I am trying to run RMI over a SSL connection. The Server- and ClientSocketFactories seem to be straight forward but how could I specify when I request a remote object, what keypair to use for the SSL connection. That means I can't just load the keys from a static key file, I want to pass them dynamically, at least to the client.
I am not exactly sure of why you would want to pass the key pair to the client, but I guess your situation must be similar to my own. I have a client callback object which is using SSL, so to create the server socket for this object I need a KeyStore. As the client is loaded via Java Web Start I don't want to interfere with the plug and play by requiring the client's user to configure keystores and truststores.
Currently I am requesting a KeyStore from the client using an https URL connection to the server which opens a keystore file in my webstart server and loads it into the client.
What I need to do is to make this a four phase operation: first authorize the client via a login; then request a Keystore object from the server (storing this as a transient object in the client); create the callback object using this Keystore as the source of the server certificate; and finally register the callback object with the server.
Using this method I believe you could use randomly generated certificates to send to your clients and add these on the fly to the servers (transient)truststore, which means that you don't have to hand out any sensitive data, but as I haven't implemented this yet I will reserve judgement.....
I reckon this approach is as secure as I can make it, but I would be interested to receive any commments.