Sample 3: Setting up a JDBC Client and InterBase Server for Verifying the Client


These instructions are needed only if you want the server to verify your JDBC client connection. Use the Sun-provided keytool.

You can use "keytool -genkey" to generate a new self-signed private key and public key pair. The password you set here is the one to use when making a connection via JDBC (clientPassPhrase).

Examples:

[C:/ib_svn_build/certificates] keytool -genkey -keystore smclient.jks
Enter keystore password:  client
What is your first and last name?
  [Unknown]:  Shaunak Mistry
What is the name of your organizational unit?
  [Unknown]:  InterBase
What is the name of your organization?
  [Unknown]:  Embarcadero
What is the name of your City or Locality?
  [Unknown]:  Scotts Valley
What is the name of your State or Province?
  [Unknown]:  CA
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=Shaunak Mistry, OU=InterBase, O=Embarcadero, L=Scotts Valley, ST=CA, C=US
correct?
  [no]:  yes

Enter key password for <mykey>
  (RETURN if same as keystore password):

This command created a new keystore called smclient.jks. It contains your private and public keys and a self-signed certificate.

If you follow this example, append the following values to your JDBC connection URL to make a JDBC connection using client-side verification.

?clientPrivateFile=c:/smistry/smclient.jks?clientPassPhrase=client

Next, use keytool -export -rfc to export your public key. This public key must be added to the server, and the server must point to it through the IBSSL_SERVER_CAFILE option in the ibss_config file.

[C:/ib_svn_build/certificates] keytool -export -rfc -keystore smclient.jks

Enter keystore password: client

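The command above prints the certificate to the console in PEM format. To write it to a file instead, use the command: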

[C:/ib_svn_build/certificates] keytool -export -rfc -keystore smclient.jks -file mycert.pem

Enter keystore password: client

Certificate stored in file <mycert.pem>

Now the file mycert.pem contains your public certificate. Move it to the server and make sure it is included in the file pointed to by IBSSL_SERVER_CAFILE.
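One way to confirm that last step, as an added example that is not part of the InterBase documentation: the Python check below compares the certificate exported to mycert.pem with every certificate block in the CA file, ignoring line-wrap and CRLF differences introduced when the file is copied between machines. The function names are hypothetical and the sample PEM data is constructed from placeholder bytes, not real certificates.

```python
import base64
import re

# Matches one PEM certificate block; tolerant of CRLF and odd line wrapping.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def pem_certs(text):
    """Return the decoded (DER) bytes of every certificate block in PEM text."""
    certs = []
    for body in PEM_RE.findall(text):
        b64 = "".join(body.split())      # drop newlines, CRs and spaces
        certs.append(base64.b64decode(b64, validate=True))
    return certs

def client_cert_trusted(client_pem, cafile_pem):
    """True if every certificate in client_pem also appears in cafile_pem."""
    wanted = pem_certs(client_pem)
    if not wanted:
        raise ValueError("no certificate block found in client PEM")
    trusted = set(pem_certs(cafile_pem))
    return all(der in trusted for der in wanted)

def _pem(der, width=64, eol="\n"):
    """Build a PEM block from bytes (used only for the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return eol.join(["-----BEGIN CERTIFICATE-----", *lines,
                     "-----END CERTIFICATE-----"]) + eol

# Constructed sample data: placeholder bytes standing in for certificates.
CLIENT_DER = b"constructed-client-cert-" * 8
OTHER_DER = b"constructed-other-cert-" * 8
MYCERT_PEM = _pem(CLIENT_DER)            # stands in for mycert.pem
# CA file holding another certificate plus the client one, re-wrapped with CRLF.
CAFILE_OK = _pem(OTHER_DER) + _pem(CLIENT_DER, width=76, eol="\r\n")
CAFILE_MISSING = _pem(OTHER_DER)         # client certificate never appended

if __name__ == "__main__":
    print(client_cert_trusted(MYCERT_PEM, CAFILE_OK))
    print(client_cert_trusted(MYCERT_PEM, CAFILE_MISSING))
```

In real use, pass the contents of mycert.pem and of the file named by IBSSL_SERVER_CAFILE in place of the constructed strings.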

If you want to get your private key validated by a certification authority, the client needs to use the "keytool -certreq" command to generate a certificate signing request for a certificate signing authority. Once this request is validated, add the certificate reply to your keystore via a "keytool -import" command. Then use a "keytool -export" command to get the certificate that authenticates your public key. Move this exported certificate to the InterBase server, so the InterBase server can "trust" and verify the client private key.
