[ARTEMIS-3081] Cannot override the default Java key/truststore system properties - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.5.0, 2.16.0
Fix Version/s: 2.17.0
Component/s: None
Labels:
- pull-request-available
Environment:

Hide

In our case the application uses the default Java truststore location at $JAVA_HOME/lib/security/jssecacerts, and only supplies its password in javax.net.ssl.trustStorePassword, and then uses a dedicated truststore for Artemis. Defining both org.apache.activemq.ssl.trustStore and org.apache.activemq.ssl.trustStorePassword now makes Artemis use the dedicated truststore (javax.net.ssl.trustStore is not set as we use the
default location, so the second choice org.apache.activemq.ssl.trustStore applies), but with the Java default truststore password (first choice javax.net.ssl.trustStorePassword applies instead of the second choice because it is set for the default truststore). Obviously, this does not work unless both passwords are identical!

Show
In our case the application uses the default Java truststore location at $JAVA_HOME/lib/security/jssecacerts , and only supplies its password in javax.net.ssl.trustStorePassword , and then uses a dedicated truststore for Artemis. Defining both org.apache.activemq.ssl.trustStore and org.apache.activemq.ssl.trustStorePassword now makes Artemis use the dedicated truststore ( javax.net.ssl.trustStore is not set as we use the default location, so the second choice org.apache.activemq.ssl.trustStore applies), but with the Java default truststore password (first choice javax.net.ssl.trustStorePassword applies instead of the second choice because it is set for the default truststore). Obviously, this does not work unless both passwords are identical!

Description

If an application wants to use a special key/truststore for Artemis but have the remainder of the application use the default Java store, the

org.apache.activemq.ssl.keyStore

needs to take precedence over Java's

javax.net.ssl.keyStore

However, the current implementation takes the first non-null value from

System.getProperty(JAVAX_KEYSTORE_PATH_PROP_NAME)
System.getProperty(ACTIVEMQ_KEYSTORE_PATH_PROP_NAME)
keyStorePath

So if the default Java property is set, no override is possible.

Attachments

Issue Links

relates to

ARTEMIS-2932 Configuration of SSL/TLS

Reopened

links to

GitHub Pull Request #3416

Activity

People

Assignee:: Unassigned

Reporter:: Ingo Karkat

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 22/Jan/21 08:38

Updated:: 09/Feb/21 21:23

Resolved:: 03/Feb/21 17:38

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

2h 10m