1043586 – Vault keystore conversion when upgrading from JBoss EAP 6.1.0 or earlier

Bug 1043586 - Vault keystore conversion when upgrading from JBoss EAP 6.1.0 or earlier

Summary: Vault keystore conversion when upgrading from JBoss EAP 6.1.0 or earlier

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	JBoss Enterprise Application Platform 6
Classification:	JBoss
Component:	Documentation
Sub Component:
Version:	6.1.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	GA
Target Release:	EAP 6.2.2
Assignee:	Lucas Costi
QA Contact:	Russell Dickenson
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1080045 (view as bug list)
Depends On:	1080045
Blocks:
TreeView+	depends on / blocked

Reported:	2013-12-16 17:55 UTC by Eric Rich
Modified:	2018-12-03 20:57 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Known Issue
Doc Text:	If using a vault, when upgrading a JBoss EAP 6 instance from 6.1.0 or earlier, to 6.1.1 or later, the associated vault keystore is converted from JKS to JCEKS format. As a result, any applications or services which use the same keystore, such as SSL, will not work after the upgrade. This issue is caused by a fix for a security issue that is resolved in JBoss EAP 6.1.1 and later. The security fix forces older keystores to be converted from JKS format with an RSA key to JCEKS format with an AES key, and this conversion process may not be successful when upgrading. To workaround this problem, customers can create a new vault and store the attributes there. For more details on this issue and the workaround, refer to this Customer Portal Solution: https://access.redhat.com/support/cases/00998441/ For further details on the original security issue, refer to the Red Hat security advisory for the JBoss EAP 6.1.1 release: https://access.redhat.com/support/cases/00998441/
Clone Of:
Environment:
Last Closed:	2014-06-02 12:50:40 UTC
Type:	Bug

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	485623	0	None	None	None	Never

Description Eric Rich 2013-12-16 17:55:10 UTC

Description of problem:

No update was given about the changes that were occuring to peoples systems as a result of RHSA-2013-1209. 

Version-Release number of selected component (if applicable):
6.1.1 and grater

How reproducible:
   Steps to Reproduce:
    1. Install JBoss 6.1.0 or prior (6.0)
    2. Create a Vault 
    3. Upgrade JBoss
  - A good test of this is using JBoss RPM's

Actual results:
Customer keystore get converted in place and old keystores are deleted. 

Expected results:
The keystores for customers should not get deleted, they should be migrated but not deleted.

Comment 1 Russell Dickenson 2014-03-06 03:33:05 UTC

Attention: Jimmy Wilson

I have marked this BZ ticket NEEDINFO from you as I'd appreciate your opinion. This issue has not yet appeared in *ANY* post-EAP 6.1.0 release notes, yet should have done. Should it appear in the EAP 6.2.2 Release Notes document?

Comment 3 Russell Dickenson 2014-03-11 05:19:23 UTC

I have set the 'Target Release' field to "EAP 6.2.2" so that's the product version's Release Notes document in which it will feature. If that is incorrect, please advise.

Comment 4 Lucas Costi 2014-03-24 23:08:49 UTC

*** Bug 1080045 has been marked as a duplicate of this bug. ***

Comment 5 Lucas Costi 2014-03-24 23:15:07 UTC

Feedback from Filip:

--------------
In 6.2.2 Release Notes - Known Issues 
Keystore conversion when upgrading from JBoss EAP 6.1.0 or earlier

The first paragraph of this issue doesn't specify, that only vault keystore is converted and others are not affected. It sounds like all keystores are automatically converted, which is misleading. Change title and first paragraph of this issue to something like this:

Vault keystore conversion when upgrading from JBoss EAP 6.1.0 or earlier

If using a vault, when upgrading a JBoss EAP 6 instance from 6.1.0 or earlier, to 6.1.1 or later, the associated vault keystore is converted from JKS to JCEKS format. As a result, any applications or services which use the same keystore, such as SSL, will not work after the upgrade.
-------------

Bug title, and release note text has been updated as suggested.

Comment 6 Lucas Costi 2014-03-26 05:53:29 UTC

Ready for review (Revision 6.2.2-4):

http://documentation-devel.engineering.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/6.2.2_Release_Notes/index.html#Known_Issues15

Comment 7 Jimmy Wilson 2014-09-30 08:12:04 UTC

Clearing the needinfo flag.

Note You need to log in before you can comment on or make changes to this bug.