From: saurabh jain
To: user@zookeeper.apache.org
Date: Fri, 13 May 2016 20:12:29 -0400
Subject: Fwd: [jira] [Updated] (ZOOKEEPER-2428) IbmX509 KeyManager and TrustManager algorithm not supported

Hello everyone,

Two days back I created a jira for an issue which we are facing in our application while using zookeeper. Jira no is 2428, https://issues.apache.org/jira/browse/ZOOKEEPER-2428

But right now when I am trying to see this jira, it is saying it doesn't exist. Is it removed or moved somewhere else?

Please advise.

Thanks,
Saurabh

---------- Forwarded message ----------
From: Timothy Fanelli (JIRA)
Date: Wed, May 11, 2016 at 3:35 PM
Subject: [jira] [Updated] (ZOOKEEPER-2428) IbmX509 KeyManager and TrustManager algorithm not supported
To: sauravmanit@gmail.com

[ https://issues.apache.org/jira/browse/ZOOKEEPER-2428?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Timothy Fanelli updated ZOOKEEPER-2428:
---------------------------------------
    Description:
When connecting from a zookeeper client running in IBM WebSphere Application Server version 8.5.5, with SSL configured in ZooKeeper, the below mentioned exception is observed.

org.jboss.netty.channel.ChannelPipelineException: Failed to initialize a pipeline.
    at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:208)
    at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:182)
    at org.apache.zookeeper.ClientCnxnSocketNetty.connect(ClientCnxnSocketNetty.java:112)
    at org.apache.zookeeper.ClientCnxn$SendThread.startConnect(ClientCnxn.java:1130)
    at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1158)
Caused by: org.apache.zookeeper.common.X509Exception$SSLContextException: Failed to create KeyManager
    at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:75)
    at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initSSL(ClientCnxnSocketNetty.java:358)
    at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.getPipeline(ClientCnxnSocketNetty.java:348)
    at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:206)
    ... 4 more
Caused by: org.apache.zookeeper.common.X509Exception$KeyManagerException: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
    at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:129)
    at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:73)
    ... 7 more
Caused by: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:172)
    at javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:9)
    at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:118)

Reason: IBM websphere uses its own jre and supports only IbmX509 keymanager algorithm which is causing an exception when trying to get a key manager instance using SunX509 which is not supported.
Currently KeyManager algorithm name (SunX509) is hardcoded in the class X509Util.java.

Possible fix: Instead of having algorithm name hardcoded to SunX509 we can fall back to the default algorithm supported by the underlying jre.
Instead of having this -
    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
    TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
can we have?
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

  was:
When connecting from a zookeeper client running on websphere version 8.5.5 in SSL mode below mentioned exception is observed.

org.jboss.netty.channel.ChannelPipelineException: Failed to initialize a pipeline.
    at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:208)
    at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:182)
    at org.apache.zookeeper.ClientCnxnSocketNetty.connect(ClientCnxnSocketNetty.java:112)
    at org.apache.zookeeper.ClientCnxn$SendThread.startConnect(ClientCnxn.java:1130)
    at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1158)
Caused by: org.apache.zookeeper.common.X509Exception$SSLContextException: Failed to create KeyManager
    at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:75)
    at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initSSL(ClientCnxnSocketNetty.java:358)
    at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.getPipeline(ClientCnxnSocketNetty.java:348)
    at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:206)
    ... 4 more
Caused by: org.apache.zookeeper.common.X509Exception$KeyManagerException: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
    at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:129)
    at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:73)
    ... 7 more
Caused by: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:172)
    at javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:9)
    at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:118)

Reason: IBM websphere uses its own jre and supports only IbmX509 keymanager algorithm which is causing an exception when trying to get a key manager instance using SunX509 which is not supported.
Currently KeyManager algorithm name (SunX509) is hardcoded in the class X509Util.java.

Possible fix: Instead of having algorithm name hardcoded to SunX509 we can fall back to the default algorithm supported by the underlying jre.
Instead of having this -
    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
    TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
can we have?
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

> IbmX509 KeyManager and TrustManager algorithm not supported
> -----------------------------------------------------------
>
>                 Key: ZOOKEEPER-2428
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2428
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.5.1
>            Reporter: Saurabh Jain
>            Priority: Minor
>
> When connecting from a zookeeper client running in IBM WebSphere Application Server version 8.5.5, with SSL configured in ZooKeeper, the below mentioned exception is observed.
> org.jboss.netty.channel.ChannelPipelineException: Failed to initialize a pipeline.
>     at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:208)
>     at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:182)
>     at org.apache.zookeeper.ClientCnxnSocketNetty.connect(ClientCnxnSocketNetty.java:112)
>     at org.apache.zookeeper.ClientCnxn$SendThread.startConnect(ClientCnxn.java:1130)
>     at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1158)
> Caused by: org.apache.zookeeper.common.X509Exception$SSLContextException: Failed to create KeyManager
>     at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:75)
>     at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initSSL(ClientCnxnSocketNetty.java:358)
>     at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.getPipeline(ClientCnxnSocketNetty.java:348)
>     at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:206)
>     ... 4 more
> Caused by: org.apache.zookeeper.common.X509Exception$KeyManagerException: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
>     at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:129)
>     at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:73)
>     ... 7 more
> Caused by: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
>     at sun.security.jca.GetInstance.getInstance(GetInstance.java:172)
>     at javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:9)
>     at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:118)
> Reason: IBM websphere uses its own jre and supports only IbmX509 keymanager algorithm which is causing an exception when trying to get a key manager instance using SunX509 which is not supported.
> Currently KeyManager algorithm name (SunX509) is hardcoded in the class X509Util.java.
> Possible fix: Instead of having algorithm name hardcoded to SunX509 we can fall back to the default algorithm supported by the underlying jre.
> Instead of having this -
>     KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
>     TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
> can we have?
>     KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
>     TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
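The fallback proposed in the issue, as an added example; it is not code from the original message or from ZooKeeper. The class name PortableJsseAlgorithms and its helper methods are hypothetical, and the example goes slightly beyond the proposal by trying a preferred name before falling back and by listing what the running JRE's providers register.

```java
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example: hypothetical class and method names, not ZooKeeper's X509Util.
public class PortableJsseAlgorithms {
    // Algorithm names the installed providers register for a JCA service type.
    static List<String> registered(String type) {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders())
            for (Provider.Service s : p.getServices())
                if (s.getType().equals(type)) names.add(s.getAlgorithm() + " (" + p.getName() + ")");
        return names;
    }

    // Try the preferred name; if no provider offers it, use the JRE default.
    static KeyManagerFactory keyManagerFactory(String preferred) throws NoSuchAlgorithmException {
        try {
            return KeyManagerFactory.getInstance(preferred);
        } catch (NoSuchAlgorithmException e) {
            return KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        }
    }

    static TrustManagerFactory trustManagerFactory(String preferred) throws NoSuchAlgorithmException {
        try {
            return TrustManagerFactory.getInstance(preferred);
        } catch (NoSuchAlgorithmException e) {
            return TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("KeyManagerFactory:   " + registered("KeyManagerFactory"));
        System.out.println("TrustManagerFactory: " + registered("TrustManagerFactory"));
        KeyManagerFactory kmf = keyManagerFactory("SunX509");
        kmf.init(null, null);          // no client key material in this example
        TrustManagerFactory tmf = trustManagerFactory("SunX509");
        tmf.init((KeyStore) null);     // null selects the JRE's default trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        System.out.println("Selected: " + kmf.getAlgorithm() + " / " + tmf.getAlgorithm());
    }
}
```

The values returned by getDefaultAlgorithm() come from the ssl.KeyManagerFactory.algorithm and ssl.TrustManagerFactory.algorithm security properties, so the fallback follows whatever the JRE's java.security file specifies.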