15.2.2. Configure a client to accept a self-signed server certificate

To make remote method invocations over SSL, a client needs to trust the certificate of the server. The certificate we generated is self-signed and does not have a chain of trust to a known certificate authority. With a self-signed certificate the client must be explicitly configured to trust the certificate; otherwise the connection fails. To configure a client to trust a self-signed certificate, import the self-signed server certificate to a trust store on the client.
A trust store is a key store that contains trusted certificates. Certificates that are in the local trust store are accepted as valid. If your server uses a self-signed certificate then any client that makes remote method calls over SSL requires that certificate in its trust store. Export your public key as a certificate, and then import that certificate to the trust store on those clients.
The certificate created in Section, “Export a self-signed certificate” must be copied to the client in order to perform the steps detailed in Procedure 15.3, “Import the certificate to the trust store "localhost.truststore"” .

Procedure 15.3. Import the certificate to the trust store "localhost.truststore"

This procedure imports a certificate that was previously exported on a server to the trust store on a client.
  1. Issue the following command on the client:
    keytool -import -alias ejb-ssl -file mycert.cer -keystore localhost.truststore
  2. Enter the password for this trust store if it already exists; otherwise enter and re-enter the password for a new trust store.
  3. Verify the details of the certificate. If it is the correct one, type 'yes' to import it to the trust store.

    The certificate is imported to the trust store, and a secure connection can now be established with a server that uses this certificate.

As with the key store, if the trust store specified does not already exist, it is created. However, in contrast with the key store, there is no default trust store and the command fails if one is not specified.
Configure Client to use localhost.truststore

Now that you have imported the self-signed server certificate to a trust store on the client, you must instruct the client to use this trust store. Do this by passing the localhost.truststore location to the application using the javax.net.ssl.trustStore property, and the trust store password using the javax.net.ssl.trustStorePassword property. Example 15.1, “Invoking the com.acme.Runclient application with a specific trust store” is an example command that invokes the application com.acme.RunClient , a hypothetical application that makes remote method calls to an EJB on a JBoss Application Server. This command is run from the root of the application's package directory (the directory containing com directory in the file path com/acme/RunClient.class ).

Example 15.1. Invoking the com.acme.Runclient application with a specific trust store

java -cp $JBOSS_HOME/client/jbossall-client.jar:. -Djavax.net.ssl.trustStore=${resources}/localhost.truststore \
    -Djavax.net.ssl.trustStorePassword=TRUSTSTORE_PASSWORD com.acme.RunClient