geronimo-dev mailing list archives

From Donald Woods <dwo...@apache.org>
Subject Re: How to change KeyStore type?
Date Tue, 29 Jan 2008 21:45:11 GMT
Sounds like the change should only be made in 2.1, as this is a new 
"feature".

-Donald

Vamsavardhana Reddy wrote:
> Here is an essence of the fix that went in to trunk (2.1):
> o Allow creation of all possible keystore types supported. Keystore type 
> is no longer restricted to JKS.
> o Added a type parameter to create keystore methods.
> o Keystores portlet will now allow creating and managing all types of 
> keystores.
> o This revision will simplify the configuration changes required to run 
> G on a JVM that does not support JKS keystores (e.g., Harmony).
> o Allow selecting any keystore type supported by the JVM in Tomcat HTTPS 
> Connector pages.
> 
> As this "feature" required some interface changes, e.g. 
> KeystoreManager, KeystoreInstance etc., I would like to hear from others 
> on considering this for branches\2.0 as it may break compatibility.
> 
> ++Vamsi
> 
> 
> 
> On Jan 21, 2008 11:21 PM, Zakharov, Vasily M 
> <vasily.m.zakharov@intel.com> wrote:
> 
>     Vamsi,
> 
>     Thanks for the detailed analysis. The problem indeed looks non-trivial.
> 
>     Step 1. This looks pretty simple, and I'm now creating a patch for
>     that. This change seems very important to me, how about getting it
>     to v2.0.3/2.1?
> 
>     Step 2. This change also seems very important, but less critical
>     than the first one, and it requires essential interface changes, so
>     I tend to agree it certainly should wait till 2.1 or later.
> 
>     As of pitfalls, they seem unavoidable. Sure we want compatibility,
>     but any compatibility has its limits. I suppose that changing JDK
>     under a particular running installation of Geronimo is not a feature
>     in great demand, and in a rare case when such a change would be
>     necessary, a keystore conversion could be done manually (e.g.
>     JKS<->PKCS12 conversion can be done in Sun, PKCS12<->BKS conversion
>     can be done in Harmony etc.)
> 
>     Vasily
> 
>     ------------------------------------------------------------------------
> 
>     *From:* Vamsavardhana Reddy [mailto:c1vamsi1c@gmail.com]
>     *Sent:* Monday, January 21, 2008 8:23 PM
> 
>     *To:* dev@geronimo.apache.org
>     *Subject:* Re: How to change KeyStore type?
> 
>     Providing a keystoreType attribute does not seem to be a big deal. 
>     But, if the Keystores portlet has to allow creating all types of
>     keystores, it gets really messy.  Here is one more observation.
>         *IBMJDK does not allow storing an empty PKCS12 keystore to disk.*
> 
>     This prevents creating an empty PKCS12 keystore and then adding
>     whichever keys and certificates the user wants to.
> 
>     Here is the approach I want to take.
>     Step 1.  Provide a keystoreType attribute in FileKeystoreInstance.
>     Step 2.  Update KeyStores portlet to allow creation of all keystore
>     types that the JDK allows to store an empty keystore to disk.
> 
>     Step 1 will allow the users to replace a keystore file of one type
>     with that of another type,  change the keystoreType in config.xml
>     and get the server running.
>     Step 2 will allow users to manage all keystore types using Keystores
>     portlet and there is no hard-coding of any keystoreType except for
>     geronimo-default keystore which is JKS.
> 
>     Now to some pitfalls.
>     1. If a keystore type other than JKS is in use, the user may not be
>     able to switch JDKs for reasons like PKCS12 keystores created using
>     IBMJDK are not readable using SUNJDK.
>     2. Though IBMJDK does not allow creating an empty PKCS12 (and a few
>     other types) keystore as a starting point for managing a PKCS12
>     keystore, the users can always add a PKCS12 keystore to
>     var/security/keystores and the gbean definition to config.xml.  This
>     will make the keystore manageable through KeyStores portlet as long
>     as the keystore is not empty.
> 
>     This will require a change in
>     org.apache.geronimo.management.geronimo.KeystoreManager interface,
>     etc.  I doubt if we can consider this change for branches\2.0.
> 
>     Comments?
> 
>     ++Vamsi
> 
>     On Jan 18, 2008 1:37 AM, Zakharov, Vasily M
>     <vasily.m.zakharov@intel.com> wrote:
> 
> 
>     Yes, sure, I fully agree.
> 
>     I've filed GERONIMO-3757 for this issue and now thinking of the patch to
>     the trunk that would provide the necessary customization - unless any
>     objections arise.
> 
>     As of GERONIMO-2015, I think we may close it, as there're objective
>     reasons (stated there by Vamsavardhana Reddy) to not move from JKS on
>     Sun.
> 
>     Vasily
> 
> 
> 
>     -----Original Message-----
>     From: Alexey Petrenko [mailto:alexey.a.petrenko@gmail.com]
>     Sent: Wednesday, January 16, 2008 1:37 PM
>     To: dev@geronimo.apache.org
>     Subject: Re: How to change KeyStore type?
> 
>     I think we should add PKCS12 to Geronimo.
>     If we are afraid of possible incompatibilities and incomplete support of JKS
>     or PKCS12, why not let the user choose which keystore to use?
>     We can specify the keystore in configs or choose the type from those available on
>     the current VM.
> 
>     SY, Alexey
> 
>     2008/1/15, Zakharov, Vasily M <vasily.m.zakharov@intel.com>:
>     >  Hi, all,
>     >
>     >  Is there a way to change the geronimo-default keystore
>     >  from JKS to, say, PKCS12 without patching the
>     >  org.apache.geronimo.security.keystore.FileKeystore* classes?
>     >
>     >  That way of patching sources is suggested at GERONIMO-2015,
>     >  and it works, but it's probably not the best idea.
>     >
>     >  I see the reasons of not making PKCS12 a default keystore type,
>     >  but what about making it possible to change keystore type
>     >  using config.xml, without source recompilation?
>     >
>     >  I've browsed through the configuration options of the geronimo-security
>     >  gbean, and found no way for that. Should I provide a patch for
>     >  that to be possible, would that be appropriate?
>     >
>     >  Thank you!
>     >
>     >  Vasily Zakharov
>     >  Intel ESSD
>     >
> 

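The thread's Step 2 hinges on which keystore types the running JDK will let you create empty and write to disk (the IBMJDK PKCS12 observation above). The following probe is an added example, not Geronimo code: it takes the type as a parameter instead of hard-coding "JKS", asks the JVM which `KeyStore` types it advertises, and reports for each whether an empty store can be initialised and serialised. The class and method names and the sample password are assumptions made for the example.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Security;
import java.util.Map;
import java.util.TreeMap;

/** Added example (not part of Geronimo): probe KeyStore types of the running JVM. */
public class KeystoreTypeProbe {

    public enum Result { OK, NO_PROVIDER, EMPTY_STORE_REJECTED }

    /**
     * Tries to create an empty keystore of the given type and store it.
     * Storing goes to memory, so nothing is written to disk during the probe.
     */
    public static Result probe(String keystoreType, char[] password) {
        KeyStore ks;
        try {
            // Parameterised instead of the hard-coded "JKS" the thread discusses.
            ks = KeyStore.getInstance(keystoreType);
        } catch (KeyStoreException e) {
            return Result.NO_PROVIDER;          // no provider offers this type
        }
        try {
            ks.load(null, password);            // null stream = fresh, empty keystore
            ks.store(new ByteArrayOutputStream(), password);
            return Result.OK;
        } catch (GeneralSecurityException | IOException e) {
            // Some providers refuse to initialise or serialise an empty store.
            return Result.EMPTY_STORE_REJECTED;
        }
    }

    /** Probes every type the JVM's providers register under "KeyStore". */
    public static Map<String, Result> probeAll(char[] password) {
        Map<String, Result> results = new TreeMap<>();
        for (String type : Security.getAlgorithms("KeyStore")) {
            results.put(type, probe(type, password));
        }
        return results;
    }

    public static void main(String[] args) {
        char[] pw = "changeit".toCharArray();   // constructed sample password
        probeAll(pw).forEach((t, r) -> System.out.printf("%-12s %s%n", t, r));
    }
}
```

Run it once under each JDK a Geronimo installation is expected to move between; only types reported OK everywhere are safe choices for a portlet that starts from an empty keystore.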