Bug 1043586 - Vault keystore conversion when upgrading from JBoss EAP 6.1.0 or earlier
Summary: Vault keystore conversion when upgrading from JBoss EAP 6.1.0 or earlier
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Documentation
Version: 6.1.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: GA
Target Release: EAP 6.2.2
Assignee: Lucas Costi
QA Contact: Russell Dickenson
URL:
Whiteboard:
Duplicates: 1080045
Depends On: 1080045
Blocks:
Reported: 2013-12-16 17:55 UTC by Eric Rich
Modified: 2018-12-03 20:57 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
If using a vault, when upgrading a JBoss EAP 6 instance from 6.1.0 or earlier, to 6.1.1 or later, the associated vault keystore is converted from JKS to JCEKS format. As a result, any applications or services which use the same keystore, such as SSL, will not work after the upgrade.

This issue is caused by a fix for a security issue that is resolved in JBoss EAP 6.1.1 and later. The security fix forces older keystores to be converted from JKS format with an RSA key to JCEKS format with an AES key, and this conversion process may not be successful when upgrading.

To work around this problem, customers can create a new vault and store the attributes there. For more details on this issue and the workaround, refer to this Customer Portal Solution: https://access.redhat.com/support/cases/00998441/

For further details on the original security issue, refer to the Red Hat security advisory for the JBoss EAP 6.1.1 release: https://access.redhat.com/support/cases/00998441/
Clone Of:
Environment:
Last Closed: 2014-06-02 12:50:40 UTC
Type: Bug
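
Added example (not part of the bug report or of JBoss EAP): one way to find consumers affected by the conversion described in the Doc Text is to compare each keystore file's on-disk format with the store type its consumer is configured for. The 12-byte header (magic, version, entry count) is the standard JKS/JCEKS layout; the file names and the `configured` inventory are constructed for illustration.

```python
import struct
import tempfile
from pathlib import Path

# Magic numbers at the start of Java keystore files.
MAGIC = {0xFEEDFEED: "JKS", 0xCECECECE: "JCEKS"}


def keystore_header(path):
    """Return (format, version, entry_count) read from the 12-byte header."""
    data = Path(path).read_bytes()[:12]
    if len(data) < 12:
        return ("UNKNOWN", None, None)
    magic, version, count = struct.unpack(">III", data)
    fmt = MAGIC.get(magic)
    if fmt is None:
        # PKCS#12 files are DER and start with an ASN.1 SEQUENCE tag (0x30).
        return ("PKCS12?" if data[0] == 0x30 else "UNKNOWN", None, None)
    return (fmt, version, count)


def find_mismatches(configured):
    """configured maps keystore path -> store type the consumer expects."""
    problems = []
    for path, expected in configured.items():
        actual, _, _ = keystore_header(path)
        if actual != expected.upper():
            problems.append((str(path), expected.upper(), actual))
    return problems


def demo():
    # Constructed sample files: headers only, no real key material.
    tmp = Path(tempfile.mkdtemp())
    (tmp / "vault.keystore").write_bytes(struct.pack(">III", 0xCECECECE, 2, 1))
    (tmp / "other.jks").write_bytes(struct.pack(">III", 0xFEEDFEED, 2, 3))
    # Hypothetical inventory: an SSL connector still expects the vault keystore as JKS.
    configured = {tmp / "vault.keystore": "JKS", tmp / "other.jks": "JKS"}
    return find_mismatches(configured)


if __name__ == "__main__":
    for path, expected, actual in demo():
        print(f"{path}: configured as {expected}, file is {actual}")
```

Running this before and after the upgrade against the real keystore paths shows which files changed format and which configurations still name the old store type.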


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Solution) | 485623 | 0 | None | None | None | Never

Description Eric Rich 2013-12-16 17:55:10 UTC
Description of problem:

No update was given about the changes that were occurring to people's systems as a result of RHSA-2013-1209.

Version-Release number of selected component (if applicable):
6.1.1 and greater

How reproducible:

Steps to Reproduce:
1. Install JBoss 6.1.0 or prior (6.0)
2. Create a Vault
3. Upgrade JBoss
- A good test of this is using JBoss RPMs

Actual results:
Customer keystores get converted in place and old keystores are deleted.

Expected results:
The keystores for customers should not get deleted, they should be migrated but not deleted.

Comment 1 Russell Dickenson 2014-03-06 03:33:05 UTC
Attention: Jimmy Wilson

I have marked this BZ ticket NEEDINFO from you as I'd appreciate your opinion. This issue has not yet appeared in *ANY* post-EAP 6.1.0 release notes, yet should have done. Should it appear in the EAP 6.2.2 Release Notes document?

Comment 3 Russell Dickenson 2014-03-11 05:19:23 UTC
I have set the 'Target Release' field to "EAP 6.2.2" so that's the product version's Release Notes document in which it will feature. If that is incorrect, please advise.

Comment 4 Lucas Costi 2014-03-24 23:08:49 UTC
*** Bug 1080045 has been marked as a duplicate of this bug. ***

Comment 5 Lucas Costi 2014-03-24 23:15:07 UTC
Feedback from Filip:

--------------
In 6.2.2 Release Notes - Known Issues 
Keystore conversion when upgrading from JBoss EAP 6.1.0 or earlier

The first paragraph of this issue doesn't specify that only the vault keystore is converted and others are not affected. It sounds like all keystores are automatically converted, which is misleading. Change the title and first paragraph of this issue to something like this:

Vault keystore conversion when upgrading from JBoss EAP 6.1.0 or earlier

If using a vault, when upgrading a JBoss EAP 6 instance from 6.1.0 or earlier, to 6.1.1 or later, the associated vault keystore is converted from JKS to JCEKS format. As a result, any applications or services which use the same keystore, such as SSL, will not work after the upgrade.
-------------

Bug title and release note text have been updated as suggested.

Comment 7 Jimmy Wilson 2014-09-30 08:12:04 UTC
Clearing the needinfo flag.