Booting the server and connecting to it

Finally, boot the server and start the client.

The previous three topics covered the first two setup steps described in Configuring SSL/TLS: creating the client and server certificates, then importing the certificates. This topic describes the remaining two steps, server startup and client startup.

Every time that we bring up the server, we must remember to turn on network encryption. We must set four VM properties that declare the locations and passwords for the server's key store and trust store: javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword, javax.net.ssl.trustStore, and javax.net.ssl.trustStorePassword.

In addition, we specify the -ssl peerAuthentication startup option. The command to start the server, therefore, looks something like this:

java -Djavax.net.ssl.keyStore=/Users/me/vault/ServerKeyStore \
-Djavax.net.ssl.keyStorePassword=secretServerPassword \
-Djavax.net.ssl.trustStore=/Users/me/vault/ServerTrustStore \
-Djavax.net.ssl.trustStorePassword=secretServerTrustStorePassword \
org.apache.derby.drda.NetworkServerControl start -p 8246 \
-ssl peerAuthentication

The -p 8246 option starts the server on a nondefault port (rather than the default port of 1527).

The final step is to bring up a client. As with server startup, we must tell the VM the locations and passwords of the local key store and trust store. This example is a simple ij script. Notice the extra ssl attribute on the connection URL. That attribute tells the client to authenticate the server's identity using a certificate, and it tells the client that the network traffic must be encrypted:

java -Djavax.net.ssl.trustStore=/Users/me/vault/ClientTrustStore \
-Djavax.net.ssl.trustStorePassword=secretClientTrustStorePassword \
-Djavax.net.ssl.keyStore=/Users/me/vault/ClientKeyStore \
-Djavax.net.ssl.keyStorePassword=secretClientPassword \
org.apache.derby.tools.ij
ij version 10.11
ij> connect 'jdbc:derby://localhost:8246/testdb;create=true;ssl=peerAuthentication';
ij> select schemaName, authorizationID from sys.sysschemas;

You will get errors from ij if you omit the extra VM properties or the ssl attribute on the connection URL. Here, for instance, is the output from running ij without the VM properties and the ssl attribute:

java org.apache.derby.tools.ij
ij version 10.11
ij> connect 'jdbc:derby://localhost:8246/testdb;create=true';
ERROR 08006: A network protocol error was encountered and the connection has been
terminated: A PROTOCOL Data Stream Syntax Error was detected. Reason: 0x3. 
Plaintext connection attempt to an SSL enabled server?
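Because both the server and the client command lines depend on the same four javax.net.ssl.* properties, it is worth checking them before starting either side. The Java program below is an added example, not part of Derby or of this guide: it is run with the same -D options as the server or client command, opens each store with the given password, and fails if a store cannot be read or holds nothing a peerAuthentication endpoint can use. The store types are taken from the optional javax.net.ssl.keyStoreType and javax.net.ssl.trustStoreType properties, falling back to the JDK default.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Enumeration;

/**
 * Preflight for the four javax.net.ssl.* properties. Run it exactly like the
 * server or client command, e.g.
 *   java -Djavax.net.ssl.keyStore=... -Djavax.net.ssl.keyStorePassword=... \
 *        -Djavax.net.ssl.trustStore=... -Djavax.net.ssl.trustStorePassword=... \
 *        SslStorePreflight
 */
public class SslStorePreflight {

    /** Loads a store; a wrong path or password throws here, not at connect time. */
    static KeyStore open(String path, String password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    /** Counts private-key entries (wantKeys) or trusted-certificate entries. */
    static int countEntries(KeyStore ks, boolean wantKeys) throws Exception {
        int n = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (wantKeys ? ks.isKeyEntry(alias) : ks.isCertificateEntry(alias)) n++;
        }
        return n;
    }

    static String required(String name) {
        String v = System.getProperty(name);
        if (v == null) throw new IllegalStateException("missing -D" + name);
        return v;
    }

    public static void main(String[] args) throws Exception {
        String defType = KeyStore.getDefaultType();
        KeyStore ks = open(required("javax.net.ssl.keyStore"), required("javax.net.ssl.keyStorePassword"),
                           System.getProperty("javax.net.ssl.keyStoreType", defType));
        KeyStore ts = open(required("javax.net.ssl.trustStore"), required("javax.net.ssl.trustStorePassword"),
                           System.getProperty("javax.net.ssl.trustStoreType", defType));
        // The key store supplies this side's own identity; the trust store supplies the
        // certificates the peer is checked against. peerAuthentication needs both.
        if (countEntries(ks, true) == 0) throw new IllegalStateException("key store has no private key entry");
        if (countEntries(ts, false) == 0) throw new IllegalStateException("trust store has no trusted certificate");
        System.out.println("key store and trust store OK");
    }
}
```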

When you want to administer the server (for instance, to bring it down), you will need to specify the locations and passwords of a valid key store and trust store as well as the extra ssl option on the server command line:

java -Djavax.net.ssl.trustStore=/Users/me/vault/ClientTrustStore \
-Djavax.net.ssl.trustStorePassword=secretClientTrustStorePassword \
-Djavax.net.ssl.keyStore=/Users/me/vault/ClientKeyStore \
-Djavax.net.ssl.keyStorePassword=secretClientPassword \
org.apache.derby.drda.NetworkServerControl shutdown -p 8246 \
-ssl peerAuthentication