zookeeper-user mailing list archives

From Martin Gainty <mgai...@hotmail.com>
Subject RE: [jira] [Updated] (ZOOKEEPER-2428) IbmX509 KeyManager and TrustManager algorithm not supported
Date Sat, 14 May 2016 13:22:17 GMT
X509 support is a key security feature for banks and financial institutions that should be
addressed ASAP.

Please recreate the JIRA issue in the zookeeper project at https://issues.apache.org
Please cc Patrick and myself on the issue.
Please keep a local copy of the bug on your local hard drive.
Thanks!
Martin

> From: phunt@apache.org
> Date: Fri, 13 May 2016 21:46:42 -0700
> Subject: Re: [jira] [Updated] (ZOOKEEPER-2428) IbmX509 KeyManager and TrustManager algorithm not supported
> To: user@zookeeper.apache.org
> 
> Hi Saurabh. I don't see that jira either, although I do see the email to
> our list when you created it. I don't see any email about it being
> deleted/moved/etc...
> 
> The Apache infra team has been dealing with a massive JIRA spam attack over
> the past few days (not the first time). I'm not sure but it could be that
> some of the counter-measures and/or cleanup implemented by the infra team
> to address the spam may have caused your jira to go missing. Did you create
> your JIRA user account recently? Regardless, I recommend you recreate your
> jira - sorry for the trouble!
> 
> Regards,
> 
> Patrick
> 
> On Fri, May 13, 2016 at 5:12 PM, saurabh jain <sauravmanit@gmail.com> wrote:
> 
> > Hello everyone,
> >
> > Two days back I created a jira for an issue which we are facing in our
> > application while using zookeeper.
> >
> > Jira no is - 2428, https://issues.apache.org/jira/browse/ZOOKEEPER-2428
> >
> > But right now when I am trying to see this jira, it is saying it doesn't
> > exist.
> >
> > Is it removed or moved somewhere else?
> >
> > Please advise.
> >
> > Thanks,
> > Saurabh
> >
> > ---------- Forwarded message ----------
> > From: Timothy Fanelli (JIRA) <jira@apache.org>
> > Date: Wed, May 11, 2016 at 3:35 PM
> > Subject: [jira] [Updated] (ZOOKEEPER-2428) IbmX509 KeyManager and TrustManager algorithm not supported
> > To: sauravmanit@gmail.com
> >
> > [ https://issues.apache.org/jira/browse/ZOOKEEPER-2428?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
> >
> > Timothy Fanelli updated ZOOKEEPER-2428:
> > ---------------------------------------
> >     Description:
> > When connecting from a zookeeper client running in IBM WebSphere
> > Application Server version 8.5.5, with SSL configured in ZooKeeper, the
> > below mentioned exception is observed.
> >
> > org.jboss.netty.channel.ChannelPipelineException: Failed to initialize a pipeline.
> >       at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:208)
> >       at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:182)
> >       at org.apache.zookeeper.ClientCnxnSocketNetty.connect(ClientCnxnSocketNetty.java:112)
> >       at org.apache.zookeeper.ClientCnxn$SendThread.startConnect(ClientCnxn.java:1130)
> >       at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1158)
> > Caused by: org.apache.zookeeper.common.X509Exception$SSLContextException: Failed to create KeyManager
> >       at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:75)
> >       at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initSSL(ClientCnxnSocketNetty.java:358)
> >       at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.getPipeline(ClientCnxnSocketNetty.java:348)
> >       at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:206)
> >       ... 4 more
> > Caused by: org.apache.zookeeper.common.X509Exception$KeyManagerException: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
> >       at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:129)
> >       at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:73)
> >       ... 7 more
> > Caused by: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
> >       at sun.security.jca.GetInstance.getInstance(GetInstance.java:172)
> >       at javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:9)
> >       at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:118)
> >
> > Reason: IBM WebSphere uses its own JRE and supports only the IbmX509
> > keymanager algorithm, which is causing an exception when trying to get a
> > key manager instance using SunX509, which is not supported.
> > Currently the KeyManager algorithm name (SunX509) is hardcoded in the class
> > X509Util.java.
> >
> > Possible fix: Instead of having the algorithm name hardcoded to SunX509 we can
> > fall back to the default algorithm supported by the underlying JRE.
> >
> > Instead of having this -
> > KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
> > TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
> >
> > can we have?
> > KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
> >
> > TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
> >
> >   was:
> > When connecting from a zookeeper client running on websphere version 8.5.5
> > in SSL mode below mentioned exception is observed.
> >
> > org.jboss.netty.channel.ChannelPipelineException: Failed to initialize a pipeline.
> >       at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:208)
> >       at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:182)
> >       at org.apache.zookeeper.ClientCnxnSocketNetty.connect(ClientCnxnSocketNetty.java:112)
> >       at org.apache.zookeeper.ClientCnxn$SendThread.startConnect(ClientCnxn.java:1130)
> >       at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1158)
> > Caused by: org.apache.zookeeper.common.X509Exception$SSLContextException: Failed to create KeyManager
> >       at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:75)
> >       at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initSSL(ClientCnxnSocketNetty.java:358)
> >       at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.getPipeline(ClientCnxnSocketNetty.java:348)
> >       at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:206)
> >       ... 4 more
> > Caused by: org.apache.zookeeper.common.X509Exception$KeyManagerException: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
> >       at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:129)
> >       at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:73)
> >       ... 7 more
> > Caused by: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
> >       at sun.security.jca.GetInstance.getInstance(GetInstance.java:172)
> >       at javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:9)
> >       at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:118)
> >
> > Reason: IBM WebSphere uses its own JRE and supports only the IbmX509
> > keymanager algorithm, which is causing an exception when trying to get a
> > key manager instance using SunX509, which is not supported.
> > Currently the KeyManager algorithm name (SunX509) is hardcoded in the class
> > X509Util.java.
> >
> > Possible fix: Instead of having the algorithm name hardcoded to SunX509 we can
> > fall back to the default algorithm supported by the underlying JRE.
> >
> > Instead of having this -
> > KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
> > TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
> >
> > can we have?
> > KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
> >
> > TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
> >
> >
> > > IbmX509 KeyManager and TrustManager algorithm not supported
> > > -----------------------------------------------------------
> > >
> > >                 Key: ZOOKEEPER-2428
> > >                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2428
> > >             Project: ZooKeeper
> > >          Issue Type: Bug
> > >          Components: security
> > >    Affects Versions: 3.5.1
> > >            Reporter: Saurabh Jain
> > >            Priority: Minor
> > >
> > > When connecting from a zookeeper client running in IBM WebSphere
> > > Application Server version 8.5.5, with SSL configured in ZooKeeper, the
> > > below mentioned exception is observed.
> > > org.jboss.netty.channel.ChannelPipelineException: Failed to initialize a pipeline.
> > >       at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:208)
> > >       at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:182)
> > >       at org.apache.zookeeper.ClientCnxnSocketNetty.connect(ClientCnxnSocketNetty.java:112)
> > >       at org.apache.zookeeper.ClientCnxn$SendThread.startConnect(ClientCnxn.java:1130)
> > >       at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1158)
> > > Caused by: org.apache.zookeeper.common.X509Exception$SSLContextException: Failed to create KeyManager
> > >       at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:75)
> > >       at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initSSL(ClientCnxnSocketNetty.java:358)
> > >       at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.getPipeline(ClientCnxnSocketNetty.java:348)
> > >       at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:206)
> > >       ... 4 more
> > > Caused by: org.apache.zookeeper.common.X509Exception$KeyManagerException: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
> > >       at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:129)
> > >       at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:73)
> > >       ... 7 more
> > > Caused by: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
> > >       at sun.security.jca.GetInstance.getInstance(GetInstance.java:172)
> > >       at javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:9)
> > >       at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:118)
> > > Reason: IBM WebSphere uses its own JRE and supports only the IbmX509
> > > keymanager algorithm, which is causing an exception when trying to get a
> > > key manager instance using SunX509, which is not supported.
> > > Currently the KeyManager algorithm name (SunX509) is hardcoded in the class
> > > X509Util.java.
> > > Possible fix: Instead of having the algorithm name hardcoded to SunX509 we
> > > can fall back to the default algorithm supported by the underlying JRE.
> > > Instead of having this -
> > > KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
> > > TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
> > > can we have?
> > > KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
> > > TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
> >
> >
> >
> > --
> > This message was sent by Atlassian JIRA
> > (v6.3.4#6332)
> >
 		 	   		  