geronimo-dev mailing list archives

From "Vamsavardhana Reddy" <c1vams...@gmail.com>
Subject Re: How to change KeyStore type?
Date Mon, 21 Jan 2008 17:23:19 GMT
Providing a keystoreType attribute does not seem to be a big deal.  But, if
the Keystores portlet has to allow creating all types of keystores, it gets
really messy.  Here is one more observation.
    *IBMJDK does not allow storing an empty PKCS12 keystore to disk.*

This prevents creating an empty PKCS12 keystore and then adding whichever
keys and certificates the user wants to.

Here is the approach I want to take.
Step 1.  Provide a keystoreType attribute in FileKeystoreInstance.
Step 2.  Update KeyStores portlet to allow creation of all keystore types
for which the JDK allows storing an empty keystore to disk.

Step 1 will allow the users to replace a keystore file of one type with that
of another type, change the keystoreType in config.xml and get the server
running.
Step 2 will allow users to manage all keystore types using Keystores portlet
and there is no hard-coding of any keystoreType except for geronimo-default
keystore which is JKS.

Now to some pitfalls.
1. If a keystore type other than JKS is in use, the user may not be able to
switch JDKs for reasons like PKCS12 keystores created using IBMJDK not being
readable using SUNJDK.
2. Though IBMJDK does not allow creating an empty PKCS12 (and a few other
types) keystore as a starting point for managing a PKCS12 keystore, the
users can always add a PKCS12 keystore to var/security/keystores and the
gbean definition to config.xml.  This will make the keystore manageable
through KeyStores portlet as long as the keystore is not empty.

This will require a change in
org.apache.geronimo.management.geronimo.KeystoreManager interface, etc.  I
doubt if we can consider this change for branches\2.0.

Comments?

++Vamsi

On Jan 18, 2008 1:37 AM, Zakharov, Vasily M <vasily.m.zakharov@intel.com>
wrote:

>
> Yes, sure, I fully agree.
>
> I've filed GERONIMO-3757 for this issue and now thinking of the patch to
> the trunk that would provide the necessary customization - unless any
> objections arise.
>
> As of GERONIMO-2015, I think we may close it, as there're objective
> reasons (stated there by Vamsavardhana Reddy) to not move from JKS on
> Sun.
>
> Vasily
>
>
> -----Original Message-----
> From: Alexey Petrenko [mailto:alexey.a.petrenko@gmail.com]
> Sent: Wednesday, January 16, 2008 1:37 PM
> To: dev@geronimo.apache.org
> Subject: Re: How to change KeyStore type?
>
> I think we should add PKCS12 to Geronimo.
> If we are afraid of possible incompatibilities and incomplete support of JKS
> or PKCS12, why not let the user choose which keystore to use?
> We can specify the keystore in configs or choose the type from those available on
> the current VM.
>
> SY, Alexey
>
> 2008/1/15, Zakharov, Vasily M <vasily.m.zakharov@intel.com>:
> > Hi, all,
> >
> > Is there a way to change the geronimo-default keystore
> > from JKS to, say, PKCS12 without patching the
> > org.apache.geronimo.security.keystore.FileKeystore* classes?
> >
> > That way of patching sources is suggested at GERONIMO-2015,
> > and it works, but it's probably not the best idea.
> >
> > I see the reasons of not making PKCS12 a default keystore type,
> > but what about making it possible to change keystore type
> > using config.xml, without source recompilation?
> >
> > I've browsed through the configuration options of geronimo-security
> > gbean, and found no way for that. Should I provide a patch for
> > that to be possible, would that be appropriate?
> >
> > Thank you!
> >
> > Vasily Zakharov
> > Intel ESSD
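Step 2 above makes the set of keystore types the portlet can create depend on which types the running JDK is able to store while still empty. The following probe is an added example, not Geronimo's own code: it enumerates the KeyStore types offered by the installed providers and tries to serialize an empty instance of each, so a management UI can offer only the types that pass; the password is a placeholder.

```java
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Probes which KeyStore types the running JDK can persist while empty.
 * Types that fail here (e.g. PKCS12 on the IBM JDK, as observed in the
 * thread) cannot be offered as "create new keystore" choices; they can
 * only be managed once a non-empty keystore file already exists.
 */
public class EmptyKeystoreProbe {

    // Placeholder password; a real deployment reads it from configuration.
    private static final char[] PASSWORD = "changeit".toCharArray();

    /** Returns type -> true if an empty keystore of that type can be stored. */
    public static Map<String, Boolean> probe() {
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (Provider provider : Security.getProviders()) {
            for (Provider.Service service : provider.getServices()) {
                if (!"KeyStore".equals(service.getType())) continue;
                String type = service.getAlgorithm();
                if (result.containsKey(type)) continue; // first provider wins
                result.put(type, canStoreEmpty(type));
            }
        }
        return result;
    }

    /** Creates an empty keystore of the given type and tries to serialize it. */
    static boolean canStoreEmpty(String type) {
        try {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(null, null);                 // initialise an empty keystore
            ks.store(new ByteArrayOutputStream(), PASSWORD);
            return true;
        } catch (Exception e) {                  // IOException, KeyStoreException, ...
            return false;
        }
    }

    public static void main(String[] args) {
        for (Map.Entry<String, Boolean> e : probe().entrySet()) {
            System.out.println(e.getKey() + ": "
                    + (e.getValue() ? "storable empty" : "NOT storable empty"));
        }
    }
}
```

Running it on each JDK a deployment must support shows directly which types differ between vendors, which is the interoperability pitfall listed under point 1.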
