Re: [Hbci4java-help] java.security.cert.CertPathValidatorException: Path does not chain with any of
From: Rolf V. <ro...@we...> - 2010-01-15 00:36:47
> > If I understand it correctly, you could use the parameter
> > client.passport.PinTan.certfile to specify a file that you ship
> > along with your code that will be used by HBCI4Java. This file
> > could contain any (root or immediate) certificate that will be
> > needed to communicate with the host.
> Do you know any way of doing this at configuration-time inside the
> program?
> Preferably one that works with any version of the hbci-protocol. (I
> don't know
> much about how hbci and FinTS work on the network-layer.)

Well, it should look similar to:

- HBCI
- HTTPS - SSL layer (that's the one we are configuring here)
- HTTPS - HTTP layer
- TCP
- IP
- ... something irrelevant to this discussion ...

You could try the client.passport.PinTan.certfile option that seems to be
specified in the hbci.properties file. A sample could be found here:
http://hbci4java.kapott.org/svn/hbci4java/trunk/src/hbci.properties.template
Just search for "client.passport.PinTan" ...

> I don't think it's an option to ship and update the certificates of
> every bank
> the user could configure with the software.

This is not needed, only the certificates above the bank certificate
should ever be needed (see my other mail for details). Java contains most
certificates needed for everyday usage.

> > Also, the password for the default Java keystore seems to be
> > documented, it's either "changeit" or "changeme" (the latter only
> > on MacOSX).
> Yes, you can find out about it but not easy enough to let an untrained
> everyday-user do it.

I think, if you use a standard Java JDK keystore and "pimp" it as
described in my other mail, but without changing the password, the user
does not have to enter anything at all.

> > You could also check out the great open source (GNU GPL v2)
> > software Portecle (http://portecle.sourceforge.net/) that can be
> > used to inspect and modify Java keystores.
> Never seen that one yet. Thanks for mentioning it.
>
> Marcus