Created attachment 811214: instructions to recreate problem

Description of problem:
PicketBox 4.0.17.SP2 prevents initialization of a PKCS11 keystore. This is fixed in PicketBox 4.0.19.Final, and that version should be available for EAP 6.2.

The specific issue is in the method JBossJSSESecurityDomain.loadKeyAndTrustStore at line 460, which has:

460         is = null;
461         try
462         {
463            if ((!"PKCS11".equalsIgnoreCase(keyStoreType) || !"PKCS11IMPLKS".equalsIgnoreCase(keyStoreType))
464                  && keyStoreURL != null)
465            {
466               is = keyStoreURL.openStream();
467            }
468            else
469               throw PicketBoxMessages.MESSAGES.invalidKeyStoreType(keyStoreType);
470
471            keyStore.load(is, keyStorePassword);

which, for PKCS11 keystores, will always throw the exception. PicketBox 4.0.19.Final contains the fix:

460         is = null;
461         try
462         {
463            if ((!"PKCS11".equalsIgnoreCase(keyStoreType) && !"PKCS11IMPLKS".equalsIgnoreCase(keyStoreType)))
464            {
465               // not a PKCS11 keystore: we need a URL
466               if (keyStoreURL != null)
467                  is = keyStoreURL.openStream();
468               else
469                  throw PicketBoxMessages.MESSAGES.invalidNullKeyStoreURL(keyStoreType);
470            }
471
472            keyStore.load(is, keyStorePassword);

which correctly loads the PKCS11 keystore.

Version-Release number of selected component (if applicable):
EAP 6.1.1 and earlier

How reproducible:
Configure a security-domain using Certificate that references a PKCS11 keystore. Detailed instructions attached.

Actual results:
Exception always thrown with PKCS11 keystore

Expected results:
PKCS11 keystore should be loaded
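To make the boolean mistake concrete, here is an added Java example (not PicketBox code) that models only the pre-load decision from the two snippets above as two functions and prints the outcome for each keystore type with and without a URL. The Outcome enum, the class name and the sample URL are constructed for illustration; no real keystore is opened.

```java
import java.net.URL;

public class KeyStoreLoadCheck {
    // Possible results of the decision that precedes keyStore.load(is, password).
    enum Outcome { OPEN_URL_STREAM, LOAD_WITH_NULL_STREAM, INVALID_KEYSTORE_TYPE, INVALID_NULL_URL }

    // Condition as shipped in PicketBox 4.0.17.SP2. Because no string equals both
    // "PKCS11" and "PKCS11IMPLKS", the "||" of the two negations is true for every type,
    // so the only thing that decides the branch is whether a URL was configured.
    static Outcome buggy(String keyStoreType, URL keyStoreURL) {
        if ((!"PKCS11".equalsIgnoreCase(keyStoreType) || !"PKCS11IMPLKS".equalsIgnoreCase(keyStoreType))
                && keyStoreURL != null) {
            return Outcome.OPEN_URL_STREAM;
        }
        return Outcome.INVALID_KEYSTORE_TYPE;   // a PKCS11 domain without a URL always ends here
    }

    // Condition from PicketBox 4.0.19.Final: only non-PKCS11 types require a URL;
    // PKCS11 types fall through to keyStore.load(null, pin), which is the correct call.
    static Outcome fixed(String keyStoreType, URL keyStoreURL) {
        if (!"PKCS11".equalsIgnoreCase(keyStoreType) && !"PKCS11IMPLKS".equalsIgnoreCase(keyStoreType)) {
            if (keyStoreURL != null) return Outcome.OPEN_URL_STREAM;
            return Outcome.INVALID_NULL_URL;   // a more accurate error than "invalid keystore type"
        }
        return Outcome.LOAD_WITH_NULL_STREAM;
    }

    public static void main(String[] args) throws Exception {
        URL url = new URL("file:///tmp/example.jks");   // constructed sample URL; the file need not exist
        String[] types = { "JKS", "PKCS11", "PKCS11ImplKS" };
        for (String t : types) {
            System.out.printf("%-12s url     buggy=%-22s fixed=%s%n", t, buggy(t, url), fixed(t, url));
            System.out.printf("%-12s no-url  buggy=%-22s fixed=%s%n", t, buggy(t, null), fixed(t, null));
        }
    }
}
```

Note that the old condition also misreports a JKS domain with no URL as an invalid keystore type, which the fixed version distinguishes from the PKCS11 case.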
Rich,

Thank you for opening this ticket. NSS has recently been added as one of our client's requirements and is now becoming a standard use for federal agencies. Thanks for finding that we cannot define a PKCS11 security domain using PicketBox 4.0.17.SP2 in EAP 6.1.1, which means a FIPS 140-2 vault implementation cannot be implemented. While 6.1.1 is able to support NSS for the HTTPS connector, we discovered that two-way SSL using PKCS11 between hosts and the domain controller is also not supported in 6.1.1, so it would be great to see this support in EAP 6.2. If this bug is fixed in 6.2 we will definitely be implementing it for our client.

Thanks!
(In reply to Toufic Arabi from comment #1)
> Rich,
>
> Thank you for opening this ticket. NSS has recently been added as one of our
> client's requirements and is now becoming a standard use for federal
> agencies. Thanks for finding that we cannot define a PKCS11 security domain
> using PicketBox 4.0.17.SP2 in EAP 6.1.1, which means a FIPS 140-2 vault
> implementation cannot be implemented. While 6.1.1 is able to support NSS for
> the HTTPS connector, we discovered that two-way SSL using PKCS11 between hosts
> and the domain controller is also not supported in 6.1.1, so it would be great to
> see this support in EAP 6.2. If this bug is fixed in 6.2 we will definitely
> be implementing it for our client.
>
> Thanks!

This is going to be a requirement for all future Public sector customers as well.
Verified in EAP 6.2.0.CR3