Bug 1043586

Summary: Vault keystore conversion when upgrading from JBoss EAP 6.1.0 or earlier
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Eric Rich <erich>
Component: Documentation
Assignee: Lucas Costi <lcosti>
Status: CLOSED CURRENTRELEASE
QA Contact: Russell Dickenson <rdickens>
Severity: unspecified
Priority: unspecified
Version: 6.1.1
CC: fbogyai, jawilson, twells
Target Milestone: GA
Keywords: Documentation, Triaged
Target Release: EAP 6.2.2
Hardware: Unspecified
OS: Unspecified
Doc Type: Known Issue
Doc Text:
If using a vault, when upgrading a JBoss EAP 6 instance from 6.1.0 or earlier, to 6.1.1 or later, the associated vault keystore is converted from JKS to JCEKS format. As a result, any applications or services which use the same keystore, such as SSL, will not work after the upgrade. This issue is caused by a fix for a security issue that is resolved in JBoss EAP 6.1.1 and later. The security fix forces older keystores to be converted from JKS format with an RSA key to JCEKS format with an AES key, and this conversion process may not be successful when upgrading. To work around this problem, customers can create a new vault and store the attributes there. For more details on this issue and the workaround, refer to this Customer Portal Solution: https://access.redhat.com/support/cases/00998441/ For further details on the original security issue, refer to the Red Hat security advisory for the JBoss EAP 6.1.1 release: https://access.redhat.com/support/cases/00998441/
Last Closed: 2014-06-02 12:50:40 UTC
Type: Bug
Bug Depends On: 1080045

Description Eric Rich 2013-12-16 17:55:10 UTC
Description of problem:

No update was given about the changes that were occurring to people's systems as a result of RHSA-2013-1209.

Version-Release number of selected component (if applicable):
6.1.1 and greater

How reproducible:

Steps to Reproduce:
    1. Install JBoss 6.1.0 or prior (6.0)
    2. Create a Vault
    3. Upgrade JBoss
  - A good test of this is using JBoss RPMs

Actual results:
Customer keystores get converted in place and old keystores are deleted.

Expected results:
The keystores for customers should not get deleted, they should be migrated but not deleted.

Comment 1 Russell Dickenson 2014-03-06 03:33:05 UTC
Attention: Jimmy Wilson

I have marked this BZ ticket NEEDINFO from you as I'd appreciate your opinion. This issue has not yet appeared in *ANY* post-EAP 6.1.0 release notes, yet should have done. Should it appear in the EAP 6.2.2 Release Notes document?

Comment 3 Russell Dickenson 2014-03-11 05:19:23 UTC
I have set the 'Target Release' field to "EAP 6.2.2" so that's the product version's Release Notes document in which it will feature. If that is incorrect, please advise.

Comment 4 Lucas Costi 2014-03-24 23:08:49 UTC
*** Bug 1080045 has been marked as a duplicate of this bug. ***

Comment 5 Lucas Costi 2014-03-24 23:15:07 UTC
Feedback from Filip:

--------------
In 6.2.2 Release Notes - Known Issues 
Keystore conversion when upgrading from JBoss EAP 6.1.0 or earlier

The first paragraph of this issue doesn't specify that only the vault keystore is converted and others are not affected. It sounds like all keystores are automatically converted, which is misleading. Change the title and first paragraph of this issue to something like this:

Vault keystore conversion when upgrading from JBoss EAP 6.1.0 or earlier

If using a vault, when upgrading a JBoss EAP 6 instance from 6.1.0 or earlier, to 6.1.1 or later, the associated vault keystore is converted from JKS to JCEKS format. As a result, any applications or services which use the same keystore, such as SSL, will not work after the upgrade.
-------------

Bug title and release note text have been updated as suggested.

Comment 7 Jimmy Wilson 2014-09-30 08:12:04 UTC
Clearing the needinfo flag.
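
A check for the JKS to JCEKS conversion discussed in this bug, as an added example that is not part of the original report or of JBoss EAP: it reads a keystore's magic number (FEEDFEED for JKS, CECECECE for JCEKS) and flags a file whose format no longer matches what a consumer such as an SSL connector is configured for. The function names, file names and expected-type argument are assumptions, and the sample files are constructed headers, not real keystores.

```shell
#!/bin/sh
# Added example: identify a Java keystore's on-disk format from its first 4 bytes.

# keystore_format PATH -> prints JKS, JCEKS, DER or UNKNOWN
keystore_format() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;
        cececece) echo JCEKS ;;
        30*)      echo DER ;;      # ASN.1 SEQUENCE, for example a PKCS#12 file
        *)        echo UNKNOWN ;;  # unreadable, empty or some other format
    esac
}

# check_keystore PATH EXPECTED_TYPE
# Returns 0 when the file's format matches the type its consumer is configured
# with (assumption: the caller knows that type, e.g. JKS for an SSL connector).
check_keystore() {
    actual=$(keystore_format "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK       $1 is $actual"
        return 0
    fi
    echo "MISMATCH $1 is $actual, consumer expects $2"
    return 1
}

# Constructed sample input: magic number plus version field only.
demo_dir=$(mktemp -d)
printf '\376\355\376\355\000\000\000\002' > "$demo_dir/before-upgrade.keystore"
printf '\316\316\316\316\000\000\000\002' > "$demo_dir/after-upgrade.keystore"

check_keystore "$demo_dir/before-upgrade.keystore" JKS
check_keystore "$demo_dir/after-upgrade.keystore" JKS ||
    echo "-> keystore was converted; anything still configured for JKS will fail to load it"

rm -rf "$demo_dir"
```

Running the same check against a copy of the keystore taken before the upgrade and against the file in place afterwards shows whether the vault conversion touched a keystore that other services share.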