Posted to dev@geronimo.apache.org by "Nikolay Chugunov (JIRA)" <de...@geronimo.apache.org> on 2006/05/12 16:56:08 UTC

[jira] Created: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Let's replace JKS to PKCS12 key store type
------------------------------------------

         Key: GERONIMO-2015
         URL: http://issues.apache.org/jira/browse/GERONIMO-2015
     Project: Geronimo
        Type: Improvement
    Security: public (Regular issues) 
  Components: security  
    Reporter: Nikolay Chugunov


Hello

Let's replace the JKS key store type with PKCS12, because PKCS12 is a widely used key store format and Geronimo may not work on non-Sun VMs.

To fix this problem I have created a patch for the Geronimo sources.
In brief, the patch (attached) replaces the JKS key store type with PKCS12 in the configuration files.
The PKCS12 key store file format is not Java-specific and can be created and read by other programs, e.g. Internet Explorer. In addition, PKCS12 exists in the Bouncy Castle (http://www.bouncycastle.org) security provider, while JKS is a Sun-specific key store and does not exist in Bouncy Castle.
It is also necessary to replace the JKS keystore file with the PKCS12 keystore file (attached) in the assemblies/j2ee-tomcat-server/src/var/security, assemblies/j2ee-installer/src/var/security and assemblies/j2ee-jetty-server/src/var/security directories. The key store file was generated using the JKSToPKCS12 class (attached). This class transfers the key and certificate of Geronimo from JKS to PKCS12.

After I apply this patch to the Geronimo 1.0 sources and build Geronimo, I can log in to the Geronimo console over https.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


Re: [jira] Commented: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by Vamsavardhana Reddy <c1...@gmail.com>.
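        // Fragment: needs java.io.FileInputStream, java.io.FileOutputStream,
        // java.security.KeyStore and java.util.Enumeration. inFile and outFile
        // (String) and password (char[]) are supplied by the caller.
        KeyStore jks = KeyStore.getInstance("JKS");
        KeyStore pkcs12 = KeyStore.getInstance("PKCS12");
        FileInputStream fin = new FileInputStream(inFile);
        try {
            jks.load(fin, password);
        } finally {
            fin.close(); // close the input even if loading fails
        }
        System.out.println("Loaded input keystore " + inFile);
        // Initialise an empty PKCS12 keystore to copy the entries into.
        pkcs12.load(null, null);
        for (Enumeration e = jks.aliases(); e.hasMoreElements(); ) {
            String alias = (String) e.nextElement();
            if (jks.isCertificateEntry(alias)) {
                // Trusted certificate entry: copy the certificate under the same alias.
                pkcs12.setCertificateEntry(alias, jks.getCertificate(alias));
            } else {
                // Key entry: copy the key and its chain, protected with the same password.
                pkcs12.setKeyEntry(alias, jks.getKey(alias, password), password,
                        jks.getCertificateChain(alias));
            }
        }
        FileOutputStream fout = new FileOutputStream(outFile);
        try {
            pkcs12.store(fout, password);
        } finally {
            fout.close(); // close the output even if storing fails
        }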


On 10/17/06, Nikolay Chugunov (JIRA) <de...@geronimo.apache.org> wrote:
>
>     [
> http://issues.apache.org/jira/browse/GERONIMO-2015?page=comments#action_12442965]
>
> Nikolay Chugunov commented on GERONIMO-2015:
> --------------------------------------------
>
> Vamsavardhana,
> Could you send the code you have written above?
>
> > Let's replace JKS to PKCS12 key store type
> > ------------------------------------------
> >
> >                 Key: GERONIMO-2015
> >                 URL: http://issues.apache.org/jira/browse/GERONIMO-2015
> >             Project: Geronimo
> >          Issue Type: Improvement
> >      Security Level: public(Regular issues)
> >          Components: security
> >            Reporter: Nikolay Chugunov
> >             Fix For: 1.2
> >
> >         Attachments: jksToPKCS12-1.1.1.patch, JKSToPKCS12.java,
> jksToPKCS12.patch, keystore
> >
> >

[jira] Updated: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Nikolay Chugunov (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-2015?page=all ]

Nikolay Chugunov updated GERONIMO-2015:
---------------------------------------

    Attachment: jksToPKCS12.patch

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>          Key: GERONIMO-2015
>          URL: http://issues.apache.org/jira/browse/GERONIMO-2015
>      Project: Geronimo
>         Type: Improvement
>     Security: public(Regular issues) 
>   Components: security
>     Reporter: Nikolay Chugunov
>  Attachments: JKSToPKCS12.java, jksToPKCS12.patch, keystore
>


[jira] Updated: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Nikolay Chugunov (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-2015?page=all ]

Nikolay Chugunov updated GERONIMO-2015:
---------------------------------------

    Attachment: keystore

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>          Key: GERONIMO-2015
>          URL: http://issues.apache.org/jira/browse/GERONIMO-2015
>      Project: Geronimo
>         Type: Improvement
>     Security: public(Regular issues) 
>   Components: security
>     Reporter: Nikolay Chugunov
>  Attachments: JKSToPKCS12.java, keystore
>


[jira] Commented: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Nikolay Chugunov (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-2015?page=comments#action_12442937 ] 
            
Nikolay Chugunov commented on GERONIMO-2015:
--------------------------------------------

Vamsavardhana,
As follows from your stack trace, the JKSToPKCS12 class should invoke the setCertificateEntry method. But it doesn't exist in the class.
I have verified that the class works fine on 1.4.

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>                 Key: GERONIMO-2015
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-2015
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Nikolay Chugunov
>             Fix For: 1.2
>
>         Attachments: jksToPKCS12-1.1.1.patch, JKSToPKCS12.java, jksToPKCS12.patch, keystore
>
>

        

[jira] Commented: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Nikolay Chugunov (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-2015?page=comments#action_12442965 ] 
            
Nikolay Chugunov commented on GERONIMO-2015:
--------------------------------------------

Vamsavardhana,
Could you send the code you have written above?

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>                 Key: GERONIMO-2015
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-2015
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Nikolay Chugunov
>             Fix For: 1.2
>
>         Attachments: jksToPKCS12-1.1.1.patch, JKSToPKCS12.java, jksToPKCS12.patch, keystore
>
>

        

[jira] Commented: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Nellya Udovichenko (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-2015?page=comments#action_12427223 ] 
            
Nellya Udovichenko commented on GERONIMO-2015:
----------------------------------------------

Both JKS and PKCS12 keystore formats are supported by both Sun and IBM JDKs.
See 'Additional Keystore Formats (PKCS12)'
http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#KeystoreFormats
and end of 'Introduction'
http://www-128.ibm.com/developerworks/java/jdk/security/50/secguides/JceDocs/api_users_guide.html#JceKeystore 

Adding a changeable keystore type parameter and supporting PKCS12 would be a wonderful
and important compatibility feature for working with non-Sun JDKs at 1.x versions.

Of course, we may leave JKS as default keystore type for compatibility with older versions.
And later, e. g. in 2.0 we may make PKCS12 a default keystore - it would be a good gradual change.



> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>                 Key: GERONIMO-2015
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-2015
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Nikolay Chugunov
>             Fix For: 1.2
>
>         Attachments: JKSToPKCS12.java, jksToPKCS12.patch, keystore
>
>

        

[jira] Commented: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Jeff Genender (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-2015?page=comments#action_12427277 ] 
            
Jeff Genender commented on GERONIMO-2015:
-----------------------------------------

I am open to this patch and making it a default if we get more input from others that this should be the default.  Thank you for your work so far.  Can others please comment on this?

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>                 Key: GERONIMO-2015
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-2015
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Nikolay Chugunov
>             Fix For: 1.2
>
>         Attachments: JKSToPKCS12.java, jksToPKCS12.patch, keystore
>
>

        

[jira] Commented: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Nikolay Chugunov (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-2015?page=comments#action_12427259 ] 
            
Nikolay Chugunov commented on GERONIMO-2015:
--------------------------------------------

We may stop discussing moving this bug to 2.0, because version 2.0 does not exist in this JIRA :)

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>                 Key: GERONIMO-2015
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-2015
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Nikolay Chugunov
>             Fix For: 1.2
>
>         Attachments: JKSToPKCS12.java, jksToPKCS12.patch, keystore
>
>

        

[jira] Closed: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Alexey Petrenko (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-2015?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexey Petrenko closed GERONIMO-2015.
-------------------------------------

    Resolution: Won't Fix

Changing the default key store from JKS to PKCS12 or something else will be too strong a move at the moment.
It makes much more sense to make this feature configurable.

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>                 Key: GERONIMO-2015
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-2015
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Nikolay Chugunov
>            Assignee: Alexey Petrenko
>             Fix For: Wish List
>
>         Attachments: jksToPKCS12-1.1.1.patch, JKSToPKCS12.java, jksToPKCS12.patch, keystore
>
>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
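
The closing comment above, like earlier comments in the thread, asks for the keystore type to be configurable with JKS kept as the default. One way to do that, shown as an added example that is not Geronimo code and was not posted in this thread; the class name, the `example.keystore.type` property and the sample password are assumptions, and the sample keystores are empty ones constructed in memory:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Locale;

public class ConfigurableKeyStoreLoader {

    // Hypothetical property name (an assumption of this example, not a Geronimo setting).
    static final String TYPE_PROPERTY = "example.keystore.type";
    static final String DEFAULT_TYPE = "JKS";

    /** Resolve the configured type; only the two formats discussed in the thread are accepted. */
    static String resolveType(String configured) throws KeyStoreException {
        String type = (configured == null || configured.trim().isEmpty())
                ? DEFAULT_TYPE : configured.trim().toUpperCase(Locale.ROOT);
        if (!type.equals("JKS") && !type.equals("PKCS12")) {
            throw new KeyStoreException("Unsupported keystore type: " + type);
        }
        return type;
    }

    /** Guess the format from the leading bytes; returns null when it is neither. */
    static String sniffType(byte[] data) {
        if (data.length >= 4 && (data[0] & 0xFF) == 0xFE && (data[1] & 0xFF) == 0xED
                && (data[2] & 0xFF) == 0xFE && (data[3] & 0xFF) == 0xED) {
            return "JKS";     // JKS files begin with the magic number 0xFEEDFEED
        }
        if (data.length >= 1 && data[0] == 0x30) {
            return "PKCS12";  // a PKCS#12 file is a DER SEQUENCE, tag byte 0x30
        }
        return null;
    }

    /** Load a keystore with the configured type, refusing a file whose bytes say otherwise. */
    static KeyStore load(byte[] data, char[] password, String configured)
            throws GeneralSecurityException, IOException {
        String type = resolveType(configured);
        String sniffed = sniffType(data);
        if (!type.equals(sniffed)) {
            throw new KeyStoreException("Configured type " + type
                    + " does not match file contents (" + sniffed + ")");
        }
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(new ByteArrayInputStream(data), password);
        return ks;
    }

    /** Constructed sample input: an empty keystore of the given type, serialised in memory. */
    static byte[] emptyStore(String type, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray(); // constructed sample password
        byte[] jksBytes = emptyStore("JKS", password);
        byte[] p12Bytes = emptyStore("PKCS12", password);

        // Property unset: the loader keeps JKS as the default.
        KeyStore a = load(jksBytes, password, System.getProperty(TYPE_PROPERTY));
        System.out.println("default    -> " + a.getType() + ", entries=" + a.size());

        // Operator switches the setting to PKCS12 and supplies a PKCS12 file.
        KeyStore b = load(p12Bytes, password, "pkcs12");
        System.out.println("configured -> " + b.getType() + ", entries=" + b.size());

        // Setting changed but the old JKS file is still in place: fail with a clear message.
        try {
            load(jksBytes, password, "PKCS12");
        } catch (KeyStoreException e) {
            System.out.println("mismatch   -> " + e.getMessage());
        }
    }
}
```

Recent JDKs can read either format through a keystore requested as JKS or PKCS12 (the `keystore.type.compat` security property), so the explicit byte check is what makes a stale file visible after the setting is switched.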


[jira] Commented: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "David Jencks (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-2015?page=comments#action_12433715 ] 
            
David Jencks commented on GERONIMO-2015:
----------------------------------------

The patch doesn't work with trunk any more since we are trying to use a keystore gbean wherever possible rather than using "embedded" keystore information.  Would it be possible to come up with a new patch that changes what the keystore gbean is using?

Whatever default we pick (I don't know enough to give intelligent advice on which is more appropriate) I wonder if we can make it easy to switch back and forth.

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>                 Key: GERONIMO-2015
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-2015
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Nikolay Chugunov
>             Fix For: 1.2
>
>         Attachments: JKSToPKCS12.java, jksToPKCS12.patch, keystore
>
>

        

[jira] Updated: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Vamsavardhana Reddy (JIRA)" <ji...@apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-2015?page=all ]

Vamsavardhana Reddy updated GERONIMO-2015:
------------------------------------------

    Fix Version/s: 2.0
                       (was: 1.2)

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>                 Key: GERONIMO-2015
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-2015
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Nikolay Chugunov
>             Fix For: 2.0
>
>         Attachments: jksToPKCS12-1.1.1.patch, JKSToPKCS12.java, jksToPKCS12.patch, keystore
>
>

        

[jira] Updated: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Nikolay Chugunov (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-2015?page=all ]

Nikolay Chugunov updated GERONIMO-2015:
---------------------------------------

    Attachment: JKSToPKCS12.java

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>          Key: GERONIMO-2015
>          URL: http://issues.apache.org/jira/browse/GERONIMO-2015
>      Project: Geronimo
>         Type: Improvement
>     Security: public(Regular issues) 
>   Components: security
>     Reporter: Nikolay Chugunov
>  Attachments: JKSToPKCS12.java, keystore
>


[jira] Updated: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Nellya Udovichenko (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-2015?page=all ]

Nellya Udovichenko updated GERONIMO-2015:
-----------------------------------------

    Attachment: jksToPKCS12-1.1.1.patch

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>                 Key: GERONIMO-2015
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-2015
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Nikolay Chugunov
>             Fix For: 1.2
>
>         Attachments: jksToPKCS12-1.1.1.patch, JKSToPKCS12.java, jksToPKCS12.patch, keystore
>
>

        

[jira] Commented: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Jeff Genender (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-2015?page=comments#action_12425854 ] 
            
Jeff Genender commented on GERONIMO-2015:
-----------------------------------------

I would like to see more input on this.  Most of the Java app servers seem to default to JKS.  Why shouldn't we follow the standard?

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>                 Key: GERONIMO-2015
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-2015
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Nikolay Chugunov
>             Fix For: 1.2
>
>         Attachments: JKSToPKCS12.java, jksToPKCS12.patch, keystore

        

[jira] Updated: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Donald Woods (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-2015?page=all ]

Donald Woods updated GERONIMO-2015:
-----------------------------------

    Fix Version: 1.2

OK, setting the Fix version to 1.2 so it will be considered....

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>          Key: GERONIMO-2015
>          URL: http://issues.apache.org/jira/browse/GERONIMO-2015
>      Project: Geronimo
>         Type: Improvement
>     Security: public(Regular issues) 
>   Components: security
>     Reporter: Nikolay Chugunov
>      Fix For: 1.2
>  Attachments: JKSToPKCS12.java, jksToPKCS12.patch, keystore


[jira] Commented: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Nikolay Chugunov (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-2015?page=comments#action_12383376 ] 

Nikolay Chugunov commented on GERONIMO-2015:
--------------------------------------------

PKCS12 is a world standard for storing keys and I propose switching to it. PKCS12 support exists in the Sun and Bouncy Castle (BC) providers. This patch can work without the BC library.

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>          Key: GERONIMO-2015
>          URL: http://issues.apache.org/jira/browse/GERONIMO-2015
>      Project: Geronimo
>         Type: Improvement
>     Security: public(Regular issues) 
>   Components: security
>     Reporter: Nikolay Chugunov
>  Attachments: JKSToPKCS12.java, jksToPKCS12.patch, keystore


[jira] Updated: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Prasad Kashyap (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-2015?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Prasad Kashyap updated GERONIMO-2015:
-------------------------------------

    Fix Version/s:     (was: 2.0-M5)
                   2.0

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>                 Key: GERONIMO-2015
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-2015
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Nikolay Chugunov
>             Fix For: 2.0
>
>         Attachments: jksToPKCS12-1.1.1.patch, JKSToPKCS12.java, jksToPKCS12.patch, keystore


[jira] Commented: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Vasily Zakharov (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-2015?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12560060#action_12560060 ] 

Vasily Zakharov commented on GERONIMO-2015:
-------------------------------------------

As it seems impractical to change the default keystore type from JKS to something else, I think this issue may be resolved (as Won't Fix or Invalid), and closed.

The question of having a chance to customize the keystore type in the configuration file is in fact a separate issue, so I filed GERONIMO-3757 for that.


> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>                 Key: GERONIMO-2015
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-2015
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Nikolay Chugunov
>            Assignee: Alexey Petrenko
>             Fix For: Wish List
>
>         Attachments: jksToPKCS12-1.1.1.patch, JKSToPKCS12.java, jksToPKCS12.patch, keystore


[jira] Commented: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Alexey Petrenko (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-2015?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12559433#action_12559433 ] 

Alexey Petrenko commented on GERONIMO-2015:
-------------------------------------------

If we are afraid of possible incompatibilities and incomplete support of JKS or PKCS12, why not let the user choose?
We can specify the keystore in configs or choose a type from those available on the current VM.

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>                 Key: GERONIMO-2015
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-2015
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Nikolay Chugunov
>             Fix For: Wish List
>
>         Attachments: jksToPKCS12-1.1.1.patch, JKSToPKCS12.java, jksToPKCS12.patch, keystore


[jira] Commented: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Vasily Zakharov (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-2015?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12557664#action_12557664 ] 

Vasily Zakharov commented on GERONIMO-2015:
-------------------------------------------

What is the current situation with this issue?

It was targeted at v2.0, but now v2.0.2 is already out there.
It looks like parts of the proposed functionality are already there, and otherwise the patches are obsolete as they don't use the keystore gbean.

Is it worth providing newer patches on this, are there any plans to integrate them?

For now, Geronimo still doesn't start if a JKS implementation is not available, e.g. on Harmony.


> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>                 Key: GERONIMO-2015
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-2015
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Nikolay Chugunov
>             Fix For: Wish List
>
>         Attachments: jksToPKCS12-1.1.1.patch, JKSToPKCS12.java, jksToPKCS12.patch, keystore


[jira] Commented: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Vamsavardhana Reddy (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-2015?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12557675#action_12557675 ] 

Vamsavardhana Reddy commented on GERONIMO-2015:
-----------------------------------------------

Sun's PKCS12 implementation does not allow storing trusted certificate entries in a keystore.  This will be a problem if one wants to configure ClientAuth for HTTPS, etc.

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>                 Key: GERONIMO-2015
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-2015
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Nikolay Chugunov
>             Fix For: Wish List
>
>         Attachments: jksToPKCS12-1.1.1.patch, JKSToPKCS12.java, jksToPKCS12.patch, keystore


[jira] Commented: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Vamsavardhana Reddy (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-2015?page=comments#action_12442944 ] 
            
Vamsavardhana Reddy commented on GERONIMO-2015:
-----------------------------------------------

I have written a simple Java class to translate a JKS keystore to a PKCS12 keystore.  The class would iterate through all key entries in the JKS keystore and call setKeyEntry() on the PKCS12 keystore. Then it will iterate through all certificate entries in the JKS keystore and call setCertificateEntry() on the PKCS12 keystore.  The exception I logged above means that setCertificateEntry() on a PKCS12 keystore is not supported in Sun JDK 1.4.2.  To reproduce the exception, invoke the setCertificateEntry() method on a PKCS12 KeyStore object in Sun JDK 1.4.2.

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>                 Key: GERONIMO-2015
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-2015
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Nikolay Chugunov
>             Fix For: 1.2
>
>         Attachments: jksToPKCS12-1.1.1.patch, JKSToPKCS12.java, jksToPKCS12.patch, keystore

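The conversion described in the comment above, as an added example (it is not the JKSToPKCS12.java attached to the issue or any Geronimo code): it copies key entries and trusted certificate entries from a JKS keystore into a PKCS12 keystore and reports, rather than aborts on, trusted certificates that the PKCS12 implementation refuses. The class name, the argument order and the assumption that every key shares the keystore password are this example's own.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added example, not the JKSToPKCS12.java attached to the issue.
// Usage (argument order is this example's own):
//   java JksToPkcs12Example <in.jks> <out.p12>
public class JksToPkcs12Example {

    // Copies every entry of src into dst and returns the aliases of the
    // trusted certificate entries that the target implementation refused.
    // Assumption: every private key is protected by the same password.
    static List<String> copyEntries(KeyStore src, KeyStore dst, char[] password)
            throws Exception {
        List<String> refused = new ArrayList<>();
        for (String alias : Collections.list(src.aliases())) {
            if (src.isKeyEntry(alias)) {
                // Private key plus its certificate chain.
                Key key = src.getKey(alias, password);
                Certificate[] chain = src.getCertificateChain(alias);
                dst.setKeyEntry(alias, key, password, chain);
            } else if (src.isCertificateEntry(alias)) {
                // Trusted certificate (no private key), e.g. a CA used to
                // verify client certificates. Some PKCS12 implementations
                // reject these with a KeyStoreException.
                try {
                    dst.setCertificateEntry(alias, src.getCertificate(alias));
                } catch (KeyStoreException e) {
                    refused.add(alias);
                }
            }
        }
        return refused;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 2 || console == null) {
            System.err.println("usage (from an interactive terminal): "
                    + "java JksToPkcs12Example <in.jks> <out.p12>");
            System.exit(2);
        }
        // Read the password from the terminal so that it never appears in
        // the process list or in shell history.
        char[] password = console.readPassword("Keystore password: ");
        if (password == null) {
            System.exit(2);
        }
        int exitCode = 0;
        try {
            // Throws KeyStoreException on a VM without a JKS implementation.
            KeyStore src = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream(args[0])) {
                src.load(in, password);
            }
            KeyStore dst = KeyStore.getInstance("PKCS12");
            dst.load(null, null); // initialise an empty keystore

            List<String> refused = copyEntries(src, dst, password);
            try (OutputStream out = new FileOutputStream(args[1])) {
                dst.store(out, password);
            }
            System.out.println("copied " + (src.size() - refused.size())
                    + " of " + src.size() + " entries");
            if (!refused.isEmpty()) {
                System.err.println("trusted certificates NOT copied: " + refused);
                exitCode = 1;
            }
        } finally {
            Arrays.fill(password, '\0'); // do not leave the password in memory
        }
        System.exit(exitCode);
    }
}
```

A non-zero exit status means the PKCS12 file lacks trust entries that the JKS file had, which matters for the ClientAuth case raised earlier in the thread.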

        

[jira] Commented: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Nellya Udovichenko (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-2015?page=comments#action_12426550 ] 
            
Nellya Udovichenko commented on GERONIMO-2015:
----------------------------------------------

JKS is a Sun proprietary keystore format implementation. Therefore, it isn't supported by non-Sun VMs. 
PKCS12 is the keystore standard too and it isn't Sun dependent.

Yes, many application servers have JKS as their default keystore type. But they support PKCS12 also, 
and you can choose the keystore more suitable to you because the keystore type isn't hardcoded. 

And for example, WebSphere application server 6.1 has PKCS12 as its default keystore format.


> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>                 Key: GERONIMO-2015
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-2015
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Nikolay Chugunov
>             Fix For: 1.2
>
>         Attachments: JKSToPKCS12.java, jksToPKCS12.patch, keystore

        

[jira] Assigned: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Alexey Petrenko (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-2015?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexey Petrenko reassigned GERONIMO-2015:
-----------------------------------------

    Assignee: Alexey Petrenko

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>                 Key: GERONIMO-2015
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-2015
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Nikolay Chugunov
>            Assignee: Alexey Petrenko
>             Fix For: Wish List
>
>         Attachments: jksToPKCS12-1.1.1.patch, JKSToPKCS12.java, jksToPKCS12.patch, keystore


[jira] Updated: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-2015?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Jencks updated GERONIMO-2015:
-----------------------------------

    Fix Version/s:     (was: 2.0)
                   Wish List

I think it would be great to support PKCS12 keystores but I don't know enough to implement this or check the patch.

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>                 Key: GERONIMO-2015
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-2015
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Nikolay Chugunov
>             Fix For: Wish List
>
>         Attachments: jksToPKCS12-1.1.1.patch, JKSToPKCS12.java, jksToPKCS12.patch, keystore


[jira] Commented: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Matt Hogstrom (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-2015?page=comments#action_12427290 ] 
            
Matt Hogstrom commented on GERONIMO-2015:
-----------------------------------------

Oops...my bad on the 2.0.  I'll create one although there is no content there yet :)

I'd like to get Aaron's and DJencks input on this as they are more familiar with the security aspects than I.  

One of your earlier comments indicated that JKS is not supported on IBM VMs (I didn't hear anything about JRockit and they should probably be part of the discussion as well).   The earlier posts have me a bit confused about what works with what.  Some say it works with BouncyCastle but BouncyCastle isn't required.  Here is one about changing VMs as an issue Vamsavardhana Reddy [16/May/06 06:37 AM].  

Is it possible to post a comprehensive proposal of what works with what, etc?  Forgive my ignorance in the security area.  I think my earlier recommendation to defer this might have been flawed.

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>                 Key: GERONIMO-2015
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-2015
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Nikolay Chugunov
>             Fix For: 1.2
>
>         Attachments: JKSToPKCS12.java, jksToPKCS12.patch, keystore

        

[jira] Commented: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Donald Woods (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-2015?page=comments#action_12383391 ] 

Donald Woods commented on GERONIMO-2015:
----------------------------------------

As long as we don't require any new Bouncy Castle code that has IP issues and you verify that the changes will work on Linux, Windows, Mac OS, Solaris, AIX, ... then this can be a candidate for 1.2/2.0.
BUT, this may need to wait until we fully support Java5, based on the following information I found -
The IBM 1.4.2 JVMs seem to only support PKCS11 -
   http://www-128.ibm.com/developerworks/java/jdk/security/142/secguides/pkcs11implDocs/IBMJavaPKCS11ImplementationProvider.html
while the IBM 5.0 JVMs include support for PKCS12 -
   http://www-128.ibm.com/developerworks/java/jdk/security/50/secguides/jsse2Docs/JSSE2RefGuide.html#KeystoreFormats


> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>          Key: GERONIMO-2015
>          URL: http://issues.apache.org/jira/browse/GERONIMO-2015
>      Project: Geronimo
>         Type: Improvement
>     Security: public(Regular issues) 
>   Components: security
>     Reporter: Nikolay Chugunov
>  Attachments: JKSToPKCS12.java, jksToPKCS12.patch, keystore
>
> Hello
> Let's replace JKS to PKCS12 key store type; because PKCS12 is widely used key store and Geronimo may not work on non-Sun VMs.
> To fix this problem I have created the patch for Geronimo sources.
> In brief the patch (attached) replaces JKS to PKCS12 key store type in configurations files. 
> PKCS12 format of key store file is not java-specific and can be created and read by other programs, e.g. Internet Explorer. In addition PKCS12 exists in Bouncy Castle (http://www.bouncycastle.org) security provider, while JKS is Sun specific key store and does not exist in Bouncy Castle.
> Also it is needed to replace JKS to PKCS12 keystore file (attached) to assemblies/j2ee-tomcat-server/src/var/security, assemblies/j2ee-installer/src/var/security, assemblies/j2ee-jetty-server/src/var/security directories. Key store file was generating using JKSToPKCS12 class (attached). This class transfers key and certificate of Geronimo from JKS to PKCS12.
> After I apply this patch to Geronimo 1.0 sources and build Geronimo I can login to Geronimo console over https.



[jira] Commented: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Vamsavardhana Reddy (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-2015?page=comments#action_12411897 ] 

Vamsavardhana Reddy commented on GERONIMO-2015:
-----------------------------------------------

My experience with PKCS12 keystores...  A PKCS12 keystore generated using IBM JDK is not readable by Sun's JDK and vice versa.  First observed this in May 2004.  Maybe I am missing some point.

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>          Key: GERONIMO-2015
>          URL: http://issues.apache.org/jira/browse/GERONIMO-2015
>      Project: Geronimo
>         Type: Improvement
>     Security: public(Regular issues) 
>   Components: security
>     Reporter: Nikolay Chugunov
>  Attachments: JKSToPKCS12.java, jksToPKCS12.patch, keystore
>
> Hello
> Let's replace JKS to PKCS12 key store type; because PKCS12 is widely used key store and Geronimo may not work on non-Sun VMs.
> To fix this problem I have created the patch for Geronimo sources.
> In brief the patch (attached) replaces JKS to PKCS12 key store type in configurations files. 
> PKCS12 format of key store file is not java-specific and can be created and read by other programs, e.g. Internet Explorer. In addition PKCS12 exists in Bouncy Castle (http://www.bouncycastle.org) security provider, while JKS is Sun specific key store and does not exist in Bouncy Castle.
> Also it is needed to replace JKS to PKCS12 keystore file (attached) to assemblies/j2ee-tomcat-server/src/var/security, assemblies/j2ee-installer/src/var/security, assemblies/j2ee-jetty-server/src/var/security directories. Key store file was generating using JKSToPKCS12 class (attached). This class transfers key and certificate of Geronimo from JKS to PKCS12.
> After I apply this patch to Geronimo 1.0 sources and build Geronimo I can login to Geronimo console over https.



[jira] Commented: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Matt Hogstrom (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-2015?page=comments#action_12426986 ] 
            
Matt Hogstrom commented on GERONIMO-2015:
-----------------------------------------

-1 for the 1.x line of the server.  Users would most likely be expecting some compatibility from previous versions.  I'm ok for considering this on 2.0 as users will expect significant changes.  I'm also concerned about Vamsi's comment about not being able to switch VMs.

Any other input?  Otherwise I'll move this to 2.0

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>                 Key: GERONIMO-2015
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-2015
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Nikolay Chugunov
>             Fix For: 1.2
>
>         Attachments: JKSToPKCS12.java, jksToPKCS12.patch, keystore
>
>
> Hello
> Let's replace JKS to PKCS12 key store type; because PKCS12 is widely used key store and Geronimo may not work on non-Sun VMs.
> To fix this problem I have created the patch for Geronimo sources.
> In brief the patch (attached) replaces JKS to PKCS12 key store type in configurations files. 
> PKCS12 format of key store file is not java-specific and can be created and read by other programs, e.g. Internet Explorer. In addition PKCS12 exists in Bouncy Castle (http://www.bouncycastle.org) security provider, while JKS is Sun specific key store and does not exist in Bouncy Castle.
> Also it is needed to replace JKS to PKCS12 keystore file (attached) to assemblies/j2ee-tomcat-server/src/var/security, assemblies/j2ee-installer/src/var/security, assemblies/j2ee-jetty-server/src/var/security directories. Key store file was generating using JKSToPKCS12 class (attached). This class transfers key and certificate of Geronimo from JKS to PKCS12.
> After I apply this patch to Geronimo 1.0 sources and build Geronimo I can login to Geronimo console over https.


[jira] Commented: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Donald Woods (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-2015?page=comments#action_12383265 ] 

Donald Woods commented on GERONIMO-2015:
----------------------------------------

JKS keystore works fine on the 1.4.2 and 1.5.0 IBM JVMs.

As stated in an earlier posting, we cannot include the Bouncy Castle JARs as-is in Geronimo, due to IP Licensing issues found.  Before including any additional BC source code in geronimo-utils, it needs to be reviewed as incoming source code to ensure there are no IP issues in those files...


> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>          Key: GERONIMO-2015
>          URL: http://issues.apache.org/jira/browse/GERONIMO-2015
>      Project: Geronimo
>         Type: Improvement
>     Security: public(Regular issues) 
>   Components: security
>     Reporter: Nikolay Chugunov
>  Attachments: JKSToPKCS12.java, jksToPKCS12.patch, keystore
>
> Hello
> Let's replace JKS to PKCS12 key store type; because PKCS12 is widely used key store and Geronimo may not work on non-Sun VMs.
> To fix this problem I have created the patch for Geronimo sources.
> In brief the patch (attached) replaces JKS to PKCS12 key store type in configurations files. 
> PKCS12 format of key store file is not java-specific and can be created and read by other programs, e.g. Internet Explorer. In addition PKCS12 exists in Bouncy Castle (http://www.bouncycastle.org) security provider, while JKS is Sun specific key store and does not exist in Bouncy Castle.
> Also it is needed to replace JKS to PKCS12 keystore file (attached) to assemblies/j2ee-tomcat-server/src/var/security, assemblies/j2ee-installer/src/var/security, assemblies/j2ee-jetty-server/src/var/security directories. Key store file was generating using JKSToPKCS12 class (attached). This class transfers key and certificate of Geronimo from JKS to PKCS12.
> After I apply this patch to Geronimo 1.0 sources and build Geronimo I can login to Geronimo console over https.



[jira] Commented: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Nikolay Chugunov (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-2015?page=comments#action_12402318 ] 

Nikolay Chugunov commented on GERONIMO-2015:
--------------------------------------------

Donald,
I have found that IBM 1.4.2 JVMs support PKCS12: see end of appendix A of http://www-128.ibm.com/developerworks/java/jdk/security/142/secguides/jceDocs/api_users_guide.html#AppA

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>          Key: GERONIMO-2015
>          URL: http://issues.apache.org/jira/browse/GERONIMO-2015
>      Project: Geronimo
>         Type: Improvement
>     Security: public(Regular issues) 
>   Components: security
>     Reporter: Nikolay Chugunov
>  Attachments: JKSToPKCS12.java, jksToPKCS12.patch, keystore
>
> Hello
> Let's replace JKS to PKCS12 key store type; because PKCS12 is widely used key store and Geronimo may not work on non-Sun VMs.
> To fix this problem I have created the patch for Geronimo sources.
> In brief the patch (attached) replaces JKS to PKCS12 key store type in configurations files. 
> PKCS12 format of key store file is not java-specific and can be created and read by other programs, e.g. Internet Explorer. In addition PKCS12 exists in Bouncy Castle (http://www.bouncycastle.org) security provider, while JKS is Sun specific key store and does not exist in Bouncy Castle.
> Also it is needed to replace JKS to PKCS12 keystore file (attached) to assemblies/j2ee-tomcat-server/src/var/security, assemblies/j2ee-installer/src/var/security, assemblies/j2ee-jetty-server/src/var/security directories. Key store file was generating using JKSToPKCS12 class (attached). This class transfers key and certificate of Geronimo from JKS to PKCS12.
> After I apply this patch to Geronimo 1.0 sources and build Geronimo I can login to Geronimo console over https.



[jira] Commented: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Nellya Udovichenko (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-2015?page=comments#action_12442041 ] 
            
Nellya Udovichenko commented on GERONIMO-2015:
----------------------------------------------

Try to verify with the updated patch for G-1.1.1. I can't get the same log.

For keystore type changing:

1) put the suitable keystore file to var/security/keystore folder;
2) for jetty - change the parameter 'keystore.type' in java.security file of your JDK;
    for tomcat - add the parameter 'keystoreType' in config.xml.


> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>                 Key: GERONIMO-2015
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-2015
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Nikolay Chugunov
>             Fix For: 1.2
>
>         Attachments: jksToPKCS12-1.1.1.patch, JKSToPKCS12.java, jksToPKCS12.patch, keystore
>
>
> Hello
> Let's replace JKS to PKCS12 key store type; because PKCS12 is widely used key store and Geronimo may not work on non-Sun VMs.
> To fix this problem I have created the patch for Geronimo sources.
> In brief the patch (attached) replaces JKS to PKCS12 key store type in configurations files. 
> PKCS12 format of key store file is not java-specific and can be created and read by other programs, e.g. Internet Explorer. In addition PKCS12 exists in Bouncy Castle (http://www.bouncycastle.org) security provider, while JKS is Sun specific key store and does not exist in Bouncy Castle.
> Also it is needed to replace JKS to PKCS12 keystore file (attached) to assemblies/j2ee-tomcat-server/src/var/security, assemblies/j2ee-installer/src/var/security, assemblies/j2ee-jetty-server/src/var/security directories. Key store file was generating using JKSToPKCS12 class (attached). This class transfers key and certificate of Geronimo from JKS to PKCS12.
> After I apply this patch to Geronimo 1.0 sources and build Geronimo I can login to Geronimo console over https.


[jira] Commented: (GERONIMO-2015) Let's replace JKS to PKCS12 key store type

Posted by "Vamsavardhana Reddy (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-2015?page=comments#action_12438739 ] 
            
Vamsavardhana Reddy commented on GERONIMO-2015:
-----------------------------------------------

And Sun's JDK 1.4.2 throws the following exception on importing a trusted certificate into a PKCS12 keystore:

java.security.KeyStoreException: TrustedCertEntry not supported
        at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engineSetCertificateEntry(Unknown Source)
        at java.security.KeyStore.setCertificateEntry(Unknown Source)
        at JksToPkcs12KeyStoreTranslator.main(JksToPkcs12KeyStoreTranslator.java:26)

> Let's replace JKS to PKCS12 key store type
> ------------------------------------------
>
>                 Key: GERONIMO-2015
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-2015
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Nikolay Chugunov
>             Fix For: 1.2
>
>         Attachments: JKSToPKCS12.java, jksToPKCS12.patch, keystore
>
>
> Hello
> Let's replace JKS to PKCS12 key store type; because PKCS12 is widely used key store and Geronimo may not work on non-Sun VMs.
> To fix this problem I have created the patch for Geronimo sources.
> In brief the patch (attached) replaces JKS to PKCS12 key store type in configurations files. 
> PKCS12 format of key store file is not java-specific and can be created and read by other programs, e.g. Internet Explorer. In addition PKCS12 exists in Bouncy Castle (http://www.bouncycastle.org) security provider, while JKS is Sun specific key store and does not exist in Bouncy Castle.
> Also it is needed to replace JKS to PKCS12 keystore file (attached) to assemblies/j2ee-tomcat-server/src/var/security, assemblies/j2ee-installer/src/var/security, assemblies/j2ee-jetty-server/src/var/security directories. Key store file was generating using JKSToPKCS12 class (attached). This class transfers key and certificate of Geronimo from JKS to PKCS12.
> After I apply this patch to Geronimo 1.0 sources and build Geronimo I can login to Geronimo console over https.

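
The failure reported in the comment above (a PKCS12 provider refusing trusted certificate entries) can be checked on a given JVM before its keystore type is switched. The following is an added example, not the JKSToPKCS12.java attached to the issue or any Geronimo code; the class name KeyStoreMigrationCheck, the alias "sample-ca" and the password are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example: hypothetical class, not the JKSToPKCS12.java attached to the issue.
public class KeyStoreMigrationCheck {
    // Copies src into a new dstType keystore; returns the aliases the provider refused.
    static List<String> migrate(KeyStore src, char[] pw, String dstType,
                                ByteArrayOutputStream out) throws Exception {
        KeyStore dst = KeyStore.getInstance(dstType);
        dst.load(null, null); // start from an empty keystore
        List<String> rejected = new ArrayList<>();
        for (String alias : Collections.list(src.aliases())) {
            try {
                if (src.isKeyEntry(alias)) { // same password for key and store
                    dst.setKeyEntry(alias, src.getKey(alias, pw), pw,
                                    src.getCertificateChain(alias));
                } else {
                    dst.setCertificateEntry(alias, src.getCertificate(alias));
                }
            } catch (KeyStoreException e) { // e.g. "TrustedCertEntry not supported"
                rejected.add(alias + ": " + e.getMessage());
            }
        }
        dst.store(out, pw);
        return rejected;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // constructed sample password
        // Constructed input: one CA certificate from this JVM's (non-empty) default trust store.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        Certificate ca = tm.getAcceptedIssuers()[0];
        KeyStore src = KeyStore.getInstance(KeyStore.getDefaultType()); // from 'keystore.type'
        src.load(null, null);
        src.setCertificateEntry("sample-ca", ca);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        List<String> rejected = migrate(src, pw, "PKCS12", out);
        KeyStore check = KeyStore.getInstance("PKCS12"); // re-read what was written
        check.load(new ByteArrayInputStream(out.toByteArray()), pw);
        System.out.println("migrated=" + check.size() + " rejected=" + rejected);
    }
}
```

With a PKCS12 provider that behaves like the one in the stack trace, the alias is listed under rejected and the remaining entries are still converted, so the gap is visible before the keystore file is replaced.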