Stambia versions 2.x, 3.x, S17, S18, S19 and S20 are reaching End of Support on January 15th, 2024. Please consider upgrading to the supported Semarchy xDI versions. See Global Policy Support and the Semarchy Documentation.


Choosing the right Java version

    Stambia DI Software products are developed with Java and therefore need a Java Virtual Machine (JVM) to run.

    Java virtual machines are distributed by several vendors in many versions, so you must choose the appropriate Java version depending on your technical needs and requirements.

    This article gives some advice to help you choose the appropriate Java version for your Stambia DI environment.

    Read more: Choosing the right Java version

    Configuring Java for Certificates and SSL

      Some technologies require a certificate to connect to the server, for example HTTPS, SSH, SFTP, FTPS or SMTP servers.

      Java needs to have these certificates in its truststore; the Stambia DI Runtime will then be able to connect.

      Creating a certificate

      If you need to configure Stambia to publish a service over SSL, you may need to create a certificate.

      The usual recommendation is to get a certificate from a Certification Authority, especially when the service is publicly exposed and/or critical. Other use cases (such as SSL communication within the company local network, or test environments) can be satisfied with a self-signed certificate.

      Here is how to create a self-signed certificate using Java keytool.

       

      Creating the certificate and registering it in the Java installation:

      D:\apps\java\jre1.8.0_151_64\bin>keytool.exe -genkey -keyalg RSA -alias MyCertificate -keystore keystore.jks -storepass changeit -validity 365 -keysize 2048
      What is your first and last name?
        [Unknown]:  myserver.domain.com
      What is the name of your organizational unit?
        [Unknown]:  companyName
      What is the name of your organization?
        [Unknown]:  companyName
      What is the name of your City or Locality?
        [Unknown]:  Somewhere
      What is the name of your State or Province?
        [Unknown]:  Somewhere
      What is the two-letter country code for this unit?
        [Unknown]:  FR
      Is CN=myserver.domain.com, OU=companyName, O=companyName, L=Somewhere, ST=Somewhere, C=FR correct?
        [no]:  yes

      Enter key password for <MyCertificate>
              (RETURN if same as keystore password):
      Re-enter new password:

       

       

      Viewing the certificates installed in the Java keystore:

      D:\apps\java\jre1.8.0_151_64\bin>keytool -list -v -keystore keystore.jks
      Enter keystore password:
      Keystore type: JKS
      Keystore provider: SUN

      Your keystore contains 1 entry

      Alias name: mycertificate
      Creation date: 12-Feb-2019
      Entry type: PrivateKeyEntry
      Certificate chain length: 1
      Certificate[1]:
      Owner: CN=myserver.domain.com, OU=companyName, O=companyName, L=Somewhere, ST=Somewhere, C=FR
      Issuer: CN=myserver.domain.com, OU=companyName, O=companyName, L=Somewhere, ST=Somewhere, C=FR
      Serial number: 2165da64
      Valid from: Tue Feb 12 12:13:40 CET 2019 until: Wed Feb 12 12:13:40 CET 2020
      Certificate fingerprints:
               MD5:  31:DD:93:B9:51:CA:6F:64:08:57:0F:60:ED:F4:C5:7D
               SHA1: E1:2F:94:67:4C:9D:39:03:82:9B:69:1E:2B:5D:8E:2E:6C:FB:BA:D5
               SHA256: C7:AD:21:DD:0B:7D:0A:7D:A9:CB:FB:14:7B:54:EF:E4:19:FA:45:1D:27:B2:75:EE:AB:01:11:5A:02:DA:44:68
      Signature algorithm name: SHA256withRSA
      Subject Public Key Algorithm: 2048-bit RSA key
      Version: 3

      Extensions:

      #1: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: 2A 4A F3 6F 7C 70 E2 C4   41 5F 12 BC 24 D9 FB 7D  *J.o.p..A_..$...
      0010: 98 78 8D 73                                        .x.s
      ]
      ]

      *******************************************
      *******************************************

       

       

      Creating a certificate signing request (CSR) for the certificate:

      D:\apps\java\jre1.8.0_151_64\bin>keytool -certreq -alias MyCertificate -keystore keystore.jks -file MyCertificate.csr

      Enter keystore password:

      D:\apps\java\jre1.8.0_151_64\bin>dir MyCertificate.csr
       Volume in drive D is Data
       Volume Serial Number is 2891-91F0

       Directory of D:\apps\java\jre1.8.0_151_64\bin

      12/02/2019  12:25             1,128 MyCertificate.csr
                     1 File(s)          1,128 bytes
                     0 Dir(s)  91,272,257,536 bytes free

       

      Viewing the CSR content:

      D:\apps\java\jre1.8.0_151_64\bin>type MyCertificate.csr
      -----BEGIN NEW CERTIFICATE REQUEST-----
      [...]
      -----END NEW CERTIFICATE REQUEST-----

       

      Getting an existing certificate

      You will need a certificate file (extension is usually .crt or .csr). This must be done outside of Stambia DI.

      The server administrator can generally provide this certificate.

      Other ways to get the certificate are:

      • HTTPS servers: point a web browser to the URL and export the Certificate (search "how to export certificate using your_browser_name")
      • Using openssl command line
        > openssl s_client -connect <host>:<port> 
        CONNECTED(000001B0)
        [...]
        Server certificate
        -----BEGIN CERTIFICATE-----
        [...]
        -----END CERTIFICATE-----
        [...]

      • Copy the lines between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", including these two marker lines
      • Save these lines to a temporary "certificate.crt" file

      Importing the certificate into your Java installation

      This is usually done with the keytool utility, included in your Java distribution.

      Example 1: adding the certificate to the default truststore

      <JAVA_HOME>/bin/keytool -import -alias <server_name> -keystore <JAVA_HOME>/jre/lib/security/cacerts -file certificate.crt

       

      Example 2: creating a specific truststore

      <JAVA_HOME>/bin/keytool -import -alias alias01 -file D:\data\certificate.crt -keystore d:\data\myKeyStore.jks
      Enter new keyfile password :
      Re-enter new password :
      Owner : C=FR
      Issuer : C=FR
      Serial Number : 0
      Valid from: Thu Sep 25 18:01:13 PDT 1997 until: Wed Dec 24 17:01:13 PDT 1997
      Certificate Fingerprints:
               MD5:  C0:5B:B9:6F:63:1B:5E:70:4C:E3:A1:C6:0F:2B:58:68
               SHA1 : F8:44:F1:BC:9B:19:8A:FA:8A:58:D4:7C:AC:D3:16:B8:92:79:66:78
               SHA256 : F2:9D:89:02:55:4C:F5:77:E5:13:C7:5F:06:CF:0B:2C:F1:C6:04:4B:D5:1F:E4:E6:FD:9B:98:A1:F0:A3:F4:C7
      Trust this certificate? [no] :  yes
      Certificate added to keystore

       

      Please consult your Java distribution's documentation for further details.
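
      Added example (not part of the original article, and not Stambia or Java code): a certificate copied from openssl s_client output is only as trustworthy as the connection it came over, so before answering yes to "Trust this certificate?" its SHA-256 fingerprint can be compared with one obtained from the server administrator. The Python code below extracts the certificate block, computes the fingerprint in the format keytool prints, and compares it; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def extract_certificates(s_client_output: str) -> list:
    """Return the DER bytes of every certificate block found in the text."""
    ders = []
    for body in PEM_RE.findall(s_client_output):
        # Drop indentation, CR/LF and spaces before strict Base64 decoding.
        ders.append(base64.b64decode("".join(body.split()), validate=True))
    if not ders:
        raise ValueError("no certificate block found")
    return ders

def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, formatted like keytool (AA:BB:...)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def matches_expected(der: bytes, expected: str) -> bool:
    """Compare with a fingerprint obtained out of band (any case or separator)."""
    normalized = re.sub(r"[^0-9A-Fa-f]", "", expected).upper()
    actual = sha256_fingerprint(der).replace(":", "")
    return hmac.compare_digest(actual, normalized)

# Constructed sample: placeholder bytes standing in for a DER certificate,
# wrapped the way "openssl s_client" prints the server certificate.
SAMPLE_DER = bytes(range(48, 112))
SAMPLE_OUTPUT = (
    "CONNECTED(000001B0)\n[...]\nServer certificate\n"
    "  -----BEGIN CERTIFICATE-----\r\n  "
    + base64.encodebytes(SAMPLE_DER).decode().replace("\n", "\r\n  ")
    + "-----END CERTIFICATE-----\n[...]\n"
)

if __name__ == "__main__":
    leaf = extract_certificates(SAMPLE_OUTPUT)[0]
    print("SHA256:", sha256_fingerprint(leaf))
    # In practice the expected value comes from the server administrator.
    print("match:", matches_expected(leaf, sha256_fingerprint(SAMPLE_DER).lower()))
```

      The printed value has the same layout as the SHA256 line keytool shows at the "Trust this certificate?" prompt, so the two can be compared directly.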

      Making sure that Stambia DI uses the certificate

      When the certificate is installed in the default truststore of the Java installation, then Stambia DI will automatically use it.

      When the certificate is installed in a specific location, you can specify the truststore on the Action by adding the following properties:

      KEY_STORE: d:\data\myKeyStore.jks
      KEY_STORE_TYPE: JKS
      KEY_STORE_PASSWORD: <encrypted password>

      Note: the password can be encrypted using the Runtime's encrypt <password> command.

       
