如何设置 Java 以使用 Eclipse 的用户特定证书？

发布于 2024-07-16 02:04:42 字数 2653 浏览 1 评论 0原文

我不敢相信我是唯一遇到这个问题的人。我已经用谷歌搜索了几个小时，但没有任何运气。 Java 安全文档似乎没有彻底解决 PKCS12 证书。

我正在尝试为用户特定的 PKCS12 证书设置 Java。除此之外，这将用于在 Eclipse 中访问通过证书进行身份验证的 Trac 服务器。我正在使用 Eclipse 的 Trac Mylyn 集成插件。

设置如下：

用户主目录位于 /home
多用户挂载位于 /central
每个用户都有一个个人证书，位于： ~/user.p12
个人证书的密码是： pass1234
用户密码存储在 ~/password 的 0400 文件中.txt
ca 的只读信任存储位于：/central/ca.jks
信任存储没有密码
安装在 /central/jdk_1.6.0 的 JDK 1.6
安装在 /central/eclipse_3.4.0 的 Eclipse 3.4
JAVA_HOME=/central/ jdk_1.6.0
JAVA_HOME 设置为 JDK 位置，因为 Eclipse 需要此
ECLIPSE_HOME=/central/eclipse_3.4.0
JRE 位于 $JAVA_HOME/jre
每个用户都有一个 ~/.java.policy 文件
有一个 trac 服务器在 https://trac.internal/trac
trac 服务器使用证书进行身份验证

现在，我希望能够让每个用户简单地修改他们拥有一些文件（例如 ~/.java.policy 文件），并且能够启动中央 Eclipse 应用程序并访问 Trac 存储库。看起来很简单。

现在，我可以让它工作的唯一方法是编辑 $ECLIPSE_HOME/eclipse.ini 文件并添加

-Djavax.net.ssl.keyStore="/home/user/user.p12"
-Djavax.net.ssl.keyStoreType="PKCS12"
-Djavax.net.ssl.keyStorePassword="pass1234"
-Djavax.net.ssl.trustStore="/central/ca.jks"

好吧，这可行，但有两个问题：

每个用户都必须安装自己的 ecipse。（或者 Eclipse 可以从用户文件中读取它吗？）
它是 Eclipse 特定的，我最终希望将其作为 Java 配置。

另外，我记得从前一段时间起，您可以编辑 $JAVA_HOME/jre/lib/security/java.security 文件并添加

keystore=/home/user/user.p12
keystore.type=PKCS12
keystore.password=pass1234
truststore=/central/ca.jks

但 Eclipse 似乎没有选择它。难道是因为我的JAVA_HOME指向的是JDK，而不是JDK的嵌套JRE？

我看过 Java PKCS#11 Reference引用以下属性： keyStoreURL=“无” keyStoreType =“PKCS11” keyStorePasswordURL=some_pin_url

我看到另一个参考资料说您可以编辑 ~/.java.policy 文件以包含：

keyStore "file:///home/user/user.p12", "PKCS12", "SunJSSE";
keyStorePasswordUrl "file:///home/user/password.txt";

但这也没有被采纳。也许它确实有效，但由于 java.security 文件不起作用的相同原因而没有被读取，或者也许它根本不起作用。

我看到的一些系统属性：

javax.net.ssl.keyStore="/home/user/user.p12"
javax.net.ssl.keyStoreType="PKCS12"
javax.net.ssl.keyStorePassword="password"
javax.net.ssl.keyStoreProvider="SunJSSE"
javax.net.ssl.trustStore="/home/user/ca.jks"
javax.net.ssl.trustStoreType="JKS"
javax.net.ssl.trustStorePassword=""
javax.net.ssl.trustStoreProvider="Sun"

所以，现在，我想我坚持让每个用户安装自己的 Eclipse。我知道这听起来像是一个复杂的设置，但是就证书设置而言，这实际上与 Eclipse 没有任何关系......它实际上是针对用户特定证书的 Java 设置。

有任何想法吗？

原文

I can't believe I'm the only person to run up against this problem. I've been googling for hours and have not had any luck. The Java security documentation doesn't seem to address PKCS12 certificates thoroughly.

I am trying to setup Java for user specific PKCS12 certificates. Among other things, this will be used so that, in Eclipse, I can access a Trac server that is authenticated via certificates. I am using the Trac Mylyn integration plugin for eclipse.

Here is the setup:

user home directories are at /home
multiuser mount at /central
each user has a personal certificate at: ~/user.p12
password for personal certificates is: pass1234
the users password is stored in a 0400 file at ~/password.txt
a read-only trust store for the ca is at: /central/ca.jks
no password for the truststore
JDK 1.6 installed at /central/jdk_1.6.0
Eclipse 3.4 installed at /central/eclipse_3.4.0
JAVA_HOME=/central/jdk_1.6.0
JAVA_HOME is set to the JDK location because Eclipse needs this
ECLIPSE_HOME=/central/eclipse_3.4.0
JRE lives at $JAVA_HOME/jre
each user has a ~/.java.policy file
there is a trac server running at https://trac.internal/trac
the trac server authenticates using certificates

Now, I want to be able to have each user simply modify some file that they own (like the ~/.java.policy file, for example), and be able to launch the central Eclipse application and access the Trac repository. Seems simple enough.

Right now, the only way I can get this to work is to edit the $ECLIPSE_HOME/eclipse.ini file and add

-Djavax.net.ssl.keyStore="/home/user/user.p12"
-Djavax.net.ssl.keyStoreType="PKCS12"
-Djavax.net.ssl.keyStorePassword="pass1234"
-Djavax.net.ssl.trustStore="/central/ca.jks"

Ok, that works, but there are two problems with it:

Each user has to have their own ecipse install. (or can eclipse read that from a user file?)
It is Eclipse specific, I'd ultimately like to have this as a Java configuration.

Also, I remember from some time back that you can edit the $JAVA_HOME/jre/lib/security/java.security file and add

keystore=/home/user/user.p12
keystore.type=PKCS12
keystore.password=pass1234
truststore=/central/ca.jks

But Eclipse doesn't seem to pick that up. Could it be because my JAVA_HOME points to a JDK, and not the JDK's nested JRE?

I've seen the Java PKCS#11 Reference that references the following properties:
keyStoreURL="NONE"
keyStoreType="PKCS11"
keyStorePasswordURL=some_pin_url

There was another reference I saw that said you could edit the ~/.java.policy file to include:

keyStore "file:///home/user/user.p12", "PKCS12", "SunJSSE";
keyStorePasswordUrl "file:///home/user/password.txt";

But that doesn't get picked up either. Maybe it actually does work and its not getting read for the same reason the java.security file doesn't work, or maybe it just doesn't work at all.

Some system properties I've seen:

javax.net.ssl.keyStore="/home/user/user.p12"
javax.net.ssl.keyStoreType="PKCS12"
javax.net.ssl.keyStorePassword="password"
javax.net.ssl.keyStoreProvider="SunJSSE"
javax.net.ssl.trustStore="/home/user/ca.jks"
javax.net.ssl.trustStoreType="JKS"
javax.net.ssl.trustStorePassword=""
javax.net.ssl.trustStoreProvider="Sun"

So, right now, I guess I'm stuck with having each user to have their own Eclipse intall. I know it sounds like a complicated setup, but this shouldn't really have anything to do with Eclipse as far as the certificate setup... its really a Java setup for user specific certificates.

Any ideas?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

眼波传意 2024-07-23 02:04:42

使用用户特定的配置。

设置私有配置区域位置
私有配置区域的默认位置是：
user-home-dir/.eclipse/<产品 ID>_<产品版本>/configuration
用户主目录由 user.home Java 系统属性确定。产品 ID 和版本是从 Eclipse 安装下的产品标记文件 .eclipseproduct 中获取的。

回复收藏 0 原文