Posted to dev@geronimo.apache.org by "Zakharov, Vasily M" <va...@intel.com> on 2008/01/15 16:49:31 UTC

How to change KeyStore type?

Hi, all,

Is there a way to change the geronimo-default keystore
from JKS to, say, PKCS12 without patching the
org.apache.geronimo.security.keystore.FileKeystore* classes?

That way of patching sources is suggested at GERONIMO-2015,
and it works, but it's probably not the best idea.

I see the reasons of not making PKCS12 a default keystore type,
but what about making it possible to change keystore type
using config.xml, without source recompilation?

I've browsed through the configuration options of the geronimo-security
gbean, and found no way to do that. Should I provide a patch to make
that possible, would that be appropriate?

Thank you!

Vasily Zakharov
Intel ESSD



---


Re: How to change KeyStore type?

Posted by Donald Woods <dw...@apache.org>.
Sounds like the change should only be made in 2.1, as this is a new 
"feature".

-Donald


RE: How to change KeyStore type?

Posted by "Zakharov, Vasily M" <va...@intel.com>.
Vamsi,

Thanks a lot for the patch!

I'm voting for getting the change into the nearest release, as it allows
Geronimo to run on Harmony and maybe other VMs - current release can't
do that, and adding this feature is a good bonus to Geronimo flexibility
and compatibility.

Thanks,

Vasily


Re: How to change KeyStore type?

Posted by Vamsavardhana Reddy <c1...@gmail.com>.
Here is the essence of the fix that went into trunk (2.1):
o Allow creation of all possible keystore types supported. Keystore type is
no longer restricted to JKS.
o Added a type parameter to create keystore methods.
o Keystores portlet will now allow creating and managing all types of
keystores.
o This revision will simplify the configuration changes required to run G on
a JVM that does not support JKS keystores (e.g., Harmony).
o Allow selecting any keystore type supported by the JVM in Tomcat HTTPS
Connector pages.

As this "feature" required some interface changes, e.g. KeystoreManager,
KeystoreInstance etc., I would like to hear from others on considering this
for branches\2.0 as it may break compatibility.

++Vamsi


RE: How to change KeyStore type?

Posted by "Zakharov, Vasily M" <va...@intel.com>.
Vamsi,

Thanks for the detailed analysis. The problem indeed looks non-trivial.

Step 1. This looks pretty simple, and I'm now creating a patch for that.
This change seems very important to me, how about getting it to
v2.0.3/2.1?

Step 2. This change also seems very important, but less critical than
the first one, and it requires essential interface changes, so I tend to
agree it certainly should wait till 2.1 or later.

As for pitfalls, they seem unavoidable. Sure we want compatibility, but
any compatibility has its limits. I suppose that changing the JDK under a
particular running installation of Geronimo is not a feature in great
demand, and in the rare case when such a change would be necessary, a
keystore conversion could be done manually (e.g. JKS<->PKCS12 conversion
can be done in Sun, PKCS12<->BKS conversion can be done in Harmony etc.)

Vasily


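The manual keystore conversion mentioned above (JKS<->PKCS12 and the like) written out as code, as an added example that is neither Geronimo's code nor anything posted in this thread: a generic entry-by-entry copy from one KeyStore type into another, the same job keytool -importkeystore does on JDK 6 and later. The standard JDK has no public API to mint a self-signed certificate, so the offline self-check converts a JCEKS store holding a freshly generated AES key into PKCS12 (which needs Java 8 or later for secret keys) and reads it back; the same convert() method copies PrivateKeyEntry and TrustedCertificateEntry objects when the command-line form is run on a real keystore file. The class name KeystoreConvert, the alias demo-aes and the password changeit are my choices for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Enumeration;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeystoreConvert {

    /**
     * Copy every entry of src into a fresh, in-memory keystore of dstType.
     * Key entries (private or secret) are unlocked with keyPassword and
     * re-protected with the same password; trusted-certificate entries carry
     * no password in either store. A destination type that cannot hold an
     * entry kind (JKS and secret keys, for instance) makes setEntry throw,
     * so a partial conversion is never silently written.
     */
    public static KeyStore convert(KeyStore src, char[] keyPassword, String dstType)
            throws GeneralSecurityException, IOException {
        KeyStore dst = KeyStore.getInstance(dstType);
        dst.load(null, null);                                   // start from an empty store
        KeyStore.PasswordProtection prot = new KeyStore.PasswordProtection(keyPassword);
        for (Enumeration<String> e = src.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (src.isCertificateEntry(alias)) {
                dst.setEntry(alias, src.getEntry(alias, null), null);   // trust anchor, no password
            } else {
                dst.setEntry(alias, src.getEntry(alias, prot), prot);   // private or secret key
            }
        }
        return dst;
    }

    /** Read a keystore file of one type and write it out as another type. */
    public static void convertFile(File in, String inType, File out, String outType,
                                   char[] storePassword, char[] keyPassword)
            throws GeneralSecurityException, IOException {
        KeyStore src = KeyStore.getInstance(inType);
        InputStream is = new FileInputStream(in);
        try { src.load(is, storePassword); } finally { is.close(); }
        KeyStore dst = convert(src, keyPassword, outType);
        OutputStream os = new FileOutputStream(out);
        try { dst.store(os, storePassword); } finally { os.close(); }
    }

    /**
     * Offline self-check (constructed input): JCEKS -> PKCS12 with a generated
     * AES key, serialised to a byte array and reloaded. Returns true when the
     * key material survives the round trip unchanged.
     */
    public static boolean selfCheck() throws GeneralSecurityException, IOException {
        char[] pw = "changeit".toCharArray();                   // demo password only
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();

        KeyStore src = KeyStore.getInstance("JCEKS");
        src.load(null, null);
        src.setEntry("demo-aes", new KeyStore.SecretKeyEntry(key),
                     new KeyStore.PasswordProtection(pw));

        KeyStore dst = convert(src, pw, "PKCS12");
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        dst.store(buf, pw);                                     // real PKCS12 encoding, not just the object
        KeyStore reloaded = KeyStore.getInstance("PKCS12");
        reloaded.load(new ByteArrayInputStream(buf.toByteArray()), pw);
        SecretKey back = (SecretKey) reloaded.getKey("demo-aes", pw);
        return back != null && Arrays.equals(key.getEncoded(), back.getEncoded());
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 6) {
            // usage: <in> <inType> <out> <outType> <storePassword> <keyPassword>
            convertFile(new File(args[0]), args[1], new File(args[2]), args[3],
                        args[4].toCharArray(), args[5].toCharArray());
            System.out.println("converted " + args[0] + " (" + args[1] + ") -> "
                               + args[2] + " (" + args[3] + ")");
        } else {
            System.out.println("self-check: " + (selfCheck() ? "OK" : "FAILED"));
        }
    }
}
```

Two things to keep in mind when using this on a live Geronimo keystore: the conversion holds the unwrapped private keys in the JVM heap, so run it on the host that owns the keystore rather than copying the file around, and use one password for both the store and its keys when the destination is PKCS12, since keytool itself warns that differing store and key passwords are not supported for that type. The entry-kind limits of the destination type are exactly the compatibility pitfall discussed in this thread: an entry the target JDK's implementation cannot represent surfaces here as a KeyStoreException instead of a server that will not start.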
Re: How to change KeyStore type?

Posted by Vamsavardhana Reddy <c1...@gmail.com>.
Providing a keystoreType attribute does not seem to be a big deal.  But, if
the Keystores portlet has to allow creating all types of keystores, it gets
really messy.  Here is one more observation.
    IBMJDK does not allow storing an empty PKCS12 keystore to disk.

This prevents creating an empty PKCS12 keystore and then adding whichever
keys and certificates the user wants to.

Here is the approach I want to take.
Step 1.  Provide a keystoreType attribute in FileKeystoreInstance.
Step 2.  Update KeyStores portlet to allow creation of all keystore types
that the JDK allows to store an empty keystore to disk.

Step 1 will allow the users to replace a keystore file of one type with that
of another type, change the keystoreType in config.xml and get the server
running.
Step 2 will allow users to manage all keystore types using Keystores portlet
and there is no hard-coding of any keystoreType except for geronimo-default
keystore which is JKS.

Now to some pitfalls.
1. If a keystore type other than JKS is in use, the user may not be able to
switch JDKs for reasons like PKCS12 keystores created using IBMJDK not being
readable using SUNJDK.
2. Though IBMJDK does not allow creating an empty PKCS12 (and a few other
types) keystore as a starting point for managing a PKCS12 keystore, the
users can always add a PKCS12 keystore to var/security/keystores and the
gbean definition to config.xml.  This will make the keystore manageable
through KeyStores portlet as long as the keystore is not empty.

This will require a change in
org.apache.geronimo.management.geronimo.KeystoreManager interface, etc.  I
doubt if we can consider this change for branches\2.0.

Comments?

++Vamsi


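To make the question in Step 2 above concrete ("which keystore types does this JDK allow to store empty to disk?"), here is an added example; it is my code, not Geronimo's and not anything posted in this thread. It walks the installed security providers for every registered KeyStore type, then for each type creates an empty store, serialises it and reloads the bytes, all in memory, so a type that the JDK refuses to store empty (the IBM JDK PKCS12 behaviour described above) is reported as a failure message instead of aborting the run. The class name KeystoreTypeProbe and the password "changeit" are my choices for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

public class KeystoreTypeProbe {

    /** Every KeyStore type registered by the providers installed in this JVM. */
    public static Set<String> supportedKeystoreTypes() {
        Set<String> types = new TreeSet<String>(String.CASE_INSENSITIVE_ORDER);
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("KeyStore".equals(s.getType())) {
                    types.add(s.getAlgorithm());           // e.g. JKS, JCEKS, PKCS12, PKCS11
                }
            }
        }
        return types;
    }

    /**
     * Create an empty store of the given type, serialise it, and reload the bytes.
     * Returns null when all three steps succeed, otherwise the failure reason.
     * Nothing touches the file system; the store only ever lives in a byte array.
     */
    public static String probeEmptyStore(String type, char[] password) {
        try {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(null, password);                          // initialise an empty store
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            ks.store(out, password);                          // the step some JDKs refuse for PKCS12
            KeyStore check = KeyStore.getInstance(type);
            check.load(new ByteArrayInputStream(out.toByteArray()), password);
            if (check.size() != 0) {
                return "reloaded store is not empty";
            }
            return null;
        } catch (Exception e) {                               // hardware/OS-backed types fail here too
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    /** Probe every supported type; a null value means "can be stored empty". */
    public static Map<String, String> probeAll(char[] password) {
        Map<String, String> results = new LinkedHashMap<String, String>();
        for (String type : supportedKeystoreTypes()) {
            results.put(type, probeEmptyStore(type, password));
        }
        return results;
    }

    public static void main(String[] args) {
        char[] password = "changeit".toCharArray();           // demo password, used for the probe only
        for (Map.Entry<String, String> r : probeAll(password).entrySet()) {
            String verdict = r.getValue() == null
                    ? "empty store OK"
                    : "cannot store empty: " + r.getValue();
            System.out.printf("%-14s %s%n", r.getKey(), verdict);
        }
    }
}
```

The result is per JVM, which is the point of pitfall 1 above: a type that passes on one vendor's JDK (or is simply absent from another's provider list) is no guarantee for the JDK the server is later moved to, so a config.xml that names a non-JKS keystoreType should be re-checked with this probe after any JDK switch. Types such as PKCS11 or the Windows-backed stores normally show up as failures here because they need a configured token or OS store rather than a byte array, which is expected and not a sign that the type is unusable.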
RE: How to change KeyStore type?

Posted by "Zakharov, Vasily M" <va...@intel.com>.
Yes, sure, I fully agree.

I've filed GERONIMO-3757 for this issue and now thinking of the patch to
the trunk that would provide the necessary customization - unless any
objections arise.

As for GERONIMO-2015, I think we may close it, as there're objective
reasons (stated there by Vamsavardhana Reddy) not to move from JKS on
Sun.

Vasily


Re: How to change KeyStore type?

Posted by Alexey Petrenko <al...@gmail.com>.
I think we should add PKCS12 to Geronimo.
If we are afraid of possible incompatibilities or incomplete support of JKS
or PKCS12, why not let the user choose which keystore to use?
We can specify the keystore in configs or choose a type from those available on the current VM.

SY, Alexey
