Frequently Asked Questions

Adaptor module

1. How do I use this module ?

Security

1. How do I use the Java keystore in JSAGA ?
2. How to import a certificate and a key into the Java Keystore ?
3. How to import CA certificates into the Java Keystore ?
4. Does JSAGA support multiple keys in a keystore ?
5. How to convert certificate from PEM to PKCS12 ?
6. How to convert certificate from CRT to PKCS12 ?
7. How to set up a "JKS" context ?
8. How to set up a "AxisJKS" context ?

Data Management

1. How to enable client authentication for HTTPS ?
2. How to enable mutual authentication ?

Execution management

1. What is the URL syntax understood by this plug-in ?
2. What are the pre-requisites to use this plug-in on Windows ?

Adaptor module

How do I use this module ?

The command "jsaga-help" provides some useful information about the usage and the current configuration of the plug-ins.

jsaga-help -help

If this command does not provides the answer to your question, then please contact us so that we can fill out this FAQ.

[top]

Security

How do I use the Java keystore in JSAGA ?

Specify the keystore name and password in Java properties:

-Djavax.net.ssl.keyStore=your_keystore_path -Djavax.net.ssl.keyStorePassword=your_password

If no keystore file is given in properties, JSAGA will search for a file with the following path:

~/.jsaga/.keystore

There is no default value for password. You can also specify a trustStore (that contains certificates of the trusted CAs) and a truststore password :

-Djavax.net.ssl.trustStore=your_truststore_path -Djavax.net.ssl.trustStorePassword=your_password

If no truststore is given in properties, JSAGA will search for a file with the following path:

~/.jsaga/.keystore

If this file does not exist, the default values will be used by JSSE (Java security layer):

• $JAVA_HOME/lib/security/jssecacerts

• $JAVA_HOME/lib/security/cacerts

. There is no default value for password. It is possible to override these values in the JKS adaptor configuration.

[top]

---

How to import a certificate and a key into the Java Keystore ?

The certificate and the key should be in a PKCS12 (.p12) file. You can use the JKSImportCert utility provided with JSAGA:

java -Djavax.net.ssl.keyStore=mykeystore.jks -Djavax.net.ssl.keyStorePassword=YOUR_KEYSTORE_PASSWORD \
	-cp $JSAGA_HOME/lib-adaptors/jsaga-adaptor-classic-*.jar \
	fr.in2p3.jsaga.adaptor.security.JKSImportCert mycert.p12 YOUR_PKCS12_PASSPHRASE
     			

Remember to choose a password with at least 6 characters for your keystore.

[top]

---

How to import CA certificates into the Java Keystore ?

Use the "keytool" command line interface from Java distribution (use a different alias for each imported CA)

keytool -import -alias ALIAS_NAME -file CA_CERTIFICATE_FILE -keystore mykeystore.jks

To import multiple certificates with a single command (within the directory where certificates are located):

for i in *.pem ; do \
	keytool -keystore mykeystore.jks -import -file $i -noprompt \
	-alias `basename $i` -storepass YOUR_KEYSTORE_PASSWORD; done

[top]

---

Does JSAGA support multiple keys in a keystore ?

Yes but each key must have an alias in the keystore. The alias must be specified in the configuration for the adaptor to be able to retrieve the appropriate key for authentication.

[top]

---

How to convert certificate from PEM to PKCS12 ?

Use the "openssl" command line interface from Linux/Cygwin distribution:

openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out mycert.p12

[top]

---

How to convert certificate from CRT to PKCS12 ?

Use the "openssl" command line interface from Linux/Cygwin distribution:

openssl pkcs12 -export -in mycert.crt -inkey mycert.key -out mycert.p12

[top]

---

How to set up a "JKS" context ?

Available attributes are:

• Keystore: the path of your keystore file (.jks)
• KeystorePass: the password of your keystore
• Truststore: the path of the truststore file (the file that contains CA certificates). It can be the same file as the keystore
• TruststorePass: the password of the truststore
• UserAlias: the alias of the certificate to use within your keystore if your keystore contains more than 1 certificate.
• UserPass: the password of the certificate to use

[top]

---

How to set up a "AxisJKS" context ?

This context does not provide any attributes to set. If your application does use a context of type "AxisJKS", it must be run with the following JVM properties:

• -Djavax.net.ssl.keyStore=YOUR_KEYSTORE_FILE
• -Djavax.net.ssl.keyStorePassword=YOUR_KEYSTORE_PASSWORD

Those properties can also be set in the SAGA property file.

[top]

Data Management

How to enable client authentication for HTTPS ?

Configure the HTTPS plug-in to use a security context of one of the following types:

• X509: the certificate must be in a PKCS12 file
• JKS: the certificate must be in a Java Keystore

[top]

---

How to enable mutual authentication ?

Configure the HTTPS plug-in...

• with attribute "MutualAuthentication" set to value "true"
• use a security context of type "JKS" (mutual authentication with context type "X509" is not supported)

[top]

Execution management

What is the URL syntax understood by this plug-in ?

The URL must be:

local://localhost

[top]

---

What are the pre-requisites to use this plug-in on Windows ?

You must install cygwin, and configure the path to the shell executable in file $HOME/.jsaga/jsaga-user.properties

local.default.ShellPath=C\:\\cygwin\\bin\\sh.exe

[top]