Creating an X509TrustManager

You can either implement this interface directly or obtain an implementation from a provider-based TrustManagerFactory (such as that supplied by the IBMJSSE2 provider). You could also write your own implementation that delegates to a factory-generated trust manager. For example, you might do this to filter the resulting trust decisions and query an end user through a graphical user interface.
Note: If a null KeyStore parameter is passed to the IBMJSSE2 IbmX509 or PKIX TrustManagerFactory, the factory uses the following steps to try to find trust material:
  1. If the system property javax.net.ssl.trustStore is defined, the TrustManagerFactory attempts to find a file using the filename specified by that system property, and uses that file for the KeyStore. If the javax.net.ssl.trustStorePassword system property is also defined, its value is used to check the integrity of the data in the truststore before opening it.

    If javax.net.ssl.trustStore is defined but the specified file does not exist, a password was specified and it is incorrect, or the keystore type is inappropriate for the truststore, an error is thrown.

  2. If the javax.net.ssl.trustStore system property was not specified, then if the file <install_dir>/jre/lib/security/jssecacerts exists, that file is used.
  3. Otherwise, the following file is used: <install_dir>/jre/lib/security/cacerts

The factory looks for a file specified by the system property javax.net.ssl.trustStore, or for the jssecacerts file, before checking for a cacerts file. This order lets you provide a JSSE-specific set of trusted root certificates, separate from the ones that might be present in cacerts for code-signing purposes.