in java folder.
    So in DOS I have:-
    C:\temp>keytool -keystore c:\Program Files\Java\jdk1.5.0_01\jre\lib\security -alias postgres -import -file students-odl-qmul-ac-uk.der
    When I try to run this I get 'keytool' is not recognised as an internal or external command, operable program or batch file.
    I've tried to extend the above path to ........\security\cacerts..................
    and I have changed the certificate name to "certificate.der" but all to no avail.
    Does anyone have an idea as to what the hell is going on?
    Kind regards,
    Chris

    My fault. Realised that having installed v5.0 today that the path was j2sdk1.5.0_01 instead of jdk1.5.0_01.

  • Problem with Configuring Tomcat for running jsp web applications..Plz HELP

    I am using Tomcat 5.5 and Jdk 1.5.0_12 and Oracle 10g. I am using jdbc-odbc bridge connection
    to connect to the database. I have placed my project folder called
    tdm under the webapps folder in Tomcat. This 'tdm' folder consists of
    a collection of html pages,jsp pages and images of my project. Also I created a
    WEB-INF folder and in that I have lib folder which contains catalina-root.jar
    , classes12.jar and nls_charset.jar files. And also in the WEB-INF folder I have the web.xml
    file which looks like this
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!--
    Copyright 2004 The Apache Software Foundation
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
    -->
    <web-app>
    <resource-ref>
    <description>Oracle Datasource example</description>
    <res-ref-name>jdbc/gdn</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
    </resource-ref>
    </web-app>
    My Server.xml file in Tomcat\conf folder is as follows
    <!-- Example Server Configuration File -->
    <!-- Note that component elements are nested corresponding to their
    parent-child relationships with each other -->
    <!-- A "Server" is a singleton element that represents the entire JVM,
    which may contain one or more "Service" instances. The Server
    listens for a shutdown command on the indicated port.
    Note: A "Server" is not itself a "Container", so you may not
    define subcomponents such as "Valves" or "Loggers" at this level.
    -->
    <Server port="8005" shutdown="SHUTDOWN">
    <!-- Comment these entries out to disable JMX MBeans support used for the
    administration web application -->
    <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
    <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
    <!-- Global JNDI resources -->
    <GlobalNamingResources>
    <!-- Test entry for demonstration purposes -->
    <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
    <!-- Editable user database that can also be used by
    UserDatabaseRealm to authenticate users -->
    <Resource name="UserDatabase" auth="Container"
    type="org.apache.catalina.UserDatabase"
    description="User database that can be updated and saved"
    factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
    pathname="conf/tomcat-users.xml" />
    <Resource name="jdbc/gdn" auth="Container"
    type="javax.sql.DataSource" driverClassName="sun.jdbc.odbc.JdbcOdbcDriver"
    url="jdbc:odbc:gdn"
    username="system" password="tiger" maxActive="20" maxIdle="10"
    maxWait="-1"/>
    </GlobalNamingResources>
    <!-- A "Service" is a collection of one or more "Connectors" that share
    a single "Container" (and therefore the web applications visible
    within that Container). Normally, that Container is an "Engine",
    but this is not required.
    Note: A "Service" is not itself a "Container", so you may not
    define subcomponents such as "Valves" or "Loggers" at this level.
    -->
    <!-- Define the Tomcat Stand-Alone Service -->
    <Service name="Catalina">
    <!-- A "Connector" represents an endpoint by which requests are received
    and responses are returned. Each Connector passes requests on to the
    associated "Container" (normally an Engine) for processing.
    By default, a non-SSL HTTP/1.1 Connector is established on port 8080.
    You can also enable an SSL HTTP/1.1 Connector on port 8443 by
    following the instructions below and uncommenting the second Connector
    entry. SSL support requires the following steps (see the SSL Config
    HOWTO in the Tomcat 5 documentation bundle for more detailed
    instructions):
    * If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or
    later, and put the JAR files into "$JAVA_HOME/jre/lib/ext".
    * Execute:
    %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
    $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix)
    with a password value of "changeit" for both the certificate and
    the keystore itself.
    By default, DNS lookups are enabled when a web application calls
    request.getRemoteHost(). This can have an adverse impact on
    performance, so you can disable it by setting the
    "enableLookups" attribute to "false". When DNS lookups are disabled,
    request.getRemoteHost() will return the String version of the
    IP address of the remote client.
    -->
    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <Connector
    port="5050" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" redirectPort="8443" acceptCount="100"
    connectionTimeout="20000" disableUploadTimeout="true" />
    <!-- Note : To disable connection timeouts, set connectionTimeout value
    to 0 -->
         <!-- Note : To use gzip compression you could set the following properties :
                   compression="on"
                   compressionMinSize="2048"
                   noCompressionUserAgents="gozilla, traviata"
                   compressableMimeType="text/html,text/xml"
         -->
    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <!--
    <Connector port="8443"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" />
    -->
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009"
    enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
    <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
    <!-- See proxy documentation for more information about using this. -->
    <!--
    <Connector port="8082"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" acceptCount="100" connectionTimeout="20000"
    proxyPort="80" disableUploadTimeout="true" />
    -->
    <!-- An Engine represents the entry point (within Catalina) that processes
    every request. The Engine implementation for Tomcat stand alone
    analyzes the HTTP headers included with the request, and passes them
    on to the appropriate Host (virtual host). -->
    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Standalone" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <!-- Define the top level container in our container hierarchy -->
    <Engine name="Catalina" defaultHost="localhost">
    <!-- The request dumper valve dumps useful debugging information about
    the request headers and cookies that were received, and the response
    headers and cookies that were sent, for all requests received by
    this instance of Tomcat. If you care only about requests to a
    particular virtual host, or a particular application, nest this
    element inside the corresponding <Host> or <Context> entry instead.
    For a similar mechanism that is portable to all Servlet 2.4
    containers, check out the "RequestDumperFilter" Filter in the
    example application (the source for this filter may be found in
    "$CATALINA_HOME/webapps/examples/WEB-INF/classes/filters").
    Request dumping is disabled by default. Uncomment the following
    element to enable it. -->
    <!--
    <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
    -->
    <!-- Because this Realm is here, an instance will be shared globally -->
    <!-- This Realm uses the UserDatabase configured in the global JNDI
    resources under the key "UserDatabase". Any edits
    that are performed against this UserDatabase are immediately
    available for use by the Realm. -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
    resourceName="UserDatabase"/>
    <!-- Comment out the old realm but leave here for now in case we
    need to go back quickly -->
    <!--
    <Realm className="org.apache.catalina.realm.MemoryRealm" />
    -->
    <!-- Replace the above Realm with one of the following to get a Realm
    stored in a database and accessed via JDBC -->
    <!--
    <Realm className="org.apache.catalina.realm.JDBCRealm"
    driverName="org.gjt.mm.mysql.Driver"
    connectionURL="jdbc:mysql://localhost/authority"
    connectionName="test" connectionPassword="test"
    userTable="users" userNameCol="user_name" userCredCol="user_pass"
    userRoleTable="user_roles" roleNameCol="role_name" />
    -->
    <!--
    <Realm className="org.apache.catalina.realm.JDBCRealm"
    driverName="oracle.jdbc.driver.OracleDriver"
    connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL"
    connectionName="scott" connectionPassword="tiger"
    userTable="users" userNameCol="user_name" userCredCol="user_pass"
    userRoleTable="user_roles" roleNameCol="role_name" />
    -->
    <!--
    <Realm className="org.apache.catalina.realm.JDBCRealm"
    driverName="sun.jdbc.odbc.JdbcOdbcDriver"
    connectionURL="jdbc:odbc:CATALINA"
    userTable="users" userNameCol="user_name" userCredCol="user_pass"
    userRoleTable="user_roles" roleNameCol="role_name" />
    -->
    <!-- Define the default virtual host
    Note: XML Schema validation will not work with Xerces 2.2.
    -->
    <Host name="localhost" appBase="webapps"
    unpackWARs="true" autoDeploy="true"
    xmlValidation="false" xmlNamespaceAware="false">
    <!-- Defines a cluster for this node,
    By defining this element, means that every manager will be changed.
    So when running a cluster, only make sure that you have webapps in there
    that need to be clustered and remove the other ones.
    A cluster has the following parameters:
    className = the fully qualified name of the cluster class
    name = a descriptive name for your cluster, can be anything
    mcastAddr = the multicast address, has to be the same for all the nodes
    mcastPort = the multicast port, has to be the same for all the nodes
    mcastBindAddr = bind the multicast socket to a specific address
    mcastTTL = the multicast TTL if you want to limit your broadcast
    mcastSoTimeout = the multicast readtimeout
    mcastFrequency = the number of milliseconds in between sending a "I'm alive" heartbeat
    mcastDropTime = the number a milliseconds before a node is considered "dead" if no heartbeat is received
    tcpThreadCount = the number of threads to handle incoming replication requests, optimal would be the same amount of threads as nodes
    tcpListenAddress = the listen address (bind address) for TCP cluster request on this host,
    in case of multiple ethernet cards.
    auto means that address becomes
    InetAddress.getLocalHost().getHostAddress()
    tcpListenPort = the tcp listen port
    tcpSelectorTimeout = the timeout (ms) for the Selector.select() method in case the OS
    has a wakup bug in java.nio. Set to 0 for no timeout
    printToScreen = true means that managers will also print to std.out
    expireSessionsOnShutdown = true means that
    useDirtyFlag = true means that we only replicate a session after setAttribute,removeAttribute has been called.
    false means to replicate the session after each request.
    false means that replication would work for the following piece of code: (only for SimpleTcpReplicationManager)
    <%
    HashMap map = (HashMap)session.getAttribute("map");
    map.put("key","value");
    %>
    replicationMode = can be either 'pooled', 'synchronous' or 'asynchronous'.
    * Pooled means that the replication happens using several sockets in a synchronous way. Ie, the data gets replicated, then the request return. This is the same as the 'synchronous' setting except it uses a pool of sockets, hence it is multithreaded. This is the fastest and safest configuration. To use this, also increase the nr of tcp threads that you have dealing with replication.
    * Synchronous means that the thread that executes the request, is also the
    thread the replicates the data to the other nodes, and will not return until all
    nodes have received the information.
    * Asynchronous means that there is a specific 'sender' thread for each cluster node,
    so the request thread will queue the replication request into a "smart" queue,
    and then return to the client.
    The "smart" queue is a queue where when a session is added to the queue, and the same session
    already exists in the queue from a previous request, that session will be replaced
    in the queue instead of replicating two requests. This almost never happens, unless there is a
    large network delay.
    -->
    <!--
    When configuring for clustering, you also add in a valve to catch all the requests
    coming in, at the end of the request, the session may or may not be replicated.
    A session is replicated if and only if all the conditions are met:
    1. useDirtyFlag is true or setAttribute or removeAttribute has been called AND
    2. a session exists (has been created)
    3. the request is not trapped by the "filter" attribute
    The filter attribute is to filter out requests that could not modify the session,
    hence we don't replicate the session after the end of this request.
    The filter is negative, ie, anything you put in the filter, you mean to filter out,
    ie, no replication will be done on requests that match one of the filters.
    The filter attribute is delimited by ;, so you can't escape out ; even if you wanted to.
    filter=".*\.gif;.*\.js;" means that we will not replicate the session after requests with the URI
    ending with .gif and .js are intercepted.
    The deployer element can be used to deploy apps cluster wide.
    Currently the deployment only deploys/undeploys to working members in the cluster
    so no WARs are copied upons startup of a broken node.
    The deployer watches a directory (watchDir) for WAR files when watchEnabled="true"
    When a new war file is added the war gets deployed to the local instance,
    and then deployed to the other instances in the cluster.
    When a war file is deleted from the watchDir the war is undeployed locally
    and cluster wide
    -->
    <!--
    <Cluster className="org.apache.catalina.cluster.tcp.SimpleTcpCluster"
    managerClassName="org.apache.catalina.cluster.session.DeltaManager"
    expireSessionsOnShutdown="false"
    useDirtyFlag="true"
    notifyListenersOnReplication="true">
    <Membership
    className="org.apache.catalina.cluster.mcast.McastService"
    mcastAddr="228.0.0.4"
    mcastPort="45564"
    mcastFrequency="500"
    mcastDropTime="3000"/>
    <Receiver
    className="org.apache.catalina.cluster.tcp.ReplicationListener"
    tcpListenAddress="auto"
    tcpListenPort="4001"
    tcpSelectorTimeout="100"
    tcpThreadCount="6"/>
    <Sender
    className="org.apache.catalina.cluster.tcp.ReplicationTransmitter"
    replicationMode="pooled"
    ackTimeout="15000"/>
    <Valve className="org.apache.catalina.cluster.tcp.ReplicationValve"
    filter=".*\.gif;.*\.js;.*\.jpg;.*\.htm;.*\.html;.*\.txt;"/>
    <Deployer className="org.apache.catalina.cluster.deploy.FarmWarDeployer"
    tempDir="/tmp/war-temp/"
    deployDir="/tmp/war-deploy/"
    watchDir="/tmp/war-listen/"
    watchEnabled="false"/>
    </Cluster>
    -->
    <!-- Normally, users must authenticate themselves to each web app
    individually. Uncomment the following entry if you would like
    a user to be authenticated the first time they encounter a
    resource protected by a security constraint, and then have that
    user identity maintained across all web applications contained
    in this virtual host. -->
    <!--
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
    -->
    <!-- Access log processes all requests for this virtual host. By
    default, log files are created in the "logs" directory relative to
    $CATALINA_HOME. If you wish, you can specify a different
    directory with the "directory" attribute. Specify either a relative
    (to $CATALINA_HOME) or absolute path to the desired directory.
    -->
    <!--
    <Valve className="org.apache.catalina.valves.AccessLogValve"
    directory="logs" prefix="localhost_access_log." suffix=".txt"
    pattern="common" resolveHosts="false"/>
    -->
    <!-- Access log processes all requests for this virtual host. By
    default, log files are created in the "logs" directory relative to
    $CATALINA_HOME. If you wish, you can specify a different
    directory with the "directory" attribute. Specify either a relative
    (to $CATALINA_HOME) or absolute path to the desired directory.
    This access log implementation is optimized for maximum performance,
    but is hardcoded to support only the "common" and "combined" patterns.
    -->
    <!--
    <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
    directory="logs" prefix="localhost_access_log." suffix=".txt"
    pattern="common" resolveHosts="false"/>
    -->
    <Context path="/tdm" docBase="tdm" debug="0" reloadable="true" />
    </Host>
    </Engine>
    </Service>
    </Server>
    I have set the context path to /tdm in the server.xml file. Should this be placed in context.xml?
    My first page in the project is called Homepage.html. To start my project I give http://localhost:5050/tdm/homepage.html
    in a browser. Here I accept a username and password from the user and then do the validation in
    a valid.jsp file, where I connect to the database and check and use jsp:forward to go to next pages
    accordingly. However when I enter the username and password and click Go in the homepage, nothing is
    displayed on the next page. The URL in the browser says valid.jsp but a blank screen appears.
    WHY DOES IT HAPPEN SO? DOES IT MEAN THAT TOMCAT IS NOT RECOGNIZING JAVA IN MY SYSTEM OR IS IT A PROBLEM
    WITH THE DATABASE CONNECTION OR SOMETHING ELSE? I FEEL THAT TOMCAT IS NOT EXECUTING JSP COMMANDS?
    IS IT POSSIBLE? WHY WILL THIS HAPPEN?
    I set the JAVA_HOME and CATALINA_HOME environment variables to the JDK and Tomcat folders respectively.
    Is there anything else that I need to set in the classpath? Should I have my project as a
    WAR file in the webapps folder of Tomcat, or will just a folder, i.e. a directory structure, be fine?

    I am using Tomcat 5.5 and Jdk 1.5.0_12 and Oracle 10g. I am using jdbc-odbc bridge connection
    to connect to the database. I have placed my project folder called
    tdm under the webapps folder in Tomcat. This 'tdm' folder consists of
    a collection of HTML pages, JSP pages and images of my project. I also created a
    WEB-INF folder, and in that I have a lib folder which contains the catalina-root.jar,
    classes12.jar and nls_charset.jar files. Also in the WEB-INF folder I have the web.xml
    file, which looks like this:
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!--
    Copyright 2004 The Apache Software Foundation
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
    -->
    <web-app>
    <resource-ref>
    <description>Oracle Datasource example</description>
    <res-ref-name>jdbc/gdn</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
    </resource-ref>
    </web-app>
    My Server.xml file in Tomcat\conf folder is as follows
    <!-- Example Server Configuration File -->
    <!-- Note that component elements are nested corresponding to their
    parent-child relationships with each other -->
    <!-- A "Server" is a singleton element that represents the entire JVM,
    which may contain one or more "Service" instances. The Server
    listens for a shutdown command on the indicated port.
    Note: A "Server" is not itself a "Container", so you may not
    define subcomponents such as "Valves" or "Loggers" at this level.
    -->
    <Server port="8005" shutdown="SHUTDOWN">
    <!-- Comment these entries out to disable JMX MBeans support used for the
    administration web application -->
    <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
    <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
    <!-- Global JNDI resources -->
    <GlobalNamingResources>
    <!-- Test entry for demonstration purposes -->
    <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
    <!-- Editable user database that can also be used by
    UserDatabaseRealm to authenticate users -->
    <Resource name="UserDatabase" auth="Container"
    type="org.apache.catalina.UserDatabase"
    description="User database that can be updated and saved"
    factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
    pathname="conf/tomcat-users.xml" />
    <Resource name="jdbc/gdn" auth="Container"
    type="javax.sql.DataSource" driverClassName="sun.jdbc.odbc.JdbcOdbcDriver"
    url="jdbc:odbc:gdn"
    username="system" password="tiger" maxActive="20" maxIdle="10"
    maxWait="-1"/>
    </GlobalNamingResources>
    <!-- A "Service" is a collection of one or more "Connectors" that share
    a single "Container" (and therefore the web applications visible
    within that Container). Normally, that Container is an "Engine",
    but this is not required.
    Note: A "Service" is not itself a "Container", so you may not
    define subcomponents such as "Valves" or "Loggers" at this level.
    -->
    <!-- Define the Tomcat Stand-Alone Service -->
    <Service name="Catalina">
    <!-- A "Connector" represents an endpoint by which requests are received
    and responses are returned. Each Connector passes requests on to the
    associated "Container" (normally an Engine) for processing.
    By default, a non-SSL HTTP/1.1 Connector is established on port 8080.
    You can also enable an SSL HTTP/1.1 Connector on port 8443 by
    following the instructions below and uncommenting the second Connector
    entry. SSL support requires the following steps (see the SSL Config
    HOWTO in the Tomcat 5 documentation bundle for more detailed
    instructions):
    * If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or
    later, and put the JAR files into "$JAVA_HOME/jre/lib/ext".
    * Execute:
    %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
    $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix)
    with a password value of "changeit" for both the certificate and
    the keystore itself.
    By default, DNS lookups are enabled when a web application calls
    request.getRemoteHost(). This can have an adverse impact on
    performance, so you can disable it by setting the
    "enableLookups" attribute to "false". When DNS lookups are disabled,
    request.getRemoteHost() will return the String version of the
    IP address of the remote client.
    -->
    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <Connector
    port="5050" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" redirectPort="8443" acceptCount="100"
    connectionTimeout="20000" disableUploadTimeout="true" />
    <!-- Note : To disable connection timeouts, set connectionTimeout value
    to 0 -->
         <!-- Note : To use gzip compression you could set the following properties :
                   compression="on"
                   compressionMinSize="2048"
                   noCompressionUserAgents="gozilla, traviata"
                   compressableMimeType="text/html,text/xml"
         -->
    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <!--
    <Connector port="8443"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" />
    -->
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009"
    enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
    <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
    <!-- See proxy documentation for more information about using this. -->
    <!--
    <Connector port="8082"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" acceptCount="100" connectionTimeout="20000"
    proxyPort="80" disableUploadTimeout="true" />
    -->
    <!-- An Engine represents the entry point (within Catalina) that processes
    every request. The Engine implementation for Tomcat stand alone
    analyzes the HTTP headers included with the request, and passes them
    on to the appropriate Host (virtual host). -->
    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Standalone" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <!-- Define the top level container in our container hierarchy -->
    <Engine name="Catalina" defaultHost="localhost">
    <!-- The request dumper valve dumps useful debugging information about
    the request headers and cookies that were received, and the response
    headers and cookies that were sent, for all requests received by
    this instance of Tomcat. If you care only about requests to a
    particular virtual host, or a particular application, nest this
    element inside the corresponding <Host> or <Context> entry instead.
    For a similar mechanism that is portable to all Servlet 2.4
    containers, check out the "RequestDumperFilter" Filter in the
    example application (the source for this filter may be found in
    "$CATALINA_HOME/webapps/examples/WEB-INF/classes/filters").
    Request dumping is disabled by default. Uncomment the following
    element to enable it. -->
    <!--
    <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
    -->
    <!-- Because this Realm is here, an instance will be shared globally -->
    <!-- This Realm uses the UserDatabase configured in the global JNDI
    resources under the key "UserDatabase". Any edits
    that are performed against this UserDatabase are immediately
    available for use by the Realm. -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
    resourceName="UserDatabase"/>
    <!-- Comment out the old realm but leave here for now in case we
    need to go back quickly -->
    <!--
    <Realm className="org.apache.catalina.realm.MemoryRealm" />
    -->
    <!-- Replace the above Realm with one of the following to get a Realm
    stored in a database and accessed via JDBC -->
    <!--
    <Realm className="org.apache.catalina.realm.JDBCRealm"
    driverName="org.gjt.mm.mysql.Driver"
    connectionURL="jdbc:mysql://localhost/authority"
    connectionName="test" connectionPassword="test"
    userTable="users" userNameCol="user_name" userCredCol="user_pass"
    userRoleTable="user_roles" roleNameCol="role_name" />
    -->
    <!--
    <Realm className="org.apache.catalina.realm.JDBCRealm"
    driverName="oracle.jdbc.driver.OracleDriver"
    connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL"
    connectionName="scott" connectionPassword="tiger"
    userTable="users" userNameCol="user_name" userCredCol="user_pass"
    userRoleTable="user_roles" roleNameCol="role_name" />
    -->
    <!--
    <Realm className="org.apache.catalina.realm.JDBCRealm"
    driverName="sun.jdbc.odbc.JdbcOdbcDriver"
    connectionURL="jdbc:odbc:CATALINA"
    userTable="users" userNameCol="user_name" userCredCol="user_pass"
    userRoleTable="user_roles" roleNameCol="role_name" />
    -->
    <!-- Define the default virtual host
    Note: XML Schema validation will not work with Xerces 2.2.
    -->
    <Host name="localhost" appBase="webapps"
    unpackWARs="true" autoDeploy="true"
    xmlValidation="false" xmlNamespaceAware="false">
    <!-- Defines a cluster for this node,
    By defining this element, means that every manager will be changed.
    So when running a cluster, only make sure that you have webapps in there
    that need to be clustered and remove the other ones.
    A cluster has the following parameters:
    className = the fully qualified name of the cluster class
    name = a descriptive name for your cluster, can be anything
    mcastAddr = the multicast address, has to be the same for all the nodes
    mcastPort = the multicast port, has to be the same for all the nodes
    mcastBindAddr = bind the multicast socket to a specific address
    mcastTTL = the multicast TTL if you want to limit your broadcast
    mcastSoTimeout = the multicast readtimeout
    mcastFrequency = the number of milliseconds in between sending a "I'm alive" heartbeat
    mcastDropTime = the number a milliseconds before a node is considered "dead" if no heartbeat is received
    tcpThreadCount = the number of threads to handle incoming replication requests, optimal would be the same amount of threads as nodes
    tcpListenAddress = the listen address (bind address) for TCP cluster request on this host,
    in case of multiple ethernet cards.
    auto means that address becomes
    InetAddress.getLocalHost().getHostAddress()
    tcpListenPort = the tcp listen port
    tcpSelectorTimeout = the timeout (ms) for the Selector.select() method in case the OS
    has a wakup bug in java.nio. Set to 0 for no timeout
    printToScreen = true means that managers will also print to std.out
    expireSessionsOnShutdown = true means that
    useDirtyFlag = true means that we only replicate a session after setAttribute,removeAttribute has been called.
    false means to replicate the session after each request.
    false means that replication would work for the following piece of code: (only for SimpleTcpReplicationManager)
    <%
    HashMap map = (HashMap)session.getAttribute("map");
    map.put("key","value");
    %>
    replicationMode = can be either 'pooled', 'synchronous' or 'asynchronous'.
    * Pooled means that the replication happens using several sockets in a synchronous way. Ie, the data gets replicated, then the request return. This is the same as the 'synchronous' setting except it uses a pool of sockets, hence it is multithreaded. This is the fastest and safest configuration. To use this, also increase the nr of tcp threads that you have dealing with replication.
    * Synchronous means that the thread that executes the request, is also the
    thread the replicates the data to the other nodes, and will not return until all
    nodes have received the information.
    * Asynchronous means that there is a specific 'sender' thread for each cluster node,
    so the request thread will queue the replication request into a "smart" queue,
    and then return to the client.
    The "smart" queue is a queue where when a session is added to the queue, and the same session
    already exists in the queue from a previous request, that session will be replaced
    in the queue instead of replicating two requests. This almost never happens, unless there is a
    large network delay.
    -->
    <!--
    When configuring for clustering, you also add in a valve to catch all the requests
    coming in, at the end of the request, the session may or may not be replicated.
    A session is replicated if and only if all the conditions are met:
    1. useDirtyFlag is true or setAttribute or removeAttribute has been called AND
    2. a session exists (has been created)
    3. the request is not trapped by the "filter" attribute
    The filter attribute is to filter out requests that could not modify the session,
    hence we don't replicate the session after the end of this request.
    The filter is negative, ie, anything you put in the filter, you mean to filter out,
    ie, no replication will be done on requests that match one of the filters.
    The filter attribute is delimited by ;, so you can't escape out ; even if you wanted to.
    filter=".*\.gif;.*\.js;" means that we will not replicate the session after requests with the URI
    ending with .gif and .js are intercepted.
    The deployer element can be used to deploy apps cluster wide.
    Currently the deployment only deploys/undeploys to working members in the cluster
    so no WARs are copied upons startup of a broken node.
    The deployer watches a directory (watchDir) for WAR files when watchEnabled="true"
    When a new war file is added the war gets deployed to the local instance,
    and then deployed to the other instances in the cluster.
    When a war file is deleted from the watchDir the war is undeployed locally
    and cluster wide
    -->
    <!--
    <Cluster className="org.apache.catalina.cluster.tcp.SimpleTcpCluster"
    managerClassName="org.apache.catalina.cluster.session.DeltaManager"
    expireSessionsOnShutdown="false"
    useDirtyFlag="true"
    notifyListenersOnReplication="true">
    <Membership
    className="org.apache.catalina.cluster.mcast.McastService"
    mcastAddr="228.0.0.4"
    mcastPort="45564"
    mcastFrequency="500"
    mcastDropTime="3000"/>
    <Receiver
    className="org.apache.catalina.cluster.tcp.ReplicationListener"
    tcpListenAddress="auto"
    tcpListenPort="4001"
    tcpSelectorTimeout="100"
    tcpThreadCount="6"/>
    <Sender
    className="org.apache.catalina.cluster.tcp.ReplicationTransmitter"
    replicationMode="pooled"
    ackTimeout="15000"/>
    <Valve className="org.apache.catalina.cluster.tcp.ReplicationValve"
    filter=".*\.gif;.*\.js;.*\.jpg;.*\.htm;.*\.html;.*\.txt;"/>
    <Deployer className="org.apache.catalina.cluster.deploy.FarmWarDeployer"
    tempDir="/tmp/war-temp/"
    deployDir="/tmp/war-deploy/"
    watchDir="/tmp/war-listen/"
    watchEnabled="false"/>
    </Cluster>
    -->
    <!-- Normally, users must authenticate themselves to each web app
    individually. Uncomment the following entry if you would like
    a user to be authenticated the first time they encounter a
    resource protected by a security constraint, and then have that
    user identity maintained across all web applications contained
    in this virtual host. -->
    <!--
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
    -->
    <!-- Access log processes all requests for this virtual host. By
    default, log files are created in the "logs" directory relative to
    $CATALINA_HOME. If you wish, you can specify a different
    directory with the "directory" attribute. Specify either a relative
    (to $CATALINA_HOME) or absolute path to the desired directory.
    -->
    <!--
    <Valve className="org.apache.catalina.valves.AccessLogValve"
    directory="logs" prefix="localhost_access_log." suffix=".txt"
    pattern="common" resolveHosts="false"/>
    -->
    <!-- Access log processes all requests for this virtual host. By
    default, log files are created in the "logs" directory relative to
    $CATALINA_HOME. If you wish, you can specify a different
    directory with the "directory" attribute. Specify either a relative
    (to $CATALINA_HOME) or absolute path to the desired directory.
    This access log implementation is optimized for maximum performance,
    but is hardcoded to support only the "common" and "combined" patterns.
    -->
    <!--
    <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
    directory="logs" prefix="localhost_access_log." suffix=".txt"
    pattern="common" resolveHosts="false"/>
    -->
    <Context path="/tdm" docBase="tdm" debug="0" reloadable="true" />
    </Host>
    </Engine>
    </Service>
    </Server>
    I have set the context path to /tdm in the server.xml file. Should this be placed in context.xml?
    My first page in the project is called Homepage.html. To start my project I give http://localhost:5050/tdm/homepage.html
    in a browser. Here I accept a username and password from the user and then do the validation in
    a valid.jsp file, where I connect to the database and check and use jsp:forward to go to next pages
    accordingly. However when I enter the username and password and click Go in the homepage, nothing is
    displayed on the next page. The URL in the browser says valid.jsp but a blank screen appears.
    WHY DOES IT HAPPEN SO? DOES IT MEAN THAT TOMCAT IS NOT RECOGNIZING JAVA IN MY SYSTEM OR IS IT A PROBLEM
    WITH THE DATABASE CONNECTION OR SOMETHING ELSE? I FEEL THAT TOMCAT IS NOT EXECUTING JSP COMMANDS?
    IS IT POSSIBLE? WHY WILL THIS HAPPEN?
    I set the JAVA_HOME and CATALINA_HOME environment variables to the JDK and Tomcat folders respectively.
    Is there anything else that I need to set in the classpath? Should I have my project as a
    WAR file in the webapps folder of Tomcat, or will just a folder, i.e. a directory structure, be fine?

  • Active Directory Server Problem

    Hi All,
    This mail seeks help from people who have worked with Active Directory Server.
    The following is our current scenario.
    We are in the process of establishing an SSL connection to Active Directory Server from a Java environment (a standalone class) in Windows 2000.
    1. Active Directory Server is installed on an independent Win 2k machine.
    2. SSL is enabled on the Active Directory Server machine by installing the Enterprise Root Certificate.
    3. Microsoft High Encryption Pack is installed on both the client and the server (AD).
    4. The .cer file from the AD machine is imported into the client's keystore (cacerts) using the keytool utility.
    5. The AD machine is part of a domain named "rsa" and the client machine is part of the domain named "cts".
    With the above setup, the following code tries to establish an SSL context to the AD through JNDI.
    Hashtable env = new Hashtable();
    env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL,"ldap://blr03srv1.rsa.com:636");
    env.put(Context.SECURITY_PROTOCOL, "ssl");
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL,"CN=Administrator,CN=Users,DC=rsa,DC=com");
    env.put(Context.SECURITY_CREDENTIALS,"password");
    try {
         // Opening the context performs the SSL handshake and the simple bind
         DirContext ctx = new InitialDirContext(env);
         ctx.close();
    } catch (Exception e) {
         e.printStackTrace();
    }
    When we try to run this client we get an SSLHandshakeException with a message saying "No trusted certificate found".
    As far as we know, the .cer file was successfully imported into the cacerts file, which is used by J2SE as the default keystore.
    We have run out of ideas, as we think there could be some other issue causing this problem.
    We look forward to input from people who know AD well to solve this issue.
    Thanks in Advance,
    Manivannan.A

    I had the same problem and have still not managed to solve it. If you happen to get it working, please pass me the solution.
    Thanks
    Fernando Queiroz Fonseca
    Undergraduate in Electrical Engineering
    Universidade Federal de Uberlândia
    http://www.fernandoqueiroz.com.br
    email : [email protected]

  • Problem with socket permissions!

    Hi All!
    I'm developing an applet that displays an image after downloading it from a server; this server is different from the server I download the applet from, so I have problems with security. In fact I get the following exception:
    java.security.AccessControlException: access denied (java.net.SocketPermission 172.16.1.22:8080 connect,resolve)
    I'm using:
    - Java Plugin 1.3;
    - Netscape 7.0;
    - IE 6;
    I've tried to self-sign the applet but with no results (maybe I cannot use a self-signed certificate with Java Plugin 1.3);
    After that I created a new policy file ("MyPolicy" file) and mentioned it in:
    C:\Program Files\JavaSoft\JRE\1.3.1_03\lib\security\java.policy
    but it didn't resolve my problem (maybe I'm doing something wrong in creating my policy file??!!).
    Which steps do I have to follow in order to make my applet connect to images server without security problems?
    Thanks so much in advance,
    Carlo

    1.     Compile the applet
    2.     Create a JAR file
    3.     Generate Keys
    4.     Sign the JAR file
    5.     Export the Public Key Certificate
    6.     Import the Certificate as a Trusted Certificate
    7.     Create the policy file
    8.     Run the applet
    Susan
    Susan bundles the applet executable in a JAR file, signs the JAR file, and exports the public key certificate.
    1.     Compile the Applet
    In her working directory, Susan uses the javac command to compile the SignedAppletDemo.java class. The output from the javac command is the SignedAppletDemo.class.
    javac SignedAppletDemo.java
    2.     Make a JAR File
    Susan then makes the compiled SignedAppletDemo.class file into a JAR file. The -cvf option to the jar command creates a new archive (c), using verbose mode (v), and specifies the archive file name (f). The archive file name is SignedApplet.jar.
    jar cvf SignedApplet.jar SignedAppletDemo.class
    3.     Generate Keys
    Susan creates a keystore database named susanstore that has an entry for a newly generated public and private key pair with the public key in a certificate. A JAR file is signed with the private key of the creator of the JAR file and the signature is verified by the recipient of the JAR file with the public key in the pair. The certificate is a statement from the owner of the private key that the public key in the pair has a particular value so the person using the public key can be assured the public key is authentic. Public and private keys must already exist in the keystore database before jarsigner can be used to sign or verify the signature on a JAR file.
    In her working directory, Susan creates a keystore database and generates the keys:
    keytool -genkey -alias signFiles -keystore susanstore -keypass kpi135 -dname "cn=jones" -storepass ab987c
    This keytool -genkey command invocation generates a key pair that is identified by the alias signFiles. Subsequent keytool command invocations use this alias and the key password (-keypass kpi135) to access the private key in the generated pair.
    The generated key pair is stored in a keystore database called susanstore (-keystore susanstore) in the current directory, and accessed with the susanstore password (-storepass ab987c).
    The -dname "cn=jones" option specifies an X.500 Distinguished Name with a commonName (cn) value. X.500 Distinguished Names identify entities for X.509 certificates.
    You can view all keytool options and parameters by typing:
    keytool -help
    4.     Sign the JAR File
    JAR Signer is a command line tool for signing and verifying the signature on JAR files. In her working directory, Susan uses jarsigner to make a signed copy of the SignedApplet.jar file.
    jarsigner -keystore susanstore -storepass ab987c -keypass kpi135 -signedjar SSignedApplet.jar SignedApplet.jar signFiles
    The -storepass ab987c and -keystore susanstore options specify the keystore database and password where the private key for signing the JAR file is stored. The -keypass kpi135 option is the password to the private key, SSignedApplet.jar is the name of the signed JAR file, and signFiles is the alias to the private key. jarsigner extracts the certificate from the keystore whose entry is signFiles and attaches it to the generated signature of the signed JAR file.
    5.     Export the Public Key Certificate
    The public key certificate is sent with the JAR file to whoever is going to use the applet. That person uses the certificate to authenticate the signature on the JAR file. To send a certificate, you have to first export it.
    In her working directory, Susan uses keytool to copy the certificate from susanstore to a file named SusanJones.cer as follows:
    keytool -export -keystore susanstore -storepass ab987c -alias signFiles -file SusanJones.cer
    Ray
    Ray receives the JAR file from Susan, imports the certificate, creates a policy file granting the applet access, and runs the applet.
    6.     Import Certificate as a Trusted Certificate
    Ray has received SSignedApplet.jar and SusanJones.cer from Susan. He puts them in his home directory. Ray must now create a keystore database (raystore) and import the certificate into it. Ray uses keytool in his home directory /home/ray to import the certificate:
    keytool -import -alias susan -file SusanJones.cer -keystore raystore -storepass abcdefgh
    7.     Create the Policy File
    The policy file grants the SSignedApplet.jar file signed by the alias susan permission to create newfile (and no other file) in the user's home directory.
    Ray creates the policy file in his home directory using either policytool or an ASCII editor.
    keystore "/home/ray/raystore";
    // A sample policy file that lets a JavaTM program
    // create newfile in user's home directory
    // Satya N Dodda
    grant SignedBy "susan" {
         permission java.security.AllPermission;
    };
    8.     Run the Applet in Applet Viewer
    Applet Viewer connects to the HTML documents and resources specified in the call to appletviewer, and displays the applet in its own window. To run the example, Ray copies the signed JAR file and HTML file to /home/aURL/public_html and invokes Applet viewer from his home directory as follows:
    Html code :
    <html>
    <body>
    <OBJECT classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"
    width="600" height="400" align="middle"
    codebase="http://java.sun.com/products/plugin/1.3/jinstall-13-win32.cab#Version=1,3,1,2">
    <PARAM NAME="code" VALUE="SignedAppletDemo.class">
    <PARAM NAME="archive" VALUE="SSignedApplet.jar">
    <PARAM NAME="type" VALUE="application/x-java-applet;version=1.3">
    </OBJECT>
    </body>
    </html>
    appletviewer -J-Djava.security.policy=Write.jp
    http://aURL.com/SignedApplet.html
    Note: Type everything on one line and put a space after Write.jp
    The -J-Djava.security.policy=Write.jp option tells Applet Viewer to run the applet referenced in the SignedApplet.html file with the Write.jp policy file.
    Note: The Policy file can be stored on a server and specified in the appletviewer invocation as a URL.
    9.     Run the Applet in Browser
    Download JRE 1.3 from Javasoft
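
The exception in the question names the one permission the applet was refused, while the policy in the reply grants java.security.AllPermission to everything signed by susan. The script below is an added example, not part of either post: it turns AccessControlException lines into a grant entry limited to the denied permissions and flags AllPermission in an existing policy. The function names are assumptions, and only the first sample log line comes from the question; the rest is constructed.

```python
import re

# JDK 1.3-era message, as quoted in the question:
#   access denied (java.net.SocketPermission 172.16.1.22:8080 connect,resolve)
# Later JDKs quote each field:
#   access denied ("java.net.SocketPermission" "172.16.1.22:8080" "connect,resolve")
QUOTED = re.compile(r'access denied \("([^"]+)" "([^"]*)"(?: "([^"]*)")?\)')
# Unquoted form: the last space-separated token is taken as the actions,
# so a target name that contains spaces but has no actions would be misread.
PLAIN = re.compile(r'access denied \((\S+) (.+?)(?: (\S+))?\)\s*$')

# Grants that switch the sandbox off; never emitted here, only reported.
TOO_BROAD = ("java.security.AllPermission",)


def parse_denials(log_text):
    """Return unique (class, target, actions) tuples in first-seen order."""
    seen, out = set(), []
    for line in log_text.splitlines():
        m = QUOTED.search(line) or PLAIN.search(line)
        if not m:
            continue
        perm = (m.group(1), m.group(2), m.group(3) or "")
        if perm not in seen:
            seen.add(perm)
            out.append(perm)
    return out


def _q(value):
    """Escape backslashes and double quotes for a policy-file string."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def render_policy(denials, signed_by, keystore):
    """Build a policy file granting only the denied permissions to one signer."""
    lines = ['keystore "%s";' % _q(keystore), "",
             'grant signedBy "%s" {' % _q(signed_by)]
    for cls, target, actions in denials:
        if cls in TOO_BROAD:
            continue  # never widen the grant to everything
        entry = '    permission %s "%s"' % (cls, _q(target))
        if actions:
            entry += ', "%s"' % _q(actions)
        lines.append(entry + ";")
    lines.append("};")
    return "\n".join(lines) + "\n"


def broad_grants(policy_text):
    """List over-broad permission classes granted in an existing policy."""
    found = re.findall(r'^\s*permission\s+([\w.$]+)', policy_text, re.MULTILINE)
    return [cls for cls in found if cls in TOO_BROAD]


# First line is the exception from the question; the others are constructed.
SAMPLE_LOG = """\
java.security.AccessControlException: access denied (java.net.SocketPermission 172.16.1.22:8080 connect,resolve)
java.security.AccessControlException: access denied (java.net.SocketPermission 172.16.1.22:8080 connect,resolve)
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "user.home" "read")
"""

# The policy from the reply, with its grant block closed.
REPLY_POLICY = """\
keystore "/home/ray/raystore";
grant SignedBy "susan" {
    permission java.security.AllPermission;
};
"""

if __name__ == "__main__":
    print("over-broad grants in the posted policy:", broad_grants(REPLY_POLICY))
    print(render_policy(parse_denials(SAMPLE_LOG), "susan", "/home/ray/raystore"))
```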

  • Problem with cfhttp in a loop

    Hi,
    I am reading an xml file that contains emails with attachments (one email per item/node, but may contain multiple attachments).  I am trying to save the attachments to our server.  So I'm looping over the multiple attachments of a single email and using cfhttp to GET the attachments from another server and save them with the same filename on our server.
    The problem is that it works for the first attachment - it's saved to the server, status code is 200 OK - awesome!  But for any attachments after that, it does not save them and throws a Connection Failure error.  No matter what attachments they are.
    In troubleshooting I tried several things.  First, inside of my loop of attachments, I can hardcode the cfhttp calls with the url and filename of the attachments - one right after the other - and all is perfect every time!!  But it obviously needs to be dynamic.  I also tried to save a list of the attachment urls from the loop, and then call a separate cfhttp tag for each attachment in the list (so again, was in a loop) and it works for the first attachment in the list and not for the others (same errors as above).
    Here's a simplified version of the code.  I can't put in the real xml url, and when I set the "attachmentFilename" I left out that code because it works and is too much code.  Also, the XML works fine.  Please let me know if you have any suggestions, and of course, if you need more info from me!!
    Thanks so much,
    Kirsten
    <cfoutput>
    <cfhttp url="https://www.myxml.com/example.xml" method="get" resolveurl="no" />
    <cfset myXML = trim(cfhttp.FileContent)>
    <cfset myXML = xmlParse(myXML)>
    <cfset theRoot = myXML.XmlRoot>
    <cfset numChildren = arrayLen(theRoot.XMLChildren[1].XmlChildren)>
    <cfloop index="i" from="6" to="#numChildren#">
        <cfset attachments = theRoot.XMLChildren[1].XMLChildren[i]["attachments"].XmlText>
        <cfif ListLen(attachments, "|^|") gt 2>
            <cfset loop_unid = theRoot.XMLChildren[1].XMLChildren[i]["unid"].XmlText>
            <cfset counter = 0>
            <cfset attachmentArray = ListToArray(attachments, "|^|")>
            <cfloop from="1" to="#ArrayLen(attachmentArray)#" index="k">
                <cfset counter = counter + 1>
                <cfset attachmentURL = attachmentArray[k]>
                <cfset attachmentFilename = Replace(attachmentArray[k],"strip the url from the filename in the url","")>
                <cfhttp url="#attachmentURL#" method="get" resolveurl="no" timeout="120" path="D:\my_servers_path\attachmentFolder\" file="#attachmentFilename#">
                attachment counter: #counter#<BR />
                cfhttp.statusCode: #cfhttp.statusCode#<BR />
                cfhttp.errorDetail: #cfhttp.errorDetail#<BR />
            </cfloop>
        </cfif>
    </cfloop>
    </cfoutput>
    Output Results:
    attachment counter: 1
    cfhttp.statusCode: 200 OK
    cfhttp.errorDetail:
    attachment counter: 2
    cfhttp.statusCode: Connection Failure.  Status code unavailable.
    cfhttp.errorDetail: I/O Exception: peer not authenticated
    attachment counter: 3
    cfhttp.statusCode: Connection Failure.  Status code unavailable.
    cfhttp.errorDetail: I/O Exception: peer not authenticated

    We've seen the peer not authenticated error quite a bit on our CFHTTP calls - are you trying to access the URLs via HTTPS?  It seems the SSL certificate keystore that CF ships with does not contain all the vendor SSL certificates out there - when CF can't authenticate a cert, it throws that "Connection Failure / Peer not authenticated Error".  In order to fix the issue, you have to import the SSL certificate of the site you are trying to access into the CF cert store on your server(s).  If you are using multiple servers, you will have to import the cert on each server.
    I'm sure a google search will turn up a step by step guide on how to do this, but the basic steps are:
    1. Go to a page on the SSL server.
    2. Double-click the lock icon.
    3. Click the Details tab.
    4. Click Copy To File.
    5. Select the base64 option and save the file.
    6. Copy the CER file into ColdfusionDir\runtime\jre\lib\security
    7. Run the following command from the same directory (keytool.exe is located in ColdfusionDir\runtime\jre\bin):
       ..\..\bin\keytool.exe -import -keystore cacerts -alias UniqueName -file filename.cer
    8. Restart Coldfusion
    Hope that helps!
    - Michael
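
The import step from the reply above, followed by a check that the certificate really landed in the keystore being inspected, as an added example that is not part of the original reply. It is written for a POSIX shell against scratch keystores (the keytool flags are the same on Windows); the file names, password and the self-signed certificate standing in for the browser export are constructed.

```shell
#!/bin/sh
# Added example: import a server certificate into a Java trust store and
# confirm the import. All names below are constructed placeholders.
STOREPASS=changeit   # scratch-store password used throughout this example

# Stand-in for "Copy To File": create a throwaway self-signed certificate
# and export it as base64 (PEM), like the browser export in the steps.
make_sample_cert() {   # $1 = work dir
    keytool -genkeypair -alias sample -keyalg RSA -keysize 2048 \
        -dname "CN=attachments.example.test" -validity 90 \
        -storetype PKCS12 -keystore "$1/server.p12" -storepass "$STOREPASS" \
        >/dev/null 2>&1 &&
    keytool -exportcert -rfc -alias sample -file "$1/site.cer" \
        -keystore "$1/server.p12" -storepass "$STOREPASS" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate file, as keytool prints it.
cert_fingerprint() {   # $1 = .cer file
    keytool -printcert -file "$1" | sed -n 's/.*SHA256: *//p' | head -n 1
}

# Import as a trusted entry. -noprompt skips the "Trust this certificate?"
# question, so compare cert_fingerprint with the value the site shows first.
import_trusted() {   # $1 = keystore, $2 = alias, $3 = .cer file
    keytool -importcert -noprompt -trustcacerts -alias "$2" -file "$3" \
        -keystore "$1" -storepass "$STOREPASS" >/dev/null 2>&1
}

# Succeeds only if the alias exists in THIS keystore and holds this exact
# certificate; a missing keystore or a different JRE's cacerts fails.
is_trusted() {   # $1 = keystore, $2 = alias, $3 = .cer file
    want=$(cert_fingerprint "$3")
    [ -n "$want" ] &&
    keytool -list -v -alias "$2" -keystore "$1" -storepass "$STOREPASS" \
        2>/dev/null | grep -q "SHA256: *$want"
}
```

Running `is_trusted` against the cacerts file of the JRE the application server actually starts with, on every server, catches the common case where the import went into a different JRE's keystore.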

  • Robohelp decompile problem

    Greetings:
    I haven't been on the forum for a while, but I have a real problem. I inadvertently deleted some components of my original Robohelp data directory, so I followed the (excellent) instructions posted here regarding the use of the Keytools.exe pgm to decompile the chm file. This has worked for me in the past.
    Today, however, I find that, although the decompile works fine, the next steps fail -
    Open Robohelp HTML from the selection of pgms within Robohelp X5.
    Select New Project
    Click the Import tab
    Select MS-HTML Help project; OK
    Select the HHP file that keytools created; Open it.
    When I attempt to open the Helpfile.hhp file, a msg appears - 'unable to create database - check that the directory is not read-only'
    The file folder is indeed marked 'read-only', but every time I uncheck it, the change is 'ignored'.
    I have never seen an instance in Windows XP where this happened before.
    Needless to say, I can't successfully recreate my Robohelp data files, at this point.
    Has anyone else seen this?
    thanx for your help!
    Robert Gross
    Budgetext Inc.
    Technical Documentation and Training

    Peter: Thanks for the excellent reference material - each method seems to successfully retrieve the data topics, but unfortunately I get the same error msg upon opening the HHP file: 'unable to create database - check that the directory is not read-only'
    I have searched the forum, and one possible answer seemed to be, 'reinstall Robohelp', but I don't have access to the original install disks, so I really wanted to avoid that if possible.
    Any other suggestions would be appreciated.
    In the meantime, I will continue looking for those install disks....
    Robere 144

  • Using keytool to generate self signed cert. for Microsoft Certificate Mgr.

    Hi All,
    I want to be able to generate a self signed certificate that I can Import into Microsoft's Certificate Manager, to enable an HTTPS Listener for Microsoft's WinRM and WinRS.
    The certificate would only be for internal use, not used externally.
    Here's the problem. I can create a certificate using this (path obscured):
    "C:\Program Files\.....\jre\bin\keytool" -genkey -alias dMobX -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -dname "CN=your-f5c5780353" -keypass changeit -validity 90 -storetype pkcs12 -keystore "C:\Program Files\......\jre\lib\keystore\.keystore" -storepass changeit
    "C:\Program Files\......\jre\bin\keytool" -export -alias dMobX -file "C:\Program Files\......\jre\lib\keystore\dMobX.cer" -storetype pkcs12 -keystore "C:\Program Files\.......\jre\lib\keystore\.keystore" -storepass changeit -v
    Microsoft's Certificate Manager will accept it, the .cer, using "Import", into Trusted Root Certification Authorities, but when I run the command to create the HTTPS Listener, I get this error message:
    The WS-Management service cannot find the certificate that was requested.
    If I use another tool, like selfssl, I can generate a self signed certificate using:
    selfssl /N:CN=your-f5c5780353 /K:1024 /V:90 /P:443 /T
    This will populate a certificate in Trusted Root Certification Authorities, and when I run the command to create the HTTPS Listener, it succeeds with no problem.
    So my question is, am I doing something wrong with keytool, or are there extra steps that I need to take, or is it even capable of generating a "self signed certificate" that will work in the above case?
    There are some concepts involved, certificate wise, that I'm not sure about. Do I need to create a CSR and use a tool like openssl, as a CA, and use the resulting certificate?
    I just want to be able to programmatically create the needed certificate using keytool, or using an API.
    Thanks,

    Download the latest JDK on http://download.java.net/jdk7/binaries/.
    Run "keytool -genkeypair -ext KU=? -ext EKU=? ...". Substitute the "?" with the usages you see in the other cert (for example, "digitalSignature" or "codeSigning". If there are multiple ones, separate with comma).
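
The `-ext KU=... -ext EKU=...` form suggested in the reply above, carried through to a check that the exported certificate really contains the requested usages, as an added example that is not part of the original reply. The usage values (`digitalSignature,keyEncipherment` and `serverAuth`), the SAN entry, host name and file names are assumptions chosen for illustration; substitute the usages shown in the certificate that works.

```shell
#!/bin/sh
# Added example: self-signed key pair with explicit usage extensions.
# Assumed values (not from the thread): KU/EKU choices, SAN, file names.
STOREPASS=changeit

# Generate the key pair into a PKCS12 store and export the certificate.
# $1 = work dir, $2 = host name for CN/SAN, $3 = KU list, $4 = EKU list
gen_with_usages() {
    keytool -genkeypair -alias listener -keyalg RSA -keysize 2048 \
        -dname "CN=$2" -validity 90 \
        -ext "KU=$3" -ext "EKU=$4" -ext "SAN=dns:$2" \
        -storetype PKCS12 -keystore "$1/listener.p12" \
        -storepass "$STOREPASS" >/dev/null 2>&1 &&
    keytool -exportcert -alias listener -file "$1/listener.cer" \
        -keystore "$1/listener.p12" -storepass "$STOREPASS" >/dev/null 2>&1
}

# Print the usage names inside the certificate's ExtendedKeyUsages block,
# one per line, as reported by keytool -printcert.
list_eku() {   # $1 = .cer file
    keytool -printcert -file "$1" |
        awk '/^ExtendedKeyUsages/ {on=1; next} on && /^\]/ {on=0} on {print $1}'
}

# Succeeds if the certificate lists exactly this extended key usage name.
has_eku() {   # $1 = .cer file, $2 = usage name, e.g. serverAuth
    list_eku "$1" | grep -qx "$2"
}
```

The exported `listener.cer` carries only the public certificate; the private key stays in `listener.p12`.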
