From: Vamsavardhana Reddy <c1vamsi1c@gmail.com>
To: dev@geronimo.apache.org
Date: Wed, 7 May 2008 00:06:51 +0530
Subject: Re: How to stop loading of default certificate
List: dev@geronimo.apache.org

Hi Jarek,

One reason for introducing the certKeystoreTypes is that the PKCS12 keystoreType in Sun JRE 5.0 does not allow storing of trusted certificates, whereas the one in IBM JRE 5.0 does allow storing of trusted certificates. Instead of letting the user figure it out, I thought it is better done before presenting a choice to the user.

Irrespective of this certKeystoreTypes member, we will have to prevent these special keystore type entries from making it into the supported keystore types, since "Windows-MY" and "Windows-ROOT" type keystores don't behave in the same way as other keystores.

++Vamsi

On Tue, May 6, 2008 at 11:37 PM, Jarek Gawor <jgawor@gmail.com> wrote:
I see. I guess we could ignore those two types of keystores but it's
not a foolproof solution. Same problem might happen on other OSes or
with other keystore types since there is no reliable way to determine
if the keystore supports storing of certificates or not. So I'm
wondering if it would be better to let the user make that
determination (that is, present the user with all keystore types and
let him/her choose the right one).

Jarek

On Tue, May 6, 2008 at 1:09 PM, Vamsavardhana Reddy <c1vamsi1c@gmail.com> wrote:
> Hi Jarek,
>
> The reason I introduced this certKeystoreTypes member is that I wanted to
> update (but have not done so!!) the keystores portlet to display whether a
> keystore can be used to store trusted certificate entries.  The problem
> seems to be that in Windows environment there are two special keystore types
> "Windows-MY" and "Windows-ROOT" which correspond to the windows private
> keystore and windows root certificate keystores.  We should be skipping
> these two keystore types as they don't exactly fit in with the other
> keystore types in terms of creating new key stores etc.
>
> ++Vamsi
>
>
>
> On Tue, May 6, 2008 at 1:10 AM, Jarek Gawor <jgawor@gmail.com> wrote:
> > Well, the problem is that the org.apache.geronimo.crypto.KeystoreUtil
> > (in static block) goes through all the KeyStore providers and tests if
> > they support storing a certificate. That test causes that window to be
> > displayed on Windows with Java 1.6. The KeystoreUtil keeps a list of
> > the providers which support storing a certificate in a public
> > certKeystoreTypes variable. However, I cannot find a single reference
> > to that variable in the entire Geronimo code.
> >
> > If there are no external references to that certKeystoreTypes variable
> > maybe we should just remove that piece of code altogether (that
> > particular test and the variable). If there are external references we
> > can either make it empty or set it to a list that contains all
> > KeyStore providers (since there is no easy way to figure out if the
> > KeyStore supports certificates or not and without causing other side
> > effects like on Windows, AFAIK).
> >
> > Thoughts?
> >
> > Jarek
> >
> >
> >
> >
> > On Mon, May 5, 2008 at 2:29 PM, Kevan Miller <kevan.miller@gmail.com> wrote:
> > > Seems like it's time to get this fixed :-)
> > >
> > >  --kevan
> > >
> > >
> > >
> > >  On May 5, 2008, at 8:25 AM, "Jarek Gawor" <jgawor@gmail.com> wrote:
> > >
> > >
> > > > Try with jetty assembly:
> > > https://issues.apache.org/jira/browse/GERONIMO-3864
> > > >
> > > > :)
> > > >
> > > > Jarek
> > > >
> > > > On Mon, May 5, 2008 at 9:18 AM, Ashwill, Steve (Facilities & Services)
> > > > <sashwill@uiuc.edu> wrote:
> > > >
> > > > > I haven't found it in the documentation, perhaps I'm just not
> > > > > looking in the right place.
> > > > >
> > > > > The message says:
> > > > > You are about to install a certificate from a certification
> > > > > authority (CA) claiming to represent:
> > > > >
> > > > > ME
> > > > >
> > > > > {text omitted}
> > > > >
> > > > >
> > > > > Do you want to install this certificate?
> > > > >
> > > > > Yes No
> > > > >
> > > > >
> > > > > I do not believe that anything has been modified concerning the
> > > > > keystores. This started as soon as I upgraded to "2.1". I start it
> > > > > as a service, but the same thing happens if I run from the command
> > > > > line as well with startup.bat.
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > Steven Ashwill
> > > > > Application Developer
> > > > > University of Illinois
> > > > > 1609 S. Oak St.   M/C 662
> > > > > Champaign, IL 61821
> > > > > (217) 265-6337
> > > > >
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: David Jencks [mailto:david_jencks@yahoo.com]
> > > > > Sent: Friday, May 02, 2008 12:44 PM
> > > > > To: user@geronimo.apache.org
> > > > > Subject: Re: How to stop loading of default certificate
> > > > >
> > > > > I've never seen this happen. Have you modified the geronimo
> > > > > keystore/truststore setup? How are you restarting geronimo? What
> > > > > does the popup look like? Is there a stack trace?
> > > > >
> > > > > This seems like something we should cover in the documentation...
> > > > >
> > > > > thanks
> > > > > david jencks
> > > > >
> > > > > On May 2, 2008, at 9:10 AM, Ashwill, Steve (Facilities & Services)
> > > > > wrote:
> > > > >
> > > > >
> > > > > > Can someone save me some research time and tell me how to stop
> > > > > > Geronimo from trying to load the default certificate. The pop up
> > > > > > boxes asking if I want to load it are causing a problem if I am
> > > > > > doing a remote restart because they appear on the console not on
> > > > > > the remote desktop connection.
> > > > > >
> > > > > > Thanks,
> > > > > > Steven Ashwill
> > > > > >
> > > > > >
> > > > > > Sorry for the duplicate message, but I thought I'd better get the
> > > > > > right subject line. Haste does indeed make waste.
> > > > > >

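The thread turns on how org.apache.geronimo.crypto.KeystoreUtil discovers which keystore types can hold trusted-certificate entries: it walks every KeyStore provider and tries to store a certificate, and on Windows that write lands in the OS certificate store and raises the "Do you want to install this certificate?" dialog Steve saw. The following is an added example written for this page, not Geronimo's own KeystoreUtil code. It lists every KeyStore type the installed providers register, probes each type by writing a certificate into an empty in-memory instance, and leaves the OS-backed "Windows-MY" and "Windows-ROOT" types untouched, reporting them as not probed so an administrator can decide about them by hand (the point Jarek raises: probing alone is not a reliable test). The class name KeystoreTypeSurvey, the OS_BACKED_TYPES set, the probe and listKeystoreTypes methods and the certificate-file argument are all assumptions of this example; the certificate is read from a file the operator supplies rather than embedded.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

// Added example (not Geronimo code): survey KeyStore types without touching OS stores.
public class KeystoreTypeSurvey {

    // Keystore types that are views onto the Windows certificate stores rather than
    // self-contained files (registered by the SunMSCAPI provider on Windows only).
    // Writing a certificate entry to Windows-ROOT hands it to the OS, which raises the
    // "install this CA certificate?" dialog, so these types are never probed here.
    static final Set<String> OS_BACKED_TYPES = new HashSet<String>(
            Arrays.asList("WINDOWS-MY", "WINDOWS-ROOT"));

    /** Outcome of probing one keystore type. */
    enum Support { STORES_CERTS, REJECTS_CERTS, NOT_PROBED }

    /** Maps every registered KeyStore type to the name of the provider that supplies it. */
    static Map<String, String> listKeystoreTypes() {
        Map<String, String> typeToProvider =
                new TreeMap<String, String>(String.CASE_INSENSITIVE_ORDER);
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("KeyStore".equals(s.getType())) {
                    typeToProvider.put(s.getAlgorithm(), p.getName());
                }
            }
        }
        return typeToProvider;
    }

    /**
     * Tests whether a keystore type accepts a trusted-certificate entry by writing one
     * into a fresh, empty, in-memory instance. Nothing is read from or written to disk.
     * OS-backed types are skipped without being instantiated.
     */
    static Support probe(String type, Certificate cert) {
        if (OS_BACKED_TYPES.contains(type.toUpperCase())) {
            return Support.NOT_PROBED;
        }
        try {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(null, null);                       // empty keystore, no backing file
            ks.setCertificateEntry("probe", cert);     // the operation KeystoreUtil relies on
            return ks.isCertificateEntry("probe") ? Support.STORES_CERTS : Support.REJECTS_CERTS;
        } catch (Exception e) {
            // KeyStoreException from setCertificateEntry (a PKCS12 implementation with no
            // trusted-certificate entries, for instance) or a type that cannot be loaded
            // without a hardware token or file; either way it is unusable for this purpose.
            return Support.REJECTS_CERTS;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java KeystoreTypeSurvey <certificate.pem|.der>");
            System.exit(2);
        }
        Certificate cert;
        InputStream in = new FileInputStream(args[0]);   // any X.509 certificate, e.g. a self-signed test cert
        try {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        } finally {
            in.close();
        }
        for (Map.Entry<String, String> e : listKeystoreTypes().entrySet()) {
            String type = e.getKey();
            System.out.printf("%-14s %-12s %s%n", type, e.getValue(), probe(type, cert));
        }
    }
}
```

Run it as `java KeystoreTypeSurvey test-cert.pem`; each line shows the keystore type, its provider and whether an in-memory instance accepted the certificate. The deny-list is deliberately narrow: it names only the two types the thread identifies as OS-backed, and every other type is reported rather than silently dropped, so a type that fails the probe on one JRE (Sun's PKCS12 in JRE 5.0) but passes on another (IBM's) is visible to whoever makes the final choice.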