I am working on an older IBM iSeries (IBM-i, i5OS, AS/400, etc), with a Java 5 JVM (Classic, not ITJ J9) on O/S version V5R3M0.
Here is the scenario in a nutshell:>
Instead of using an ephemeral keystore, you could handle everything within a single SSLContext
.
You would need to initialise your SSLContext
using an custom X509KeyManager instead of using the one given by the default KeyManagerFactory
. In this X509KeyManager
,chooseServerAlias(String keyType, Principal[] issuers, Socket socket)
should return a different alias depending on the local address obtained from the socket.
This way, you wouldn't have to worry about copying the private key from one keystore to another, and this would even work for keystore types from which you can't extract (and thus copy) but only use the private key, e.g. PKCS#11.