
Set generated keystore type to JKS #24148

Merged (2 commits), Nov 3, 2022

Conversation

arjantijms
Contributor

GlassFish generates an internal keystore using the keytool command during the build. The type of the keystore depends on the JDK being used. From JDK 12 onwards it defaults to PKCS12, which throws the following exception on JDK 11:

Integrity check failed: java.security.NoSuchAlgorithmException: Algorithm HmacPBESHA256 not available

By setting the keystore explicitly to JKS, it's supported on both 11 and 17.

Signed-off-by: Arjan Tijms <arjan.tijms@gmail.com>
Without setting it explicitly it depends on the JDK version used.

Signed-off-by: Arjan Tijms <arjan.tijms@gmail.com>
@arjantijms arjantijms added this to the 7.0.0 milestone Nov 2, 2022
@arjantijms arjantijms self-assigned this Nov 2, 2022
@pzygielo
Contributor

pzygielo commented Nov 3, 2022

  1. What piece of code complains about:
Integrity check failed: java.security.NoSuchAlgorithmException: Algorithm HmacPBESHA256 not available

How can I verify that it is happy after this change?

  2. keytools, including the one from JDK11, issue
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.ks -destkeystore keystore.ks -deststoretype pkcs12".

@arjantijms
Contributor Author

How can I verify that it is happy after this change?

Build with JDK 17, then start GlassFish and deploy a war to it using an older version of JDK 11. I used sdkman to install 11.0.2:

sdk install java 11.0.2-open
java --version
openjdk 11.0.2 2019-01-15
OpenJDK Runtime Environment 18.9 (build 11.0.2+9)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.2+9, mixed mode)

With this version the exception happens on master, and does not happen with this patch. Note that with a newer JDK 11 release the exception doesn't happen on master, e.g. with 11.0.15:

java --version
openjdk 11.0.15 2022-04-19 LTS
OpenJDK Runtime Environment Zulu11.56+19-CA (build 11.0.15+10-LTS)
OpenJDK 64-Bit Server VM Zulu11.56+19-CA (build 11.0.15+10-LTS, mixed mode)
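The PR description above says the on-disk type of the keystore that keytool writes depends on the JDK, and the question in the thread is how to verify the result. A cheap, JDK-independent check is to sniff the file header: JKS starts with the magic number 0xFEEDFEED, JCEKS with 0xCECECECE, and a PKCS#12 file is DER and starts with a SEQUENCE tag (0x30). The following is an added example, not code from the GlassFish project or this PR; the sample headers are constructed byte strings, not real keystores, and the helper names are my own.

```python
# Added example (not from the GlassFish PR): sniff a keystore file's on-disk
# format so a build can confirm keytool produced JKS regardless of the JDK used.
import struct
from typing import Tuple

JKS_MAGIC = 0xFEEDFEED    # Sun JKS keystore magic number
JCEKS_MAGIC = 0xCECECECE  # SunJCE JCEKS keystore magic number
DER_SEQUENCE = 0x30       # PKCS#12 files are DER, opening with a SEQUENCE tag


def detect_keystore_type(data: bytes) -> str:
    """Return 'JKS', 'JCEKS', 'PKCS12' or 'unknown' from the first bytes of a keystore."""
    if len(data) >= 4:
        magic = struct.unpack(">I", data[:4])[0]
        if magic == JKS_MAGIC:
            return "JKS"
        if magic == JCEKS_MAGIC:
            return "JCEKS"
    if data and data[0] == DER_SEQUENCE:
        return "PKCS12"
    return "unknown"


def parse_jks_header(data: bytes) -> Tuple[int, int]:
    """Return (format_version, entry_count) from a JKS header; raise on non-JKS input."""
    if detect_keystore_type(data) != "JKS":
        raise ValueError("not a JKS keystore")
    # JKS layout: magic (4 bytes), version (4 bytes, 1 or 2), entry count (4 bytes)
    version, count = struct.unpack(">II", data[4:12])
    if version not in (1, 2):
        raise ValueError(f"unsupported JKS version {version}")
    return version, count


# Constructed sample headers (not real keystores): a JKS v2 header announcing one
# entry, and the opening bytes of a DER SEQUENCE as a PKCS#12 file would begin.
SAMPLE_JKS = struct.pack(">III", JKS_MAGIC, 2, 1) + b"\x00\x01"
SAMPLE_PKCS12 = bytes.fromhex("30820a1b020103308209d406092a864886f70d010701")

if __name__ == "__main__":
    # Point this at the keystore the build generated to confirm it is JKS.
    for name, blob in (("sample.jks", SAMPLE_JKS), ("sample.p12", SAMPLE_PKCS12)):
        print(name, detect_keystore_type(blob))
```

Run it against the keystore produced by the build on each JDK you support; with keytool told `-storetype JKS` explicitly, the result should be "JKS" on every JDK, which is what this PR relies on.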

@arjantijms
Contributor Author

It is recommended to migrate to PKCS12 which is an industry standard format

Indeed, so once we raise the baseline to JDK 17 we should probably start using PKCS12. However, it's just an internal keystore for GF for the self-signed certificates, so the industry standard format aspect is not super important at the moment.

@pzygielo
Contributor

pzygielo commented Nov 3, 2022

Seems related:

pkcs12 keystores created using JDK 11.0.12 or later can't be read by earlier JDK 11 versions

@arjantijms
Contributor Author

Yes, that's the exact issue.

@arjantijms arjantijms merged commit 4152739 into eclipse-ee4j:master Nov 3, 2022
@arjantijms arjantijms deleted the set_keystore_type branch November 11, 2022 21:10