Bug 444260
| Field | Value |
|---|---|
| Summary | GlassFish installation fails adding cert to keystore |
| Product | [Fedora] Fedora |
| Component | java-1.6.0-openjdk |
| Version | 9 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED CURRENTRELEASE |
| Severity | low |
| Priority | low |
| Reporter | Thomas Fitzsimmons <fitzsim> |
| Assignee | Thomas Fitzsimmons <fitzsim> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | csm, langel, overholt |
| Keywords | Reopened |
| Fixed In Version | 1.6.0.0-0.15.b09.fc9 |
| Doc Type | Bug Fix |
| Last Closed | 2008-06-13 02:20:49 UTC |
| Bug Depends On | 448497 |
| Bug Blocks | 385291 |

Description
Thomas Fitzsimmons
2008-04-26 06:25:59 UTC
I think supporting a writable CertBundle key store is a good way to handle this. It isn't trying to store private keys in the store, it seems, so in this case it might work fine. It's very simple to write one of these files: it's just each certificate in base-64, delimited by BEGIN and END CERTIFICATE lines. One concern is that these files can contain "comments" -- information between END and BEGIN markers, which is ignored -- which won't be preserved if you re-write the file.

I'd be a little concerned that software tries to install random certificates in the *system* certificate bundle, though. You do that, and all of a sudden your system accepts certificates from some random, unverified entity.

One alternative might be to generate a JKS store from the system certificate bundle, then pass *that* JKS store to glassfish, if it's possible to do that.

The root problem is that Fedora 9's OpenJDK 6 packages define javax.net.ssl.trustStore by default. GlassFish allows this property to override its default trust store (~/.asadmintruststore). The lookup code is in glassfish/jmx-remote/rjmx-impl/src/java/com/sun/enterprise/admin/jmx/remote/https/AsadminTruststore.java:

```java
private static final String ASADMIN_TRUSTSTORE = ".asadmintruststore";
[...]
public static final String CLIENT_TRUSTSTORE_PROPERTY = "javax.net.ssl.trustStore";
public static final String CLIENT_TRUSTSTORE_PASSWORD_PROPERTY = "javax.net.ssl.trustStorePassword";

public static File getAsadminTruststore() {
    String location = System.getProperty(CLIENT_TRUSTSTORE_PROPERTY);
    if (location == null) {
        return new File(System.getProperty("user.home") + File.separator + ASADMIN_TRUSTSTORE);
    } else {
        return new File(location);
    }
}
```

GlassFish assumes the store type is JKS, so keytool operations fail on the CertBundle store.

Changing version to '9' as part of upcoming Fedora 9 GA. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Will be in next release and rawhide within the next few days. Closing.

I tested this patch against the GlassFish installation (as run by the NetBeans installer) and confirmed that it works. I also tested installing a package through Eclipse's update manager, which verifies the repository certificate against the JDK cacerts file. This check was failing. I confirmed that my patch fixes it.

java-1.6.0-openjdk-1.6.0.0-0.15.b09.fc9 has been submitted as an update for Fedora 9

java-1.6.0-openjdk-1.6.0.0-0.15.b09.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
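
The certificate bundle format described in the first comment, as an added example (not code from this bug report, OpenJDK or GlassFish): a naive re-write of the bundle drops the text between END and BEGIN markers, and a before/after fingerprint comparison shows which certificates a write added. The sample payloads are constructed placeholder bytes rather than real certificates, and all function names are hypothetical.

```python
import base64
import hashlib
import re

# Free text before a BEGIN marker (group 1) is the "comment" a parser ignores.
BLOCK = re.compile(
    r"(.*?)-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def pem_block(der):
    """Encode DER bytes as one BEGIN/END CERTIFICATE block."""
    body = base64.encodebytes(der).decode()  # wrapped base-64, ends with "\n"
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed sample: placeholder payloads, not real X.509 certificates.
SAMPLE_BUNDLE = (
    "# Example Root CA 1 (constructed label)\n" + pem_block(b"constructed-der-1")
    + "\nExample Root CA 2 (constructed label)\n" + pem_block(b"constructed-der-2"))

def parse_bundle(text):
    """Return [(comment, der_bytes)] for every certificate block, in order."""
    return [(m.group(1).strip(), base64.b64decode("".join(m.group(2).split())))
            for m in BLOCK.finditer(text)]

def append_cert(text, der, keep_comments=False):
    """Re-write the bundle with one more certificate appended."""
    out = []
    for comment, old_der in parse_bundle(text) + [("", der)]:
        if keep_comments and comment:
            out.append(comment + "\n")
        out.append(pem_block(old_der))
    return "".join(out)

def lost_comments(before, after):
    """Comments present in `before` that no longer appear in `after`."""
    kept = {c for c, _ in parse_bundle(after)}
    return [c for c, _ in parse_bundle(before) if c and c not in kept]

def added_fingerprints(before, after):
    """SHA-256 of each certificate in `after` that was not in `before`."""
    known = {der for _, der in parse_bundle(before)}
    return [hashlib.sha256(der).hexdigest()
            for _, der in parse_bundle(after) if der not in known]

if __name__ == "__main__":
    rewritten = append_cert(SAMPLE_BUNDLE, b"constructed-der-3")
    print("comments lost:", lost_comments(SAMPLE_BUNDLE, rewritten))
    print("new certs:", added_fingerprints(SAMPLE_BUNDLE, rewritten))
```

Running the same comparison against a copy of the system bundle taken before an installer runs gives a reviewable list of the trust anchors that installer added.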