Posted to dev@cloudstack.apache.org by Laszlo Hornyak <la...@gmail.com> on 2013/11/10 15:55:16 UTC

SSL and JCE

Hi Sahmed and list,

I ran into some failing tests this weekend related to the patch
0076307863e9155273d9e4c14282de429388c9e9; apparently Jenkins fails for the
same reason. I did a short investigation and it turned out that in order to
run the tests correctly, one has to download the Sun JCE policy files and
put them in the JDK, replacing the original policies.

Questions:
- Is there a more convenient deployment process? :-) It would be very
useful for the jenkins environment as well.
- I gave it a try and patched the oracle jdk 1.7 with the same plugin, it
did not work. Do you know a way to make it work again with jdk 1.7?

Thank you,
Laszlo

-- 

EOF

Re: SSL and JCE

Posted by Laszlo Hornyak <la...@gmail.com>.
Yes, the _content_ of the jar files is different. It is kind of misleading.


On Tue, Nov 12, 2013 at 4:13 PM, Mike Tutkowski <
mike.tutkowski@solidfire.com> wrote:

> I had the two JAR files in my <JAVA_HOME>/jre/lib/security, as well, and
> the tests were failing. When I replaced them with the ones I downloaded
> from Oracle, the tests passed.
>
>
> On Mon, Nov 11, 2013 at 11:05 PM, Koushik Das <koushik.das@citrix.com
> >wrote:
>
> > I see the JCE extensions in jdk 1.7 as well. They are present under
> > <java_home>/jre/lib/security. But still I see a test failure. Is there
> any
> > other configuration that is required?
> >
> > Running org.apache.cloudstack.network.lb.CertServiceTest
> > Tests run: 2, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 1.456 sec
> > <<< FAILURE!
> >
> > -Koushik
> >
> > On 12-Nov-2013, at 11:19 AM, Prasanna Santhanam <ts...@apache.org>
> >  wrote:
> >
> > > My MacOSX 1.6 jdk seems to have the crypto extensions jce builtin and
> > > the build+test works. JDK 1.7 install does not have them though.
> > >
> > > The JCE kit seems to carry a BCL which is not ASF friendly [1]. But
> > > this being part of the Java install and not the project it should be
> > > okay IMO if we note it in our wiki on building the project.
> > >
> > > As for legal aspects - I found this which might be of some relevance.
> > > http://markmail.org/message/evtkc656gewrkruf
> > >
> > > [1] http://www.apache.org/legal/3party.html#transition-examples
> > >
> > > On Mon, Nov 11, 2013 at 10:45:12PM +0100, Laszlo Hornyak wrote:
> > >> Hi,
> > >>
> > >> That is a good question, I do not know for sure, but this package
> needs
> > to
> > >> be signed by oracle, it is not redistributable and has territorial
> import
> > >> restrictions, so it could be problematic :-( I hope it is not. Guys,
> can
> > >> someone help us here?
> > >>
> > >>
> > >> On Mon, Nov 11, 2013 at 10:21 PM, Syed Ahmed <sa...@cloudops.com>
> > wrote:
> > >>
> > >>> Hi Laszlo,
> > >>>
> > >>> The CertService uses BouncyCastle for certificate parsing and
> > validation.
> > >>> The JCE extension provides the API for using BouncyCastle as the
> > provider.
> > >>> So, JCE is required. I know that BouncyCastle is added in CS. Would
> it
> > be
> > >>> possible to add JCE as a dependency too?
> > >>>
> > >>> Thanks,
> > >>> -Syed
> > >>>
> > >>>
> > >>> On 13-11-10 09:55 AM, Laszlo Hornyak wrote:
> > >>>
> > >>>> Hi Sahmed and list,
> > >>>>
> > >>>> I ran into some failing tests this weekend related to the patch
> > >>>> 0076307863e9155273d9e4c14282de429388c9e9 apparently jenkins fails
> for
> > >>>> the same reason. I did a short investigation and it turned out that
> in
> > >>>> order to run the tests correctly, one has to download the sun jce
> > policy
> > >>>> files and put it in the jdk replacing the original policies.
> > >>>>
> > >>>> Questions:
> > >>>> - Is there a more convenient deployment process? :-) It would be
> very
> > >>>> useful for the jenkins environment as well.
> > >>>> - I gave it a try and patched the oracle jdk 1.7 with the same
> > plugin, it
> > >>>> did not work. Do you know a way to make it work again with jdk 1.7?
> > >>>>
> > >>>> Thank you,
> > >>>> Laszlo
> > >>>>
> > >>>> --
> > >>>>
> > >>>> EOF
> > >>>>
> > >>>
> > >>>
> > >>
> > >>
> > >> --
> > >>
> > >> EOF
> > >
> > > --
> > > Prasanna.,
> > >
> > > ------------------------
> > > Powered by BigRock.com
> > >
> >
> >
>
>
> --
> *Mike Tutkowski*
> *Senior CloudStack Developer, SolidFire Inc.*
> e: mike.tutkowski@solidfire.com
> o: 303.746.7302
> Advancing the way the world uses the
> cloud<http://solidfire.com/solution/overview/?video=play>
> *™*
>



-- 

EOF

Re: SSL and JCE

Posted by Mike Tutkowski <mi...@solidfire.com>.
I had the two JAR files in my <JAVA_HOME>/jre/lib/security, as well, and
the tests were failing. When I replaced them with the ones I downloaded
from Oracle, the tests passed.


On Mon, Nov 11, 2013 at 11:05 PM, Koushik Das <ko...@citrix.com>wrote:

> I see the JCE extensions in jdk 1.7 as well. They are present under
> <java_home>/jre/lib/security. But still I see a test failure. Is there any
> other configuration that is required?
>
> Running org.apache.cloudstack.network.lb.CertServiceTest
> Tests run: 2, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 1.456 sec
> <<< FAILURE!
>
> -Koushik
>
> On 12-Nov-2013, at 11:19 AM, Prasanna Santhanam <ts...@apache.org>
>  wrote:
>
> > My MacOSX 1.6 jdk seems to have the crypto extensions jce builtin and
> > the build+test works. JDK 1.7 install does not have them though.
> >
> > The JCE kit seems to carry a BCL which is not ASF friendly [1]. But
> > this being part of the Java install and not the project it should be
> > okay IMO if we note it in our wiki on building the project.
> >
> > As for legal aspects - I found this which might be of some relevance.
> > http://markmail.org/message/evtkc656gewrkruf
> >
> > [1] http://www.apache.org/legal/3party.html#transition-examples
> >
> > On Mon, Nov 11, 2013 at 10:45:12PM +0100, Laszlo Hornyak wrote:
> >> Hi,
> >>
> >> That is a good question, I do not know for sure, but this package needs
> to
> >> be signed by oracle, it is not redistributable and has territorial import
> >> restrictions, so it could be problematic :-( I hope it is not. Guys, can
> >> someone help us here?
> >>
> >>
> >> On Mon, Nov 11, 2013 at 10:21 PM, Syed Ahmed <sa...@cloudops.com>
> wrote:
> >>
> >>> Hi Laszlo,
> >>>
> >>> The CertService uses BouncyCastle for certificate parsing and
> validation.
> >>> The JCE extension provides the API for using BouncyCastle as the
> provider.
> >>> So, JCE is required. I know that BouncyCastle is added in CS. Would it
> be
> >>> possible to add JCE as a dependency too?
> >>>
> >>> Thanks,
> >>> -Syed
> >>>
> >>>
> >>> On 13-11-10 09:55 AM, Laszlo Hornyak wrote:
> >>>
> >>>> Hi Sahmed and list,
> >>>>
> >>>> I ran into some failing tests this weekend related to the patch
> >>>> 0076307863e9155273d9e4c14282de429388c9e9 apparently jenkins fails for
> >>>> the same reason. I did a short investigation and it turned out that in
> >>>> order to run the tests correctly, one has to download the sun jce
> policy
> >>>> files and put it in the jdk replacing the original policies.
> >>>>
> >>>> Questions:
> >>>> - Is there a more convenient deployment process? :-) It would be very
> >>>> useful for the jenkins environment as well.
> >>>> - I gave it a try and patched the oracle jdk 1.7 with the same
> plugin, it
> >>>> did not work. Do you know a way to make it work again with jdk 1.7?
> >>>>
> >>>> Thank you,
> >>>> Laszlo
> >>>>
> >>>> --
> >>>>
> >>>> EOF
> >>>>
> >>>
> >>>
> >>
> >>
> >> --
> >>
> >> EOF
> >
> > --
> > Prasanna.,
> >
> > ------------------------
> > Powered by BigRock.com
> >
>
>


-- 
*Mike Tutkowski*
*Senior CloudStack Developer, SolidFire Inc.*
e: mike.tutkowski@solidfire.com
o: 303.746.7302
Advancing the way the world uses the
cloud<http://solidfire.com/solution/overview/?video=play>
*™*

Re: SSL and JCE

Posted by Laszlo Hornyak <la...@gmail.com>.
OpenJDK 6: working ok
OpenJDK 7: working ok
Oracle JDK 6: JCE install required
Oracle JDK 7: ?  - did those jce policy files work for anyone in oracle jdk
1.7?

I believe it is not really user-friendly, but acceptable both from legal
(not a lawyer) and usability perspective if we tell the system
administrator that if he/she is using Oracle JDK AND wants to use encryption
with more than X (128 afaik - not much) bit encryption, then it will
require the Oracle JCE policies installed in the JDK. It is true that JCE
policies are not redistributable, but the same is true for Oracle JDK.
These are not distributed with ACS and are part of the java runtime
environment.
Anyway, this should be clearly documented in the product documentation.

Tests: I am just testing a patch that detects the JDK vendor as much as
possible and it skips the tests if the environment is not OpenJDK. It can
be overridden by build parameters. I will need some feedback on this since
I do not have all java versions on my laptop and I could not test with all
possible scenarios.

Thank you,
Laszlo

On Tue, Nov 12, 2013 at 3:17 PM, Chip Childers <ch...@apache.org>wrote:

> IMO - having this as a requirement for a build is a bit of an issue.
> First, we can't distribute it (obviously).  Second, it's a bit of an
> esoteric requirement if you are using a JDK that doesn't include it
> automatically.  This will lead to confusion.
>
> Is there a way that we can re-work the tests to accomplish a similar (or
> close-enough) goal without this added dependency?
>
> -chip
>
> On Tue, Nov 12, 2013 at 08:23:10AM +0100, Laszlo Hornyak wrote:
> > It seems OpenJDK 6 and 7 are ok. Oracle jdk 6 needs JCE, oracle jdk 7 may
> > need another extension (the JCE for jdk6 did not work for me).
> > I would recommend that we @Ignore the failing tests, add some assumption
> or
> > move them to a special test group which is not executed by default.
> >
> >
> > On Tue, Nov 12, 2013 at 7:28 AM, Koushik Das <ko...@citrix.com>
> wrote:
> >
> > > The following tests are failing in my environment even with the JCE
> > > extensions.
> > >
> > >         /* Test7: If no chain is given, the certificate should be self
> > > signed. Else, uploadShould Fail */
> > >         runUploadSslCertNoChain();
> > >
> > >         /* Test8: Chain is given but does not have root certificate */
> > >         runUploadSslCertNoRootCert();
> > >
> > >         /* Test9: The chain given is not the correct chain for the
> > > certificate */
> > >         runUploadSslCertBadChain();
> > >
> > >         /* Test12: Given a certificate signed by a CA and a valid CA
> > > chain, upload should succeed */
> > >         runUploadSslCertWithCAChain();
> > >
> > >
> > >
> > >
> > > On 12-Nov-2013, at 11:35 AM, Koushik Das <ko...@citrix.com>
> wrote:
> > >
> > > > I see the JCE extensions in jdk 1.7 as well. They are present under
> > > <java_home>/jre/lib/security. But still I see a test failure. Is there
> any
> > > other configuration that is required?
> > > >
> > > > Running org.apache.cloudstack.network.lb.CertServiceTest
> > > > Tests run: 2, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 1.456
> > > sec <<< FAILURE!
> > > >
> > > > -Koushik
> > > >
> > > > On 12-Nov-2013, at 11:19 AM, Prasanna Santhanam <ts...@apache.org>
> > > > wrote:
> > > >
> > > >> My MacOSX 1.6 jdk seems to have the crypto extensions jce builtin
> and
> > > >> the build+test works. JDK 1.7 install does not have them though.
> > > >>
> > > >> The JCE kit seems to carry a BCL which is not ASF friendly [1]. But
> > > >> this being part of the Java install and not the project it should be
> > > >> okay IMO if we note it in our wiki on building the project.
> > > >>
> > > >> As for legal aspects - I found this which might be of some
> relevance.
> > > >> http://markmail.org/message/evtkc656gewrkruf
> > > >>
> > > >> [1] http://www.apache.org/legal/3party.html#transition-examples
> > > >>
> > > >> On Mon, Nov 11, 2013 at 10:45:12PM +0100, Laszlo Hornyak wrote:
> > > >>> Hi,
> > > >>>
> > > >>> That is a good question, I do not know for sure, but this package
> > > needs to
> > > >>> be signed by oracle, it is not redistributable and has territorial
> > > import
> > > >>> restrictions, so it could be problematic :-( I hope it is not.
> Guys,
> > > can
> > > >>> someone help us here?
> > > >>>
> > > >>>
> > > >>> On Mon, Nov 11, 2013 at 10:21 PM, Syed Ahmed <sa...@cloudops.com>
> > > wrote:
> > > >>>
> > > >>>> Hi Laszlo,
> > > >>>>
> > > >>>> The CertService uses BouncyCastle for certificate parsing and
> > > validation.
> > > >>>> The JCE extension provides the API for using BouncyCastle as the
> > > provider.
> > > >>>> So, JCE is required. I know that BouncyCastle is added in CS.
> Would
> > > it be
> > > >>>> possible to add JCE as a dependency too?
> > > >>>>
> > > >>>> Thanks,
> > > >>>> -Syed
> > > >>>>
> > > >>>>
> > > >>>> On 13-11-10 09:55 AM, Laszlo Hornyak wrote:
> > > >>>>
> > > >>>>> Hi Sahmed and list,
> > > >>>>>
> > > >>>>> I ran into some failing tests this weekend related to the patch
> > > >>>>> 0076307863e9155273d9e4c14282de429388c9e9 apparently jenkins
> fails for
> > > >>>>> the same reason. I did a short investigation and it turned out
> that
> > > in
> > > >>>>> order to run the tests correctly, one has to download the sun jce
> > > policy
> > > >>>>> files and put it in the jdk replacing the original policies.
> > > >>>>>
> > > >>>>> Questions:
> > > >>>>> - Is there a more convenient deployment process? :-) It would be
> very
> > > >>>>> useful for the jenkins environment as well.
> > > >>>>> - I gave it a try and patched the oracle jdk 1.7 with the same
> > > plugin, it
> > > >>>>> did not work. Do you know a way to make it work again with jdk
> 1.7?
> > > >>>>>
> > > >>>>> Thank you,
> > > >>>>> Laszlo
> > > >>>>>
> > > >>>>> --
> > > >>>>>
> > > >>>>> EOF
> > > >>>>>
> > > >>>>
> > > >>>>
> > > >>>
> > > >>>
> > > >>> --
> > > >>>
> > > >>> EOF
> > > >>
> > > >> --
> > > >> Prasanna.,
> > > >>
> > > >> ------------------------
> > > >> Powered by BigRock.com
> > > >>
> > > >
> > >
> > >
> >
> >
> > --
> >
> > EOF
>



-- 

EOF
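
Added example, not part of the original thread and not CloudStack code: the thread notes that the policy JAR files are present under jre/lib/security either way and only their content differs, so a build can probe what the running JVM actually permits instead of inferring it from the JDK vendor. The class name JcePolicyCheck and its methods are hypothetical; only standard javax.crypto calls are used.

```java
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical helper (an assumption for illustration, not project code):
 * reports the JCE jurisdiction policy that is effective in the running JVM.
 */
public final class JcePolicyCheck {

    private JcePolicyCheck() { }

    /**
     * Largest AES key size, in bits, that the installed policy allows.
     * Integer.MAX_VALUE means the unlimited-strength policy is active;
     * 128 is the value reported under the restricted policy.
     */
    public static int maxAesKeyBits() {
        try {
            return Cipher.getMaxAllowedKeyLength("AES");
        } catch (NoSuchAlgorithmException e) {
            return 0; // no AES provider at all: treat as "nothing allowed"
        }
    }

    /**
     * Confirms the reported limit by initialising an AES-256 cipher.
     * Under the restricted policy init() throws InvalidKeyException
     * ("Illegal key size"), which is a GeneralSecurityException.
     */
    public static boolean canUseAes256() {
        try {
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            // All-zero key and IV are a probe only; nothing is encrypted with them.
            cipher.init(Cipher.ENCRYPT_MODE,
                    new SecretKeySpec(new byte[32], "AES"),
                    new IvParameterSpec(new byte[16]));
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    /** One-line summary suitable for a build log or a startup log message. */
    public static String describe() {
        int bits = maxAesKeyBits();
        String limit = (bits == Integer.MAX_VALUE) ? "unlimited" : bits + " bits";
        return "java.vendor=" + System.getProperty("java.vendor")
                + ", java.version=" + System.getProperty("java.version")
                + ", max AES key=" + limit
                + ", AES-256 usable=" + canUseAes256();
    }

    /** Exit status 0 when strong keys are usable, 1 when the policy is restricted. */
    public static void main(String[] args) {
        System.out.println(describe());
        System.exit(canUseAes256() ? 0 : 1);
    }
}
```

Run on a build node before the test phase, a non-zero exit status shows the JVM is still on the restricted policy regardless of which files are in the security directory. In a JUnit 4 test the same boolean can be passed to Assume.assumeTrue so an affected test is reported as skipped rather than failed.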

Re: SSL and JCE

Posted by Syed Ahmed <sa...@cloudops.com>.
The tests don't do anything fancy with encryption. They just create a 
command object and pass it to the certificate service which does 
certificate validation. If the tests are failing because of a JCE 
dependency, the management server should also fail when those commands 
are sent over the API. So @ignore should make the build succeed but the 
functionality may not work.

Thanks,
-Syed

On 13-11-12 09:17 AM, Chip Childers wrote:
> IMO - having this as a requirement for a build is a bit of an issue.
> First, we can't distribute it (obviously).  Second, it's a bit of an
> esoteric requirement if you are using a JDK that doesn't include it
> automatically.  This will lead to confusion.
>
> Is there a way that we can re-work the tests to accomplish a similar (or
> close-enough) goal without this added dependency?
>
> -chip
>
> On Tue, Nov 12, 2013 at 08:23:10AM +0100, Laszlo Hornyak wrote:
>> It seems OpenJDK 6 and 7 are ok. Oracle jdk 6 needs JCE, oracle jdk 7 may
>> need another extension (the JCE for jdk6 did not work for me).
>> I would recommend that we @Ignore the failing tests, add some assumption or
>> move them to a special test group which is not executed by default.
>>
>>
>> On Tue, Nov 12, 2013 at 7:28 AM, Koushik Das <ko...@citrix.com> wrote:
>>
>>> The following tests are failing in my environment even with the JCE
>>> extensions.
>>>
>>>          /* Test7: If no chain is given, the certificate should be self
>>> signed. Else, uploadShould Fail */
>>>          runUploadSslCertNoChain();
>>>
>>>          /* Test8: Chain is given but does not have root certificate */
>>>          runUploadSslCertNoRootCert();
>>>
>>>          /* Test9: The chain given is not the correct chain for the
>>> certificate */
>>>          runUploadSslCertBadChain();
>>>
>>>          /* Test12: Given a certificate signed by a CA and a valid CA
>>> chain, upload should succeed */
>>>          runUploadSslCertWithCAChain();
>>>
>>>
>>>
>>>
>>> On 12-Nov-2013, at 11:35 AM, Koushik Das <ko...@citrix.com> wrote:
>>>
>>>> I see the JCE extensions in jdk 1.7 as well. They are present under
>>> <java_home>/jre/lib/security. But still I see a test failure. Is there any
>>> other configuration that is required?
>>>> Running org.apache.cloudstack.network.lb.CertServiceTest
>>>> Tests run: 2, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 1.456
>>> sec <<< FAILURE!
>>>> -Koushik
>>>>
>>>> On 12-Nov-2013, at 11:19 AM, Prasanna Santhanam <ts...@apache.org>
>>>> wrote:
>>>>
>>>>> My MacOSX 1.6 jdk seems to have the crypto extensions jce builtin and
>>>>> the build+test works. JDK 1.7 install does not have them though.
>>>>>
>>>>> The JCE kit seems to carry a BCL which is not ASF friendly [1]. But
>>>>> this being part of the Java install and not the project it should be
>>>>> okay IMO if we note it in our wiki on building the project.
>>>>>
>>>>> As for legal aspects - I found this which might be of some relevance.
>>>>> http://markmail.org/message/evtkc656gewrkruf
>>>>>
>>>>> [1] http://www.apache.org/legal/3party.html#transition-examples
>>>>>
>>>>> On Mon, Nov 11, 2013 at 10:45:12PM +0100, Laszlo Hornyak wrote:
>>>>>> Hi,
>>>>>>
>>>>>> That is a good question, I do not know for sure, but this package
>>> needs to
>>>>>> be signed by oracle, it is not redistributable and has territorial
>>> import
>>>>>> restrictions, so it could be problematic :-( I hope it is not. Guys,
>>> can
>>>>>> someone help us here?
>>>>>>
>>>>>>
>>>>>> On Mon, Nov 11, 2013 at 10:21 PM, Syed Ahmed <sa...@cloudops.com>
>>> wrote:
>>>>>>> Hi Laszlo,
>>>>>>>
>>>>>>> The CertService uses BouncyCastle for certificate parsing and
>>> validation.
>>>>>>> The JCE extension provides the API for using BouncyCastle as the
>>> provider.
>>>>>>> So, JCE is required. I know that BouncyCastle is added in CS. Would
>>> it be
>>>>>>> possible to add JCE as a dependency too?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> -Syed
>>>>>>>
>>>>>>>
>>>>>>> On 13-11-10 09:55 AM, Laszlo Hornyak wrote:
>>>>>>>
>>>>>>>> Hi Sahmed and list,
>>>>>>>>
>>>>>>>> I ran into some failing tests this weekend related to the patch
>>>>>>>> 0076307863e9155273d9e4c14282de429388c9e9 apparently jenkins fails for
>>>>>>>> the same reason. I did a short investigation and it turned out that
>>> in
>>>>>>>> order to run the tests correctly, one has to download the sun jce
>>> policy
>>>>>>>> files and put it in the jdk replacing the original policies.
>>>>>>>>
>>>>>>>> Questions:
>>>>>>>> - Is there a more convenient deployment process? :-) It would be very
>>>>>>>> useful for the jenkins environment as well.
>>>>>>>> - I gave it a try and patched the oracle jdk 1.7 with the same
>>> plugin, it
>>>>>>>> did not work. Do you know a way to make it work again with jdk 1.7?
>>>>>>>>
>>>>>>>> Thank you,
>>>>>>>> Laszlo
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> EOF
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> EOF
>>>>> --
>>>>> Prasanna.,
>>>>>
>>>>> ------------------------
>>>>> Powered by BigRock.com
>>>>>
>>>
>>
>> -- 
>>
>> EOF


Re: SSL and JCE

Posted by Chip Childers <ch...@apache.org>.
IMO - having this as a requirement for a build is a bit of an issue.
First, we can't distribute it (obviously).  Second, it's a bit of an
esoteric requirement if you are using a JDK that doesn't include it
automatically.  This will lead to confusion.

Is there a way that we can re-work the tests to accomplish a similar (or
close-enough) goal without this added dependency?

-chip

On Tue, Nov 12, 2013 at 08:23:10AM +0100, Laszlo Hornyak wrote:
> It seems OpenJDK 6 and 7 are ok. Oracle jdk 6 needs JCE, oracle jdk 7 may
> need another extension (the JCE for jdk6 did not work for me).
> I would recommend that we @Ignore the failing tests, add some assumption or
> move them to a special test group which is not executed by default.
> 
> 
> On Tue, Nov 12, 2013 at 7:28 AM, Koushik Das <ko...@citrix.com> wrote:
> 
> > The following tests are failing in my environment even with the JCE
> > extensions.
> >
> >         /* Test7: If no chain is given, the certificate should be self
> > signed. Else, uploadShould Fail */
> >         runUploadSslCertNoChain();
> >
> >         /* Test8: Chain is given but does not have root certificate */
> >         runUploadSslCertNoRootCert();
> >
> >         /* Test9: The chain given is not the correct chain for the
> > certificate */
> >         runUploadSslCertBadChain();
> >
> >         /* Test12: Given a certificate signed by a CA and a valid CA
> > chain, upload should succeed */
> >         runUploadSslCertWithCAChain();
> >
> >
> >
> >
> > On 12-Nov-2013, at 11:35 AM, Koushik Das <ko...@citrix.com> wrote:
> >
> > > I see the JCE extensions in jdk 1.7 as well. They are present under
> > <java_home>/jre/lib/security. But still I see a test failure. Is there any
> > other configuration that is required?
> > >
> > > Running org.apache.cloudstack.network.lb.CertServiceTest
> > > Tests run: 2, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 1.456
> > sec <<< FAILURE!
> > >
> > > -Koushik
> > >
> > > On 12-Nov-2013, at 11:19 AM, Prasanna Santhanam <ts...@apache.org>
> > > wrote:
> > >
> > >> My MacOSX 1.6 jdk seems to have the crypto extensions jce builtin and
> > >> the build+test works. JDK 1.7 install does not have them though.
> > >>
> > >> The JCE kit seems to carry a BCL which is not ASF friendly [1]. But
> > >> this being part of the Java install and not the project it should be
> > >> okay IMO if we note it in our wiki on building the project.
> > >>
> > >> As for legal aspects - I found this which might be of some relevance.
> > >> http://markmail.org/message/evtkc656gewrkruf
> > >>
> > >> [1] http://www.apache.org/legal/3party.html#transition-examples
> > >>
> > >> On Mon, Nov 11, 2013 at 10:45:12PM +0100, Laszlo Hornyak wrote:
> > >>> Hi,
> > >>>
> > >>> That is a good question, I do not know for sure, but this package
> > needs to
> > >>> be signed by oracle, it is not redistributable and has territorial
> > import
> > >>> restrictions, so it could be problematic :-( I hope it is not. Guys,
> > can
> > >>> someone help us here?
> > >>>
> > >>>
> > >>> On Mon, Nov 11, 2013 at 10:21 PM, Syed Ahmed <sa...@cloudops.com>
> > wrote:
> > >>>
> > >>>> Hi Laszlo,
> > >>>>
> > >>>> The CertService uses BouncyCastle for certificate parsing and
> > validation.
> > >>>> The JCE extension provides the API for using BouncyCastle as the
> > provider.
> > >>>> So, JCE is required. I know that BouncyCastle is added in CS. Would
> > it be
> > >>>> possible to add JCE as a dependency too?
> > >>>>
> > >>>> Thanks,
> > >>>> -Syed
> > >>>>
> > >>>>
> > >>>> On 13-11-10 09:55 AM, Laszlo Hornyak wrote:
> > >>>>
> > >>>>> Hi Sahmed and list,
> > >>>>>
> > >>>>> I ran into some failing tests this weekend related to the patch
> > >>>>> 0076307863e9155273d9e4c14282de429388c9e9 apparently jenkins fails for
> > >>>>> the same reason. I did a short investigation and it turned out that
> > in
> > >>>>> order to run the tests correctly, one has to download the sun jce
> > policy
> > >>>>> files and put it in the jdk replacing the original policies.
> > >>>>>
> > >>>>> Questions:
> > >>>>> - Is there a more convenient deployment process? :-) It would be very
> > >>>>> useful for the jenkins environment as well.
> > >>>>> - I gave it a try and patched the oracle jdk 1.7 with the same
> > plugin, it
> > >>>>> did not work. Do you know a way to make it work again with jdk 1.7?
> > >>>>>
> > >>>>> Thank you,
> > >>>>> Laszlo
> > >>>>>
> > >>>>> --
> > >>>>>
> > >>>>> EOF
> > >>>>>
> > >>>>
> > >>>>
> > >>>
> > >>>
> > >>> --
> > >>>
> > >>> EOF
> > >>
> > >> --
> > >> Prasanna.,
> > >>
> > >> ------------------------
> > >> Powered by BigRock.com
> > >>
> > >
> >
> >
> 
> 
> -- 
> 
> EOF

Re: SSL and JCE

Posted by Laszlo Hornyak <la...@gmail.com>.
It seems OpenJDK 6 and 7 are ok. Oracle jdk 6 needs JCE, oracle jdk 7 may
need another extension (the JCE for jdk6 did not work for me).
I would recommend that we @Ignore the failing tests, add some assumption or
move them to a special test group which is not executed by default.


On Tue, Nov 12, 2013 at 7:28 AM, Koushik Das <ko...@citrix.com> wrote:

> The following tests are failing in my environment even with the JCE
> extensions.
>
>         /* Test7: If no chain is given, the certificate should be self
> signed. Else, uploadShould Fail */
>         runUploadSslCertNoChain();
>
>         /* Test8: Chain is given but does not have root certificate */
>         runUploadSslCertNoRootCert();
>
>         /* Test9: The chain given is not the correct chain for the
> certificate */
>         runUploadSslCertBadChain();
>
>         /* Test12: Given a certificate signed by a CA and a valid CA
> chain, upload should succeed */
>         runUploadSslCertWithCAChain();
>
>
>
>
> On 12-Nov-2013, at 11:35 AM, Koushik Das <ko...@citrix.com> wrote:
>
> > I see the JCE extensions in jdk 1.7 as well. They are present under
> <java_home>/jre/lib/security. But still I see a test failure. Is there any
> other configuration that is required?
> >
> > Running org.apache.cloudstack.network.lb.CertServiceTest
> > Tests run: 2, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 1.456
> sec <<< FAILURE!
> >
> > -Koushik
> >
> > On 12-Nov-2013, at 11:19 AM, Prasanna Santhanam <ts...@apache.org>
> > wrote:
> >
> >> My MacOSX 1.6 jdk seems to have the crypto extensions jce builtin and
> >> the build+test works. JDK 1.7 install does not have them though.
> >>
> >> The JCE kit seems to carry a BCL which is not ASF friendly [1]. But
> >> this being part of the Java install and not the project it should be
> >> okay IMO if we note it in our wiki on building the project.
> >>
> >> As for legal aspects - I found this which might be of some relevance.
> >> http://markmail.org/message/evtkc656gewrkruf
> >>
> >> [1] http://www.apache.org/legal/3party.html#transition-examples
> >>
> >> On Mon, Nov 11, 2013 at 10:45:12PM +0100, Laszlo Hornyak wrote:
> >>> Hi,
> >>>
> >>> That is a good question, I do not know for sure, but this package
> needs to
> >>> be signed by oracle, it is not redistributable and has territorial
> import
> >>> restrictions, so it could be problematic :-( I hope it is not. Guys,
> can
> >>> someone help us here?
> >>>
> >>>
> >>> On Mon, Nov 11, 2013 at 10:21 PM, Syed Ahmed <sa...@cloudops.com>
> wrote:
> >>>
> >>>> Hi Laszlo,
> >>>>
> >>>> The CertService uses BouncyCastle for certificate parsing and
> validation.
> >>>> The JCE extension provides the API for using BouncyCastle as the
> provider.
> >>>> So, JCE is required. I know that BouncyCastle is added in CS. Would
> it be
> >>>> possible to add JCE as a dependency too?
> >>>>
> >>>> Thanks,
> >>>> -Syed
> >>>>
> >>>>
> >>>> On 13-11-10 09:55 AM, Laszlo Hornyak wrote:
> >>>>
> >>>>> Hi Sahmed and list,
> >>>>>
> >>>>> I ran into some failing tests this weekend related to the patch
> >>>>> 0076307863e9155273d9e4c14282de429388c9e9 apparently jenkins fails for
> >>>>> the same reason. I did a short investigation and it turned out that
> in
> >>>>> order to run the tests correctly, one has to download the sun jce
> policy
> >>>>> files and put it in the jdk replacing the original policies.
> >>>>>
> >>>>> Questions:
> >>>>> - Is there a more convenient deployment process? :-) It would be very
> >>>>> useful for the jenkins environment as well.
> >>>>> - I gave it a try and patched the oracle jdk 1.7 with the same
> plugin, it
> >>>>> did not work. Do you know a way to make it work again with jdk 1.7?
> >>>>>
> >>>>> Thank you,
> >>>>> Laszlo
> >>>>>
> >>>>> --
> >>>>>
> >>>>> EOF
> >>>>>
> >>>>
> >>>>
> >>>
> >>>
> >>> --
> >>>
> >>> EOF
> >>
> >> --
> >> Prasanna.,
> >>
> >> ------------------------
> >> Powered by BigRock.com
> >>
> >
>
>


-- 

EOF

Re: SSL and JCE

Posted by Koushik Das <ko...@citrix.com>.
The following tests are failing in my environment even with the JCE extensions.

        /* Test7: If no chain is given, the certificate should be self signed. Else, upload should fail */
        runUploadSslCertNoChain();

        /* Test8: Chain is given but does not have root certificate */
        runUploadSslCertNoRootCert();

        /* Test9: The chain given is not the correct chain for the certificate */
        runUploadSslCertBadChain();

        /* Test12: Given a certificate signed by a CA and a valid CA chain, upload should succeed */
        runUploadSslCertWithCAChain();




On 12-Nov-2013, at 11:35 AM, Koushik Das <ko...@citrix.com> wrote:

> I see the JCE extensions in jdk 1.7 as well. They are present under <java_home>/jre/lib/security. But still I see a test failure. Is there any other configuration that is required?
> 
> Running org.apache.cloudstack.network.lb.CertServiceTest
> Tests run: 2, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 1.456 sec <<< FAILURE!
> 
> -Koushik
> 
> On 12-Nov-2013, at 11:19 AM, Prasanna Santhanam <ts...@apache.org>
> wrote:
> 
>> My MacOSX 1.6 jdk seems to have the crypto extensions jce builtin and
>> the build+test works. JDK 1.7 install does not have them though.
>> 
>> The JCE kit seems to carry a BCL which is not ASF friendly [1]. But
>> this being part of the Java install and not the project it should be
>> okay IMO if we note it in our wiki on building the project.
>> 
>> As for legal aspects - I found this which might be of some relevance.  
>> http://markmail.org/message/evtkc656gewrkruf
>> 
>> [1] http://www.apache.org/legal/3party.html#transition-examples
>> 
>> On Mon, Nov 11, 2013 at 10:45:12PM +0100, Laszlo Hornyak wrote:
>>> Hi,
>>> 
>>> That is a good question, I do not know for sure, but this package needs to
>>> be signed by oracle, it is not redistributable and has territorial import
>>> restrictions, so it could be problematic :-( I hope it is not. Guys, can
>>> someone help us here?
>>> 
>>> 
>>> On Mon, Nov 11, 2013 at 10:21 PM, Syed Ahmed <sa...@cloudops.com> wrote:
>>> 
>>>> Hi Laszlo,
>>>> 
>>>> The CertService uses BouncyCastle for certificate parsing and validation.
>>>> The JCE extension provides the API for using BouncyCastle as the provider.
>>>> So, JCE is required. I know that BouncyCastle is added in CS. Would it be
>>>> possible to add JCE as a dependency too?
>>>> 
>>>> Thanks,
>>>> -Syed
>>>> 
>>>> 
>>>> On 13-11-10 09:55 AM, Laszlo Hornyak wrote:
>>>> 
>>>>> Hi Sahmed and list,
>>>>> 
>>>>> I ran into some failing tests this weekend related to the patch
>>>>> 0076307863e9155273d9e4c14282de429388c9e9 apparently jenkins fails for
>>>>> the same reason. I did a short investigation and it turned out that in
>>>>> order to run the tests correctly, one has to download the sun jce policy
>>>>> files and put it in the jdk replacing the original policies.
>>>>> 
>>>>> Questions:
>>>>> - Is there a more convenient deployment process? :-) It would be very
>>>>> useful for the jenkins environment as well.
>>>>> - I gave it a try and patched the oracle jdk 1.7 with the same plugin, it
>>>>> did not work. Do you know a way to make it work again with jdk 1.7?
>>>>> 
>>>>> Thank you,
>>>>> Laszlo
>>>>> 
>>>>> --
>>>>> 
>>>>> EOF
>>>>> 
>>>> 
>>>> 
>>> 
>>> 
>>> -- 
>>> 
>>> EOF
>> 
>> -- 
>> Prasanna.,
>> 
>> ------------------------
>> Powered by BigRock.com
>> 
> 


Re: SSL and JCE

Posted by Koushik Das <ko...@citrix.com>.
I see the JCE extensions in jdk 1.7 as well. They are present under <java_home>/jre/lib/security. But still I see a test failure. Is there any other configuration that is required?

Running org.apache.cloudstack.network.lb.CertServiceTest
Tests run: 2, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 1.456 sec <<< FAILURE!

-Koushik

On 12-Nov-2013, at 11:19 AM, Prasanna Santhanam <ts...@apache.org>
 wrote:

> My MacOSX 1.6 jdk seems to have the crypto extensions jce builtin and
> the build+test works. JDK 1.7 install does not have them though.
> 
> The JCE kit seems to carry a BCL which is not ASF friendly [1]. But
> this being part of the Java install and not the project it should be
> okay IMO if we note it in our wiki on building the project.
> 
> As for legal aspects - I found this which might be of some relevance.  
> http://markmail.org/message/evtkc656gewrkruf
> 
> [1] http://www.apache.org/legal/3party.html#transition-examples
> 
> On Mon, Nov 11, 2013 at 10:45:12PM +0100, Laszlo Hornyak wrote:
>> Hi,
>> 
>> That is a good question, I do not know for sure, but this package needs to
>> be signed by oracle, it is not redistributable and has territorial import
>> restrictions, so it could be problematic :-( I hope it is not. Guys, can
>> someone help us here?
>> 
>> 
>> On Mon, Nov 11, 2013 at 10:21 PM, Syed Ahmed <sa...@cloudops.com> wrote:
>> 
>>> Hi Laszlo,
>>> 
>>> The CertService uses BouncyCastle for certificate parsing and validation.
>>> The JCE extension provides the API for using BouncyCastle as the provider.
>>> So, JCE is required. I know that BouncyCastle is added in CS. Would it be
>>> possible to add JCE as a dependency too?
>>> 
>>> Thanks,
>>> -Syed
>>> 
>>> 
>>> On 13-11-10 09:55 AM, Laszlo Hornyak wrote:
>>> 
>>>> Hi Sahmed and list,
>>>> 
>>>> I ran into some failing tests this weekend related to the patch
>>>> 0076307863e9155273d9e4c14282de429388c9e9 apparently jenkins fails for
>>>> the same reason. I did a short investigation and it turned out that in
>>>> order to run the tests correctly, one has to download the sun jce policy
>>>> files and put it in the jdk replacing the original policies.
>>>> 
>>>> Questions:
>>>> - Is there a more convenient deployment process? :-) It would be very
>>>> useful for the jenkins environment as well.
>>>> - I gave it a try and patched the oracle jdk 1.7 with the same plugin, it
>>>> did not work. Do you know a way to make it work again with jdk 1.7?
>>>> 
>>>> Thank you,
>>>> Laszlo
>>>> 
>>>> --
>>>> 
>>>> EOF
>>>> 
>>> 
>>> 
>> 
>> 
>> -- 
>> 
>> EOF
> 
> -- 
> Prasanna.,
> 
> ------------------------
> Powered by BigRock.com
> 
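
A way to tell which JCE jurisdiction policy the JRE running the tests actually enforces, since the policy jars can be present under <java_home>/jre/lib/security and still be the restricted versions. This is an added example, not part of the original messages and not CloudStack code; the class name JcePolicyCheck and the all-zero probe key are assumptions made for illustration, and only JDK classes are used.

```java
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.SecretKeySpec;

/** Added diagnostic (hypothetical class name): reports the JCE policy in effect. */
public class JcePolicyCheck {

    /** True when the active policy places no 128-bit cap on AES keys. */
    static boolean unlimitedPolicyActive() throws NoSuchAlgorithmException {
        // Restricted policy files cap AES at 128 bits; unlimited ones
        // make this call return Integer.MAX_VALUE.
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    /** Tries AES with a 256-bit key; returns null on success, else the error text. */
    static String tryAes256() throws NoSuchAlgorithmException, NoSuchPaddingException {
        byte[] key = new byte[32]; // constructed all-zero key, used only as a probe
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
            return null;
        } catch (InvalidKeyException e) {
            return e.getMessage(); // the restricted policy rejects the key here
        }
    }

    public static void main(String[] args) throws Exception {
        // java.home shows which JRE the build really uses, which may differ
        // from the one whose lib/security directory was inspected by hand.
        System.out.println("java.home     = " + System.getProperty("java.home"));
        System.out.println("java.version  = " + System.getProperty("java.version"));
        // This security property exists only on later JDKs (8u151 and newer);
        // it prints null on the JDK 1.6/1.7 builds discussed in this thread.
        System.out.println("crypto.policy = " + Security.getProperty("crypto.policy"));
        for (String alg : new String[] {"AES", "DESede", "Blowfish", "RSA"}) {
            System.out.println("max key bits (" + alg + ") = "
                    + Cipher.getMaxAllowedKeyLength(alg));
        }
        String failure = tryAes256();
        System.out.println("AES-256 init  = " + (failure == null ? "ok" : "FAILED: " + failure));
        if (!unlimitedPolicyActive()) {
            System.out.println("Restricted policy in effect for this JRE.");
            System.exit(1); // non-zero exit lets a CI job stop before the test run
        }
    }
}
```

Compile and run it with the same JDK that Maven or Jenkins uses for the build; a result of 128 for AES means the restricted policy files are the ones being loaded.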


Re: SSL and JCE

Posted by Prasanna Santhanam <ts...@apache.org>.
My MacOSX 1.6 jdk seems to have the crypto extensions jce builtin and
the build+test works. JDK 1.7 install does not have them though.

The JCE kit seems to carry a BCL which is not ASF friendly [1]. But
this being part of the Java install and not the project it should be
okay IMO if we note it in our wiki on building the project.

As for legal aspects - I found this which might be of some relevance.  
http://markmail.org/message/evtkc656gewrkruf

[1] http://www.apache.org/legal/3party.html#transition-examples

On Mon, Nov 11, 2013 at 10:45:12PM +0100, Laszlo Hornyak wrote:
> Hi,
> 
> That is a good question, I do not know for sure, but this package needs to
> be signed by oracle, it is not redistributable and has territorial import
> restrictions, so it could be problematic :-( I hope it is not. Guys, can
> someone help us here?
> 
> 
> On Mon, Nov 11, 2013 at 10:21 PM, Syed Ahmed <sa...@cloudops.com> wrote:
> 
> > Hi Laszlo,
> >
> > The CertService uses BouncyCastle for certificate parsing and validation.
> > The JCE extension provides the API for using BouncyCastle as the provider.
> > So, JCE is required. I know that BouncyCastle is added in CS. Would it be
> > possible to add JCE as a dependency too?
> >
> > Thanks,
> > -Syed
> >
> >
> > On 13-11-10 09:55 AM, Laszlo Hornyak wrote:
> >
> >> Hi Sahmed and list,
> >>
> >> I ran into some failing tests this weekend related to the patch
> >> 0076307863e9155273d9e4c14282de429388c9e9 apparently jenkins fails for
> >> the same reason. I did a short investigation and it turned out that in
> >> order to run the tests correctly, one has to download the sun jce policy
> >> files and put it in the jdk replacing the original policies.
> >>
> >> Questions:
> >> - Is there a more convenient deployment process? :-) It would be very
> >> useful for the jenkins environment as well.
> >> - I gave it a try and patched the oracle jdk 1.7 with the same plugin, it
> >> did not work. Do you know a way to make it work again with jdk 1.7?
> >>
> >> Thank you,
> >> Laszlo
> >>
> >> --
> >>
> >> EOF
> >>
> >
> >
> 
> 
> -- 
> 
> EOF

-- 
Prasanna.,

------------------------
Powered by BigRock.com


Re: SSL and JCE

Posted by Laszlo Hornyak <la...@gmail.com>.
Hi,

That is a good question, I do not know for sure, but this package needs to
be signed by oracle, it is not redistributable and has territorial import
restrictions, so it could be problematic :-( I hope it is not. Guys, can
someone help us here?


On Mon, Nov 11, 2013 at 10:21 PM, Syed Ahmed <sa...@cloudops.com> wrote:

> Hi Laszlo,
>
> The CertService uses BouncyCastle for certificate parsing and validation.
> The JCE extension provides the API for using BouncyCastle as the provider.
> So, JCE is required. I know that BouncyCastle is added in CS. Would it be
> possible to add JCE as a dependency too?
>
> Thanks,
> -Syed
>
>
> On 13-11-10 09:55 AM, Laszlo Hornyak wrote:
>
>> Hi Sahmed and list,
>>
>> I ran into some failing tests this weekend related to the patch
>> 0076307863e9155273d9e4c14282de429388c9e9 apparently jenkins fails for
>> the same reason. I did a short investigation and it turned out that in
>> order to run the tests correctly, one has to download the sun jce policy
>> files and put it in the jdk replacing the original policies.
>>
>> Questions:
>> - Is there a more convenient deployment process? :-) It would be very
>> useful for the jenkins environment as well.
>> - I gave it a try and patched the oracle jdk 1.7 with the same plugin, it
>> did not work. Do you know a way to make it work again with jdk 1.7?
>>
>> Thank you,
>> Laszlo
>>
>> --
>>
>> EOF
>>
>
>


-- 

EOF

Re: SSL and JCE

Posted by Syed Ahmed <sa...@cloudops.com>.
Hi Laszlo,

The CertService uses BouncyCastle for certificate parsing and 
validation. The JCE extension provides the API for using BouncyCastle as 
the provider. So, JCE is required. I know that BouncyCastle is added in 
CS. Would it be possible to add JCE as a dependency too?

Thanks,
-Syed

On 13-11-10 09:55 AM, Laszlo Hornyak wrote:
> Hi Sahmed and list,
>
> I ran into some failing tests this weekend related to the patch 
> 0076307863e9155273d9e4c14282de429388c9e9 apparently jenkins fails for 
> the same reason. I did a short investigation and it turned out that in 
> order to run the tests correctly, one has to download the sun jce 
> policy files and put it in the jdk replacing the original policies.
>
> Questions:
> - Is there a more convenient deployment process? :-) It would be very 
> useful for the jenkins environment as well.
> - I gave it a try and patched the oracle jdk 1.7 with the same plugin, 
> it did not work. Do you know a way to make it work again with jdk 1.7?
>
> Thank you,
> Laszlo
>
> -- 
>
> EOF