[
https://issues.apache.org/jira/browse/ARTEMIS-3081?focusedWorklogId=543690&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-543690
]
ASF GitHub Bot logged work on ARTEMIS-3081:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 28/Jan/21 15:17
Start Date: 28/Jan/21 15:17
Worklog Time Spent: 10m
Work Description: gemmellr commented on pull request #3416:
URL: https://github.com/apache/activemq-artemis/pull/3416#issuecomment-769155367
I think this proposal is actually somewhat different than the previous ones
and warrants further consideration.
Previous proposals were primarily aiming for the more traditional behaviour
of URI settings overriding System Properties, whereas this one does not and is
just specific to behaviour of using the latter. In particular around the fact
that if you set both the javax.ssl.* and org.apache.activemq.ssl.* system
properties currently, the latter will surprisingly be ignored and not do
anything. That makes those properties useless a lot of the time since folks
using system properties for TLS config also seem likely to be using javax.ssl.* as
well for other components. The main reason to want to ever set both is to use
different values, which would clearly suggest the Artemis ones should have
higher precedence or else you can't do that and needn't bother ever setting the
Artemis one.
As @brusdev noted, the order handling of these system properties was
originally that the Artemis ones took precedence. That only looks to have
changed in Artemis 2.5.0 during a config handling rewrite while adding OpenSSL
support in https://issues.apache.org/jira/browse/ARTEMIS-1649. It's not clear to
me that was a deliberate change, it was seemingly not mentioned or documented
at the time, and per above makes little sense since there is a good chance it
removes the ability to even use the system property. I think the change may
have been an error in the port to using Stream handling for the config values.
The test that needs changed here only looks to be present because Chris
added tests of the by-then-current wider behaviour of the TLS config handling
whilst adding the override flag in Artemis 2.7.0 to allow the desired URI
option precedence.
I think it makes sense to restore the more useful and original Artemis 1.0.0
- 2.4.0 behaviour for these system properties, rather than leaving the somewhat
useless 2.5.0+ behaviour.
----------------------------------------------------------------
Issue Time Tracking
-------------------
Worklog Id: (was: 543690)
Time Spent: 1h 20m (was: 1h 10m)
> Cannot override the default Java key/truststore properties
> ----------------------------------------------------------
>
> Key: ARTEMIS-3081
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3081
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Affects Versions: 2.15.0, 2.17.0
> Environment: In our case the application uses the default Java
> truststore location at {{$JAVA_HOME/lib/security/jssecacerts}}, and only
> supplies its password in {{javax.net.ssl.trustStorePassword}}, and then uses
> a dedicated truststore for Artemis. Defining both
> {{org.apache.activemq.ssl.trustStore}} and
> {{org.apache.activemq.ssl.trustStorePassword}} now makes Artemis use the
> dedicated truststore ({{javax.net.ssl.trustStore}} is not set as we use the
> default location, so the second choice
> {{org.apache.activemq.ssl.trustStore}} applies), but with the Java default
> truststore password (first choice {{javax.net.ssl.trustStorePassword}}
> applies instead of the second choice because it is set for the default
> truststore). Obviously, this does not work unless both passwords are
> identical!
> Reporter: Ingo Karkat
> Priority: Major
> Labels: pull-request-available
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> If an application wants to use a special key/truststore for Artemis but have
> the remainder of the application use the default Java store, the
> {code:java}
> org.apache.activemq.ssl.keyStore{code}
> needs to take precedence over Java's
> {code:java}
> javax.net.ssl.keyStore{code}
> However, the current implementation takes the first non-null value from
> {code:java}
> System.getProperty(JAVAX_KEYSTORE_PATH_PROP_NAME)
> System.getProperty(ACTIVEMQ_KEYSTORE_PATH_PROP_NAME)
> keyStorePath{code}
> So if the default Java property is set, no override is possible.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
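
The mismatch described in the issue's Environment field, as an added Java illustration that is not Artemis code: each setting is resolved independently by "first value that is set wins", so the truststore path and its password can come from different property families. Only the four property names come from the issue; the class and method names, the store path and the passwords are constructed for this example.

```java
import java.util.HashMap;
import java.util.Map;

public class TrustStorePrecedenceDemo {
    // Property names exactly as quoted in the issue description.
    static final String JAVAX_TS = "javax.net.ssl.trustStore";
    static final String JAVAX_PW = "javax.net.ssl.trustStorePassword";
    static final String AMQ_TS = "org.apache.activemq.ssl.trustStore";
    static final String AMQ_PW = "org.apache.activemq.ssl.trustStorePassword";

    // Returns {sourceKey, value} for the first key in the given order that is set,
    // falling back to the explicitly configured value (the third choice in the issue).
    static String[] resolve(Map<String, String> props, String configured, String... order) {
        for (String key : order) {
            String value = props.get(key);
            if (value != null) {
                return new String[] {key, value};
            }
        }
        return new String[] {"configured", configured};
    }

    // "javax.net.ssl.trustStore" -> "javax.net.ssl"; keys without a dot are returned as-is.
    static String namespace(String key) {
        int dot = key.lastIndexOf('.');
        return dot < 0 ? key : key.substring(0, dot);
    }

    // True when the store path and its password were taken from different property families.
    static boolean mismatched(String[] path, String[] password) {
        return !namespace(path[0]).equals(namespace(password[0]));
    }

    static void report(String label, String[] path, String[] password) {
        System.out.printf("%s: store from %s, password from %s, mismatched=%b%n",
                label, path[0], password[0], mismatched(path, password));
    }

    public static void main(String[] args) {
        // Constructed values mirroring the reporter's environment: javax.net.ssl.trustStore is unset.
        Map<String, String> props = new HashMap<>();
        props.put(JAVAX_PW, "jvm-default-pass");
        props.put(AMQ_TS, "/opt/app/artemis-truststore.jks");
        props.put(AMQ_PW, "artemis-pass");

        // Orders are labelled with the version ranges given in the comment above.
        report("javax first (2.5.0+)", resolve(props, null, JAVAX_TS, AMQ_TS),
                resolve(props, null, JAVAX_PW, AMQ_PW));
        report("Artemis first (1.0.0 - 2.4.0)", resolve(props, null, AMQ_TS, JAVAX_TS),
                resolve(props, null, AMQ_PW, JAVAX_PW));
    }
}
```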