Posted to dev@directory.apache.org by "Emmanuel Lecharny (JIRA)" <ji...@apache.org> on 2018/08/08 09:44:00 UTC

[jira] [Commented] (DIRSERVER-2242) Keystore change from JKS to PKCS12

    [ https://issues.apache.org/jira/browse/DIRSERVER-2242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16572947#comment-16572947 ] 

Emmanuel Lecharny commented on DIRSERVER-2242:
----------------------------------------------

We use the {{KeyStore.getInstance()}} method in three places:

* {{ReplicationTrustManager}} ( {{KeyStore.getInstance( "JKS" )}} )
* {{LdapServer}} ( {{KeyStore.getInstance( KeyStore.getDefaultType() )}} )
* {{HttpServer}} ( {{KeyStore.getInstance( KeyStore.getDefaultType() )}} )

and in four tests (one with "JKS").

We could use {{KeyStore.getInstance( "JKS" )}} everywhere, but that would be problematic in the long run. What we could do is to add a configuration parameter in the server ({{ads-keystoreType}}) that would store the flavor we want to use, with a default value of {{JKS}}, and {{default}} would result in {{KeyStore.getDefaultType()}}. Some other values might be set. That would probably be the best option.

That will not fix the KeyStore migration issue though... At this point, the only good solution would be to ask users to create a new KeyStore with their certificates... Not exactly user-friendly :/

> Keystore change from JKS to PKCS12
> ----------------------------------
>
>                 Key: DIRSERVER-2242
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2242
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>            Reporter: Stefan Seelmann
>            Priority: Major
>
> Until Java 8 the default key store was JKS, since Java 9 the default is PKCS12.
> In the server code when we use key stores there is a mix of
>  * KeyStore.getInstance( KeyStore.getDefaultType() );
>  * KeyStore.getInstance( "JKS" );
> This needs to be cleaned up.
> There is also the question if an automatic migration from existing JKS stores in existing installations to PKCS12 is possible
> Workaround is to change default keystore to JKS (property keystore.type in $JAVA_HOME/conf/security/java.security)
>  Reference: http://openjdk.java.net/jeps/229



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
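The two ideas discussed in this thread, resolving a configured keystore type (with the proposed {{ads-keystoreType}} defaulting to JKS and {{default}} mapping to {{KeyStore.getDefaultType()}}) and a one-off JKS-to-PKCS12 migration, as an added example; this is not ApacheDS code, and the class name, method names and the assumption that private keys share the store password are the example's own.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Enumeration;

/** Hypothetical helper (added example, not ApacheDS code). */
public final class KeyStoreTypeResolver {
    /** Maps the proposed ads-keystoreType value to a KeyStore type: unset -> "JKS",
     *  "default" -> the JVM default (PKCS12 on Java 9+), anything else passed through. */
    public static String resolveType(String configured) {
        if (configured == null || configured.trim().isEmpty()) {
            return "JKS";
        }
        String type = configured.trim();
        return "default".equalsIgnoreCase(type) ? KeyStore.getDefaultType() : type;
    }

    /** Loads a store with the resolved type; a file in another format fails loudly. */
    public static KeyStore load(String path, char[] password, String configuredType)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(resolveType(configuredType));
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** One-off migration: copies every entry of a JKS store into a new PKCS12 file and
     *  leaves the JKS file untouched for rollback. Assumes key password == store password. */
    public static void migrateJksToPkcs12(String jksPath, String p12Path, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore src = load(jksPath, password, "JKS");
        KeyStore dst = KeyStore.getInstance("PKCS12");
        dst.load(null, null); // initialise an empty in-memory store
        for (Enumeration<String> aliases = src.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (src.isKeyEntry(alias)) {
                dst.setKeyEntry(alias, src.getKey(alias, password), password,
                        src.getCertificateChain(alias));
            } else if (src.isCertificateEntry(alias)) {
                dst.setCertificateEntry(alias, src.getCertificate(alias));
            }
        }
        try (FileOutputStream out = new FileOutputStream(p12Path)) {
            dst.store(out, password);
        }
    }
}
```

Loading with an explicit type rather than guessing keeps a mismatched file from being silently misread; the migration writes a separate PKCS12 file so the original JKS store remains available if the new one fails to load.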