geronimo-dev mailing list archives

From "Zakharov, Vasily M" <>
Subject RE: How to change KeyStore type?
Date Mon, 28 Jan 2008 15:22:29 GMT


Thanks a lot for the patch!

I'm voting for getting the change into the nearest release, as it allows
Geronimo to run on Harmony and maybe other VMs - the current release can't
do that, and adding this feature is a good bonus to Geronimo's flexibility
and compatibility.

From: Vamsavardhana Reddy [] 
Sent: Monday, January 28, 2008 4:23 PM
Subject: Re: How to change KeyStore type?


Here is the essence of the fix that went into trunk (2.1):

o Allow creation of all possible keystore types supported. Keystore type
is no longer restricted to JKS.
o Added a type parameter to create keystore methods.
o Keystores portlet will now allow creating and managing all types of
o This revision will simplify the configuration changes required to run
G on a JVM that does not support JKS keystores (e.g., Harmony).
o Allow selecting any keystore type supported by the JVM in Tomcat HTTPS
Connector pages.

As this "feature" required some interface changes, e.g. to
KeystoreManager, KeystoreInstance etc., I would like to hear from others
on considering this for branches\2.0 as it may break compatibility.



On Jan 21, 2008 11:21 PM, Zakharov, Vasily M <> wrote:

Thanks for the detailed analysis. The problem indeed looks non-trivial.

Step 1. This looks pretty simple, and I'm now creating a patch for that.
This change seems very important to me; how about getting it to

Step 2. This change also seems very important, but less critical than
the first one, and it requires essential interface changes, so I tend to
agree it certainly should wait till 2.1 or later.

As for pitfalls, they seem unavoidable. Sure, we want compatibility, but
any compatibility has its limits. I suppose that changing the JDK under a
particular running installation of Geronimo is not a feature in great
demand, and in the rare case when such a change would be necessary, a
keystore conversion could be done manually (e.g. JKS<->PKCS12 conversion
can be done in Sun, PKCS12<->BKS conversion can be done in Harmony etc.)





From: Vamsavardhana Reddy []
Sent: Monday, January 21, 2008 8:23 PM
Subject: Re: How to change KeyStore type?


Providing a keystoreType attribute does not seem to be a big deal. But,
if the Keystores portlet has to allow creating all types of keystores,
it gets really messy. Here is one more observation.
    IBMJDK does not allow storing an empty PKCS12 keystore to disk.

This prevents creating an empty PKCS12 keystore and then adding whichever
keys and certificates the user wants to.

Here is the approach I want to take.
Step 1. Provide a keystoreType attribute in FileKeystoreInstance.
Step 2. Update KeyStores portlet to allow creation of all keystore
types that the JDK allows to store an empty keystore to disk.

Step 1 will allow the users to replace a keystore file of one type with
that of another type, change the keystoreType in config.xml and get the
server running.
Step 2 will allow users to manage all keystore types using the Keystores
portlet, and there is no hard-coding of any keystoreType except for the
geronimo-default keystore, which is JKS.

Now to some pitfalls.
1. If a keystore type other than JKS is in use, the user may not be able
to switch JDKs for reasons like: PKCS12 keystores created using IBMJDK
are not readable using SUNJDK.
2. Though IBMJDK does not allow creating an empty PKCS12 (and a few
other types) keystore as a starting point for managing a PKCS12
keystore, the users can always add a PKCS12 keystore to
var/security/keystores and the gbean definition to config.xml. This
will make the keystore manageable through the KeyStores portlet as long as
the keystore is not empty.

This will require a change in interface, etc.
I doubt if we can consider this change for branches\2.0.



On Jan 18, 2008 1:37 AM, Zakharov, Vasily M <> wrote:

Yes, sure, I fully agree.

I've filed GERONIMO-3757 for this issue and am now thinking of the patch to
the trunk that would provide the necessary customization - unless any
objections arise.

As for GERONIMO-2015, I think we may close it, as there are objective
reasons (stated there by Vamsavardhana Reddy) to not move from JKS on

-----Original Message-----
From: Alexey Petrenko [mailto:]
Sent: Wednesday, January 16, 2008 1:37 PM
Subject: Re: How to change KeyStore type? 

I think we should add PKCS12 to Geronimo.
If we are afraid of possible incompatibilities and incomplete support of JKS
or PKCS12, why not let the user choose which keystore to use?
We can specify the keystore in configs or choose the type from those available on
the current VM.

SY, Alexey

2008/1/15, Zakharov, Vasily M <>:
> Hi, all,
> Is there a way to change the geronimo-default keystore
> from JKS to, say, PKCS12 without patching the
>* classes?
> That way of patching sources is suggested at GERONIMO-2015,
> and it works, but it's probably not the best idea.
> I see the reasons for not making PKCS12 the default keystore type,
> but what about making it possible to change the keystore type
> using config.xml, without source recompilation?
> I've browsed through the configuration options of the geronimo-security
> gbean and found no way to do that. Should I provide a patch to make
> that possible? Would that be appropriate?
> Thank you!
> Vasily Zakharov
> Intel ESSD
> ---

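Editor's note: the thread touches two practical questions that a worked example makes concrete: which KeyStore types the running JVM will let you create empty and write out (Vamsavardhana's Step 2 criterion, and the observation that IBMJDK refuses to store an empty PKCS12), and how the manual JKS<->PKCS12 conversion Vasily mentions is done in code. The class below is an added example written for this page; it is not Geronimo code and not code posted by any participant. Class and method names are the editor's own, it assumes the same password is used for the store and for its key entries, and the "probe" password is an arbitrary constant because an empty keystore protects nothing.

```java
import java.io.ByteArrayOutputStream;
import java.io.Console;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.Map;
import java.util.TreeMap;

/**
 * Editor's example, not Geronimo code. Two helpers for the thread above:
 *  - probeEmptyStorable(): which KeyStore types of this JVM can be created
 *    empty and written out (the criterion proposed for the Keystores portlet);
 *  - convert(): copy all entries of one keystore into a new keystore of
 *    another type (the manual JKS<->PKCS12 conversion mentioned above).
 */
public class KeystoreTypeProbe {

    /**
     * For every KeyStore type registered with the installed providers, try to
     * create an empty keystore and store it to an in-memory buffer. Returns
     * type -> "ok (N bytes)" or type -> the exception that stopped it.
     */
    public static Map<String, String> probeEmptyStorable(char[] password) {
        Map<String, String> result = new TreeMap<String, String>();
        for (String type : Security.getAlgorithms("KeyStore")) {
            try {
                KeyStore ks = KeyStore.getInstance(type);
                ks.load(null, null);                 // initialise an empty keystore
                ByteArrayOutputStream buf = new ByteArrayOutputStream();
                ks.store(buf, password);             // this is the step some JDKs refuse for PKCS12
                result.put(type, "ok (" + buf.size() + " bytes)");
            } catch (Exception e) {
                result.put(type, "cannot store empty: " + e);
            }
        }
        return result;
    }

    /**
     * Copy every key and trusted-certificate entry of src into a new keystore
     * of dstType. Entries the destination type cannot hold (for example a
     * secret key in JKS, or a trusted certificate in PKCS12 on JDKs that do
     * not support that) are reported and skipped instead of aborting the
     * whole conversion, so the caller can see exactly what was lost.
     */
    public static KeyStore convert(KeyStore src, char[] keyPass, String dstType)
            throws Exception {
        KeyStore dst = KeyStore.getInstance(dstType);
        dst.load(null, null);
        Enumeration<String> aliases = src.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            try {
                if (src.isKeyEntry(alias)) {
                    Key key = src.getKey(alias, keyPass);
                    Certificate[] chain = src.getCertificateChain(alias); // null for secret keys
                    dst.setKeyEntry(alias, key, keyPass, chain);
                } else if (src.isCertificateEntry(alias)) {
                    dst.setCertificateEntry(alias, src.getCertificate(alias));
                }
            } catch (Exception e) {
                System.err.println("skipping entry '" + alias + "': " + e);
            }
        }
        return dst;
    }

    /** Usage: java KeystoreTypeProbe [srcFile srcType dstFile dstType] */
    public static void main(String[] args) throws Exception {
        // Any password works for the empty-store probe: there is nothing to protect yet.
        char[] probePass = "probe".toCharArray();
        for (Map.Entry<String, String> e : probeEmptyStorable(probePass).entrySet()) {
            System.out.println(e.getKey() + ": " + e.getValue());
        }
        if (args.length != 4) {
            return;                                  // probe only
        }
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("no console to read the keystore password from");
        }
        // Assumption of this example: store password and key password are the same.
        char[] pass = console.readPassword("keystore password (also used for key entries): ");
        KeyStore src = KeyStore.getInstance(args[1]);
        InputStream in = new FileInputStream(args[0]);
        try { src.load(in, pass); } finally { in.close(); }
        KeyStore dst = convert(src, pass, args[3]);
        OutputStream out = new FileOutputStream(args[2]);
        try { dst.store(out, pass); } finally { out.close(); }
        System.out.println("wrote " + dst.size() + " entries to " + args[2] + " as " + args[3]);
    }
}
```

Running the class with no arguments prints, for each KeyStore type the current JVM's providers register, whether an empty instance can be written out; the types reported as "ok" are exactly the ones a portlet could offer for "create new keystore" under the Step 2 criterion, and running it on each JDK a deployment must support shows where the sets differ. With four arguments it copies a keystore from one type to another, which is the manual conversion the thread suggests for switching JDKs; check the skipped-entry messages on stderr before replacing the file, since an entry the destination type cannot hold is silently absent otherwise.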