[ 
https://issues.apache.org/jira/browse/GERONIMO-3757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12562836#action_12562836
 ] 

Vamsavardhana Reddy commented on GERONIMO-3757:
-----------------------------------------------

"try to load with all available providers" is the first option I tried.  And 
the results from IBMJDK 1.5, SunJDK 1.5 and Harmony 5.0M4 are not at all 
satisfying. It is much worse when the keystore password is not known (which is 
the case when a new keystore file is dropped in the keystores directory).  
Harmony won't load anything without the password; IBMJDK chooses wrong 
keystoreType etc.  So, I decided to go with the file extension (which will 
allow users to drop any type of keystore file into the keystores directory)  or 
defaultType when there is no extension and the user will be able to access the 
keystore from admin console right away.

I was under the impression that when a new keystore is dropped in keystores 
directory, it won't be recognized by KeystoreManager unless a KeystoreInstance 
GBean is added to config.xml.  But then I was wrong and KeystoreManager is 
dynamically adding the required KeystoreInstance gbean.  If we don't decide 
upon the type of the keystore at the time KeystoreManager adds the 
gbean, Option 1: the user will have to stop the server, edit config.xml to 
correct the keystoreType and start the server, Option 2: make the keystoreType 
attribute manageable and add keystorePortlet pages to let the user change the 
type through admin console etc (which will be used only for new keystores added 
directly to keystores directory).  So, I took the easy way out as it also keeps 
things simple :)


> KeyStore type can't be changed
> ------------------------------
>
>                 Key: GERONIMO-3757
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3757
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 2.0.2, 2.0.x, 2.1
>            Reporter: Vasily Zakharov
>         Attachments: Geronimo-3757-trunk.patch, Geronimo-3757.patch, 
> Geronimo-3757.patch, GERONIMO-3757.patch
>
>
> For now (r612905), Geronimo is hardcoded to use JKS keystore type, which 
> prevents Geronimo from running on Harmony or other JDKs that have no JKS 
> implementation:
> org.apache.geronimo.security.keystore.FileKeystoreInstance, line 635:
>             KeyStore tempKeystore = KeyStore.getInstance(JKS);
> org.apache.geronimo.security.keystore.FileKeystoreManager, line 364:
>             KeyStore keystore = 
> KeyStore.getInstance(FileKeystoreInstance.JKS);
> To workaround this issue, one can change JKS to KeyStore.getDefaultType() 
> (this returns "BKS" for Harmony) or particular other keystore type, but this 
> requires source recompilation. Replacing 
> var/security/keystores/geronimo-default with the proper keystore type file is 
> not a problem.
> A proper solution seems to apply the fix above to use the JDK-default 
> keystore type, and provide FileKeystoreInstance with an additional 
> configuration option, keystoreType, that would allow to change the keystore 
> type through config.xml without recompilation, like this:
> <module name="org.apache.geronimo.configs/server-security-config/2.0.2/car">
>   <gbean name="geronimo-default">
>     <attribute name="keystoreType">PKCS12</attribute>
>     <attribute 
> name="keystorePath">var/security/keystores/geronimo-pkcs12</attribute>
>   </gbean>
> </module>
> This issue is a follow-up to GERONIMO-2015.

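As an added example (not Geronimo's code and not one of the attached patches), the resolution order the comment settles on: an explicit keystoreType attribute, then the file extension, then KeyStore.getDefaultType(); alongside it, the candidate list the rejected "try every provider" approach would iterate. The class name, method names and the extension table are assumptions.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

/** Hypothetical helper: resolve a keystore type from config, then file extension, then JDK default. */
public final class KeystoreTypeResolver {

    // Assumed extension-to-type mapping; the comment does not list the extensions Geronimo recognises.
    private static final Map<String, String> BY_EXTENSION =
            new TreeMap<String, String>(String.CASE_INSENSITIVE_ORDER);
    static {
        BY_EXTENSION.put("jks", "JKS");
        BY_EXTENSION.put("jceks", "JCEKS");
        BY_EXTENSION.put("p12", "PKCS12");
        BY_EXTENSION.put("pfx", "PKCS12");
        BY_EXTENSION.put("bks", "BKS");   // Harmony's default type, per the issue description
    }

    /** An explicit keystoreType attribute wins; then the file extension; then KeyStore.getDefaultType(). */
    public static String resolveType(File keystoreFile, String configuredType) {
        if (configuredType != null && configuredType.trim().length() > 0) {
            return configuredType.trim();
        }
        String name = keystoreFile.getName();
        int dot = name.lastIndexOf('.');
        String mapped = dot >= 0 ? BY_EXTENSION.get(name.substring(dot + 1)) : null;
        // No extension (e.g. "geronimo-default") or an unknown one: fall back to the JDK default
        return mapped != null ? mapped : KeyStore.getDefaultType();
    }

    /** The rejected alternative: every KeyStore type offered by any installed provider. */
    public static List<String> installedKeystoreTypes() {
        List<String> types = new ArrayList<String>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("KeyStore".equals(s.getType()) && !types.contains(s.getAlgorithm())) {
                    types.add(s.getAlgorithm());
                }
            }
        }
        return types;
    }
}
```

The resolved type replaces the hardcoded JKS in KeyStore.getInstance(...); KeyStore.load(...) still needs the keystore password on Harmony, which is why probing installedKeystoreTypes() one by one is not reliable for a freshly dropped file.
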
-- 
This message is automatically generated by JIRA.