I think that Aaron raised this issue (or indicated there might be a
problem here) in a previous post on an earlier thread.
Aaron suggested that there be a wiki page or some other summary page
that explains what we think we need to have functionally so that it can
be agreed upon and them implemented in a future Geronimo release. Can
you take a stab at this summary Vamsi? I think that you along with
David Jencks, Aaron, and possibly a few others will need to reach a
consensus.
Joe
Vamsavardhana Reddy wrote:
Looks like there is no point in having more than one private key entry
in a keystore for the purpose of SSL Server authentication as there is
no control on which key will be picked. I do not know if this is useful
for Client authentication. Unless all the private key entries have the
same password, KeyManagerFactory.init() will throw an exception.
-Vamsi
On 7/31/06, *Joe Bohn* <[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>> wrote:
Just an update on this problem.
There is still a problem with the locking (esp. in jetty) due to
multiple attributes (containing both the password value and null) for
the keystorePassword and keyPasswords. However, with the fix just
integrated for GERONIMO-2252 we at least have some recovery plan (modify
the config.xml to remove the null entries and the remain stored entries
will correctly unlock the keys).
Thanks to Vamsavardhana Reddy for finding the root cause of why the
passwords were being stored incorrectly. Now we just need to figure out
why we're ending up with multiple entries in config.xml for the same
attributes.
Joe
Joe Bohn wrote:
>
> I'm still trying to figure out some critical problems with the
keystore
> processing on jetty.
>
> The most serious problem that I've yet to resolve is a problem
with the
> lock/unlock of the keystore availability lock. A subsequent server
> restart will fail because "Keystore 'geronimo-default' is
locked". It
> appears that we cannot recover from this error either. Even if I
change
> the config.xml for SSLConnector to load="false", restart the server,
> unlock the keystore/key (again) I still get the same failure when I
> attempt to start with the SSLConnector enabled.
>
> At first I thought this was because of the duplicate attribute
entries
> referenced in an earlier post. In fact, I'm pretty sure that I
edited
> the config.xml to remove the "null" entries and was able to get the
> server started. However, I have recently been unable to recover from
> this error using the same mechanism. In fact it seems to create
more
> problems because after removing the null entries I now get an
> UnrecoverableKeyException.
>
> Any advice or recommendations? I'm beginning to wonder if we should
> disable the keystore portlet for 1.1.1 so that the user can't shoot
> himself in the foot.
>
> Joe
>
>
