Posted to issues@activemq.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2021/02/03 16:59:00 UTC

[jira] [Work logged] (ARTEMIS-3081) Cannot override the default Java key/truststore properties

     [ https://issues.apache.org/jira/browse/ARTEMIS-3081?focusedWorklogId=547121&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-547121 ]

ASF GitHub Bot logged work on ARTEMIS-3081:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 03/Feb/21 16:58
            Start Date: 03/Feb/21 16:58
    Worklog Time Spent: 10m 
      Work Description: inkarkat opened a new pull request #3416:
URL: https://github.com/apache/activemq-artemis/pull/3416


   If an application wants to use a special key/truststore for Artemis but
   have the remainder of the application use the default Java store, the
   org.apache.activemq.ssl.keyStore needs to take precedence over Java's
   javax.net.ssl.keyStore. However, the current implementation takes the
   first non-null value from
     System.getProperty(JAVAX_KEYSTORE_PATH_PROP_NAME),
     System.getProperty(ACTIVEMQ_KEYSTORE_PATH_PROP_NAME),
     keyStorePath
   
   So if the default Java property is set, no override is possible. Swap
   the order of the JAVAX_... and ACTIVEMQ_... property names so that the
   ActiveMQ ones come first (as component-specific overrides), the
   standard Java ones come second, and finally a local attribute value
   (through Stream.of(...).findFirst()).
   
   (In our case the application uses the default Java truststore location
   at $JAVA_HOME/lib/security/jssecacerts, and only supplies its password
   in javax.net.ssl.trustStorePassword, and then uses a dedicated
   truststore for Artemis. Defining both org.apache.activemq.ssl.trustStore
   and org.apache.activemq.ssl.trustStorePassword now makes Artemis use the
   dedicated truststore (javax.net.ssl.trustStore is not set as we use the
   default location, so the second choice
   org.apache.activemq.ssl.trustStore applies), but with the Java default
   truststore password (first choice javax.net.ssl.trustStorePassword
   applies instead of the second choice because it is set for the default
   truststore). Obviously, this does not work unless both passwords are
   identical!)



Issue Time Tracking
-------------------

    Worklog Id:     (was: 547121)
    Time Spent: 1h 40m  (was: 1.5h)

> Cannot override the default Java key/truststore properties
> ----------------------------------------------------------
>
>                 Key: ARTEMIS-3081
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3081
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>    Affects Versions: 2.5.0, 2.16.0
>         Environment: In our case the application uses the default Java truststore location at {{$JAVA_HOME/lib/security/jssecacerts}}, and only supplies its password in {{javax.net.ssl.trustStorePassword}}, and then uses a dedicated truststore for Artemis. Defining both {{org.apache.activemq.ssl.trustStore}} and {{org.apache.activemq.ssl.trustStorePassword}} now makes Artemis use the dedicated truststore ({{javax.net.ssl.trustStore}} is not set as we use the default location, so the second choice {{org.apache.activemq.ssl.trustStore}} applies), but with the Java default truststore password (first choice {{javax.net.ssl.trustStorePassword}} applies instead of the second choice because it is set for the default truststore). Obviously, this does not work unless both passwords are identical!
>            Reporter: Ingo Karkat
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> If an application wants to use a special key/truststore for Artemis but have the remainder of the application use the default Java store, the
> {code:java}
> org.apache.activemq.ssl.keyStore{code}
> needs to take precedence over Java's
> {code:java}
> javax.net.ssl.keyStore{code}
> However, the current implementation takes the first non-null value from
> {code:java}
> System.getProperty(JAVAX_KEYSTORE_PATH_PROP_NAME)
> System.getProperty(ACTIVEMQ_KEYSTORE_PATH_PROP_NAME)
> keyStorePath{code}
> So if the default Java property is set, no override is possible.



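The precedence problem described in this issue, as an added example that is not Artemis code and not part of the pull request: it resolves the truststore path and password with a first-non-null lookup in both orders and reports which source supplied each one. The class, its helper methods, the file path and the passwords are constructed for illustration; only the four property names come from the issue.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.stream.Stream;

public class StorePrecedenceDemo {
    static final String JAVAX = "javax.net.ssl";
    static final String ACTIVEMQ = "org.apache.activemq.ssl";

    // First-non-null lookup over the given namespaces, falling back to the
    // locally configured attribute. Returns {source, value} so the caller can
    // see where a setting came from without logging the value itself.
    static String[] resolve(Map<String, String> props, String key, String local, String... namespaces) {
        return Stream.of(namespaces)
                .filter(ns -> props.get(ns + "." + key) != null)
                .map(ns -> new String[] {ns, props.get(ns + "." + key)})
                .findFirst()
                .orElse(new String[] {"local attribute", local});
    }

    // Resolves path and password in the same order and flags the case where
    // they come from different sources, i.e. a password meant for another store.
    static String describe(Map<String, String> props, String... namespaces) {
        String[] path = resolve(props, "trustStore", null, namespaces);
        String[] password = resolve(props, "trustStorePassword", null, namespaces);
        String verdict = path[0].equals(password[0]) ? "consistent" : "MISMATCH";
        return "path from " + path[0] + ", password from " + password[0] + " -> " + verdict;
    }

    public static void main(String[] args) {
        // Constructed values mirroring the reporter's setup: the default Java
        // truststore location is used, so javax.net.ssl.trustStore is unset.
        Map<String, String> props = new HashMap<>();
        props.put(JAVAX + ".trustStorePassword", "default-store-pw");
        props.put(ACTIVEMQ + ".trustStore", "/opt/app/artemis-truststore.jks");
        props.put(ACTIVEMQ + ".trustStorePassword", "artemis-store-pw");

        System.out.println("javax first:    " + describe(props, JAVAX, ACTIVEMQ));
        System.out.println("activemq first: " + describe(props, ACTIVEMQ, JAVAX));
    }
}
```

With the javax namespace first, the path comes from the ActiveMQ property and the password from the Java default, which is the mismatch the reporter describes; with the ActiveMQ namespace first, both come from the same source. The same check still reports a mismatch when only one of the two ActiveMQ properties is set, so it is useful as a startup diagnostic in either order.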