Re: How to change KeyStore type?
Sounds like the change should only be made in 2.1, as this is a new feature.

-Donald

Vamsavardhana Reddy wrote:
Re: How to change KeyStore type?
Here is an essence of the fix that went into trunk (2.1):

o Allow creation of all possible keystore types supported. Keystore type is no longer restricted to JKS.
o Added a type parameter to create keystore methods.
o Keystores portlet will now allow creating and managing all types of keystores.
o This revision will simplify the configuration changes required to run G on a JVM that does not support JKS keystores (e.g., Harmony).
o Allow selecting any keystore type supported by the JVM in Tomcat HTTPS Connector pages.

As this feature required some interface changes, e.g. KeystoreManager, KeystoreInstance etc., I would like to hear from others on considering this for branches\2.0 as it may break compatibility.

++Vamsi

On Jan 21, 2008 11:21 PM, Zakharov, Vasily M wrote:
RE: How to change KeyStore type?
Vamsi,

Thanks a lot for the patch!

I'm voting for getting the change into the nearest release, as it allows Geronimo to run on Harmony and maybe other VMs - the current release can't do that, and adding this feature is a good bonus to Geronimo flexibility and compatibility.

Thanks,
Vasily

On Monday, January 28, 2008 4:23 PM, Vamsavardhana Reddy wrote:
Re: How to change KeyStore type?
Providing a keystoreType attribute does not seem to be a big deal. But, if the Keystores portlet has to allow creating all types of keystores, it gets really messy.

Here is one more observation. *IBMJDK does not allow storing an empty PKCS12 keystore to disk.* This prevents creating an empty PKCS12 keystore and then adding whichever keys and certificates the user wants to.

Here is the approach I want to take.

Step 1. Provide a keystoreType attribute in FileKeystoreInstance.
Step 2. Update KeyStores portlet to allow creation of all keystore types that the JDK allows to store an empty keystore to disk.

Step 1 will allow the users to replace a keystore file of one type with that of another type, change the keystoreType in config.xml and get the server running. Step 2 will allow users to manage all keystore types using Keystores portlet and there is no hard-coding of any keystoreType except for geronimo-default keystore which is JKS.

Now to some pitfalls.

1. If keystore type other than JKS is in use, the user may not be able to switch JDK's for reasons like PKCS12 keystore created using IBMJDK are not readable using SUNJDK.
2. Though IBMJDK does not allow creating an empty PKCS12 (and a few other types) keystore as a starting point for managing a PKCS12 keystore, the users can always add a PKCS12 keystore to var/security/keystores and the gbean definition to config.xml. This will make the keystore manageable through KeyStores portlet as long as the keystore is not empty.

This will require a change in org.apache.geronimo.management.geronimo.KeystoreManager interface, etc. I doubt if we can consider this change for branches\2.0.

Comments?

++Vamsi

On Jan 18, 2008 1:37 AM, Zakharov, Vasily M wrote:
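The criterion Step 2 above relies on is "which keystore types will this JDK store while still empty". The probe below is an added example for this thread, not code from Geronimo or from any poster; the class and method names are my own, and the password is a placeholder for the probe only.

```java
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Lists every KeyStore type advertised by the installed providers and
 * checks whether each one can be created empty and then stored, which is
 * the workflow a "create keystore, then add entries" portlet depends on.
 * Hypothetical helper written for this thread, not Geronimo code.
 */
public class KeystoreTypeProbe {

    /** Outcome for one keystore type. */
    public enum Result { EMPTY_STORABLE, LOAD_FAILED, STORE_FAILED }

    /** Map of keystore type name to the first provider that offers it. */
    public static Map<String, String> supportedTypes() {
        Map<String, String> types = new LinkedHashMap<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("KeyStore".equals(s.getType())) {
                    types.putIfAbsent(s.getAlgorithm(), p.getName());
                }
            }
        }
        return types;
    }

    /**
     * Instantiate the type, initialise it with no backing stream (the JCA
     * way to get an empty keystore), then store it. Storing to memory is
     * enough to surface a provider that refuses to write an empty store,
     * the IBM JDK PKCS12 behaviour described in the thread.
     */
    public static Result probe(String type, char[] password) {
        KeyStore ks;
        try {
            ks = KeyStore.getInstance(type);
            ks.load(null, null);
        } catch (Exception e) {
            return Result.LOAD_FAILED;   // type unusable on this JVM
        }
        try (ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            ks.store(out, password);
            return Result.EMPTY_STORABLE;
        } catch (Exception e) {
            return Result.STORE_FAILED;  // created, but cannot be saved empty
        }
    }

    public static void main(String[] args) {
        // Placeholder value for the probe; a real keystore password comes
        // from the server configuration, never from a literal.
        char[] pw = "probe-only".toCharArray();
        System.out.println("Default keystore type: " + KeyStore.getDefaultType());
        for (Map.Entry<String, String> e : supportedTypes().entrySet()) {
            System.out.printf("%-14s (%s): %s%n",
                    e.getKey(), e.getValue(), probe(e.getKey(), pw));
        }
    }
}
```

Run it under each JDK you intend to support; a type reported as STORE_FAILED on one JDK and EMPTY_STORABLE on another is exactly the portability pitfall the thread warns about.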
RE: How to change KeyStore type?
Vamsi,

Thanks for the detailed analysis. The problem indeed looks non-trivial.

Step 1. This looks pretty simple, and I'm now creating a patch for that. This change seems very important to me, how about getting it to v2.0.3/2.1?

Step 2. This change also seems very important, but less critical than the first one, and it requires essential interface changes, so I tend to agree it certainly should wait till 2.1 or later.

As of pitfalls, they seem unavoidable. Sure we want compatibility, but any compatibility has its limits. I suppose that changing JDK under a particular running installation of Geronimo is not a feature in great demand, and in a rare case when such a change would be necessary, a keystore conversion could be done manually (e.g. JKS-PKCS12 conversion can be done in Sun, PKCS12-BKS conversion can be done in Harmony etc.)

Vasily

On Monday, January 21, 2008 8:23 PM, Vamsavardhana Reddy wrote:
RE: How to change KeyStore type?
Yes, sure, I fully agree. I've filed GERONIMO-3757 for this issue and am now thinking of the patch to the trunk that would provide the necessary customization - unless any objections arise.

As of GERONIMO-2015, I think we may close it, as there're objective reasons (stated there by Vamsavardhana Reddy) to not move from JKS on Sun.

Vasily

On Wednesday, January 16, 2008 1:37 PM, Alexey Petrenko wrote:
Re: How to change KeyStore type?
I think we should add PKCS12 to Geronimo. If we are afraid of possible incompatibilities and not full support of JKS or PKCS12, why not let the user choose which keystore to use? We can specify the keystore in configs or choose the type from those available on the current VM.

SY, Alexey

On 2008/1/15, Zakharov, Vasily M wrote:
How to change KeyStore type?
Hi, all,

Is there a way to change the geronimo-default keystore from JKS to, say, PKCS12 without patching the org.apache.geronimo.security.keystore.FileKeystore* classes? That way of patching sources is suggested at GERONIMO-2015, and it works, but it's probably not the best idea.

I see the reasons for not making PKCS12 a default keystore type, but what about making it possible to change the keystore type using config.xml, without source recompilation? I've browsed through the configuration options of the geronimo-security gbean, and found no way for that.

Should I provide a patch for that to be possible, would that be appropriate?

Thank you!

Vasily Zakharov
Intel ESSD