[ https://issues.apache.org/jira/browse/DIRSERVER-2242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16572947#comment-16572947 ]

Emmanuel Lecharny commented on DIRSERVER-2242:
----------------------------------------------

We use the {{KeyStore.getInstance()}} method in three places :

* {{ReplicationTrustManager}} ( {{KeyStore.getInstance( "JKS" )}} )
* {{LdapServer}} ( {{KeyStore.getInstance( KeyStore.getDefaultType() )}} )
* {{HttpServer}} ( {{KeyStore.getInstance( KeyStore.getDefaultType() )}} )

and in four tests (one with "JKS" )

We *could* use {{KeyStore.getInstance( "JKS" )}} everywhere, but that would be 
problematic in the long run. What we could do is to add a configuration 
parameter in the server ({{ads-keystoreType}}) that would store the flavor we 
want to use, with a default value of {{JKS}}, and {{default}} would result in 
{{KeyStore.getDefaultType()}}. Some other values might be set. That would 
probably be the best option.

That will not fix the KeyStore migration issue though... At this point, the 
only good solution would be to ask users to create a new KeyStore with their 
certificates... Not exactly user-friendly :/

> Keystore change from JKS to PKCS12
> ----------------------------------
>
>                 Key: DIRSERVER-2242
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2242
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>            Reporter: Stefan Seelmann
>            Priority: Major
>
> Until Java 8 the default key store was JKS, since Java 9 the default is 
> PKCS12.
> In the server code when we use key stores there is a mix of
>  * KeyStore.getInstance( KeyStore.getDefaultType() );
>  * KeyStore.getInstance( "JKS" );
> This needs to be cleaned up.
> There is also the question if an automatic migration from existing JKS stores 
> in existing installations to PKCS12 is possible.
> Workaround is to change default keystore to JKS (property keystore.type in 
> $JAVA_HOME/conf/security/java.security)
>  Reference: http://openjdk.java.net/jeps/229



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
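
The lookup proposed in the comment above ({{ads-keystoreType}}, defaulting to {{JKS}}, with {{default}} mapped to {{KeyStore.getDefaultType()}}), as an added example that is not part of the original message and not ApacheDS code. The class and method names are hypothetical, and the keystore and password are constructed samples; the program reports which configured values can open an existing JKS file on the JVM it runs on.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

// Added example, not ApacheDS code: class and method names are hypothetical.
public final class KeyStoreTypeResolver {
    // Proposed semantics: unset -> "JKS", "default" -> JVM default, else as given.
    static String resolveType(String configured) {
        if (configured == null || configured.trim().isEmpty()) {
            return "JKS";
        }
        String value = configured.trim();
        return "default".equalsIgnoreCase(value) ? KeyStore.getDefaultType() : value;
    }

    // Opens a keystore file with the type selected by the configuration value.
    static KeyStore load(Path file, char[] password, String configured)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(resolveType(configured));
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray(); // constructed sample password
        Path file = Files.createTempFile("sample", ".ks");
        file.toFile().deleteOnExit();
        // Constructed sample: an empty JKS store standing in for an existing install.
        KeyStore jks = KeyStore.getInstance("JKS");
        jks.load(null, password);
        try (OutputStream out = Files.newOutputStream(file)) {
            jks.store(out, password);
        }
        for (String configured : new String[] { null, "JKS", "default", "PKCS12" }) {
            String type = resolveType(configured);
            try {
                KeyStore ks = load(file, password, configured);
                System.out.println(configured + " -> " + type + ": loaded as " + ks.getType());
            } catch (IOException | GeneralSecurityException e) {
                System.out.println(configured + " -> " + type + ": failed: " + e.getMessage());
            }
        }
    }
}
```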
