jConnect has built-in support for connecting to SAP ASE over SSL sockets. To establish an SSL client connection, use either the ENABLE_SSL or the SSL_TRUST_ALL_CERTS property.
Using the ENABLE_SSL Property
Setting the ENABLE_SSL property to TRUE makes jConnect use the default JDBC Secure Sockets Layer (SSL) implementation provided under the com.sybase.jdbc.jdbc4.SybaseSSLSocketFactory.java jConnect extension interface.
Before you can set the ENABLE_SSL property to true, the Java Virtual Machine key store on the client must contain an authorized certificate for the client JVM.
To add an authorized certificate to the JVM key store, follow these steps:
- Copy the trusted roots certificate files to the client.
The trusted roots certificate file contains the certificates of other servers that the local server treats as trusted once they have been added to the system. Share the certificate file (servername.txt) with the client by copying it to a location the client can read. The trusted roots certificate files are located here:
Linux: $SYBASE/$SYBASE_ASE/certificates/servername.txt
Windows: %SYBASE%\%SYBASE_ASE%\certificates\servername.txt
Use either the command-line method (the Java keytool utility) or the programmatic method to import the roots certificate into the JVM key store. See "Importing the Roots Certificate".
- Once you have imported the root certificate into the JVM key store, enable SSL session-based security on the client by setting ENABLE_SSL to true. For example:
ENABLE_SSL=TRUE
Importing the Roots Certificate
Using the Command Prompt
a) Execute the command:
%JAVA_HOME%\jre\bin\keytool -import -trustcacerts -file <absolute path of servername.txt> -alias root -keystore %JAVA_HOME%\jre\lib\security\cacerts
b) Enter the keystore password. The default password is changeit.
c) When prompted for confirmation to trust the certificate, enter Yes to complete the operation.
Using the Programmatic Method
Use the following function to import the roots certificate into the JVM trust store programmatically (shown here with the imports it needs and with the streams closed by try-with-resources so the key store file is not left open on failure):
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;

public class RootCertificateImporter
{
    private static final String CACERTS_PATH = "/lib/security/cacerts";
    private static final File CACERTS_FILE = new File(System.getProperty("java.home") + CACERTS_PATH);
    private static final String CACERTS_PASSWORD = "changeit";
    private static final String CERTIFICATE_ALIAS = "root";

    // certificateFileLocation: absolute path of servername.txt
    private void loadCertificate(String certificateFileLocation)
        throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException
    {
        System.out.println("\tJava CACerts path: " + CACERTS_FILE.getAbsolutePath());
        // load the cacerts keystore
        final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream cacertsInputStream = new FileInputStream(CACERTS_FILE))
        {
            keyStore.load(cacertsInputStream, CACERTS_PASSWORD.toCharArray());
        }
        System.out.println("\tCA Certificate loaded");
        // load the roots certificate from servername.txt
        final CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
        final Certificate certificate;
        try (FileInputStream certInputStream = new FileInputStream(new File(certificateFileLocation)))
        {
            certificate = certFactory.generateCertificate(certInputStream);
        }
        System.out.println("\tCertificate generated");
        // check whether cacerts already contains the certificate
        if (keyStore.getCertificateAlias(certificate) == null)
        {
            // cacerts does not contain the certificate: add it
            keyStore.setCertificateEntry(CERTIFICATE_ALIAS, certificate);
            // write the updated cacerts keystore back to disk
            try (FileOutputStream cacertsOutputStream = new FileOutputStream(CACERTS_FILE))
            {
                keyStore.store(cacertsOutputStream, CACERTS_PASSWORD.toCharArray());
            }
            System.out.println("\tCertificate added in cacerts");
        }
        else
        {
            System.out.println("\tCertificate already present in KeyStore");
        }
    }

    public static void main(String[] args) throws Exception
    {
        new RootCertificateImporter().loadCertificate(args[0]);
    }
}
Using the SSL_TRUST_ALL_CERTS Property
Setting the SSL_TRUST_ALL_CERTS property to true makes jConnect trust any server certificate, whether or not it appears in the client's trust list or in a trust list the client specifies. With SSL_TRUST_ALL_CERTS set to TRUE, you need not provide trust store information. Because no certificate is checked against a trust store, this setting encrypts the session but does not authenticate the server; ENABLE_SSL with an imported roots certificate is the setting that does both.
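As an added example (not code from the jConnect documentation or the driver), the following Java program connects with ENABLE_SSL rather than SSL_TRUST_ALL_CERTS and first confirms that the server's roots certificate is actually present in the JVM key store, so that a missing import fails closed instead of inviting a trust-all fallback. The host, port, class name SslPreflightConnect and the command-line arguments are assumptions; the JDBC URL form jdbc:sybase:Tds:host:port, the cacerts path and the default password changeit are as documented above.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

public class SslPreflightConnect {
    // Hypothetical server; only the URL form jdbc:sybase:Tds:host:port is jConnect's own.
    private static final String URL = "jdbc:sybase:Tds:ase-host.example.com:5000";

    // Returns true when the JVM key store already holds the server's roots certificate.
    static boolean trustStoreContains(String trustStorePath, char[] password, String certPath)
            throws IOException, GeneralSecurityException {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            keyStore.load(in, password);
        }
        Certificate serverRoot;
        try (FileInputStream in = new FileInputStream(certPath)) {
            serverRoot = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        return keyStore.getCertificateAlias(serverRoot) != null;
    }

    // Connection properties: ENABLE_SSL only, so the server certificate is checked against cacerts.
    static Properties sslProperties(String user, String password) {
        Properties props = new Properties();
        props.put("user", user);
        props.put("password", password);
        props.put("ENABLE_SSL", "true");
        // SSL_TRUST_ALL_CERTS is deliberately absent: it would accept any certificate unchecked.
        return props;
    }

    // args: <absolute path of servername.txt> <user> <password>
    public static void main(String[] args) throws Exception {
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        if (!trustStoreContains(cacerts, "changeit".toCharArray(), args[0])) {
            throw new IllegalStateException("roots certificate not in cacerts; refusing to connect");
        }
        try (Connection conn = DriverManager.getConnection(URL, sslProperties(args[1], args[2]))) {
            System.out.println("Connected over SSL to " + conn.getMetaData().getDatabaseProductName());
        }
    }
}
```

The jConnect driver JAR must be on the class path; with JDBC 4 the driver registers itself, so no Class.forName call is needed.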