[
https://issues.apache.org/jira/browse/ZOOKEEPER-2429?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15302630#comment-15302630
]
Chris Nauroth commented on ZOOKEEPER-2429:
------------------------------------------
Additional user-facing configuration for this might not be necessary, and it
might push more operational complexity onto administrators. FWIW, there is a
bit of code in Hadoop that takes the approach of runtime detection of the IBM
JRE, and then automatically toggles between the two algorithms. See the
[SSLFactory|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java#L71]
and
[PlatformName|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/util/PlatformName.java#L46-L50]
classes.
A challenge we've had in the Hadoop community is that not many (none?) of the
committers have access to the IBM JRE for verification of proposed patches.
Saurabh, if you can help on any testing efforts related to IBM JRE support, we
would greatly appreciate that.
> IbmX509 KeyManager and TrustManager algorithm not supported
> -----------------------------------------------------------
>
> Key: ZOOKEEPER-2429
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2429
> Project: ZooKeeper
> Issue Type: Bug
> Components: security, server
> Affects Versions: 3.5.0
> Reporter: Saurabh Jain
> Assignee: Saurabh jain
> Priority: Minor
> Fix For: 3.5.1
>
>
> When connecting from a zookeeper client running in IBM WebSphere Application
> Server version 8.5.5, with SSL configured in ZooKeeper, the below mentioned
> exception is observed.
> org.jboss.netty.channel.ChannelPipelineException: Failed to initialize a
> pipeline.
> at
> org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:208)
> at
> org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:182)
> at
> org.apache.zookeeper.ClientCnxnSocketNetty.connect(ClientCnxnSocketNetty.java:112)
> at
> org.apache.zookeeper.ClientCnxn$SendThread.startConnect(ClientCnxn.java:1130)
> at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1158)
> Caused by: org.apache.zookeeper.common.X509Exception$SSLContextException:
> Failed to create KeyManager
> at
> org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:75)
> at
> org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initSSL(ClientCnxnSocketNetty.java:358)
> at
> org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.getPipeline(ClientCnxnSocketNetty.java:348)
> at
> org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:206)
> ... 4 more
> Caused by: org.apache.zookeeper.common.X509Exception$KeyManagerException:
> java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not
> available
> at
> org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:129)
> at
> org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:73)
> ... 7 more
> Caused by: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory
> not available
> at sun.security.jca.GetInstance.getInstance(GetInstance.java:172)
> at javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:9)
> at
> org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:118)
> Reason : IBM websphere uses its own jre and supports only IbmX509 keymanager
> algorithm which is causing an exception when trying to get an key manager
> instance using SunX509 which is not supported.
> Currently KeyManager algorithm name (SunX509) is hardcoded in the class
> X509Util.java.
> Possible fix: Instead of having algorithm name hardcoded to SunX509 we can
> fall back to the default algorithm supported by the underlying jre.
> Instead of having this -
> KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
> TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
> can we have ?
> KeyManagerFactory kmf =
> KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
> TrustManagerFactory tmf =
> TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
