JBoss Enterprise Application Platform / JBEAP-10803

External CS is missing key store location attribute



      1. Configure Java to use BouncyCastleFipsProvider

      • copy bc-fips-1.0.0.jar into ${JAVA_HOME}/jre/lib/ext
      • update the java.security file so the provider list reads:

        security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
        security.provider.2=sun.security.provider.Sun
        security.provider.3=sun.security.rsa.SunRsaSign
        security.provider.4=sun.security.ec.SunEC
        security.provider.5=com.sun.net.ssl.internal.ssl.Provider BCFIPS
        security.provider.6=com.sun.crypto.provider.SunJCE
        security.provider.7=sun.security.jgss.SunProvider
        security.provider.8=com.sun.security.sasl.Provider
        security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
        security.provider.10=sun.security.smartcardio.SunPCSC

      2. Generate the secret key my-key

      keytool \
        -genseckey \
        -alias my-key \
        -keyalg AES \
        -keysize 128 \
        -keystore /path/to/keystore.bcfks \
        -storetype BCFKS \
        -storepass password \
        -keypass password

      3. Start ./standalone.sh with this BC FIPS Java

      4. Run jboss-cli.sh (with normal Java)

      /subsystem=elytron/credential-store=test:add(relative-to=jboss.server.data.dir,credential-reference={clear-text="password"},implementation-properties={keyAlias=my-key,external=true,externalPath=/path/to/keystore.bcfks,keyStoreType=BCFKS},create=true,location=secretdatafile,modifiable=true)
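      As an added illustration (not code from the JBEAP-10803 report or from the Elytron project), the following Java program does what the external credential store has to do once a key store location can be given: it opens the BCFKS file named by externalPath through the BCFIPS provider and retrieves the AES secret key stored under keyAlias, failing clearly when the alias is missing or does not hold a secret key. The class name, the reflective provider lookup, and the path, alias and password values are assumptions chosen to mirror the report's keytool step; bc-fips-1.0.0.jar must be in lib/ext or on the classpath at run time, and when java.security already lists BCFIPS (step 1) the reflective registration is skipped.

```java
// Added example, not from the JBEAP-10803 report or from WildFly/Elytron.
// Loads an external BCFKS key store via the BCFIPS provider and fetches the
// secret key under an alias, i.e. the two things an external credential store
// needs a key store location and type for.
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.crypto.SecretKey;

public class ExternalKeyStoreCheck {

    /** Registers BCFIPS only if java.security did not already (idempotent). */
    static Provider ensureBcFips() throws ReflectiveOperationException {
        Provider p = Security.getProvider("BCFIPS");
        if (p == null) {
            // Instantiated reflectively so this compiles without bc-fips on the
            // compile classpath; at run time the jar must be present.
            p = (Provider) Class.forName("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider")
                    .getDeclaredConstructor().newInstance();
            Security.insertProviderAt(p, 1);
        }
        return p;
    }

    /** Opens the key store at externalPath with the given type, mirroring the
     *  externalPath / keyStoreType implementation properties of the CLI command. */
    static KeyStore loadExternal(String externalPath, String keyStoreType, char[] storePass)
            throws GeneralSecurityException, IOException {
        // Ask the BCFIPS provider explicitly so a misconfigured provider list
        // fails here instead of silently falling back to another store type.
        KeyStore ks = KeyStore.getInstance(keyStoreType, "BCFIPS");
        try (InputStream in = new FileInputStream(externalPath)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    /** Returns the secret key stored under keyAlias, failing loudly if the
     *  alias is absent or holds a key pair / certificate instead. */
    static SecretKey secretKey(KeyStore ks, String keyAlias, char[] keyPass)
            throws GeneralSecurityException {
        if (!ks.containsAlias(keyAlias)) {
            throw new GeneralSecurityException("alias not found: " + keyAlias);
        }
        Key k = ks.getKey(keyAlias, keyPass);
        if (!(k instanceof SecretKey)) {
            throw new GeneralSecurityException("alias " + keyAlias + " is not a secret key");
        }
        return (SecretKey) k;
    }

    public static void main(String[] args) throws Exception {
        // Constructed values that mirror the report's keytool command (assumptions).
        String externalPath = args.length > 0 ? args[0] : "/path/to/keystore.bcfks";
        char[] password = "password".toCharArray();

        ensureBcFips();
        KeyStore ks = loadExternal(externalPath, "BCFKS", password);
        SecretKey key = secretKey(ks, "my-key", password);
        System.out.println("loaded " + key.getAlgorithm() + " key from " + ks.getType()
                + " store via provider " + ks.getProvider().getName());
    }
}
```

      Run it with the BC FIPS Java from step 1 and the keystore path from step 2 as the only argument; a wrong path, type, or alias surfaces as a specific exception rather than an opaque credential store failure.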
      

      The External Credential Store mechanism introduced as the solution for EAP7-277 is missing a parameter for specifying the key store location.

      This is not necessary for a PKCS11 keystore, which it was designed for in the first place.
      However, if we leave it this way we lose the possibility to configure file-based keystore types, e.g. JKS, BCFKS (Bouncy Castle FIPS Key Store), ...

            pskopek@redhat.com Peter Skopek
            mchoma@redhat.com Martin Choma