Bug 500877

Summary: Unable to start/run JAVA applications using NSS-3.12.3
Product: Red Hat Enterprise Linux 5 Reporter: Christina Fu <cfu>
Component: nssAssignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED CURRENTRELEASE QA Contact: BaseOS QE <qe-baseos-auto>
Severity: high Docs Contact:
Priority: urgent    
Version: 5.3CC: ckannan, cward, emaldona, jplans, kengert, rcritten, shaines, syeghiay
Target Milestone: rcKeywords: ZStream
Target Release: 5.3.z   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nss-3.12.7-2.el5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-03-03 20:17:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 500454    
Bug Blocks: 223279, 455305, 499052, 502201, 506973    

Description Christina Fu 2009-05-14 16:06:25 UTC 
Description of problem:
I updated to nss-3.12.3 packages on RHEL5.3, along with the nspr-4.7.4 packages.  All my JAVA based servers/tools that use nss stops to work.

The following error was observed across all applications I tried:

CryptoManager.iitialize() failed:java.lang.SecurityException: Unable to set security policy 

Another issue is:
 when ECC keys are genearted for SSL server cert, it fails to connect.

So, run a RHCS CA with nss with the first issue fixed.  Select ECC to be generated for all certs (including the SSL server cert).  After that, clients (like browser) fails to connect to https port backed by the ECC SSL server.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Kai Engert (:kaie) (inactive account) 2009-05-14 16:53:24 UTC 
cfu, RHEL 5.3 does not yet have nss 3.12.3

Is part of your request that you need nss 3.12.3 delivered to your existing RHEL 5.3 based customers (can't wait for RHEL 5.4)
Comment 2 Kai Engert (:kaie) (inactive account) 2009-05-14 16:55:46 UTC 
Scott, do you know why we can't request 5.3.z? flag in this bug?
In my understanding cfu wants this for 5.3 customers.
Comment 3 Scott Haines 2009-05-14 18:36:23 UTC 
Hey Kai, no reason we can't.  Setting 5.3.z and 5.4 to '?'.
Comment 4 Scott Haines 2009-05-18 15:42:24 UTC 
Setting devel_ack to '+'.  Fix critical to the delivery of Certificate System v8 in June.
Comment 12 Kai Engert (:kaie) (inactive account) 2009-06-04 22:28:48 UTC 
*** Bug 504057 has been marked as a duplicate of this bug. ***
Comment 13 Chandrasekar Kannan 2009-07-13 13:34:44 UTC 
With the nss build thats part of the errata nss-3.12.3.99, RHCS QE has verified the following to work ok:

1 - All sanity tests documented in the RHCS QE test plans - OK
2 - Starting up RHCS on RHEL 5.3(up2date) - OK
3 - Functional/Load tests on RHCS on RHEL 5.3 with nss-3.12.3.99 with keys
    stored on netHSM 2000 - OK
4 - Setting up RHCS on RHEL 5.3 with nss-3.12.3.99 with ECC on nethsm2000 - OK
5 - Setting up RHCS on RHEL 5.3 with nss-3.12.3.99 with ECC via certicom - OK.

Since the above mentioned tests have PASSED, I consider this bug as VERIFIED.
Comment 16 Chris Ward 2010-01-27 10:07:41 UTC 
Chandrasekar, could you please re-test with the 5.5 version, nss-3.12.3-5.el5 from 

https://errata.devel.redhat.com/errata/show/8598 ?