Bug 1076136

Summary: Incomplete documentation for keystore options
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Martin Simka <msimka>
Component: Documentation
Assignee: Scott Mumford <smumford>
Status: CLOSED CURRENTRELEASE
QA Contact: Russell Dickenson <rdickens>
Severity: high
Docs Contact:
Priority: unspecified
Version: 6.3.0
CC: darran.lofthouse, hmlnarik, nziakova, smumford, twells
Target Milestone: ER3
Keywords: Documentation, Triaged
Target Release: EAP 6.3.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Build Name: 22558, Security Guide-6.3-1
Build Date: 13-03-2014 11:10:35
Topic ID: 22638-592473 [Latest]
Last Closed: 2014-06-28 15:44:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1051640

Description Martin Simka 2014-03-13 15:56:13 UTC
Title: Configure the Management Console for HTTPS in Standalone mode
Title: Configure the Management Console for HTTPS in Domain mode

https://issues.jboss.org/browse/EAP6-78 Add support for PKCS11 Keystores in security realms and HornetQ

New keystore options were added in EAP 6.3.0.DR2. I didn't find them in documentation. It must be documented, please contact developers for details.

Comment 1 Darran Lofthouse 2014-05-07 17:55:57 UTC
What we have added is PKCS#11 support according to the following documentation: -

http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html

Most specifically the following section: -

http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html#JSSE

What we have added is a 'provider' attribute for the key and trust store definitions in the security realms - the value specified here is passed into the relevant KeyStore.getInstance("PKCS11") calls where we initialise the key and trust stores so they can be backed by PKCS#11 implementation.

The underlying PKCS#11 configuration is outside the scope of EAP; end users are responsible for the correct installation of their PKCS#11 hardware/software and for adding the required entries to the java.security policy file. We are only facilitating the referencing of this configuration; it is still their responsibility to define it correctly.
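
As an added illustration of the mechanism described in comment 1 (this is not code from EAP or from this ticket): a small stand-alone Java check that the name a security realm's `provider` attribute would reference is actually registered in the JVM before a `KeyStore.getInstance("PKCS11", ...)` call is made against it. The provider name `SunPKCS11-MyToken`, the library path and the config-file path are placeholders; the java.security entry and config-file format follow the Oracle PKCS#11 guide linked above. Running this with the same JVM that will run EAP, before the realm is configured, turns a failure deep in server start-up into a direct message naming the missing provider.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;

/*
 * Diagnostic for the JVM-side half of the PKCS#11 setup, which (per comment 1)
 * is the end user's responsibility.  Per the Oracle PKCS#11 guide, that means a
 * SunPKCS11 config file such as
 *
 *     name = MyToken
 *     library = /path/to/pkcs11-module.so        (placeholder path)
 *
 * registered in $JAVA_HOME/jre/lib/security/java.security as
 *
 *     security.provider.N=sun.security.pkcs11.SunPKCS11 /path/to/pkcs11.cfg
 *
 * which yields a provider named "SunPKCS11-MyToken".  That provider name is
 * what a realm's 'provider' attribute would carry.
 */
public class Pkcs11ProviderCheck {

    /** True if a provider with exactly this name is registered in the running JVM. */
    static boolean isProviderRegistered(String providerName) {
        return Security.getProvider(providerName) != null;
    }

    /**
     * Mirrors what a realm does with the 'provider' value: request a PKCS11
     * KeyStore from the named provider.  Fails fast with a message listing the
     * providers that are installed when the name does not resolve.
     */
    static KeyStore openPkcs11KeyStore(String providerName, char[] pin) throws Exception {
        Provider p = Security.getProvider(providerName);
        if (p == null) {
            StringBuilder installed = new StringBuilder();
            for (Provider prov : Security.getProviders()) {
                installed.append(' ').append(prov.getName());
            }
            throw new IllegalStateException("Provider '" + providerName
                    + "' is not registered in java.security. Installed providers:" + installed);
        }
        // For PKCS#11 there is no file to stream in: load(null, pin) opens the
        // token and logs in to it with the PIN.
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        return ks;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java Pkcs11ProviderCheck <provider-name> <pin>");
            System.err.println("   e.g. java Pkcs11ProviderCheck SunPKCS11-MyToken <pin>   (placeholder name)");
            return;
        }
        String providerName = args[0];
        char[] pin = args[1].toCharArray();

        System.out.println("Provider registered: " + isProviderRegistered(providerName));
        KeyStore ks = openPkcs11KeyStore(providerName, pin);
        System.out.println("Key store type: " + ks.getType() + ", entries:");
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println("  " + alias
                    + (ks.isKeyEntry(alias) ? " (key entry)" : " (certificate entry)"));
        }
        java.util.Arrays.fill(pin, '\0'); // do not keep the PIN in memory longer than needed
    }
}
```

The entry listing at the end is the useful part for a realm configuration: the alias a realm's key store definition points at must appear here as a key entry, and a trust store definition needs the certificate entries it is expected to trust; if they are absent, the problem is in the token or its configuration, not in EAP.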

Comment 2 Scott Mumford 2014-05-08 05:04:09 UTC
A note containing the explanation in comment 1 has been added to the 6.3.0 Security Guide.

The new content was placed in the "About Security Token Service" chapter (as that seemed relevant to the general idea of using tokens) rather than the topics specified in the description in this ticket.

If this is, for some reason, incorrect, leave a comment below and the note will be relocated.

Comment 3 Scott Mumford 2014-05-08 05:09:27 UTC
Informal preview of the change is available here:
http://docbuilder.usersys.redhat.com/22558/#Security_Token_Server_STS

Comment 5 Martin Simka 2014-05-12 08:50:51 UTC
Scott: you are right, the "About Security Token Service" chapter seems to be more relevant.

Verified during the EAP 6.3.0.ER3 testing cycle.

Comment 6 Nikoleta Hlavickova 2014-05-12 08:59:17 UTC
This is a beta-blocker so must be included in beta documentation. ER3 is going to be beta and therefore changing target milestone.