geronimo-user mailing list archives

From "Vamsavardhana Reddy" <c1vams...@gmail.com>
Subject Re: Geronimo, keystores and SSL
Date Fri, 05 Dec 2008 08:28:25 GMT
Hi Christian,

Once you create a new keystore, the keystore is not unlocked for
availability automatically.  After creating the keystore and private key,
you need to unlock the keystore for availability.  The unlocked state for
"availability" of the keystore is persistent. I assume that you are using
the Geronimo Jetty server.  Here are the steps I tried with Geronimo Jetty 2.1.3
and had no problem restarting the server.
1. Created a new keystore 'mykeystore'.
2. Created a private key 'mykey'.
3. Unlocked keystore 'mykeystore' and private key 'mykey' for availability.
4. Edited the HTTPS web connector to use 'mykeystore'.
5. Restarted the server.

6. Unlocked 'mykeystore' for editing.
7. Changed the password for 'mykey'.
8. Restarted the server.

The Geronimo Tomcat server does not use the keystore GBean for HTTPS and
directly accesses the keystore files.  Also, "the keystore password and
key password must be the same" is applicable to the Geronimo Tomcat server.

Can you tell me the exact version of Geronimo server and the steps you are
following that are resulting in the problem?


On Tue, Dec 2, 2008 at 5:48 AM, Christian Svensson <blue@cmd.nu> wrote:

> Hello!
>
> I've been trying for the better part of today to get keystores to
> automatically unlock on startup - with very limited success.
> Is there something that I should know about keystore password / key
> password? Digging around some old mailing list threads said something about
> the key password having to equal the keystore password - any more of those gotchas?
>
> The problem is that I create (or change password on geronimo-default for
> that matter) a new keystore, assign SSL to use the certificate and restart
> the server:
> org.apache.geronimo.management.geronimo.KeystoreIsLocked: Keystore
> 'plasma-ssl' is locked; please use the keystore page in the admin console to
> unlock it
>         at
> org.apache.geronimo.security.keystore.FileKeystoreManager.createSSLContext(FileKeystoreManager.java:343)
>         at
> org.apache.geronimo.jetty6.connector.GeronimoSelectChannelSSLListener.createSSLContext(GeronimoSelectChannelSSLListener.java:54)
>
>
> Resetting the SSL connector to using geronimo-default / geronimo with
> secret / secret as passwords makes it work again - but why on earth doesn't
> Geronimo unlock my keystores on startup? I mean, it saves the password (or
> something like it) in config.xml.
>
> Greetings,
> --
> Christian Svensson
> Command Systems
>



-- 
Vamsi
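The "keystore password and key password must be the same" condition above can be checked before pointing an HTTPS connector at a keystore. The following is an added example, not code from the thread or from Geronimo: it loads a keystore file given on the command line, prompts for the keystore password, and reports every key entry that cannot be recovered with that same password (the case in which the Tomcat connector, which opens the file directly, would fail). It assumes a JKS or PKCS12 keystore and a JDK with a console available.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

/** Added example: verify that key entries are recoverable with the keystore password. */
public class KeystorePasswordCheck {

    /**
     * Returns true when every key entry in the keystore at {@code path} can be
     * opened with {@code storePass}, i.e. when key password == keystore password.
     * Trusted-certificate entries have no password and are only listed.
     */
    public static boolean keyPasswordsMatch(String path, char[] storePass) throws Exception {
        // Default type (jks on Java 8, pkcs12 on Java 9+; the latter also reads JKS files).
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass); // throws if the keystore password itself is wrong
        }
        boolean allMatch = true;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println("trusted certificate entry: " + alias);
                continue;
            }
            try {
                ks.getKey(alias, storePass); // recovers the key only with its own password
                System.out.println("key entry " + alias + ": key password matches keystore password");
            } catch (UnrecoverableKeyException e) {
                System.out.println("key entry " + alias + ": key password DIFFERS from keystore password");
                allMatch = false;
            }
        }
        return allMatch;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage: java KeystorePasswordCheck <keystore-file>  (run from a terminal)");
            System.exit(2);
        }
        char[] storePass = console.readPassword("keystore password: ");
        boolean ok = keyPasswordsMatch(args[0], storePass);
        java.util.Arrays.fill(storePass, '\0'); // do not keep the password in memory longer than needed
        System.exit(ok ? 0 : 1);
    }
}
```

Exit status 0 means the keystore is usable by a connector that supplies one password for both the store and its keys; status 1 names the entries whose key password must be changed to match.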
