GLASSFISH-18175

The key-store, trust-store elements in the ssl protocol element are not working

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: not determined
    • Component/s: security
    • Labels: None

      Description

      Specifying the keystore and truststore in the ssl protocol element in domain.xml is not working.
      It still picks up the keystore and truststore from the JVM options.

      A sample XML snapshot is as follows:

      <protocol security-enabled="true" name="ssl-listener">
        <http default-virtual-server="server">
          <file-cache></file-cache>
        </http>
        <ssl key-store="/opscenter/security/keystore/keystore"
             ssl3-tls-ciphers="+SSL_RSA_WITH_RC4_128_MD5,+SSL_RSA_WITH_RC4_128_SHA"
             classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl"
             trust-store="/opscenter/security/keystore/truststore_gf"
             cert-nickname="s1as"></ssl>
      </protocol>

      I notice the following in the debugger:
      GlassfishSSLImpl#getServerSocketFactory() --> new GlassfishServerSocketFactory()
      and we have GlassfishServerSocketFactory#getKeyManagers as follows:

          if (sslUtils == null) {
              initSSLUtils();
          }
          // Read from the <ssl> element attributes, but only logged below
          String keystoreFile = (String) attributes.get("keystore");
          if (logger.isLoggable(Level.FINE)) {
              logger.log(Level.FINE, "Keystore file= {0}", keystoreFile);
          }

          String keystoreType = (String) attributes.get("keystoreType");
          if (logger.isLoggable(Level.FINE)) {
              logger.log(Level.FINE, "Keystore type= {0}", keystoreType);
          }
          // keystoreFile/keystoreType are not passed in here; SSLUtils uses its own (JVM-option) keystore
          KeyManager[] kMgrs = sslUtils.getKeyManagers(algorithm);
          if (keyAlias != null && keyAlias.length() > 0 && kMgrs != null) {
              for (int i = 0; i < kMgrs.length; i++) {
                  kMgrs[i] = new J2EEKeyManager((X509KeyManager) kMgrs[i], keyAlias);
              }
          }
          return kMgrs;
      }


      (a) I notice that the keystoreFile is correctly picked up from the protocol ssl element.
      (b) The keystoreFile above is computed but "not" used in the computation of the key managers.
      (c) The key managers are derived from SSLUtils, which is looked up from the habitat.
      However, we have:
      (i) SSLUtils is scoped by Singleton.class
      (ii) inside SSLUtils, the key managers are computed from SecuritySupportImpl.java
      (iii) SecuritySupportImpl is also Singleton scoped
      Also, the #initJKS method only gets the keystore info from the JVM options.

          People

          • Assignee: JeffTancill
          • Reporter: Shing Wai Chan
          • Votes: 0
          • Watchers: 3
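The behaviour the report asks for, as an added illustration (this is not GlassFish code and not the reporter's): the listener's own key-store / trust-store attributes take precedence, and the JVM-wide javax.net.ssl.* properties are only a fallback when the attribute is absent. The attribute names key-store and trust-store come from the <ssl> element in the report; key-store-type, trust-store-type, the attribute map, and the password handling are assumptions for this example. The demo in main() builds an empty PKCS12 store on disk (constructed) as the listener keystore and points the JVM property at a path that does not exist, so the two precedence orders are distinguishable.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/** Added example, not GlassFish source: per-listener SSL material with
 *  listener attributes winning over the JVM-wide javax.net.ssl.* properties. */
public final class ListenerSslMaterial {

    // key-store / trust-store match the <ssl> element in the report; the
    // "-type" names are assumptions for this illustration.
    static final String KEY_STORE = "key-store";
    static final String KEY_STORE_TYPE = "key-store-type";
    static final String TRUST_STORE = "trust-store";
    static final String TRUST_STORE_TYPE = "trust-store-type";

    /** Listener attribute first; JVM property only if the attribute is unset. */
    static String resolve(Map<String, String> attrs, String attr, String jvmProperty, String dflt) {
        String v = attrs.get(attr);
        if (v == null || v.isEmpty()) {
            v = System.getProperty(jvmProperty);
        }
        return (v == null || v.isEmpty()) ? dflt : v;
    }

    static KeyStore load(String path, String type, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {   // FileNotFoundException if missing
            ks.load(in, password);
        }
        return ks;
    }

    public static KeyManager[] keyManagers(Map<String, String> attrs, char[] password)
            throws IOException, GeneralSecurityException {
        String path = resolve(attrs, KEY_STORE, "javax.net.ssl.keyStore", null);
        if (path == null) {
            throw new IllegalStateException("no keystore configured on the listener or the JVM");
        }
        String type = resolve(attrs, KEY_STORE_TYPE, "javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(path, type, password), password);
        return kmf.getKeyManagers();
    }

    public static TrustManager[] trustManagers(Map<String, String> attrs, char[] password)
            throws IOException, GeneralSecurityException {
        String path = resolve(attrs, TRUST_STORE, "javax.net.ssl.trustStore", null);
        if (path == null) {
            throw new IllegalStateException("no truststore configured on the listener or the JVM");
        }
        String type = resolve(attrs, TRUST_STORE_TYPE, "javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(path, type, password));
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();

        // Constructed listener keystore: an empty PKCS12 file in the temp directory.
        Path listenerStore = Files.createTempFile("listener-keystore", ".p12");
        KeyStore empty = KeyStore.getInstance("PKCS12");
        empty.load(null, pw);
        try (OutputStream out = new FileOutputStream(listenerStore.toFile())) {
            empty.store(out, pw);
        }
        // JVM-wide setting deliberately points at a file that does not exist.
        System.setProperty("javax.net.ssl.keyStore", "/nonexistent/jvm-keystore");

        Map<String, String> ssl = new HashMap<>();
        ssl.put(KEY_STORE, listenerStore.toString());
        ssl.put(KEY_STORE_TYPE, "PKCS12");

        // Attribute wins: the listener keystore loads even though the JVM property is bogus.
        KeyManager[] km = keyManagers(ssl, pw);
        System.out.println("listener keystore used, key managers: " + km.length);

        // Without the attribute only the JVM property is left, so loading fails.
        ssl.remove(KEY_STORE);
        try {
            keyManagers(ssl, pw);
        } catch (IOException e) {
            System.out.println("fallback to JVM property failed as expected: " + e.getMessage());
        }
        Files.deleteIfExists(listenerStore);
    }
}
```

To check which keystore a running listener actually serves, compare the certificate returned by `openssl s_client -connect host:port -showcerts` with `keytool -list -v -keystore <path>` for the keystore named on the <ssl> element; with the behaviour in the report, the served certificate will instead match the keystore named in the JVM options.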