Here is the essence of the fix that went into trunk (2.1):

o Allow creation of all possible keystore types supported. Keystore type is no longer restricted to JKS.
o Added a type parameter to create keystore methods.
o Keystores portlet will now allow creating and managing all types of keystores.
o This revision will simplify the configuration changes required to run G on a JVM that does not support JKS keystores (e.g., Harmony).
o Allow selecting any keystore type supported by the JVM in Tomcat HTTPS Connector pages.

As this "feature" required some interface changes, e.g. KeystoreManager, KeystoreInstance etc., I would like to hear from others on considering this for branches\2.0 as it may break compatibility.

++Vamsi

On Jan 21, 2008 11:21 PM, Zakharov, Vasily M <[EMAIL PROTECTED]> wrote:
> Vamsi,
>
> Thanks for the detailed analysis. The problem indeed looks non-trivial.
>
> Step 1. This looks pretty simple, and I'm now creating a patch for that.
> This change seems very important to me, how about getting it to v2.0.3/2.1?
>
> Step 2. This change also seems very important, but less critical than the
> first one, and it requires essential interface changes, so I tend to agree
> it certainly should wait till 2.1 or later.
>
> As for pitfalls, they seem unavoidable. Sure we want compatibility, but any
> compatibility has its limits. I suppose that changing JDK under a particular
> running installation of Geronimo is not a feature in great demand, and in a
> rare case when such a change would be necessary, a keystore conversion could
> be done manually (e.g. JKS<->PKCS12 conversion can be done in Sun,
> PKCS12<->BKS conversion can be done in Harmony etc.)
>
> Vasily
>
> ------------------------------
>
> *From:* Vamsavardhana Reddy [mailto:[EMAIL PROTECTED]]
> *Sent:* Monday, January 21, 2008 8:23 PM
> *To:* [email protected]
> *Subject:* Re: How to change KeyStore type?
>
> Providing a keystoreType attribute does not seem to be a big deal. But,
> if the Keystores portlet has to allow creating all types of keystores, it
> gets really messy. Here is one more observation.
> *IBMJDK does not allow storing an empty PKCS12 keystore to disk.*
>
> This prevents creating an empty PKCS12 keystore and then adding whichever
> keys and certificates the user wants to.
>
> Here is the approach I want to take.
> Step 1. Provide a keystoreType attribute in FileKeystoreInstance.
> Step 2. Update KeyStores portlet to allow creation of all keystore types
> that the JDK allows to store an empty keystore to disk.
>
> Step 1 will allow the users to replace a keystore file of one type with
> that of another type, change the keystoreType in config.xml and get the
> server running.
> Step 2 will allow users to manage all keystore types using Keystores
> portlet and there is no hard-coding of any keystoreType except for
> geronimo-default keystore which is JKS.
>
> Now to some pitfalls.
> 1. If keystore type other than JKS is in use, the user may not be able to
> switch JDKs for reasons like PKCS12 keystores created using IBMJDK are not
> readable using SUNJDK.
> 2. Though IBMJDK does not allow creating an empty PKCS12 (and a few other
> types) keystore as a starting point for managing a PKCS12 keystore, the
> users can always add a PKCS12 keystore to var/security/keystores and the
> gbean definition to config.xml. This will make the keystore manageable
> through KeyStores portlet as long as the keystore is not empty.
>
> This will require a change in
> org.apache.geronimo.management.geronimo.KeystoreManager interface, etc. I
> doubt if we can consider this change for branches\2.0.
>
> Comments?
>
> ++Vamsi
>
> On Jan 18, 2008 1:37 AM, Zakharov, Vasily M <[EMAIL PROTECTED]> wrote:
>
> Yes, sure, I fully agree.
>
> I've filed GERONIMO-3757 for this issue and now thinking of the patch to
> the trunk that would provide the necessary customization - unless any
> objections arise.
>
> As of GERONIMO-2015, I think we may close it, as there're objective
> reasons (stated there by Vamsavardhana Reddy) to not move from JKS on
> Sun.
>
> Vasily
>
> -----Original Message-----
> From: Alexey Petrenko [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 16, 2008 1:37 PM
> To: [email protected]
> Subject: Re: How to change KeyStore type?
>
> I think we should add PKCS12 to Geronimo.
> If we are afraid of possible incompatibilities and not full support of JKS
> or PKCS12, why not let the user choose what keystore to use?
> We can specify keystore in configs or choose type from available on
> current VM.
>
> SY, Alexey
>
> 2008/1/15, Zakharov, Vasily M <[EMAIL PROTECTED]>:
> > Hi, all,
> >
> > Is there a way to change the geronimo-default keystore
> > from JKS to, say, PKCS12 without patching the
> > org.apache.geronimo.security.keystore.FileKeystore* classes?
> >
> > That way of patching sources is suggested at GERONIMO-2015,
> > and it works, but it's probably not the best idea.
> >
> > I see the reasons of not making PKCS12 a default keystore type,
> > but what about making it possible to change keystore type
> > using config.xml, without source recompilation?
> >
> > I've browsed through the configuration options of geronimo-security
> > gbean, and found no way for that. Should I provide a patch for
> > that to be possible, would that be appropriate?
> >
> > Thank you!
> >
> > Vasily Zakharov
> > Intel ESSD
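The criterion proposed in Step 2 of the thread (offer only those keystore types for which the JDK can persist an empty keystore) can be checked directly against whatever JVM Geronimo is running on. The following is an added example, not Geronimo's own code: it enumerates the KeyStore types registered by the JVM's security providers and tests an empty store()/load() round trip in memory rather than writing under var/security/keystores; the password is a throwaway value assumed for the test.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not Geronimo code: enumerate every KeyStore type the
 * running JVM registers and test whether an EMPTY keystore of that type
 * survives store()/load(). That is the condition Step 2 proposes for
 * offering a type in the Keystores portlet.
 */
public class EmptyKeystoreProbe {

    /** Maps keystore type -> true if an empty keystore of that type round-trips. */
    public static Map<String, Boolean> probe(char[] password) {
        Map<String, Boolean> result = new LinkedHashMap<String, Boolean>();
        for (Provider p : Security.getProviders()) {            // providers in preference order
            for (Provider.Service s : p.getServices()) {
                if (!"KeyStore".equals(s.getType())) continue;
                String type = s.getAlgorithm();
                if (result.containsKey(type)) continue;         // first provider wins, as KeyStore.getInstance(type) does
                result.put(type, canStoreEmpty(type, password));
            }
        }
        return result;
    }

    static boolean canStoreEmpty(String type, char[] password) {
        try {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(null, password);                            // fresh, empty, in-memory keystore
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            ks.store(out, password);                            // the step IBMJDK rejects for an empty PKCS12
            KeyStore back = KeyStore.getInstance(type);
            back.load(new ByteArrayInputStream(out.toByteArray()), password);
            return back.size() == 0;                            // reloaded and still empty
        } catch (Exception e) {                                 // KeyStoreException, IOException, ... -> not usable
            return false;
        }
    }

    public static void main(String[] args) {
        char[] pw = "changeit".toCharArray();                   // throwaway password, an assumption of this example
        for (Map.Entry<String, Boolean> e : probe(pw).entrySet()) {
            System.out.println(e.getKey() + ": " + (e.getValue() ? "empty keystore can be stored" : "cannot store empty keystore"));
        }
    }
}
```

Types that report false (hardware-backed stores, or PKCS12 on a JDK that refuses to write an empty one) are the ones the portlet should not offer for creation, even though an existing non-empty keystore of that type can still be managed, as pitfall 2 notes.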
