geronimo-dev mailing list archives

From "Vamsavardhana Reddy" <c1vams...@gmail.com>
Subject Re: How to stop loading of default certificate
Date Tue, 06 May 2008 18:36:51 GMT
Hi Jarek,

One reason for introducing the certKeystoreTypes is that the PKCS12
keystoreType in Sun JRE 5.0 does not allow storing of trusted certificates
whereas the one in IBM JRE 5.0 does allow storing of trusted certificates.
Instead of letting the user figure it out, I thought it is better done
before presenting a choice to the user.

Irrespective of this certKeystoreTypes member, we will have to prevent these
special keystore type entries from making it into the supported keystore types
since "Windows-MY" and "Windows-ROOT" type keystores don't behave in the
same way as other keystores.

++Vamsi

On Tue, May 6, 2008 at 11:37 PM, Jarek Gawor <jgawor@gmail.com> wrote:

> I see. I guess we could ignore those two types of keystores but it's
> not a foolproof solution. Same problem might happen on other OSes or
> with other keystore types since there is no reliable way to determine
> if the keystore supports storing of certificates or not. So I'm
> wondering if it would be better to let the user make that
> determination (that is, present the user with all keystore types and
> let him/her choose the right one).
>
> Jarek
>
> On Tue, May 6, 2008 at 1:09 PM, Vamsavardhana Reddy <c1vamsi1c@gmail.com> wrote:
> > Hi Jarek,
> >
> > The reason I introduced this certKeystoreTypes member is that I wanted to
> > update (but have not done so!!) the keystores portlet to display whether a
> > keystore can be used to store trusted certificate entries.  The problem
> > seems to be that in Windows environment there are two special keystore types
> > "Windows-MY" and "Windows-ROOT" which correspond to the windows private
> > keystore and windows root certificate keystores.  We should be skipping
> > these two keystore types as they don't exactly fit in with the other
> > keystore types in terms of creating new key stores etc.
> >
> > ++Vamsi
> >
> >
> >
> > On Tue, May 6, 2008 at 1:10 AM, Jarek Gawor <jgawor@gmail.com> wrote:
> > > Well, the problem is that the org.apache.geronimo.crypto.KeystoreUtil
> > > (in static block) goes through all the KeyStore providers and tests if
> > > they support storing a certificate. That test causes that window to be
> > > displayed on Windows with Java 1.6. The KeystoreUtil keeps a list of
> > > the providers which support storing a certificate in a public
> > > certKeystoreTypes variable. However, I cannot find a single reference
> > > to that variable in the entire Geronimo code.
> > >
> > > If there are no external references to that certKeystoreTypes variable
> > > maybe we should just remove that piece of code altogether (that
> > > particular test and the variable). If there are external references we
> > > can either make it empty or set it to a list that contains all
> > > KeyStore providers (since there is no easy way to figure out if the
> > > KeyStore supports certificates or not and without causing other side
> > > effects like on Windows, AFAIK).
> > >
> > > Thoughts?
> > >
> > > Jarek
> > >
> > >
> > >
> > >
> > > On Mon, May 5, 2008 at 2:29 PM, Kevan Miller <kevan.miller@gmail.com> wrote:
> > > > Seems like it's time to get this fixed :-)
> > > >
> > > >  --kevan
> > > >
> > > >
> > > >
> > > >  On May 5, 2008, at 8:25 AM, "Jarek Gawor" <jgawor@gmail.com> wrote:
> > > >
> > > >
> > > > > Try with jetty assembly: https://issues.apache.org/jira/browse/GERONIMO-3864
> > > > >
> > > > > :)
> > > > >
> > > > > Jarek
> > > > >
> > > > > On Mon, May 5, 2008 at 9:18 AM, Ashwill, Steve (Facilities & Services)
> > > > > <sashwill@uiuc.edu> wrote:
> > > > >
> > > > > > I haven't found it in the documentation, perhaps I'm just not looking
> > > > > > in the right place.
> > > > > >
> > > > > > The message says:
> > > > > > You are about to install a certificate from a certification authority
> > > > > > (CA) claiming to represent:
> > > > > >
> > > > > > ME
> > > > > >
> > > > > > {text omitted}
> > > > > >
> > > > > >
> > > > > > Do you want to install this certificate?
> > > > > >
> > > > > > Yes No
> > > > > >
> > > > > >
> > > > > > I do not believe that anything has been modified concerning the
> > > > > > keystores.  This started as soon as I upgraded to "2.1". I start it as a
> > > > > > service, but the same thing happens if I run from the command line as
> > > > > > well with startup.bat.
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > Steven Ashwill
> > > > > > Application Developer
> > > > > > University of Illinois
> > > > > > 1609 S. Oak St.   M/C 662
> > > > > > Champaign, IL 61821
> > > > > > (217) 265-6337
> > > > > >
> > > > > >
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: David Jencks [mailto:david_jencks@yahoo.com]
> > > > > > Sent: Friday, May 02, 2008 12:44 PM
> > > > > > To: user@geronimo.apache.org
> > > > > > Subject: Re: How to stop loading of default certificate
> > > > > >
> > > > > > I've never seen this happen.  Have you modified the geronimo keystore/
> > > > > > truststore setup?  How are you restarting geronimo?  What does the popup
> > > > > > look like?  Is there a stack trace?
> > > > > >
> > > > > > This seems like something we should cover in the documentation...
> > > > > >
> > > > > > thanks
> > > > > > david jencks
> > > > > >
> > > > > > On May 2, 2008, at 9:10 AM, Ashwill, Steve (Facilities & Services)
> > > > > > wrote:
> > > > > >
> > > > > > > Can someone save me some research time and tell me how to stop
> > > > > > > Geronimo from trying to load the default certificate. The pop up boxes
> > > > > > > asking if I want to load it are causing a problem if I am doing a
> > > > > > > remote restart because they appear on the console not on the remote
> > > > > > > desktop connection.
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Steven Ashwill
> > > > > > >
> > > > > > >
> > > > > > > Sorry for the duplicate message, but I thought I'd better get the right
> > > > > > > subject line. Haste does indeed make waste.
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> >
>
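
An added example, not part of the thread and not Geronimo's KeystoreUtil code: one way to build the list of selectable keystore types while skipping "Windows-MY" and "Windows-ROOT" by name, so no certificate is ever written to an OS-backed store as a capability test. The class and method names are hypothetical, and the check used here only confirms that an empty in-memory store of the type can be created; it does not determine whether the type can hold trusted certificate entries.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.TreeSet;

public class KeystoreTypeFilter {
    // OS-backed stores named in the thread. They are excluded by name,
    // before any instance is created, so nothing is ever written to them.
    private static final Set<String> EXCLUDED =
            new HashSet<>(Arrays.asList("WINDOWS-MY", "WINDOWS-ROOT"));

    /** Keystore types registered with the JRE, minus the excluded ones. */
    public static Set<String> supportedTypes() {
        Set<String> types = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        for (Provider provider : Security.getProviders()) {
            for (Provider.Service service : provider.getServices()) {
                if (!"KeyStore".equals(service.getType())) continue;
                String type = service.getAlgorithm();
                if (EXCLUDED.contains(type.toUpperCase(Locale.ROOT))) continue;
                if (canCreateEmpty(type)) types.add(type);
            }
        }
        return types;
    }

    /** Read-only check: instantiate and initialise an empty in-memory store. */
    private static boolean canCreateEmpty(String type) {
        try {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(null, null);   // no stream: start from an empty store
            return ks.size() == 0; // a non-empty result means it is backed by an existing store
        } catch (Exception e) {
            return false;          // e.g. token-backed types with no device configured
        }
    }

    public static void main(String[] args) {
        System.out.println("Selectable keystore types: " + supportedTypes());
    }
}
```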
