Hitachi Vantara Pentaho Community Wiki
Child pages
  • Running Report Designer with Self-Signed Certificates

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

When using the keytool without an explicit location for the keystore-file, this file will be created as "$home/.keystore"

Creating a Keystore to Use with JSSE

Creating a Simple Keystore and Truststore

In this section, we'll use keytool to create a simple JKS keystore suitable for use with JSSE. We'll make a keyEntry(with public/private keys) in the keystore, then make a corresponding trustedCertEntry(public keys only) in a truststore. (For client authentication, you'll need to do a similar process for the client's certificates.) Note: Storing trust anchors in PKCS12 is not supported. Users should use JKS for storing trust anchors and PKCS12 for private keys. Note: It is beyond the scope of this example to explain each step in detail. If you need more information, please see the keytool documentation for Solaris or Microsoft Windows. User input is shown in boldface font.

...

  1. Examine the keystore. Notice the entry type is keyEntrywhich keyEntry, which means that this entry has a private key associated with it (shown in red).
    Code Block
    % keytool -list -v -keystore keystore
    Enter keystore password:  password
    
    Keystore type: jks
    Keystore provider: SUN
    
    Your keystore contains 1 entry
    
    Alias name: duke
    Creation date: Dec 20, 2001
    Entry type: keyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=Duke, OU=Java Software, O="Sun Microsystems, Inc.",
    L=Palo Alto, ST=CA, C=US
    Issuer: CN=Duke, OU=Java Software, O="Sun Microsystems, Inc.", L=Palo Alto, ST=CA, C=US
    Serial number: 3c22adc1
    Valid from: Thu Dec 20 19:34:25 PST 2001 until: Thu Dec 27 19:34:25 PST 2001
    Certificate fingerprints:
    MD5: F1:5B:9B:A1:F7:16:CF:25:CF:F4:FF:35:3F:4C:9C:F0
    SHA1: B2:00:50:DD:B6:CC:35:66:21:45:0F:96:AA:AF:6A:3D:E4:03:7C:74
    
  2. Export and examine the self-signed certificate.
    Code Block
    % keytool -export -alias duke -keystore keystore -rfc -file duke.cer
    Enter keystore password:  password
    Certificate stored in file <duke.cer>
    
    % cat duke.cer
    -----BEGIN CERTIFICATE-----
    MIICXjCCAccCBDwircEwDQYJKoZIhvcNAQEEBQAwdjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNB
    MRIwEAYDVQQHEwlQYWxvIEFsdG8xHzAdBgNVBAoTFlN1biBNaWNyb3N5c3RlbXMsIEluYy4xFjAU
    BgNVBAsTDUphdmEgU29mdHdhcmUxDTALBgNVBAMTBER1a2UwHhcNMDExMjIxMDMzNDI1WhcNMDEx
    MjI4MDMzNDI1WjB2MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVBhbG8gQWx0
    bzEfMB0GA1UEChMWU3VuIE1pY3Jvc3lzdGVtcywgSW5jLjEWMBQGA1UECxMNSmF2YSBTb2Z0d2Fy
    ZTENMAsGA1UEAxMERHVrZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1loObJzNXsi5aSr8
    N4XzDksD6GjTHFeqG9DUFXKEOQetfYXvA8F9uWtz8WInrqskLTNzwXgmNeWkoM7mrPpK6Rf5M3G1
    NXtYzvxyi473Gh1h9k7tjJvqSVKO7E1oFkQYeUPYifxmjbSMVirWZgvo2UmA1c76oNK+NhoHJ4qj
    eCUCAwEAATANBgkqhkiG9w0BAQQFAAOBgQCRPoQYw9rWWvfLPQuPXowvFmuebsTc28qI7iFWm6BJ
    TT/qdmzti7B5MHOt9BeVEft3mMeBU0CS2guaBjDpGlf+zsK/UUi1w9C4mnwGDZzqY/NKKWtLxabZ
    5M+4MAKLZ92ePPKGpobM2CPLfM8ap4IgAzCbBKd8+CMp8yFmifze9Q==
    -----END CERTIFICATE-----
    
  3. Code Block
    Alternatively, you could generate Certificate Signing Request (CSR) with -certreq and send that to a Certificate Authority (CA) for signing, but again, that's beyond the scope of this example.

...

Now run your applications with the appropriate key stores. This generic example assumes the default X509KeyManager and X509TrustManagerare used, thus we will select the keystores using the system properties described in Customization.

Code Block
% java -Djavax.net.ssl.keyStore=keystore -Djavax.net.ssl.keyStorePassword=password Server

% java -Djavax.net.ssl.trustStore=truststore -Djavax.net.ssl.trustStorePassword=trustword Client

Edit your "start-report-designer.bat" file to read

Code Block

@echo off
@REM
@REM WARNING: Pentaho Report Designer needs JDK 1.6 or newer to run.
@REM
setlocal
cd /D %~dp0
set PENTAHO_JAVA=javaw
call "%~dp0set-pentaho-env.bat"

start "Pentaho Report Designer" "%_PENTAHO_JAVA%" -XX:MaxPermSize=256m -Xmx512M -Djavax.net.ssl.trustStore=truststore -Djavax.net.ssl.trustStorePassword=trustword -jar "%~dp0launcher.jar" %*

If you are using Linux, edit your "start-report-designer.sh" file to read

Code Block

#!/bin/sh

#
#  WARNING: Pentaho Report Designer needs JDK 1.6 or newer to run.
#

DIR_REL=`dirname $0`
cd $DIR_REL
DIR=`pwd`
cd -

. "$DIR/set-pentaho-env.sh"
setPentahoEnv

"$_PENTAHO_JAVA" -XX:MaxPermSize=512m -Djavax.net.ssl.trustStore=truststore -Djavax.net.ssl.trustStorePassword=trustword -jar "$DIR/launcher.jar" $@

Source:
http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#CreateKeystore