Bug 1043586
Summary: | Vault keystore conversion when upgrading from JBoss EAP 6.1.0 or earlier | ||
---|---|---|---|
Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | Eric Rich <erich> |
Component: | Documentation | Assignee: | Lucas Costi <lcosti> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Russell Dickenson <rdickens> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 6.1.1 | CC: | fbogyai, jawilson, twells |
Target Milestone: | GA | Keywords: | Documentation, Triaged |
Target Release: | EAP 6.2.2 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Known Issue | |
Doc Text: |
If using a vault, when upgrading a JBoss EAP 6 instance from 6.1.0 or earlier, to 6.1.1 or later, the associated vault keystore is converted from JKS to JCEKS format.
As a result, any applications or services which use the same keystore, such as SSL, will not work after the upgrade.
This issue is caused by a fix for a security issue that is resolved in JBoss EAP 6.1.1 and later. The security fix forces older keystores to be converted from JKS format with an RSA key to JCEKS format with an AES key, and this conversion process may not be successful when upgrading.
To work around this problem, customers can create a new vault and store the attributes there.
For more details on this issue and the workaround, refer to this Customer Portal Solution: https://access.redhat.com/support/cases/00998441/
For further details on the original security issue, refer to the Red Hat security advisory for the JBoss EAP 6.1.1 release: https://access.redhat.com/support/cases/00998441/
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2014-06-02 12:50:40 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1080045 | ||
Bug Blocks: |
Description
Eric Rich
2013-12-16 17:55:10 UTC
Attention: Jimmy Wilson

I have marked this BZ ticket NEEDINFO from you as I'd appreciate your opinion. This issue has not yet appeared in *ANY* post-EAP 6.1.0 release notes, yet should have done. Should it appear in the EAP 6.2.2 Release Notes document? I have set the 'Target Release' field to "EAP 6.2.2" so that's the product version's Release Notes document in which it will feature. If that is incorrect, please advise.

*** Bug 1080045 has been marked as a duplicate of this bug. ***

Feedback from Filip:
--------------
In 6.2.2 Release Notes - Known Issues

Keystore conversion when upgrading from JBoss EAP 6.1.0 or earlier

The first paragraph of this issue doesn't specify that only vault keystore is converted and others are not affected. It sounds like all keystores are automatically converted, which is misleading.

Change title and first paragraph of this issue to something like this:

Vault keystore conversion when upgrading from JBoss EAP 6.1.0 or earlier

If using a vault, when upgrading a JBoss EAP 6 instance from 6.1.0 or earlier, to 6.1.1 or later, the associated vault keystore is converted from JKS to JCEKS format. As a result, any applications or services which use the same keystore, such as SSL, will not work after the upgrade.
-------------

Bug title, and release note text has been updated as suggested. Ready for review (Revision 6.2.2-4): http://documentation-devel.engineering.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/6.2.2_Release_Notes/index.html#Known_Issues15

Clearing the needinfo flag.
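The known issue above only affects services that share the vault's keystore file, so a pre-upgrade check can list which configured keystores resolve to that file and which on-disk format each is in. The following is an added example, not part of the bug report or of JBoss EAP; the consumer labels and file names are hypothetical, and the sample files are constructed 12-byte headers rather than real keystores.

```python
import os
import struct
import tempfile

JKS_MAGIC = 0xFEEDFEED    # first 4 bytes of a JKS keystore file
JCEKS_MAGIC = 0xCECECECE  # first 4 bytes of a JCEKS keystore file


def keystore_format(path):
    """Return 'JKS', 'JCEKS' or 'unknown' based on the file's 4-byte magic."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if len(head) < 4:
        return "unknown"
    (magic,) = struct.unpack(">I", head)
    return {JKS_MAGIC: "JKS", JCEKS_MAGIC: "JCEKS"}.get(magic, "unknown")


def audit(vault_keystore, consumers):
    """consumers maps a label (hypothetical, e.g. an SSL connector) to a keystore path.
    Returns (vault keystore format, sorted labels that point at the vault's file)."""
    shared = sorted(
        label for label, path in consumers.items()
        if os.path.exists(path) and os.path.samefile(path, vault_keystore)
    )
    return keystore_format(vault_keystore), shared


def demo():
    """Run the audit on constructed files before and after a simulated format change."""
    with tempfile.TemporaryDirectory() as d:
        vault = os.path.join(d, "vault.keystore")
        separate = os.path.join(d, "messaging.jks")
        header = struct.pack(">III", JKS_MAGIC, 2, 0)  # magic, version, entry count
        for p in (vault, separate):
            with open(p, "wb") as fh:
                fh.write(header)
        consumers = {
            "https-connector": os.path.join(d, ".", "vault.keystore"),  # same file
            "messaging-ssl": separate,
        }
        before = audit(vault, consumers)
        # Simulate only the header change the Doc Text describes (JKS -> JCEKS).
        with open(vault, "wb") as fh:
            fh.write(struct.pack(">III", JCEKS_MAGIC, 2, 0))
        after = audit(vault, consumers)
        return before, after


if __name__ == "__main__":
    print(demo())
```

Any label reported as shared is a service that should be given its own keystore before the upgrade, or re-checked after it.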