AMQ Broker: ENTMQBR-4619

SSLSupport Does Not Work With PKCS11


Details

    • Documentation (Ref Guide, User Guide, etc.), Release Notes
    • This fix changes the meaning of the `keyStoreProvider` and `trustStoreProvider` connector/acceptor URL parameters. They no longer define the "type" of store (e.g. JKS, JCEKS, PKCS12, etc.). They now define the actual provider (e.g. SunJCE, SUN, SunJSSE, etc.). The *new* `keyStoreType` and `trustStoreType` parameters define the type of store. This change **will break** any existing client that is setting either `keyStoreProvider` or `trustStoreProvider` upon upgrade. Client URLs should be updated to use `keyStoreType` and `trustStoreType` instead of `keyStoreProvider` or `trustStoreProvider` respectively.
    • I was able to reproduce this with the embedded (JBoss EAP) broker by following the instructions at https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html/how_to_configure_server_security/securing_the_server_and_its_interfaces#configure_ssl_fips_nss_database to create an nss db to use as a PKCS11 provider (no hard token / reader needed), then configuring my server as shown in the attachments (standalone-full.xml, standalone.conf, java.security, nss_pkcs11_fips.cfg). I did deviate a bit from the instructions as I had certs and ca certs already that I imported into nssdb via pk12util.
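The release note above asks operators to move store-type values from `keyStoreProvider`/`trustStoreProvider` to the new `keyStoreType`/`trustStoreType` parameters before upgrading. The following is an added example, not code from the AMQ Broker / ActiveMQ Artemis project, that performs that rename on a URL. It assumes the usual Artemis URL shape (`tcp://host:port?name=value...` with `&` separating client parameters and `;` separating acceptor parameters in broker.xml); the sample URLs are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public final class SslUrlMigration {
    // Old parameter name -> new parameter name, as described in the release note for this fix
    private static final Map<String, String> RENAMES = Map.of(
            "keyStoreProvider", "keyStoreType",
            "trustStoreProvider", "trustStoreType");

    /**
     * Rewrites a pre-fix URL so that the store type, which used to ride on
     * keyStoreProvider / trustStoreProvider, is carried by keyStoreType /
     * trustStoreType instead. Both '&' (client URLs) and ';' (acceptor URLs)
     * separators are handled, and the original separator is preserved.
     */
    static String migrate(String url) {
        int q = url.indexOf('?');
        if (q < 0) {
            return url; // no parameters, nothing to migrate
        }
        String query = url.substring(q + 1);
        String sep = query.indexOf(';') >= 0 ? ";" : "&";
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : query.split(Pattern.quote(sep))) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? null : pair.substring(eq + 1);
            String target = RENAMES.getOrDefault(name, name);
            if (params.containsKey(target)) {
                // e.g. keyStoreProvider=PKCS12 and keyStoreType=JKS in one URL: ambiguous, refuse to guess
                throw new IllegalArgumentException("conflicting parameter " + target + " in " + url);
            }
            params.put(target, value);
        }
        StringBuilder out = new StringBuilder(url.substring(0, q)).append('?');
        boolean first = true;
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (!first) {
                out.append(sep);
            }
            first = false;
            out.append(e.getKey());
            if (e.getValue() != null) {
                out.append('=').append(e.getValue());
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample URLs, not taken from the issue's attachments
        String client = "tcp://broker.example:61616?sslEnabled=true&keyStoreProvider=PKCS12"
                + "&keyStorePath=/etc/broker/client.p12&keyStorePassword=changeit"
                + "&trustStoreProvider=JKS&trustStorePath=/etc/broker/truststore.jks";
        String acceptor = "tcp://0.0.0.0:61617?sslEnabled=true;keyStoreProvider=JCEKS;keyStorePath=server.jceks";
        System.out.println(migrate(client));   // keyStoreType=PKCS12 ... trustStoreType=JKS
        System.out.println(migrate(acceptor)); // keyStoreType=JCEKS
    }
}
```

After the upgrade, `keyStoreProvider` is free to name a real JCA provider (for a PKCS11 store, the name the SunPKCS11 configuration was registered under), while `keyStoreType` carries `PKCS11`, `PKCS12`, `JKS` and so on.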

    Description

      The SSLSupport class expects the keyStore / trustStore path to be null when configuring PKCS11; however, the Java standard is to use a path of "NONE". This results in URL conversion and other errors when attempting to configure a PKCS11 SSL provider.
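The description's point is that a PKCS11 store has no file behind it, and the JDK convention for expressing that is the path string "NONE" (a `null` stream is then passed to `KeyStore.load`). Below is an added example, not the project's SSLSupport code, of a loader that treats "NONE" and `null` alike and resolves the provider by name. The provider name `SunPKCS11-NSS-FIPS` is an assumption about how the NSS-DB configuration from the comment above would be registered; the PKCS12 file in `main` is constructed on the fly.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;

public final class StoreLoader {
    /** Java's conventional "no file" path for stores backed by a token, HSM or NSS DB. */
    static final String NONE = "NONE";

    static boolean isFileless(String path) {
        return path == null || path.isEmpty() || NONE.equals(path);
    }

    /**
     * @param type         store type: PKCS11, PKCS12, JKS, JCEKS, ...
     * @param providerName JCA provider name, or null to let the JDK pick one
     * @param path         file path, or "NONE"/null for a token-backed store
     * @param password     store password (for PKCS11, the token PIN)
     */
    static KeyStore load(String type, String providerName, String path, char[] password) throws Exception {
        KeyStore ks;
        if (providerName == null || providerName.isEmpty()) {
            ks = KeyStore.getInstance(type);
        } else {
            Provider provider = Security.getProvider(providerName);
            if (provider == null) {
                throw new IllegalStateException("provider " + providerName
                        + " is not installed (check java.security / the SunPKCS11 config)");
            }
            ks = KeyStore.getInstance(type, provider);
        }
        if (isFileless(path)) {
            // PKCS11 case: the provider opens the token itself, so there is no stream to give it
            ks.load(null, password);
        } else {
            try (InputStream in = new FileInputStream(path)) {
                ks.load(in, password);
            }
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();

        // File-backed case: write a constructed, empty PKCS12 store to a temp file and load it by path
        Path tmp = Files.createTempFile("demo", ".p12");
        KeyStore empty = KeyStore.getInstance("PKCS12");
        empty.load(null, pw);
        try (FileOutputStream out = new FileOutputStream(tmp.toFile())) {
            empty.store(out, pw);
        }
        KeyStore fromFile = load("PKCS12", null, tmp.toString(), pw);
        System.out.println("PKCS12 from file, entries: " + fromFile.size());
        Files.deleteIfExists(tmp);

        // Token-backed case: path is "NONE". The provider name is assumed; pass the real one as args[0].
        String pkcs11Provider = args.length > 0 ? args[0] : "SunPKCS11-NSS-FIPS";
        try {
            KeyStore token = load("PKCS11", pkcs11Provider, NONE, pw);
            System.out.println("PKCS11 via " + pkcs11Provider + ", entries: " + token.size());
        } catch (IllegalStateException e) {
            System.out.println("skipped PKCS11 case: " + e.getMessage());
        }
    }
}
```

A broker or client that instead treats "NONE" as a literal file name will try to resolve it as a path or URL, which is the failure the description reports; accepting "NONE" as the fileless marker keeps the same configuration working whether the store comes from a file or from a PKCS11 provider.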

      Attachments

        1. standalone-full.xml (34 kB)
        2. standalone.conf (3 kB)
        3. reproducer.zip (19 kB)
        4. PKCS12-broker.tar.gz (9 kB)
        5. PKCS11-broker.tar.gz (9 kB)
        6. nss_pkcs11_fips.cfg (0.1 kB)
        7. java.security (40 kB)
        8. ENTMQ-4619.diff (84 kB)
        9. EAP-7.4-standalone-full.xml (34 kB)

            People

              rhn-support-jbertram Justin Bertram
              rhn-support-dhawkins Duane Hawkins
              Mikhail Krutov Mikhail Krutov