Posted to dev@geronimo.apache.org by viola lu <vi...@gmail.com> on 2011/10/12 12:16:51 UTC

Keystore files filter problem under var/security/keystores

Hi, Dev:

 Currently in Geronimo 2.1.*, if I run keytool from the JDK to generate a CSR or
other non-keystore files under var/security/keystores, the Geronimo server will
persist them in the j2ee-security module when I access the keystore portlet in the admin
console, which scans all files under this folder and instantiates a
FileKeystoreInstance GBean no matter what type of file it is.
If so, even if a user creates an empty file of any type, it will be written to
config.xml. We have to filter files; only keystore files should be under
that folder.

I plan to filter files under var/security/keystore by file name
suffix, for example: *, *.jks, *.pcks, but is there another way to validate the
content of a keystore? With the keystore API in the JDK, a password must be provided
before loading and accessing it, which we don't know except for the user who generated
it.

Any suggestion?

-- 
viola

Apache Geronimo

Re: Keystore files filter problem under var/security/keystores

Posted by viola lu <vi...@gmail.com>.
On Thu, Oct 13, 2011 at 10:02 AM, Ivan <xh...@gmail.com> wrote:

> Adding a filter option should be fine, and it should also allow no
> suffix; IIRC Geronimo's own store files have no suffix.
>

 Right, no suffix should be included.


> While I am thinking about why those other files are there, are those CSR files
> generated by the console and stored there by default? If so, we may
> just need to update that logic.


    End-users are using the JDK keytool to generate CSRs and certificates, not the
console. Our console CA portlet generates CSRs and certificates into its CA-
specific folder, not the keystore folder, so there is no need to change this logic.


> Also, it looks to me that the user will not create an empty file there
> manually; that action makes no sense.


  Some types of keystore files permit an empty file. So we just need to check
whether its type is one that allows an empty keystore file.





-- 
viola

Apache Geronimo
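An added example (not Geronimo's own code) of the filter discussed in the original question and in viola's reply above: a suffix whitelist combined with a header check that needs no keystore password. The suffix list, the class name and the empty-file policy are assumptions made for this example.

```java
import java.io.File;
import java.io.FileFilter;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

// Accept a file only if its suffix is whitelisted AND its header looks like a keystore.
// Only the unencrypted header is read, so no keystore password is needed for the check.
public final class KeystoreFileFilter implements FileFilter {
    // Format facts: JKS/JCEKS begin with a 4-byte magic; PKCS#12 is DER, starting with SEQUENCE (0x30).
    private static final int JKS_MAGIC = 0xFEEDFEED;
    private static final int JCEKS_MAGIC = 0xCECECECE;
    private static final int DER_SEQUENCE = 0x30;

    // Assumed whitelist; "" is included because Geronimo's own stores carry no suffix.
    private static final List<String> SUFFIXES = Arrays.asList("", ".jks", ".jceks", ".p12", ".pkcs12");

    @Override
    public boolean accept(File f) {
        if (!f.isFile()) return false;
        String name = f.getName();
        int dot = name.lastIndexOf('.');
        String suffix = dot < 0 ? "" : name.substring(dot).toLowerCase();
        if (!SUFFIXES.contains(suffix)) return false;   // server.csr, request.pem, notes.txt
        // Policy choice (assumption): an empty file cannot be typed by content, so it is
        // accepted only when an explicit suffix names the keystore type.
        if (f.length() == 0) return !suffix.isEmpty();
        byte[] head = new byte[4];
        int n = 0, r;
        try (FileInputStream in = new FileInputStream(f)) {
            while (n < 4 && (r = in.read(head, n, 4 - n)) > 0) n += r;
        } catch (IOException e) {
            return false;
        }
        return looksLikeKeystore(head, n);
    }

    // Header check. Caveat: a DER-encoded CSR or certificate also starts with 0x30,
    // so the suffix whitelist is what keeps those out of the scan.
    static boolean looksLikeKeystore(byte[] head, int n) {
        if (n >= 1 && (head[0] & 0xFF) == DER_SEQUENCE) return true;
        if (n < 4) return false;
        int magic = ((head[0] & 0xFF) << 24) | ((head[1] & 0xFF) << 16)
                  | ((head[2] & 0xFF) << 8) | (head[3] & 0xFF);
        return magic == JKS_MAGIC || magic == JCEKS_MAGIC;
    }
}
```

Pass an instance to `new File("var/security/keystores").listFiles(filter)` to get only the candidates worth instantiating a FileKeystoreInstance GBean for.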

Re: Keystore files filter problem under var/security/keystores

Posted by Ivan <xh...@gmail.com>.
Adding a filter option should be fine, and it should also allow no suffix;
IIRC Geronimo's own store files have no suffix.
While I am thinking about why those other files are there, are those CSR files
generated by the console and stored there by default? If so, we may
just need to update that logic. Also, it looks to me that the user will not
create an empty file there manually; that action makes no sense.



-- 
Ivan

Re: Keystore files filter problem under var/security/keystores

Posted by Forrest Xia <fo...@gmail.com>.
Making a doc and telling users not to put non-keystore files in that folder
might be an option :)

Forrest
