RMI ssl certs

RMI ssl certs

Scott Gray
Hi All

I was wondering if anybody who knows how to do it, would mind updating
the ssl certs for the rmi server?  I've been staring at the files for
most of the day but I really have no idea about ssl, and what was going
to be a quick browse through rmi is turning into a long browse through
ssl.  Any help would be appreciated.

Thanks
Scott

Re: RMI ssl certs

BJ Freeman
There was a discussion the last few days in the user mailing list about RMI.
Brett Palmer gave some details.


Scott Gray sent the following on 7/8/2006 8:19 PM:

> Hi All
>
> I was wondering if anybody who knows how to do it, would mind updating
> the ssl certs for the rmi server?  I've been staring at the files for
> most of the day but I really have no idea about ssl, and what was going
> to be a quick browse through rmi is turning into a long browse through
> ssl.  Any help would be appreciated.
>
> Thanks
> Scott
>

Re: RMI ssl certs

Scott Gray
Hi BJ

I saw the thread when it came through, that's what made me want to take
a look at rmi.  The thread didn't seem to have anything to do with
expired certificates though, and that's what I was hoping someone who
knows how could do, replace the expired rmi server certificate.

I also saw Andrew's discussion with David and Andy on the old list from
a year or two ago, but that didn't help me much either.

Regards
Scott

BJ Freeman wrote:

> There was a discussion the last few days in the user mailing list about RMI.
> Brett Palmer gave some details.
>
>
> Scott Gray sent the following on 7/8/2006 8:19 PM:
>> Hi All
>>
>> I was wondering if anybody who knows how to do it, would mind
>> updating the ssl certs for the rmi server?  I've been staring at the
>> files for most of the day but i really have no idea about ssl, and
>> what was going to be a quick browse through rmi is turning into a
>> long browse through ssl.  Any help would be appreciated.
>>
>> Thanks
>> Scott
>>
>

Re: RMI ssl certs

BJ Freeman
At what level?
How to replace the JKS or how to create the JKS?
If you look in the base/config you will see all the jks files including
the rmi.


Scott Gray sent the following on 7/8/2006 8:54 PM:

> Hi BJ
>
> I saw the thread when it came through, that's what made me want to take
> a look at rmi.  The thread didn't seem to have anything to do with
> expired certificates though, and that's what I was hoping someone who
> knows how could do, replace the expired rmi server certificate.
> I also saw Andrew's discussion with David and Andy on the old list from
> a year or two ago, but that didn't help me much either.
>
> Regards
> Scott
>
> BJ Freeman wrote:
>> there was a discussion last few days in the user mailing list about RMI
>> Brett palmer gave some details.
>>
>>
>> Scott Gray sent the following on 7/8/2006 8:19 PM:
>>> Hi All
>>>
>>> I was wondering if anybody who knows how to do it, would mind
>>> updating the ssl certs for the rmi server?  I've been staring at the
>>> files for most of the day but i really have no idea about ssl, and
>>> what was going to be a quick browse through rmi is turning into a
>>> long browse through ssl.  Any help would be appreciated.
>>>
>>> Thanks
>>> Scott
>>>
>>
>

Re: RMI ssl certs

Brett
In reply to this post by Scott Gray
Scott,

I've generated my own certificates a handful of times and each time I
have to look up how to do it.  This is why I stopped using the SSL RMI
component because I got tired of copying the certificates around
whenever I got a new download of ofbiz.  Here are some basic
instructions on how to generate your own certificates:

http://ofbizwiki.go-integral.com/Wiki.jsp?page=ConfiguringSSL

and here are some good notes on the ofbiz RMI stuff:

http://ofbizwiki.go-integral.com/Wiki.jsp?page=RMIDispatcher


Hope that helps.


Brett

On 7/8/06, Scott Gray <[hidden email]> wrote:

> Hi All
>
> I was wondering if anybody who knows how to do it, would mind updating
> the ssl certs for the rmi server?  I've been staring at the files for
> most of the day but I really have no idea about ssl, and what was going
> to be a quick browse through rmi is turning into a long browse through
> ssl.  Any help would be appreciated.
>
> Thanks
> Scott
>

Re: RMI ssl certs

Scott Gray
In reply to this post by BJ Freeman
I'm trying to use the ExampleRemoteClient in
framework/service/src/org/ofbiz/service/rmi but the client won't connect
because the rmi server certificate has expired and I don't know how to
replace it.  I was hoping someone who knew how could replace it in the svn.

BJ Freeman wrote:

> At what level?
> How to replace the JKS or how to create the JKS?
> If you look in the base/config you will see all the jks files including
> the rmi.
>
>
> Scott Gray sent the following on 7/8/2006 8:54 PM:
>> Hi BJ
>>
>> I saw the thread when it came through, that's what made me want to
>> take a look at rmi.  The thread didn't seem to have anything to do
>> with expired certificates though, and that's what i was hoping
>> someone who knows how could do, replace the expired rmi server
>> certificate.
>> I also saw Andrew's discussion with David and Andy on the old list
>> from a year or two ago, but that didn't help me much either.
>>
>> Regards
>> Scott
>>
>> BJ Freeman wrote:
>>> there was a discussion last few days in the user mailing list about RMI
>>> Brett palmer gave some details.
>>>
>>>
>>> Scott Gray sent the following on 7/8/2006 8:19 PM:
>>>> Hi All
>>>>
>>>> I was wondering if anybody who knows how to do it, would mind
>>>> updating the ssl certs for the rmi server?  I've been staring at
>>>> the files for most of the day but i really have no idea about ssl,
>>>> and what was going to be a quick browse through rmi is turning into
>>>> a long browse through ssl.  Any help would be appreciated.
>>>>
>>>> Thanks
>>>> Scott
>>>>
>>>
>>
>

Re: RMI ssl certs

Scott Gray
In reply to this post by Brett
Thanks Brett, I'll give it a try

Brett Palmer wrote:

> Scott,
>
> I've generated my own certificates a handful of times and each time I
> have to look up how to do it.  This is why I stopped using the SSL RMI
> component because I got tired of copying the certificates around
> whenever I got a new download of ofbiz.  Here are some basic
> instructions on how to generate your own certificates:
>
> http://ofbizwiki.go-integral.com/Wiki.jsp?page=ConfiguringSSL
>
> and here are some good notes on the ofbiz RMI stuff:
>
> http://ofbizwiki.go-integral.com/Wiki.jsp?page=RMIDispatcher
>
>
> Hope that helps.
>
>
> Brett
>
> On 7/8/06, Scott Gray <[hidden email]> wrote:
>> Hi All
>>
>> I was wondering if anybody who knows how to do it, would mind updating
>> the ssl certs for the rmi server?  I've been staring at the files for
>> most of the day but i really have no idea about ssl, and what was going
>> to be a quick browse through rmi is turning into a long browse through
>> ssl.  Any help would be appreciated.
>>
>> Thanks
>> Scott
>>
>

Re: RMI ssl certs

Brett
In reply to this post by Scott Gray
Scott,

If you want to test out the RMI client try using it without SSL.  Here
are my notes on how to get this to work.

http://ofbizwiki.go-integral.com/Wiki.jsp?page=UsingNonSSLRMI


Brett

On 7/8/06, Scott Gray <[hidden email]> wrote:

> I'm trying to use the ExampleRemoteClient in
> framework/service/src/org/ofbiz/service/rmi but the client won't connect
> because the rmi server certificate has expired and I don't know how to
> replace it.  I was hoping someone who knew how could replace it in the svn.
>
> BJ Freeman wrote:
> > at what level.
> > how to replace the JKS or how to create the JKS
> > if you look in the base/config you will see all the jks file including
> > the rmi.
> >
> >
> > Scott Gray sent the following on 7/8/2006 8:54 PM:
> >> Hi BJ
> >>
> >> I saw the thread when it came through, that's what made me want to
> >> take a look at rmi.  The thread didn't seem to have anything to do
> >> with expired certificates though, and that's what i was hoping
> >> someone who knows how could do, replace the expired rmi server
> >> certificate.
> >> I also saw Andrew's discussion with David and Andy on the old list
> >> from a year or two ago, but that didn't help me much either.
> >>
> >> Regards
> >> Scott
> >>
> >> BJ Freeman wrote:
> >>> there was a discussion last few days in the user mailing list about RMI
> >>> Brett palmer gave some details.
> >>>
> >>>
> >>> Scott Gray sent the following on 7/8/2006 8:19 PM:
> >>>> Hi All
> >>>>
> >>>> I was wondering if anybody who knows how to do it, would mind
> >>>> updating the ssl certs for the rmi server?  I've been staring at
> >>>> the files for most of the day but i really have no idea about ssl,
> >>>> and what was going to be a quick browse through rmi is turning into
> >>>> a long browse through ssl.  Any help would be appreciated.
> >>>>
> >>>> Thanks
> >>>> Scott
> >>>>
> >>>
> >>
> >
>

Re: RMI ssl certs

Scott Gray
lol, I looked through the wiki but obviously I didn't look hard enough.  
This will do perfectly!  I've already learnt far more about ssl today
than I care to know.

Thanks
Scott

Brett Palmer wrote:

> Scott,
>
> If you want to test out the RMI client try using it without SSL.  Here
> are my notes on how to get this to work.
>
> http://ofbizwiki.go-integral.com/Wiki.jsp?page=UsingNonSSLRMI
>
>
> Brett
>
> On 7/8/06, Scott Gray <[hidden email]> wrote:
>> I'm trying to use the ExampleRemoteClient in
>> framework/service/src/org/ofbiz/service/rmi but the client won't connect
>> because the rmi server certificate has expired and I don't know how to
>> replace it.  I was hoping someone who knew how could replace it in
>> the svn.
>>
>> BJ Freeman wrote:
>> > at what level.
>> > how to replace the JKS or how to create the JKS
>> > if you look in the base/config you will see all the jks file including
>> > the rmi.
>> >
>> >
>> > Scott Gray sent the following on 7/8/2006 8:54 PM:
>> >> Hi BJ
>> >>
>> >> I saw the thread when it came through, that's what made me want to
>> >> take a look at rmi.  The thread didn't seem to have anything to do
>> >> with expired certificates though, and that's what i was hoping
>> >> someone who knows how could do, replace the expired rmi server
>> >> certificate.
>> >> I also saw Andrew's discussion with David and Andy on the old list
>> >> from a year or two ago, but that didn't help me much either.
>> >>
>> >> Regards
>> >> Scott
>> >>
>> >> BJ Freeman wrote:
>> >>> there was a discussion last few days in the user mailing list about RMI
>> >>> Brett palmer gave some details.
>> >>>
>> >>>
>> >>> Scott Gray sent the following on 7/8/2006 8:19 PM:
>> >>>> Hi All
>> >>>>
>> >>>> I was wondering if anybody who knows how to do it, would mind
>> >>>> updating the ssl certs for the rmi server?  I've been staring at
>> >>>> the files for most of the day but i really have no idea about ssl,
>> >>>> and what was going to be a quick browse through rmi is turning into
>> >>>> a long browse through ssl.  Any help would be appreciated.
>> >>>>
>> >>>> Thanks
>> >>>> Scott
>> >>>>
>> >>>
>> >>
>> >
>>
>

Re: RMI ssl certs

Andrew Sykes
In reply to this post by Scott Gray
Scott,

You really don't want to use the SSL cert straight out of SVN, as this
would allow anyone else with a default cert to connect to your server.

It's well worth looking at the instructions to make sure you can
generate certs for yourself.

One hint though, you need to have the ofbizrmi.jks and ofbiztrust.jks
setup at both ends.

For testing, the easiest way is to create a certificate, export it to the
trust store and then just copy both these files to the other instance.

For production, remember that the truststore of the "client" would hold
the public key exported from the keystore of the "server". Conversely
the truststore of the "server" would hold the public key exported from
the keystore of the "client".

Making the keystore and truststore identical on both sides makes life a
bit easier for testing, but make sure you toughen things up before you
go into production!!!

- Andrew

On Sun, 2006-07-09 at 16:18 +1200, Scott Gray wrote:

> I'm trying to use the ExampleRemoteClient in
> framework/service/src/org/ofbiz/service/rmi but the client won't connect
> because the rmi server certificate has expired and I don't know how to
> replace it.  I was hoping someone who knew how could replace it in the svn.
>
> BJ Freeman wrote:
> > at what level.
> > how to replace the JKS or how to create the JKS
> > if you look in the base/config you will see all the jks file including
> > the rmi.
> >
> >
> > Scott Gray sent the following on 7/8/2006 8:54 PM:
> >> Hi BJ
> >>
> >> I saw the thread when it came through, that's what made me want to
> >> take a look at rmi.  The thread didn't seem to have anything to do
> >> with expired certificates though, and that's what i was hoping
> >> someone who knows how could do, replace the expired rmi server
> >> certificate.
> >> I also saw Andrew's discussion with David and Andy on the old list
> >> from a year or two ago, but that didn't help me much either.
> >>
> >> Regards
> >> Scott
> >>
> >> BJ Freeman wrote:
> >>> there was a discussion last few days in the user mailing list about RMI
> >>> Brett palmer gave some details.
> >>>
> >>>
> >>> Scott Gray sent the following on 7/8/2006 8:19 PM:
> >>>> Hi All
> >>>>
> >>>> I was wondering if anybody who knows how to do it, would mind
> >>>> updating the ssl certs for the rmi server?  I've been staring at
> >>>> the files for most of the day but i really have no idea about ssl,
> >>>> and what was going to be a quick browse through rmi is turning into
> >>>> a long browse through ssl.  Any help would be appreciated.
> >>>>
> >>>> Thanks
> >>>> Scott
> >>>>
> >>>
> >>
> >
--
Kind Regards
Andrew Sykes <[hidden email]>
Sykes Development Ltd
http://www.sykesdevelopment.com
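
The production layout Andrew Sykes describes above, as an added example that is not part of the thread or of OFBiz: each side keeps its own private key in ofbizrmi.jks and imports only the peer's exported certificate into ofbiztrust.jks. The aliases, distinguished names, password and scratch directory layout are assumptions; the keytool options are the current JDK spellings.

```shell
#!/usr/bin/env bash
# Added example, not OFBiz project code. The file names ofbizrmi.jks and
# ofbiztrust.jks come from the thread; aliases, DNs, the password and the
# <dir>/<side>/ layout are assumptions made for illustration.
set -eu

# make_identity <side> <dir> <storepass>
# Generates the side's own key pair in <dir>/<side>/ofbizrmi.jks and exports
# only the public certificate to <dir>/<side>.cer.
make_identity() {
  mkdir -p "$2/$1"
  keytool -genkeypair -alias "rmi-$1" -keyalg RSA -keysize 2048 \
    -validity 365 -dname "CN=$1.rmi.example.test" \
    -storetype JKS -keystore "$2/$1/ofbizrmi.jks" \
    -storepass "$3" -keypass "$3" >/dev/null 2>&1
  keytool -exportcert -rfc -alias "rmi-$1" \
    -keystore "$2/$1/ofbizrmi.jks" -storepass "$3" \
    -file "$2/$1.cer" >/dev/null 2>&1
}

# trust_peer <side> <peer> <dir> <storepass>
# Imports the peer's exported certificate into <side>'s ofbiztrust.jks.
trust_peer() {
  keytool -importcert -noprompt -alias "rmi-$2" -file "$3/$2.cer" \
    -storetype JKS -keystore "$3/$1/ofbiztrust.jks" \
    -storepass "$4" >/dev/null 2>&1
}

# build_pair <dir> <storepass>
# Production-style layout: no private key is ever copied to the other side.
build_pair() {
  make_identity server "$1" "$2"
  make_identity client "$1" "$2"
  trust_peer client server "$1" "$2"
  trust_peer server client "$1" "$2"
}

# trusts_exactly <truststore> <storepass> <alias> <certfile>
# Succeeds only if the entry under <alias> is byte-for-byte <certfile>.
trusts_exactly() {
  keytool -exportcert -rfc -alias "$3" -keystore "$1" -storepass "$2" \
    2>/dev/null | cmp -s - "$4"
}

# private_entries <store> <storepass>
# Counts private-key entries; a truststore should report 0.
private_entries() {
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null |
    grep -c PrivateKeyEntry || true
}

# validity <keystore> <storepass> <alias>
# Prints the certificate's validity window (the thread began with an expired one).
validity() {
  keytool -list -v -alias "$3" -keystore "$1" -storepass "$2" 2>/dev/null |
    grep '^Valid from' || true
}

# Demo run in a scratch directory; skipped when no JDK keytool is installed.
if command -v keytool >/dev/null 2>&1; then
  demo_dir=$(mktemp -d)
  build_pair "$demo_dir" demo-pass-1   # constructed password
  validity "$demo_dir/server/ofbizrmi.jks" demo-pass-1 rmi-server
  echo "client truststore private keys:" \
    "$(private_entries "$demo_dir/client/ofbiztrust.jks" demo-pass-1)"
  rm -rf "$demo_dir"
fi
```

In a real deployment each side would run `make_identity` on its own host with its own password and hand over only the `.cer` file.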


Re: RMI ssl certs

Andrew Zeneski
Exactly.

On Jul 9, 2006, at 6:55 AM, Andrew Sykes wrote:

> Scott,
>
> You really don't want to use the SSL cert straight out of SVN, as this
> would allow anyone else with a default cert to connect to your server.
>
> It's well worth looking at the instructions to make sure you can
> generate certs for yourself.
>
> One hint though, you need to have the ofbizrmi.jks and ofbiztrust.jks
> setup at both ends.
>
> For testing, the easiest way is to create a certificate, export it to the
> trust store and then just copy both these files to the other instance.
>
> For production, remember that the truststore of the "client" would hold
> the public key exported from the keystore of the "server". Conversely
> the truststore of the "server" would hold the public key exported from
> the keystore of the "client".
>
> Making the keystore and truststore identical on both sides makes life a
> bit easier for testing, but make sure you toughen things up before you
> go into production!!!
>
> - Andrew
>
> On Sun, 2006-07-09 at 16:18 +1200, Scott Gray wrote:
>> I'm trying to use the ExampleRemoteClient in
>> framework/service/src/org/ofbiz/service/rmi but the client won't connect
>> because the rmi server certificate has expired and I don't know how to
>> replace it.  I was hoping someone who knew how could replace it in the svn.
>>
>> BJ Freeman wrote:
>>> at what level.
>>> how to replace the JKS or how to create the JKS
>>> if you look in the base/config you will see all the jks file  
>>> including
>>> the rmi.
>>>
>>>
>>> Scott Gray sent the following on 7/8/2006 8:54 PM:
>>>> Hi BJ
>>>>
>>>> I saw the thread when it came through, that's what made me want to
>>>> take a look at rmi.  The thread didn't seem to have anything to do
>>>> with expired certificates though, and that's what i was hoping
>>>> someone who knows how could do, replace the expired rmi server
>>>> certificate.
>>>> I also saw Andrew's discussion with David and Andy on the old list
>>>> from a year or two ago, but that didn't help me much either.
>>>>
>>>> Regards
>>>> Scott
>>>>
>>>> BJ Freeman wrote:
>>>>> there was a discussion last few days in the user mailing list  
>>>>> about RMI
>>>>> Brett palmer gave some details.
>>>>>
>>>>>
>>>>> Scott Gray sent the following on 7/8/2006 8:19 PM:
>>>>>> Hi All
>>>>>>
>>>>>> I was wondering if anybody who knows how to do it, would mind
>>>>>> updating the ssl certs for the rmi server?  I've been staring at
>>>>>> the files for most of the day but i really have no idea about  
>>>>>> ssl,
>>>>>> and what was going to be a quick browse through rmi is turning  
>>>>>> into
>>>>>> a long browse through ssl.  Any help would be appreciated.
>>>>>>
>>>>>> Thanks
>>>>>> Scott
>>>>>>
>>>>>
>>>>
>>>
> --
> Kind Regards
> Andrew Sykes <[hidden email]>
> Sykes Development Ltd
> http://www.sykesdevelopment.com
>


Re: RMI ssl certs

Scott Gray
In reply to this post by Andrew Sykes
Hi Andrew

Thanks for the advice, I had figured most of it out already but couldn't
quite get there.  I wasn't sure what to do with ofbiztrust.jks as it
looked like ofbizrmi.jks and ofbizcerts.jks covered the keys I needed.
I deleted the respective client/server trustcerts and keys from those 2
keystores and then created new keys and exported the public certs, but
that didn't work.  When it looked like I needed to start signing the
keys (because the default ones have a cert chain?) that's when I gave up.

But anyway all I wanted to do was have a go with rmi and see how I could
get it to do a few things I need doing, production isn't even a dot on
the horizon at this stage.

Thanks for your help
Scott


Andrew Sykes wrote:

> Scott,
>
> You really don't want to use the SSL cert straight out of SVN, as this
> would allow anyone else with a default cert to connect to your server.
>
> It's well worth looking at the instructions to make sure you can
> generate certs for yourself.
>
> One hint though, you need to have the ofbizrmi.jks and ofbiztrust.jks
> setup at both ends.
>
> For testing, the easiest way is to create a certificate, export it to the
> trust store and then just copy both these files to the other instance.
>
> For production, remember that the truststore of the "client" would hold
> the public key exported from the keystore of the "server". Conversely
> the truststore of the "server" would hold the public key exported from
> the keystore of the "client".
>
> Making the keystore and truststore identical on both sides makes life a
> bit easier for testing, but make sure you toughen things up before you
> go into production!!!
>
> - Andrew
>
> On Sun, 2006-07-09 at 16:18 +1200, Scott Gray wrote:
>  
>> I'm trying to use the ExampleRemoteClient in
>> framework/service/src/org/ofbiz/service/rmi but the client won't connect
>> because the rmi server certificate has expired and i dont know how to
>> replace it.  I was hoping someone who knew how could replace it in the svn.
>>
>> BJ Freeman wrote:
>>    
>>> at what level.
>>> how to replace the JKS or how to create the JKS
>>> if you look in the base/config you will see all the jks file including
>>> the rmi.
>>>
>>>
>>> Scott Gray sent the following on 7/8/2006 8:54 PM:
>>>      
>>>> Hi BJ
>>>>
>>>> I saw the thread when it came through, that's what made me want to
>>>> take a look at rmi.  The thread didn't seem to have anything to do
>>>> with expired certificates though, and that's what i was hoping
>>>> someone who knows how could do, replace the expired rmi server
>>>> certificate.
>>>> I also saw Andrew's discussion with David and Andy on the old list
>>>> from a year or two ago, but that didn't help me much either.
>>>>
>>>> Regards
>>>> Scott
>>>>
>>>> BJ Freeman wrote:
>>>>        
>>>>> there was a discussion last few days in the user mailing list about RMI
>>>>> Brett palmer gave some details.
>>>>>
>>>>>
>>>>> Scott Gray sent the following on 7/8/2006 8:19 PM:
>>>>>          
>>>>>> Hi All
>>>>>>
>>>>>> I was wondering if anybody who knows how to do it, would mind
>>>>>> updating the ssl certs for the rmi server?  I've been staring at
>>>>>> the files for most of the day but i really have no idea about ssl,
>>>>>> and what was going to be a quick browse through rmi is turning into
>>>>>> a long browse through ssl.  Any help would be appreciated.
>>>>>>
>>>>>> Thanks
>>>>>> Scott
>>>>>>
>>>>>>            

Re: RMI ssl certs

Andrew Sykes
Scott,

Just so you know, certificate signing / chains are not required.

Best of luck with it.

- Andrew

On Mon, 2006-07-10 at 18:16 +1200, Scott Gray wrote:

> Hi Andrew
>
> Thanks for the advice, I had figured most of it out already but couldn't
> quite get there.  I wasn't sure what to do with ofbiztrust.jks as it
> looked like ofbizrmi.jks and ofbizcerts.jks covered the keys I needed.
> I deleted the respective client/server trustcerts and keys from those 2
> keystores and then created new keys and exported the public certs, but
> that didn't work.  When it looked like I needed to start signing the
> keys (because the default ones have a cert chain?) that's when I gave up.
>
> But anyway all I wanted to do was have a go with rmi and see how I could
> get it to do a few things I need doing, production isn't even a dot on
> the horizon at this stage.
>
> Thanks for your help
> Scott
>
>
> Andrew Sykes wrote:
> > Scott,
> >
> > You really don't want to use the SSL cert straight out of SVN, as this
> > would allow anyone else with a default cert to connect to your server.
> >
> > It's well worth looking at the instructions to make sure you can
> > generate certs for yourself.
> >
> > One hint though, you need to have the ofbizrmi.jks and ofbiztrust.jks
> > setup at both ends.
> >
> > For testing, the easiest way is to create a certificate, export it to the
> > trust store and then just copy both these files to the other instance.
> >
> > For production, remember that the truststore of the "client" would hold
> > the public key exported from the keystore of the "server". Conversely
> > the truststore of the "server" would hold the public key exported from
> > the keystore of the "client".
> >
> > Making the keystore and truststore identical on both sides makes life a
> > bit easier for testing, but make sure you toughen things up before you
> > go into production!!!
> >
> > - Andrew
> >
> > On Sun, 2006-07-09 at 16:18 +1200, Scott Gray wrote:
> >  
> >> I'm trying to use the ExampleRemoteClient in
> >> framework/service/src/org/ofbiz/service/rmi but the client won't connect
> >> because the rmi server certificate has expired and i dont know how to
> >> replace it.  I was hoping someone who knew how could replace it in the svn.
> >>
> >> BJ Freeman wrote:
> >>    
> >>> at what level.
> >>> how to replace the JKS or how to create the JKS
> >>> if you look in the base/config you will see all the jks file including
> >>> the rmi.
> >>>
> >>>
> >>> Scott Gray sent the following on 7/8/2006 8:54 PM:
> >>>      
> >>>> Hi BJ
> >>>>
> >>>> I saw the thread when it came through, that's what made me want to
> >>>> take a look at rmi.  The thread didn't seem to have anything to do
> >>>> with expired certificates though, and that's what i was hoping
> >>>> someone who knows how could do, replace the expired rmi server
> >>>> certificate.
> >>>> I also saw Andrew's discussion with David and Andy on the old list
> >>>> from a year or two ago, but that didn't help me much either.
> >>>>
> >>>> Regards
> >>>> Scott
> >>>>
> >>>> BJ Freeman wrote:
> >>>>        
> >>>>> there was a discussion last few days in the user mailing list about RMI
> >>>>> Brett palmer gave some details.
> >>>>>
> >>>>>
> >>>>> Scott Gray sent the following on 7/8/2006 8:19 PM:
> >>>>>          
> >>>>>> Hi All
> >>>>>>
> >>>>>> I was wondering if anybody who knows how to do it, would mind
> >>>>>> updating the ssl certs for the rmi server?  I've been staring at
> >>>>>> the files for most of the day but i really have no idea about ssl,
> >>>>>> and what was going to be a quick browse through rmi is turning into
> >>>>>> a long browse through ssl.  Any help would be appreciated.
> >>>>>>
> >>>>>> Thanks
> >>>>>> Scott
> >>>>>>
> >>>>>>            
--
Kind Regards
Andrew Sykes <[hidden email]>
Sykes Development Ltd
http://www.sykesdevelopment.com