geronimo-dev mailing list archives

From "Vamsavardhana Reddy" <c1vams...@gmail.com>
Subject Re: How to change KeyStore type?
Date Mon, 28 Jan 2008 13:23:06 GMT
Here is an essence of the fix that went in to trunk (2.1):
o Allow creation of all possible keystore types supported. Keystore type is
no longer restricted to JKS.
o Added a type parameter to create keystore methods.
o Keystores portlet will now allow creating and managing all types of
keystores.
o This revision will simplify the configuration changes required to run G on
a JVM that does not support JKS keystores (e.g., Harmony).
o Allow selecting any keystore type supported by the JVM in Tomcat HTTPS
Connector pages.

As this "feature" required some interface changes, e.g. KeystoreManager,
KeystoreInstance etc., I would like to hear from others on considering this
for branches\2.0 as it may break compatibility.

++Vamsi



On Jan 21, 2008 11:21 PM, Zakharov, Vasily M <vasily.m.zakharov@intel.com>
wrote:

> Vamsi,
>
> Thanks for the detailed analysis. The problem indeed looks non-trivial.
>
> Step 1. This looks pretty simple, and I'm now creating a patch for that.
> This change seems very important to me, how about getting it to v2.0.3
> /2.1?
>
> Step 2. This change also seems very important, but less critical than the
> first one, and it requires essential interface changes, so I tend to agree
> it certainly should wait till 2.1 or later.
>
> As for pitfalls, they seem unavoidable. Sure we want compatibility, but any
> compatibility has its limits. I suppose that changing JDK under a particular
> running installation of Geronimo is not a feature in great demand, and in a
> rare case when such a change would be necessary, a keystore conversion could
> be done manually (e.g. JKS<->PKCS12 conversion can be done in Sun,
> PKCS12<->BKS conversion can be done in Harmony etc.)
>
> Vasily
>
> ------------------------------
>
> From: Vamsavardhana Reddy [mailto:c1vamsi1c@gmail.com]
> Sent: Monday, January 21, 2008 8:23 PM
> To: dev@geronimo.apache.org
> Subject: Re: How to change KeyStore type?
>
> Providing a keystoreType attribute does not seem to be a big deal.  But,
> if the Keystores portlet has to allow creating all types of keystores, it
> gets really messy.  Here is one more observation.
>     IBMJDK does not allow storing an empty PKCS12 keystore to disk.
>
> This prevents creating an empty PKCS12 keystore and then adding whichever
> keys and certificates the user wants to.
>
> Here is the approach I want to take.
> Step 1.  Provide a keystoreType attribute in FileKeystoreInstance.
> Step 2.  Update KeyStores portlet to allow creation of all keystore types
> that the JDK allows to store an empty keystore to disk.
>
> Step 1 will allow the users to replace a keystore file of one type with
> that of another type,  change the keystoreType in config.xml and get the
> server running.
> Step 2 will allow users to manage all keystore types using Keystores
> portlet and there is no hard-coding of any keystoreType except for
> geronimo-default keystore which is JKS.
>
> Now to some pitfalls.
> 1. If a keystore type other than JKS is in use, the user may not be able to
> switch JDKs for reasons like PKCS12 keystores created using IBMJDK not being
> readable using SUNJDK.
> 2. Though IBMJDK does not allow creating an empty PKCS12 (and a few other
> types) keystore as a starting point for managing a PKCS12 keystore, the
> users can always add a PKCS12 keystore to var/security/keystores and the
> gbean definition to config.xml.  This will make the keystore manageable
> through KeyStores portlet as long as the keystore is not empty.
>
> This will require a change in
> org.apache.geronimo.management.geronimo.KeystoreManager interface, etc.  I
> doubt if we can consider this change for branches\2.0.
>
> Comments?
>
> ++Vamsi
>
> On Jan 18, 2008 1:37 AM, Zakharov, Vasily M <vasily.m.zakharov@intel.com>
> wrote:
>
> Yes, sure, I fully agree.
>
> I've filed GERONIMO-3757 for this issue and now thinking of the patch to
> the trunk that would provide the necessary customization - unless any
> objections arise.
>
> As for GERONIMO-2015, I think we may close it, as there are objective
> reasons (stated there by Vamsavardhana Reddy) to not move from JKS on
> Sun.
>
> Vasily
>
> -----Original Message-----
> From: Alexey Petrenko [mailto: alexey.a.petrenko@gmail.com]
> Sent: Wednesday, January 16, 2008 1:37 PM
> To: dev@geronimo.apache.org
> Subject: Re: How to change KeyStore type?
>
> I think we should add PKCS12 to Geronimo.
> If we are afraid of possible incompatibilities and incomplete support of JKS
> or PKCS12, why not let the user choose which keystore to use?
> We can specify keystore in configs or choose type from available on
> current VM.
>
> SY, Alexey
>
> 2008/1/15, Zakharov, Vasily M <vasily.m.zakharov@intel.com>:
> > Hi, all,
> >
> > Is there a way to change the geronimo-default keystore
> > from JKS to, say, PKCS12 without patching the
> > org.apache.geronimo.security.keystore.FileKeystore* classes?
> >
> > That way of patching sources is suggested at GERONIMO-2015,
> > and it works, but it's probably not the best idea.
> >
> > I see the reasons of not making PKCS12 a default keystore type,
> > but what about making it possible to change keystore type
> > using config.xml, without source recompilation?
> >
> > I've browsed through the configuration options of the geronimo-security
> > gbean, and found no way for that. Should I provide a patch for
> > that to be possible, would that be appropriate?
> >
> > Thank you!
> >
> > Vasily Zakharov
> > Intel ESSD
> >
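
As an added illustration (not code from Geronimo or from any poster in this thread), the Java probe below enumerates the keystore types registered by the running JVM's security providers and checks, in memory, whether an empty keystore of each type can be saved. That is exactly the condition Step 2 of the proposal makes the Keystores portlet depend on, and it is the check that fails for PKCS12 on IBMJDK as reported above; the password is a constructed sample value.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.TreeSet;

/** Lists the keystore types the running JVM supports and probes whether an
 *  empty keystore of each type can be stored, as a portlet would need to know
 *  before offering that type for creation. */
public class KeystoreTypeProbe {

    /** All KeyStore types registered by any installed security provider. */
    static TreeSet<String> supportedKeystoreTypes() {
        TreeSet<String> types = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("KeyStore".equals(s.getType())) {
                    types.add(s.getAlgorithm());
                }
            }
        }
        return types;
    }

    /** True if an empty keystore of this type can be created and stored. */
    static boolean canStoreEmptyKeystore(String type, char[] password) {
        try {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(null, password);              // initialise an empty store
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            ks.store(out, password);              // in-memory stand-in for a file under var/security/keystores
            return out.size() > 0;
        } catch (GeneralSecurityException | IOException | RuntimeException e) {
            // Provider refuses to save an empty store (or the type needs
            // special load parameters): treat as "not creatable from empty".
            return false;
        }
    }

    public static void main(String[] args) {
        char[] pw = "changeit".toCharArray();    // constructed sample password
        for (String type : supportedKeystoreTypes()) {
            System.out.printf("%-12s empty store can be saved: %s%n",
                    type, canStoreEmptyKeystore(type, pw));
        }
    }
}
```

Running it on each JDK you intend to support shows directly which types the portlet may offer for "create empty keystore" on that VM and which must be imported pre-populated instead.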
