- Type: Bug
- Resolution: Won't Do
- Priority: Blocker
We hit a KeyManagerFactory-related synchronization issue in the org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(boolean) method on IBM JDK. The issue occurs when EAP is configured with multiple security realms that have SSL identities, and their keystores use different passwords.
Because the ApplicationRealm (in EAP 7.1) ships with a preconfigured SSL identity, the risk that customers hit this as soon as they add their own security realm with an SSL identity is high. On our machines we hit the issue in more than 10% of runs.
Our debugging suggests the problem is located in the IBM JDK implementation of javax.net.ssl.KeyManagerFactorySpi (class com.ibm.jsse2.ae$a).
The workflow:
- the user calls keyManagerFactory.init(keyStore, keystorePassword), which invokes com.ibm.jsse2.ae$a.engineInit(Keystore keyStore, char[] password)
- the password (the second method parameter) is stored into the static field com.ibm.jsse2.ae.d, and in the next step that field is used as the parameter for creating a new object: new com.ibm.jsse2.aw(keyStore, d)
- these two steps are not synchronized, so when several threads call keyManagerFactory.init() with different passwords, the wrong password may be used for retrieving a key from the keystore
Possible workaround
We could work around this issue on the EAP side (until it is fixed in the JDK) by synchronizing the keyManagerFactory.init() call in AbstractKeyManagerService.createKeyManagers(boolean) when an IBM JDK is detected. Because the race is on a static field, all callers in the JVM must serialize on the same lock; per-service or per-realm locking would not close the window.
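The following is an added, hypothetical illustration of the workaround described above; it is not EAP or JBoss code. It assumes that an IBM JDK can be recognised by the string "IBM" in the java.vendor or java.vm.vendor system property, and it uses a single JVM-wide monitor because the race is on a static field of the vendor's KeyManagerFactorySpi. The demo in main() only exercises the locking path: it initialises empty in-memory keystores with different passwords from several threads, so it runs on any JDK but cannot itself reproduce the wrong-password symptom, which needs keystores with keys on an IBM JDK.

```java
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;

/**
 * Hypothetical helper (not EAP code) showing how to serialise
 * KeyManagerFactory.init() on IBM JDKs, so that realms with different
 * keystore passwords cannot race on the vendor-internal static password field.
 */
public final class SynchronizedKeyManagerInit {

    // One lock for the whole JVM: the field being raced on is static, so every
    // caller must contend for the same monitor for the workaround to be effective.
    private static final Object INIT_LOCK = new Object();

    // Assumption: IBM JDKs report "IBM" in java.vendor and/or java.vm.vendor.
    static final boolean IBM_JDK = isIbmJdk();

    static boolean isIbmJdk() {
        String vendor = System.getProperty("java.vendor", "") + " "
                + System.getProperty("java.vm.vendor", "");
        return vendor.toUpperCase().contains("IBM");
    }

    /** Initialise a KeyManagerFactory, serialising the init() call on IBM JDKs only. */
    public static KeyManager[] createKeyManagers(KeyStore keyStore, char[] password)
            throws Exception {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        if (IBM_JDK) {
            synchronized (INIT_LOCK) {
                kmf.init(keyStore, password); // password copied into a static field here
            }
        } else {
            kmf.init(keyStore, password); // other JDKs keep the password per instance
        }
        return kmf.getKeyManagers();
    }

    /** Demo: several "realms" initialise concurrently, each with its own password. */
    public static void main(String[] args) throws Exception {
        // Constructed sample passwords, one per simulated security realm.
        String[] passwords = { "realm-one-secret", "realm-two-secret", "realm-three-secret" };
        List<Thread> threads = new ArrayList<>();
        for (String pw : passwords) {
            Thread t = new Thread(() -> {
                try {
                    // Constructed, empty in-memory keystore standing in for a realm's keystore.
                    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
                    ks.load(null, pw.toCharArray());
                    for (int i = 0; i < 100; i++) {
                        createKeyManagers(ks, pw.toCharArray());
                    }
                } catch (Exception e) {
                    throw new RuntimeException(e);
                }
            });
            threads.add(t);
            t.start();
        }
        for (Thread t : threads) {
            t.join();
        }
        System.out.println("initialised " + passwords.length + " realms; IBM JDK lock "
                + (IBM_JDK ? "enabled" : "not needed"));
    }
}
```

Keeping the lock conditional on the vendor check avoids adding contention on JDKs whose KeyManagerFactorySpi keeps the password per instance; if the detection is wrong in the other direction (an IBM-derived JVM reporting a different vendor string) the workaround silently does nothing, so the vendor check should be verified against the exact JDK builds in use.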
Clones: JBEAP-7523 KeyManager synchronization issue when using IBM JDK (Closed)