Bug 1076136 - Incomplete documentation for keystore options
Summary: Incomplete documentation for keystore options
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Documentation
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ER3
: EAP 6.3.0
Assignee: Scott Mumford
QA Contact: Russell Dickenson
URL:
Whiteboard:
Depends On:
Blocks: eap63-beta-blockers
 
Reported: 2014-03-13 15:56 UTC by Martin Simka
Modified: 2014-08-14 16:21 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Build Name: 22558, Security Guide-6.3-1 Build Date: 13-03-2014 11:10:35 Topic ID: 22638-592473 [Latest]
Last Closed: 2014-06-28 15:44:34 UTC
Type: Bug
Embargoed:



Description Martin Simka 2014-03-13 15:56:13 UTC
Title: Configure the Management Console for HTTPS in Standalone mode
Title: Configure the Management Console for HTTPS in Domain mode

https://issues.jboss.org/browse/EAP6-78 Add support for PKCS11 Keystores in security realms and HornetQ

New keystore options were added in EAP 6.3.0.DR2. I didn't find them in the documentation. They must be documented; please contact the developers for details.

Comment 1 Darran Lofthouse 2014-05-07 17:55:57 UTC
What we have added is PKCS#11 support according to the following documentation: -

http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html

Most specifically the following section: -

http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html#JSSE

What we have added is a 'provider' attribute for the key and trust store definitions in the security realms - the value specified here is passed into the relevant KeyStore.getInstance("PKCS11") calls where we initialise the key and trust stores so they can be backed by a PKCS#11 implementation.

The underlying PKCS#11 configuration is outside the scope of EAP; end users are responsible for the correct installation of their PKCS#11 hardware/software and adding the required entries to the java.security policy file. We are only facilitating the referencing of this configuration; it is still their responsibility to define it correctly.
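
A preflight check for the setup described in comment 1, added here as an example and not taken from the comment or from EAP: it confirms that the JVM has a registered provider for the keystore type before a security realm references it, then lists the entries the store exposes. The class name and the default type `PKCS11` are assumptions; only standard `java.security` calls are used.

```java
import java.io.Console;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;

// Hypothetical helper, not part of EAP: run it with the same JVM and
// java.security settings that the server will use.
public class KeystoreTypePreflight {
    public static void main(String[] args) throws Exception {
        // Assumption: the store type handed to KeyStore.getInstance, "PKCS11" by default.
        String type = args.length > 0 ? args[0] : "PKCS11";

        // Null when no registered provider implements this KeyStore type,
        // e.g. the PKCS#11 provider entry is missing from java.security.
        Provider[] providers = Security.getProviders("KeyStore." + type);
        if (providers == null) {
            System.err.println("No registered provider offers KeyStore type " + type);
            System.exit(1);
        }
        for (Provider p : providers) {
            System.out.println("Provider: " + p.getName() + " (" + p.getInfo() + ")");
        }

        // Read the PIN from the console so it never appears in the process list.
        Console console = System.console();
        char[] pin = console != null ? console.readPassword("Store PIN: ") : null;
        try {
            KeyStore ks = KeyStore.getInstance(type);
            // A token-backed store has no file, so the stream argument is null.
            ks.load(null, pin);
            for (String alias : Collections.list(ks.aliases())) {
                String kind = ks.isKeyEntry(alias) ? "key" : "certificate";
                System.out.println(kind + " entry: " + alias);
            }
        } finally {
            if (pin != null) {
                Arrays.fill(pin, '\0'); // wipe the PIN from memory
            }
        }
    }
}
```

A non-zero exit before the PIN prompt means the provider registration is the problem; an exception from `load` points at the token, its PIN, or the PKCS#11 library configuration instead.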

Comment 2 Scott Mumford 2014-05-08 05:04:09 UTC
A note containing the explanation in comment 1 has been added to the 6.3.0 Security Guide.

The new content was placed in the "About Security Token Service" chapter (as that seemed relevant to the general idea of using tokens) rather than the topics specified in the description in this ticket.

If this is, for some reason, incorrect, leave a comment below and the note will be relocated.

Comment 3 Scott Mumford 2014-05-08 05:09:27 UTC
Informal preview of the change is available here:
http://docbuilder.usersys.redhat.com/22558/#Security_Token_Server_STS

Comment 5 Martin Simka 2014-05-12 08:50:51 UTC
Scott: you are right, the "About Security Token Service" chapter seems to be more relevant.

Verified during the EAP 6.3.0.ER3 testing cycle.

Comment 6 Nikoleta Hlavickova 2014-05-12 08:59:17 UTC
This is a beta-blocker, so it must be included in the beta documentation. ER3 is going to be the beta, and therefore I am changing the target milestone.

