The previous three topics covered the first two setup steps described in
, creating client certificates and creating a server
certificate, then importing the certificates. This topic describes the remaining
two steps, server startup and client startup.
Every time that we bring up the server, we must remember to turn on network
encryption. We must set four VM properties that declare the locations
and passwords for the server's key store and trust store:
- javax.net.ssl.keyStore
- javax.net.ssl.keyStorePassword
- javax.net.ssl.trustStore
- javax.net.ssl.trustStorePassword
In addition, we specify the -ssl peerAuthentication startup
option. The command to start the server, therefore, looks something like
this:
java -Djavax.net.ssl.keyStore=/Users/me/vault/ServerKeyStore \
-Djavax.net.ssl.keyStorePassword=secretServerPassword \
-Djavax.net.ssl.trustStore=/Users/me/vault/ServerTrustStore \
-Djavax.net.ssl.trustStorePassword=secretServerTrustStorePassword \
org.apache.derby.drda.NetworkServerControl start -p 8246 \
-ssl peerAuthentication
The -p 8246 option starts the server on a nondefault port
(rather than the default port of 1527).
The final step is to bring up a client. As with server startup, we must tell
the VM the locations and passwords of the local key store and trust store. This
example is a simple ij script. Notice the extra
ssl attribute on the connection URL. That attribute tells the
client to authenticate the server's identity using a certificate, and it tells
the client that the network traffic must be encrypted:
java -Djavax.net.ssl.trustStore=/Users/me/vault/ClientTrustStore \
-Djavax.net.ssl.trustStorePassword=secretClientTrustStorePassword \
-Djavax.net.ssl.keyStore=/Users/me/vault/ClientKeyStore \
-Djavax.net.ssl.keyStorePassword=secretClientPassword \
org.apache.derby.tools.ij
ij version 10.11
ij> connect 'jdbc:derby://localhost:8246/testdb;create=true;ssl=peerAuthentication';
ij> select schemaName, authorizationID from sys.sysschemas;
You will get errors from ij if you do not specify the extra
VM properties and/or if you do not specify the ssl attribute on
the connection URL. Here, for instance, is the output from running
ij without the VM properties and ssl
attribute:
java org.apache.derby.tools.ij
ij version 10.11
ij> connect 'jdbc:derby://localhost:8246/testdb;create=true';
ERROR 08006: A network protocol error was encountered and the connection has been
terminated: A PROTOCOL Data Stream Syntax Error was detected. Reason: 0x3.
Plaintext connection attempt to an SSL enabled server?
When you want to administer the server (for instance, to bring it down), you
will need to specify the locations and passwords of a valid key store and trust
store as well as the extra ssl option on the server command
line:
java -Djavax.net.ssl.trustStore=/Users/me/vault/ClientTrustStore \
-Djavax.net.ssl.trustStorePassword=secretClientTrustStorePassword \
-Djavax.net.ssl.keyStore=/Users/me/vault/ClientKeyStore \
-Djavax.net.ssl.keyStorePassword=secretClientPassword \
org.apache.derby.drda.NetworkServerControl shutdown -p 8246 \
-ssl peerAuthentication
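The commands above put the key store and trust store passwords directly into -D options, where any local user can read them from the process list with ps. The following wrapper script is an added example, not part of the Derby documentation, that performs the same server startup (and, with a different argument file, the same shutdown or ij launch) while keeping the four javax.net.ssl.* properties in a private launcher argument file read with the JDK's @argfile syntax. It assumes a JDK 9 or later launcher, the Derby jars already on CLASSPATH, a directory $HOME/vault (overridable with DERBY_VAULT) holding ServerKeyStore, ServerTrustStore and a two-line secrets file, and port 8246 as in the text; all of those names are placeholders.

```shell
#!/bin/sh
# Added example (not from the Derby docs): start the Derby network server with
# network encryption on, without exposing key store passwords on the command line.
# Assumes JDK 9+ (java @argfile support), Derby jars on CLASSPATH, and that the
# store and secrets files live in $DERBY_VAULT (default $HOME/vault).
set -eu

# Fail unless the file exists and is not readable by group or other,
# so a world-readable key store or secrets file is caught before startup.
check_private_file() {
  f=$1
  [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
  case "$(ls -l "$f" | cut -c5-10)" in
    ------) return 0 ;;
    *) echo "refusing to use $f: readable by group/other" >&2; return 1 ;;
  esac
}

# Write the four VM properties into a mode-0600 launcher argument file.
# ps then shows only "@argfile", not the passwords. Values must not contain
# whitespace (the launcher splits argfile contents on it).
# Usage: write_ssl_argfile ARGFILE KEYSTORE KEYSTORE_PW TRUSTSTORE TRUSTSTORE_PW
write_ssl_argfile() {
  argfile=$1
  ( umask 077
    printf '%s\n' \
      "-Djavax.net.ssl.keyStore=$2" \
      "-Djavax.net.ssl.keyStorePassword=$3" \
      "-Djavax.net.ssl.trustStore=$4" \
      "-Djavax.net.ssl.trustStorePassword=$5" > "$argfile" )
}

# Run a NetworkServerControl command (start, shutdown, ping) with the
# properties from ARGFILE and -ssl peerAuthentication, which both encrypts the
# traffic and requires the other side to present a trusted certificate.
# Usage: network_server ARGFILE PORT COMMAND
network_server() {
  java "@$1" org.apache.derby.drda.NetworkServerControl "$3" -p "$2" \
    -ssl peerAuthentication
}

# Start the server: verify the files, load the passwords, write the argfile.
# The secrets file holds the key store password on line 1 and the trust store
# password on line 2 (assumed layout).
main() {
  vault=${DERBY_VAULT:-$HOME/vault}
  secrets=$vault/server-passwords
  argfile=$vault/derby-ssl.args
  for f in "$vault/ServerKeyStore" "$vault/ServerTrustStore" "$secrets"; do
    check_private_file "$f"
  done
  { read -r ks_pw; read -r ts_pw; } < "$secrets"
  write_ssl_argfile "$argfile" "$vault/ServerKeyStore" "$ks_pw" \
    "$vault/ServerTrustStore" "$ts_pw"
  network_server "$argfile" "${DERBY_PORT:-8246}" start
}

# Only start the server when invoked as "./derby-ssl.sh start".
if [ $# -gt 0 ] && [ "$1" = start ]; then
  main
fi
```

For the shutdown command or the ij client, write a second argument file from the client key store and trust store and reuse it: `network_server client.args 8246 shutdown`, or `java @client.args org.apache.derby.tools.ij` followed by the same `ssl=peerAuthentication` connection URL shown above. The argument file only moves the passwords out of the process list; the file permissions check is what keeps them from other local users.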