A. 'Crash'
An exception isn't a crash, and it shouldn't bring down your application. That's just poor code structure and poor exception handling. You need to start a thread per accepted socket, with its own exception handling in its run method.
B. Certificate steps.
```sh
#GENERATE KEYS
keytool -genkeypair -alias plainserverkeys -keyalg RSA -dname "CN=Plain Server,OU=kl2217,O=kl2217org,L=Boston,ST=MA,C=US" -keypass password -keystore plainserver.jks -storepass password
keytool -genkeypair -alias plainclientkeys -keyalg RSA -dname "CN=Plain Client,OU=kl2217,O=kl2217org,L=Boston,ST=MA,C=US" -keypass password -keystore plainclient.jks -storepass password
```
So far so good. Here you have created or updated two keystores: one for the server, one for the client.
```sh
#EXPORT SERVER CERT + IMPORT NEW KEYSTORE
keytool -exportcert -alias plainserverkeys -file serverpub.cer -keystore plainserver.jks -storepass password
keytool -importcert -keystore serverpub.jks -alias serverpub -file serverpub.cer -storepass password
```
Here you have created or updated a truststore for the client.
```sh
#EXPORT CLIENT CERT + IMPORT NEW KEYSTORE
keytool -exportcert -alias plainclientkeys -file clientpub.cer -keystore plainclient.jks -storepass password
keytool -importcert -keystore clientpub.jks -alias clientpub -file clientpub.cer -storepass password
```
Here you have created or updated a truststore for the server.
So your intention is clearly to engage in mutually authenticated SSL.
```sh
#EXPORT PLAIN CLIENT CERT + IMPORT TO MAIN JAVA KEYSTORE
keytool -export -alias plainclientkeys -keystore plainclient.jks -rfc -file plainclient.cert
keytool -import -trustcacerts -keystore /usr/java/jdk1.7.0_25/jre/lib/security/cacerts -storepass changeit -noprompt -alias mycert -file plainclient.cert
```
I don't understand why you're doing this step. The first command just creates another copy of the file 'clientpub.cer' that you already have. The second part puts it into the JDK truststore, for reasons I don't understand. You don't need both these two steps and the previous two, just either the previous two or these two.
But I don't understand why you're doing any of the four. You don't need a client certificate, a client keystore, and a server truststore at all, unless:
- You have enabled wantClientAuth or needClientAuth at the server, and
- You have installed the client certificate in your Firefox browser.
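As an added example (not code from the question or this answer), here is a minimal server that uses the stores built by the keytool commands above, plainserver.jks as its keystore and clientpub.jks as its truststore, turns on needClientAuth so those stores actually matter, and handles each accepted socket in its own thread with its own exception handling, as point A recommends. The port 8443 and the line-echo protocol are assumptions; a client would mirror it with plainclient.jks and serverpub.jks.

```java
import java.io.*;
import java.security.KeyStore;
import javax.net.ssl.*;

public class MutualTlsServer {
    // Added example: build an SSLContext from our own keystore and a truststore of peer certificates.
    static SSLContext context(String keyStorePath, String trustStorePath, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keyStorePath)) { ks.load(in, pw); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) { ts.load(in, pw); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "password".toCharArray();  // the -storepass/-keypass used in the keytool commands
        SSLContext ctx = context("plainserver.jks", "clientpub.jks", pw);  // server keys + client truststore
        SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443); // port assumed
        server.setNeedClientAuth(true);  // without this, the client keystore and server truststore are never used
        while (true) {
            final SSLSocket socket = (SSLSocket) server.accept();
            new Thread(() -> handle(socket)).start();  // one thread per accepted socket
        }
    }

    // Exceptions are caught in the per-connection thread, so one bad client cannot stop the accept loop.
    static void handle(SSLSocket socket) {
        try (SSLSocket s = socket;
             BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
             PrintWriter out = new PrintWriter(s.getOutputStream(), true)) {
            s.startHandshake();  // fails here if the client presents no certificate found in clientpub.jks
            String peer = s.getSession().getPeerPrincipal().getName();  // e.g. CN=Plain Client,OU=kl2217,...
            out.println("hello " + peer);
            String line;
            while ((line = in.readLine()) != null) out.println(line);  // trivial echo, assumed protocol
        } catch (IOException e) {
            System.err.println("connection failed: " + e.getMessage());
        }
    }
}
```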