
Reload Java cacerts without restarting JVM


Gary2308 (Programmer, EU), Sep 8, 2014
We have a product that uses multiple servers, each using a java based control program. We need to add the SSL cert from each of these servers to the cacerts stores on a central control server. The problem is we need to do this without having to restart the JVM each time.

I've been looking for a solution for a few weeks but haven't found anything, is it possible to reload the cacert file without restarting the JVM?

I don't think it is, but want to be certain before I tell marketing the one thing they really really want can't be done....
 
I don't think you can do that unless you write your own security manager.

And this is for a good security reason: dynamically added certs are an important security flaw. Anyway, how often do you update your certs?

Cheers,
Dian
 
That's the big question. I thought the use case for this would be that it was something the customer didn't do very often, maybe once when a cluster was initially configured. But marketing found another use case where it would happen a lot more frequently, hence the issue being raised.

I've seen a few references to writing a security manager, overriding the TrustManager, but our system is built on Rest-restlett and I can see how I would do that in our architecture.
 
You would replace it so the JVM uses the new TrustManager, no matter what application is running. Anyway, I still can't see the case where the certs are so often changed. In most cases, certs are delivered offline to maintain security, and their strength is mostly based on their stability.

Cheers,
Dian
 
How do you replace the JVM TrustManager?

The reason we need to add certs so often is that there is a central control server that talks to clients in a cluster via SSL/HTTPS. Each time a new client is added to the cluster (a cluster could have up to 100 clients added over a period of time) the client certificate needs to be added to the trust store, and each time that happens we would need to reload. The client cert is placed on the server via sftp.
 
Why not just add all the certs? I've never replaced it, but it should be something like this

Cheers,
Dian
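The approach Dian sketches (replacing the trust manager rather than the cacerts file the JVM read at startup) can be made concrete with a trust manager that re-reads its trust store on demand. The following is an added example and is not code from the original thread or from Gary2308's product; the store path `/opt/control/cacerts`, the password `changeit` and the five-second polling loop are assumptions. It assumes the sftp-dropped client certificate has already been imported into the store with `keytool -importcert`; the reload only picks up a changed store file, it does not parse loose PEM files.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileTime;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * An X509TrustManager whose backing trust store can be re-read from disk at
 * runtime. Each handshake is delegated to whichever JDK trust manager was
 * current when the call was made, so callers never see a half-loaded store.
 */
public final class ReloadingTrustManager implements X509TrustManager {

    private final Path storePath;
    private final char[] storePassword;
    private final AtomicReference<X509TrustManager> delegate = new AtomicReference<>();

    public ReloadingTrustManager(Path storePath, char[] storePassword)
            throws IOException, GeneralSecurityException {
        this.storePath = storePath;
        this.storePassword = storePassword.clone();
        reload();
    }

    /** Re-read the JKS/PKCS12 store and atomically swap in a fresh delegate. */
    public synchronized void reload() throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(storePath.toFile())) {
            ks.load(in, storePassword);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                delegate.set((X509TrustManager) tm);
                return;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager built from " + storePath);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.get().checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.get().checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.get().getAcceptedIssuers();
    }

    /** Make this the JVM-wide default for code that asks for the default SSLContext. */
    public void installAsDefault() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { this }, null);
        SSLContext.setDefault(ctx);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }

    public static void main(String[] args) throws Exception {
        // Assumed location and password of the control server's trust store.
        Path store = Paths.get(args.length > 0 ? args[0] : "/opt/control/cacerts");
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray();

        ReloadingTrustManager tm = new ReloadingTrustManager(store, pw);
        tm.installAsDefault();
        System.out.println("trusted issuers: " + tm.getAcceptedIssuers().length);

        // Assumed polling loop: reload whenever the store's mtime changes,
        // e.g. after keytool has imported a newly sftp'd client certificate.
        FileTime last = Files.getLastModifiedTime(store);
        while (true) {
            Thread.sleep(5000);
            FileTime now = Files.getLastModifiedTime(store);
            if (!now.equals(last)) {
                tm.reload();
                last = now;
                System.out.println("reloaded, trusted issuers: " + tm.getAcceptedIssuers().length);
            }
        }
    }
}
```

Two caveats a practitioner would want. First, `SSLContext.setDefault` only affects code that obtains the default context after the call; a framework that builds its own `SSLContext` (as a Restlet connector configured with its own SSL settings would) has to be handed this trust manager explicitly, and connections already established keep their existing sessions. Second, this turns the store file into a live trust anchor: whoever can write to the sftp drop directory and trigger the import can make the control server trust an arbitrary certificate, so that directory and the store file need restrictive permissions and the import step itself should be the only writer.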
 