SSL Sockets SSL Client and Server Sockets

    package javasec.samples.ch14;

    import java.io.*;
    import java.net.*;
    import java.security.*;
    import javax.net.*;
    import com.sun.net.ssl.*;

    public class SSLServerWithContext {
        public static void main(String[] args) throws Exception {
            // args[0] is the keystore file, args[1] the password for its private keys
            SSLContext sc = SSLContext.getInstance("TLS");
            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
            KeyStore ks = KeyStore.getInstance("JCEKS");
            char[] password = args[1].toCharArray();
            // Passing null as the store password skips the keystore integrity check on load
            ks.load(new FileInputStream(args[0]), null);
            kmf.init(ks, password);
            sc.init(kmf.getKeyManagers(), null, null);
            ServerSocketFactory ssf = sc.getServerSocketFactory();
            ServerSocket ss = ssf.createServerSocket(9096);
            while (true) {
                new SSLSimpleServer(ss.accept()).start();
            }
        }
    }

Here, we create the SSL context and then obtain a key manager factory. The factory is initialized with the keystore that we load from the first argument on the command line. The keystore uses the second argument to look up its private keys. Once the context is initialized, we create the server socket factory from the context and obtain the server socket from that factory. As before, the server socket is actually an instance of the SSLServerSocket class, and the bulk of the program logic is still provided by the SSLSimpleServer class. In this case, all we've really done is gone from specifying the keystore via a property to specifying it on the command line. This server is run as follows:

    piccolo% java javasec.samples.ch14.SSLServerWithContext $HOME/.keystore

This code contains the outline to use if you have a nondefault keystore; notice, for instance, that we're using the JCEKS algorithm as input to the getInstance() method of the KeyStore class. Similarly, if there are other differences in the way you obtain keystores, or if you'd rather not specify the command-line property, this code shows how to initialize the key manager. However, our server will still use an arbitrary alias from the keystore. So now we'll take this example one step further and develop a key manager that allows us to specify which alias in the keystore to use.
To write our own key manager, we must develop a class that implements the X509KeyManager interface (com.sun.net.ssl.X509KeyManager). This interface extends the KeyManager interface (com.sun.net.ssl.KeyManager), which is an empty interface used for type identification. Because the KeyManager interface does not define an API, the implementation of a key manager is tightly coupled to the implementation of the SSLContext class in use. Sun's implementation of the SSLContext class requires you to pass at least one key manager that implements the X509KeyManager interface in the key manager array passed to the init() method; the first such class in the array is the one that the SSLContext class uses to look up keys. All other key managers in the array are ignored. If no appropriate key manager is present in the array, no exception is thrown, but nothing will work either. If you're using a third-party security provider that defines a different SSLContext class, it may expect a different type of key manager.

To write our key manager, we must implement the following methods of the X509KeyManager interface:

    public String[] getClientAliases(String keyType, Principal[] issuers)

Return all possible aliases from the keystore that could be used to perform client-side SSL encryption for the given key type (e.g., RSA or DSA). If the issuers array is not null, it contains an array of principals who are CAs, and the key belonging to each alias in the returned array must have been issued by an entity contained in that array. This method should not return null; if no appropriate aliases are found, it should return an array of length 0.

    public String chooseClientAlias(String keyType, Principal[] issuers)

Select the alias from the keystore that should be used to perform client-side SSL encryption for the given key type (e.g., RSA or DSA). If the issuers array is not null, the key must be provided by an entity contained in the array. This method should return null if no appropriate alias is found.

    public String[] getServerAliases(String keyType, Principal[] issuers)

Return all possible aliases from the keystore that could be used to perform server-side SSL encryption for the given key type (e.g., RSA or DSA). If the issuers array is not null, the key must be provided by an entity contained in the array. This method should not return null; if no appropriate aliases are found, it should return an array of length 0.

    public String chooseServerAlias(String keyType, Principal[] issuers)

Select the alias from the keystore that should be used to perform server-side SSL encryption for the given key type (e.g., RSA or DSA). If the issuers array is not null, the key must be provided by an entity contained in the array. This method should return null if no appropriate alias is found.

    public X509Certificate[] getCertificateChain(String alias)

Return the array of X509 certificates associated with the given alias. If the keystore contains non-X509 certificates for the given alias, those certificates should be ignored. Note that the method returns an array of java.security.cert.X509Certificate objects, not (as do most other classes within JSSE) javax.security.cert.X509Certificate objects.

    public PrivateKey getPrivateKey(String alias)

Return the private key for the alias.

As the API indicates, key managers may be used by both clients and servers in an SSL conversation. They are more frequently used by servers, since servers must always authenticate themselves to clients. Here's an implementation of this interface:

    package javasec.samples.ch14;

    import java.net.*;
    import java.security.cert.X509Certificate;
    import java.security.interfaces.*;
    import java.security.*;
    import java.util.*;
    import javax.net.ssl.*;
    import com.sun.net.ssl.*;

    public class SSLKeyManager implements X509KeyManager {
        protected String alias;
        protected KeyStore ks;
        protected char[] pw;
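As an added example (not the book's SSLKeyManager, whose listing continues beyond this page), here is a complete alias-pinning key manager written against the current javax.net.ssl.X509KeyManager interface, whose choose*Alias methods take an extra Socket parameter and whose chooseClientAlias receives an array of key types; the selection rules are otherwise the ones the method descriptions above spell out (match the key type, honour a non-null issuers array, return an empty array rather than null). The class name FixedAliasKeyManager is an assumption.

```java
import java.net.Socket;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.X509KeyManager;

// Added example (not the book's SSLKeyManager): serve exactly one keystore alias.
public class FixedAliasKeyManager implements X509KeyManager {
    private final String alias;
    private final X509Certificate[] chain;
    private final PrivateKey key;

    public FixedAliasKeyManager(KeyStore ks, String alias, char[] keyPassword)
            throws GeneralSecurityException {
        if (!ks.isKeyEntry(alias))
            throw new KeyStoreException("no private key entry for alias " + alias);
        // Resolve chain and key once, so a bad alias fails at startup rather than mid-handshake.
        List<X509Certificate> x509 = new ArrayList<>();
        for (Certificate c : ks.getCertificateChain(alias))
            if (c instanceof X509Certificate) x509.add((X509Certificate) c); // non-X.509 entries ignored
        this.alias = alias;
        this.chain = x509.toArray(new X509Certificate[0]);
        this.key = (PrivateKey) ks.getKey(alias, keyPassword);
    }

    // Offer the alias only if the key algorithm matches (e.g. "RSA") and, when the peer
    // names acceptable CAs, one of them issued a certificate in our chain.
    private boolean matches(String keyType, Principal[] issuers) {
        if (!key.getAlgorithm().equalsIgnoreCase(keyType)) return false;
        if (issuers == null) return true;
        for (X509Certificate c : chain)
            for (Principal ca : issuers)
                if (ca.equals(c.getIssuerX500Principal())) return true;
        return false;
    }

    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return matches(keyType, issuers) ? new String[] { alias } : new String[0];
    }
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return matches(keyType, issuers) ? alias : null;
    }
    public String[] getClientAliases(String k, Principal[] i) { return getServerAliases(k, i); }
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        for (String t : keyTypes) if (matches(t, issuers)) return alias;
        return null;
    }
    public X509Certificate[] getCertificateChain(String a) { return alias.equals(a) ? chain.clone() : null; }
    public PrivateKey getPrivateKey(String a) { return alias.equals(a) ? key : null; }
}
```

To use it in the server above, pass it as the only element of the array given to sc.init(), e.g. sc.init(new KeyManager[] { new FixedAliasKeyManager(ks, "server", password) }, null, null), where "server" stands for whichever alias in your keystore should identify the server.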