geronimo-dev mailing list archives

From "Zakharov, Vasily M" <vasily.m.zakha...@intel.com>
Subject RE: How to change KeyStore type?
Date Mon, 21 Jan 2008 17:51:14 GMT
Vamsi,

Thanks for the detailed analysis. The problem indeed looks non-trivial.


Step 1. This looks pretty simple, and I'm now creating a patch for that.
This change seems very important to me, how about getting it to
v2.0.3/2.1?


Step 2. This change also seems very important, but less critical than
the first one, and it requires essential interface changes, so I tend to
agree it certainly should wait till 2.1 or later.


As for pitfalls, they seem unavoidable. Sure we want compatibility, but
any compatibility has its limits. I suppose that changing JDK under a
particular running installation of Geronimo is not a feature in great
demand, and in a rare case when such a change would be necessary, a
keystore conversion could be done manually (e.g. JKS<->PKCS12 conversion
can be done in Sun, PKCS12<->BKS conversion can be done in Harmony etc.)


Vasily


________________________________

From: Vamsavardhana Reddy [mailto:c1vamsi1c@gmail.com] 
Sent: Monday, January 21, 2008 8:23 PM
To: dev@geronimo.apache.org
Subject: Re: How to change KeyStore type?


Providing a keystoreType attribute does not seem to be a big deal.  But,
if the Keystores portlet has to allow creating all types of keystores,
it gets really messy.  Here is one more observation.
    IBMJDK does not allow storing an empty PKCS12 keystore to disk. 

This prevents creating an empty PKCS12 keystore and then adding whichever
keys and certificates the user wants to.

Here is the approach I want to take.
Step 1.  Provide a keystoreType attribute in FileKeystoreInstance. 
Step 2.  Update KeyStores portlet to allow creation of all keystore
types for which the JDK allows storing an empty keystore to disk.

Step 1 will allow the users to replace a keystore file of one type with
that of another type,  change the keystoreType in config.xml and get the
server running.
Step 2 will allow users to manage all keystore types using Keystores
portlet and there is no hard-coding of any keystoreType except for
geronimo-default keystore which is JKS.

Now to some pitfalls.
1. If a keystore type other than JKS is in use, the user may not be able
to switch JDKs for reasons like PKCS12 keystores created using IBMJDK
not being readable using SUNJDK.
2. Though IBMJDK does not allow creating an empty PKCS12 (and a few
other types) keystore as a starting point for managing a PKCS12
keystore, the users can always add a PKCS12 keystore to
var/security/keystores and the gbean definition to config.xml.  This
will make the keystore manageable through KeyStores portlet as long as
the keystore is not empty.

This will require a change in
org.apache.geronimo.management.geronimo.KeystoreManager interface, etc.
I doubt if we can consider this change for branches\2.0. 

Comments?

++Vamsi

On Jan 18, 2008 1:37 AM, Zakharov, Vasily M
<vasily.m.zakharov@intel.com> wrote:


Yes, sure, I fully agree.

I've filed GERONIMO-3757 for this issue and now thinking of the patch to
the trunk that would provide the necessary customization - unless any
objections arise.

As for GERONIMO-2015, I think we may close it, as there are objective
reasons (stated there by Vamsavardhana Reddy) not to move from JKS on
Sun.

Vasily



-----Original Message-----
From: Alexey Petrenko [mailto: alexey.a.petrenko@gmail.com]
Sent: Wednesday, January 16, 2008 1:37 PM
To: dev@geronimo.apache.org
Subject: Re: How to change KeyStore type? 

I think we should add PKCS12 to Geronimo.
If we are afraid of possible incompatibilities and incomplete support of
JKS or PKCS12, why not let the user choose what keystore to use?
We can specify the keystore in configs or choose the type from those
available on the current VM.

SY, Alexey

2008/1/15, Zakharov, Vasily M <vasily.m.zakharov@intel.com>:
> Hi, all,
>
> Is there a way to change the geronimo-default keystore 
> from JKS to, say, PKCS12 without patching the
> org.apache.geronimo.security.keystore.FileKeystore* classes?
>
> That way of patching sources is suggested at GERONIMO-2015,
> and it works, but it's probably not the best idea. 
>
> I see the reasons of not making PKCS12 a default keystore type,
> but what about making it possible to change keystore type
> using config.xml, without source recompilation?
>
> I've browsed through the configuration options of geronimo-security
> gbean, and found no way for that. Should I provide a patch for
> that to be possible, would that be appropriate?
>
> Thank you!
>
> Vasily Zakharov
> Intel ESSD
>

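The thread turns on two practical points: a keystore's JCA type is just a string passed to KeyStore.getInstance(), so a keystoreType attribute is enough to open JKS, PKCS12, BKS, etc. with whatever provider the running JDK has; and not every provider can write an empty keystore of every type, which is why Vamsi's Step 2 wants to offer only types that can be stored empty. The following is an added example, not code from the thread or from Geronimo: it converts a keystore file from one type to another entry by entry with plain java.security APIs, and probes whether the target type can be persisted while empty before it commits to it. File names, passwords and the command-line shape are assumptions made for the example.

```java
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

/*
 * Added example (not Geronimo code): convert a keystore from one JCA type to
 * another, e.g. JKS -> PKCS12, using only java.security APIs. The file names,
 * passwords and argument layout are assumptions made for this example.
 */
public class KeystoreConvert {

    /* Probe the pitfall raised in the thread: some providers refuse to write
     * an empty keystore of a given type. Returns true if an empty keystore of
     * `type` can be serialised by this JDK's provider. */
    public static boolean canStoreEmpty(String type, char[] storePass) {
        try {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(null, null);                      // fresh, empty keystore
            ks.store(new ByteArrayOutputStream(), storePass);
            return true;
        } catch (GeneralSecurityException e) {
            return false;                             // provider rejected it
        } catch (IOException e) {
            return false;
        }
    }

    /* Copy every key entry and trusted-certificate entry of `src` into a new
     * in-memory keystore of type `dstType`. Key entries are re-protected with
     * the same key password they had in the source. */
    public static KeyStore convert(KeyStore src, String dstType, char[] keyPass)
            throws GeneralSecurityException, IOException {
        KeyStore dst = KeyStore.getInstance(dstType);
        dst.load(null, null);
        for (Enumeration<String> e = src.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (src.isKeyEntry(alias)) {
                Key key = src.getKey(alias, keyPass);
                Certificate[] chain = src.getCertificateChain(alias); // null for secret keys
                dst.setKeyEntry(alias, key, keyPass, chain);
            } else if (src.isCertificateEntry(alias)) {
                dst.setCertificateEntry(alias, src.getCertificate(alias));
            }
        }
        return dst;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 6) {
            System.err.println("usage: java KeystoreConvert <srcFile> <srcType> "
                    + "<dstFile> <dstType> <storePass> <keyPass>");
            System.exit(2);
        }
        String srcFile = args[0], srcType = args[1], dstFile = args[2], dstType = args[3];
        char[] storePass = args[4].toCharArray();
        char[] keyPass = args[5].toCharArray();

        KeyStore src = KeyStore.getInstance(srcType);
        InputStream in = new FileInputStream(srcFile);
        try {
            src.load(in, storePass);                  // also checks the store's integrity
        } finally {
            in.close();
        }

        // An empty source cannot be converted to a type the provider refuses to store empty.
        if (src.size() == 0 && !canStoreEmpty(dstType, storePass)) {
            System.err.println(dstType + " on this JDK cannot persist an empty keystore; "
                    + "add at least one entry before converting");
            System.exit(1);
        }

        KeyStore dst = convert(src, dstType, keyPass);
        OutputStream out = new FileOutputStream(dstFile);
        try {
            dst.store(out, storePass);
        } finally {
            out.close();
        }
        System.out.println("wrote " + dst.size() + " entries to " + dstFile
                + " (" + dstType + ")");
    }
}
```

Run it as `java KeystoreConvert geronimo-default JKS geronimo-default.p12 PKCS12 <storePass> <keyPass>` and then point the keystore gbean at the new file and type. Two caveats a practitioner should expect: the Sun PKCS12 implementation in JDKs older than 8 does not accept trusted-certificate entries, so setCertificateEntry() throws KeyStoreException there and the trust anchors would have to stay in a JKS file; and, as pitfall 1 in the thread says, a PKCS12 file written by one vendor's provider may fail to load() on another vendor's JDK, which surfaces as an IOException at startup rather than at conversion time. The same per-type canStoreEmpty() probe is what a portlet could use at runtime to decide which types to offer for "create new keystore", instead of hard-coding a list. On JDK 6 and later, `keytool -importkeystore -srckeystore ... -srcstoretype JKS -destkeystore ... -deststoretype PKCS12` performs the same conversion from the command line.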

