glassfish / GLASSFISH-3055

Load balancer fails on hardware SSL accelerators (T2000 etc)


    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 9.1pe
    • Fix Version/s: not determined
    • Component/s: load_balancer
    • Environment:

      Operating System: Solaris
      Platform: Sun


      The Load Balancer plugin for Glassfish doesn't work in Apache when using Sun's
      PKCS11 crypto device.

      i.e., set Apache's httpd.conf to have SSLCryptoDevice pkcs11, and it fails to initialize:

      [Thu May 24 15:00:46 2007] [notice] Initializing lbplugin BuildId: A692342-271111

      [Thu May 24 15:00:51 2007] [alert] ERROR:NSS could not be initialized; The issue
      may be missing security DB files under /opt/apache/sec_db_files; Please ensure
      that secmod.db, key3.db and cert7.db files are present under
      /opt/apache/sec_db_files; Refer documentation for more details; Aborting Plugin
      initialization ...

      [Thu May 24 15:00:51 2007] [notice] Apache/2.0.55 (Unix) mod_ssl/2.0.55
      OpenSSL/0.9.7d configured – resuming normal operations

      This works fine when not using the SSLCryptoDevice directive,
      i.e., when using Apache's built-in SSL engine.

      One implication is that it's not possible to use the SSL hardware accelerator on
      T1000 and T2000 servers, as they require Apache to use the pkcs11
      SSLCryptoDevice setting. This is a pretty major drawback for running Glassfish
      on these boxes since their SSL engine is pretty poor, hence the built-in SSL
      accelerator, which should be used.

      Could this (just) be a problem with the NSS database file provided not having
      references to the pkcs11 device?

      The error message is also erroneous as it complains about cert7.db, which I
      believe was replaced with cert8.db long ago.
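
A diagnostic for the two open questions in the report above, added here as an example and not taken from the issue or the GlassFish project: it reports which of the NSS files named in the error exist in a directory such as `/opt/apache/sec_db_files`, and lists the modules registered in `secmod.db`. The function name `check_nss_db_dir` is hypothetical, and the module listing assumes the NSS `modutil` tool is installed and can read the database format in use.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the issue or the GlassFish project).
# check_nss_db_dir DIR
#   Prints one line per NSS file named in the lbplugin error, then, if the NSS
#   "modutil" tool is on PATH, lists the modules registered in secmod.db.
#   Returns 0 when secmod.db, key3.db and a cert DB are all readable,
#   1 when any of them is missing, 2 when DIR is not a directory.
check_nss_db_dir() {
    nss_dir=$1
    nss_rc=0
    if [ ! -d "$nss_dir" ]; then
        echo "not a directory: $nss_dir"
        return 2
    fi
    for f in secmod.db key3.db; do
        if [ -r "$nss_dir/$f" ]; then
            echo "present: $f"
        else
            echo "MISSING: $f"
            nss_rc=1
        fi
    done
    # The error text names cert7.db; the reporter believes cert8.db replaced it.
    # Report whichever exists instead of assuming one of them.
    nss_certdb=""
    for f in cert7.db cert8.db; do
        if [ -r "$nss_dir/$f" ]; then
            echo "present: $f"
            nss_certdb=$f
        fi
    done
    if [ -z "$nss_certdb" ]; then
        echo "MISSING: cert7.db / cert8.db"
        nss_rc=1
    fi
    # The module list shows whether secmod.db references any PKCS#11 device
    # besides the NSS internal module (assumption: modutil can read this DB).
    if [ -r "$nss_dir/secmod.db" ] && command -v modutil >/dev/null 2>&1; then
        modutil -list -dbdir "$nss_dir" </dev/null 2>&1 ||
            echo "modutil could not read $nss_dir"
    fi
    return $nss_rc
}
```

Run it as the user Apache runs as, since the plugin needs the files to be readable by that account.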

