Bug 1028463

Summary: Check that keystore/truststore is accessible during JSSE configuration
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Petr Kremensky <pkremens>
Component: InstallerAssignee: Thomas Hauser <thauser>
Status: CLOSED CURRENTRELEASE QA Contact: Petr Kremensky <pkremens>
Severity: low Docs Contact:
Priority: unspecified    
Version: 6.2.0CC: mtjandra
Target Milestone: CR3   
Target Release: EAP 6.2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-15 16:23:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Petr Kremensky 2013-11-08 14:09:57 UTC 
Description of problem:
 We should add some validation for Keystore/Truststore URL field on JSSE configuration screen.

Version-Release number of selected component (if applicable):
 EAP 6.2.0.ER7

How reproducible:
 Always

Steps to Reproduce:
 1. Run GUI installer. Go to Post-Install configuration screen using default values.
 2. Select to Add a security-domain.
 3. Press next on Security domain configuration screen to get to JSSE screen. 
 4. Check to "add jsse option" to show other values.
 5. Choose to either "Add keystore element", or "Add truststore element" option.
 6. Enter some values to password fields and keystore/truststore URL field.

Actual results:
 keystore/truststore URL field could contain any non empty value.

Expected results:
 We should verify that URL is accessible.
Comment 1 Thomas Hauser 2013-11-14 20:02:07 UTC 
I was looking into this today. I was thinking of going beyond the "is it accessible" to actually checking the password given, to see if the keystore can be accessed through the Java KeyStore APIs. However, there seem to be a myriad of keystore types that the user could be using; 

Should I attempt to check all possible keystore types that the JRE is aware of (requires more work) 

Or should I just attempt with the type JKS, and warn if this fails? (This is already implemented and requires a little tuning, that's it, as well as localization)

Thanks,
Tom
Comment 2 Petr Kremensky 2013-11-15 14:46:52 UTC 
Hi Tom,
I guess that checking of JKS is enough.
Petr
Comment 3 Thomas Hauser 2013-11-18 14:27:34 UTC 
Check implemented. If validation fails, the user is warned that they may have entered the wrong password, but it cannot be guaranteed unless the keystore is of type JKS.
Comment 4 Petr Kremensky 2013-11-22 08:56:26 UTC 
I found an issue while testing this. The "accessibility check" itself works fine, but I found a case which can walk-around it. Truststore validation is bypassed once I enter valid keystore element.

Way to reproduce:
 1. Go to Security-domain configuration screen with JSSE configuration.
Select to "Add jsse element", "Add keystore element" and "Add truststore element".
 2. Enter valid values into Keystore password and keystore URL so the accessibility check will pass.

Now you can enter arbitrary truststore password (must match) and Truststore URL, and validation will always pass. Once you un-select "Add keystore element" option the truststore validation works as expected.
Comment 5 Miles Tjandrawidjaja 2013-11-22 15:07:53 UTC 
Validation has been updated.

http://git.app.eng.bos.redhat.com/jbossas-installer.git/commit/?h=eap-6.2&id=40c15bc29499ff8a2e1f5da9b8314abb6410a3c2
Comment 6 Petr Kremensky 2013-11-27 08:26:50 UTC 
Verified on EAP 6.2.0.CR.3.1 (re-spin caused by BZ1007833) installer.