I can't believe I'm the only person to run up against this problem. I've been googling for hours and have not had any luck. The Java security documentation doesn't seem to address PKCS12 certificates thoroughly.

我不敢相信我是唯一遇到这个问题的人。我已经用谷歌搜索了几个小时，但没有任何运气。Java 安全文档似乎没有彻底解决 PKCS12 证书问题。

I am trying to setup Java for user specific PKCS12 certificates. Among other things, this will be used so that, in Eclipse, I can access a Trac server that is authenticated via certificates. I am using the Trac Mylyn integration plugin for eclipse.

我正在尝试为用户特定的 PKCS12 证书设置 Java。除其他外，这将被使用，以便在 Eclipse 中，我可以访问通过证书进行身份验证的 Trac 服务器。我正在为 Eclipse 使用 Trac Mylyn 集成插件。

Here is the setup:

这是设置：

• user home directories are at /home
• multiuser mount at /central
• each user has a personal certificate at: ~/user.p12
• password for personal certificates is: pass1234
• the users password is stored in a 0400 file at ~/password.txt
• a read-only trust store for the ca is at: /central/ca.jks
• no password for the truststore
• JDK 1.6 installed at /central/jdk_1.6.0
• Eclipse 3.4 installed at /central/eclipse_3.4.0
• JAVA_HOME=/central/jdk_1.6.0
• JAVA_HOME is set to the JDK location because Eclipse needs this
• ECLIPSE_HOME=/central/eclipse_3.4.0
• JRE lives at $JAVA_HOME/jre
• each user has a ~/.java.policy file
• there is a trac server running at https://trac.internal/trac
• the trac server authenticates using certificates

• 用户主目录位于 /home
• 多用户挂载在 /central
• 每个用户都有一个个人证书：~/user.p12
• 个人证书密码为：pass1234
• 用户密码存储在 ~/password.txt 的 0400 文件中
• ca 的只读信任存储位于：/central/ca.jks
• 信任库没有密码
• JDK 1.6 安装在 /central/jdk_1.6.0
• Eclipse 3.4 安装在 /central/eclipse_3.4.0
• JAVA_HOME=/central/jdk_1.6.0
• JAVA_HOME 设置为 JDK 位置，因为 Eclipse 需要这个
• ECLIPSE_HOME=/central/eclipse_3.4.0
• JRE 住在 $JAVA_HOME/jre
• 每个用户都有一个 ~/.java.policy 文件
• 有一个 trac 服务器运行在https://trac.internal/trac
• trac 服务器使用证书进行身份验证

Now, I want to be able to have each user simply modify some file that they own (like the ~/.java.policy file, for example), and be able to launch the central Eclipse application and access the Trac repository. Seems simple enough.

现在，我希望能够让每个用户简单地修改他们拥有的一些文件（例如 ~/.java.policy 文件），并且能够启动中央 Eclipse 应用程序并访问 Trac 存储库。看起来很简单。

Right now, the only way I can get this to work is to edit the $ECLIPSE_HOME/eclipse.ini file and add

现在，我可以让它工作的唯一方法是编辑 $ECLIPSE_HOME/eclipse.ini 文件并添加

-Djavax.net.ssl.keyStore="/home/user/user.p12"
-Djavax.net.ssl.keyStoreType="PKCS12"
-Djavax.net.ssl.keyStorePassword="pass1234"
-Djavax.net.ssl.trustStore="/central/ca.jks"

Ok, that works, but there are two problems with it:

好的，这可行，但有两个问题：

• Each user has to have their own ecipse install. (or can eclipse read that from a user file?)
• It is Eclipse specific, I'd ultimately like to have this as a Java configuration.

• 每个用户都必须安装自己的 ecipse。（或者 eclipse 可以从用户文件中读取它吗？）
• 它特定于 Eclipse，我最终希望将其作为 Java 配置。

Also, I remember from some time back that you can edit the $JAVA_HOME/jre/lib/security/java.security file and add

另外，我记得很久以前你可以编辑 $JAVA_HOME/jre/lib/security/java.security 文件并添加

keystore=/home/user/user.p12
keystore.type=PKCS12
keystore.password=pass1234
truststore=/central/ca.jks

But Eclipse doesn't seem to pick that up. Could it be because my JAVA_HOME points to a JDK, and not the JDK's nested JRE?

但是 Eclipse 似乎没有接受这一点。可能是因为我的 JAVA_HOME 指向 JDK，而不是 JDK 的嵌套 JRE？

I've seen the Java PKCS#11 Referencethat references the following properties: keyStoreURL="NONE" keyStoreType="PKCS11" keyStorePasswordURL=some_pin_url

我见过引用以下属性的Java PKCS#11 参考：keyStoreURL="NONE" keyStoreType="PKCS11" keyStorePasswordURL=some_pin_url

There was another reference I saw that said you could edit the ~/.java.policy file to include:

我看到另一个参考资料说您可以编辑 ~/.java.policy 文件以包括：

keyStore "file:///home/user/user.p12", "PKCS12", "SunJSSE";
keyStorePasswordUrl "file:///home/user/password.txt";

But that doesn't get picked up either. Maybe it actually does work and its not getting read for the same reason the java.security file doesn't work, or maybe it just doesn't work at all.

但这也没有被接受。也许它确实可以工作，并且由于 java.security 文件不工作的原因而没有被读取，或者它根本不工作。

Some system properties I've seen:

我见过的一些系统属性：

javax.net.ssl.keyStore="/home/user/user.p12"
javax.net.ssl.keyStoreType="PKCS12"
javax.net.ssl.keyStorePassword="password"
javax.net.ssl.keyStoreProvider="SunJSSE"
javax.net.ssl.trustStore="/home/user/ca.jks"
javax.net.ssl.trustStoreType="JKS"
javax.net.ssl.trustStorePassword=""
javax.net.ssl.trustStoreProvider="Sun"

So, right now, I guess I'm stuck with having each user to have their own Eclipse intall. I know it sounds like a complicated setup, but this shouldn't really have anything to do with Eclipse as far as the certificate setup... its really a Java setup for user specific certificates.

所以，现在，我想我坚持让每个用户安装自己的 Eclipse。我知道这听起来像是一个复杂的设置，但是就证书设置而言，这与 Eclipse 没有任何关系……它实际上是针对用户特定证书的 Java 设置。

Any ideas?

有任何想法吗？