Geronimo / GERONIMO-5156

Command line utility to unlock a keystore and private key

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.1.5, 2.2.1, 3.0.0
    • Component/s: security
    • Security Level: public (Regular issues)
    • Labels: None
    • Environment: geronimo tomcat assembly

      Description

      A command line utility to unlock a keystore and private key.

      1. 5156_21_updated.patch (14 kB, Ashish Jain)
      2. 5156_21.patch (2 kB, Ashish Jain)
      3. 5156_one_line_of_code.patch (1 kB, Ashish Jain)
      4. CommandUnlockKeystore.java (9 kB, Ashish Jain)
      5. UnlockKeystoreCommandMetaData.java (1 kB, Ashish Jain)

        Activity

        Rex Wang added a comment -

        closing it

        Ivan added a comment -

        Committed the patch to trunk at revision 920169, the 2.2 branch at revision 920170 and the 2.1 branch at revision 920171. Thanks for the patch, Ashish!

        Ashish Jain added a comment -

        Ivan/Shawn, I am uploading a slightly modified patch. Kindly review it and apply.
        Thanks
        Ashish

        Ashish Jain added a comment -

        There is a slight modification which needs to go into this. The reason being the usage of JMXSecureConnector with unlockKeystore. As of now JMXSecureConnector needs keyStorePassword and trustStorePassword. For utilizing "unlockKeystore" we need keyStorePassword... So there is a conflict, and the unlockKeystore code can be modified to accept "keyStoreName=<Encrypted_password>". I will submit a patch for this tomorrow.

        Ivan added a comment -

        Committed the changes to the 2.2 branch at rev. 918865 and trunk at rev. 918874. Thanks for the patch, Ashish Jain!

        Ivan added a comment -

        Used the initial style for password configuration to be consistent with other code. Committed changes to 2.1 at revision 917437.

        Ashish Jain added a comment -

        Uploading an all_in_one patch.

        Ashish Jain added a comment -

        Yes you are correct and that is the reason I had suggested this. I am also uploading an updated patch in case you need it to revert back to the original one.

        Ashish Jain added a comment -

        Hi Ivan,

        I appreciate your suggestions and the code improvements made to the patch. However, I think a) can be taken as a further improvement, the reason being the inconsistency between GERONIMO-4896 and GERONIMO-5148 due to the changes you have made to GERONIMO-5156.

        I had an assumption that each keystore file can be managed separately, which will have a keystore password and associated private key passwords.

        I think we can revert back to the original logic and can take this suggestion as further improvement.

        Thanks
        Ashish

        Ivan added a comment -

        Just found that the initial configuration style is used in other places; if it conflicts with those places, I am OK to use the old way.

        Ivan added a comment -

        Hi, Ashish:
        I committed the changes based on the patch provided by you to the 2.1 branch at revision 917428.
        Some changes include:
        a. Use the style
           a.keyStorePassword=a
           a.b.keyPassword=b
           to configure the passwords for the key store and private key. This way, we could configure passwords for multiple keystores in a single file.
        b. Use the keystoreName attribute of the gbean to search for the keystore instance, not the gbean name.
        If you have any comments, please let me know.

        Shawn Jiang added a comment -
         This order of specifying the keyStore and aliases has to be preserved.

        Since you've refactored the code with the Properties API, the order of the entries does not matter anymore. Please create the patch as a whole instead of 3 files by:

        1. svn add the new files.
        2. create the patch.

        So that we can apply the patch easily. Thanks.

        Ashish Jain added a comment -

        Uploading a patch; kindly review and apply.

        Ashish Jain added a comment -

        Here is how I plan to address this:

        1) Command to invoke the unlockKeystore functionality:
        deploy.bat unlockKeyStore <keyStoreName> <keyAlias1> <keyAlias2> .................

        2) There can be 2 cases:
        a) One is when the user only wants to unlock the keystore. In that case the command will be
        deploy.bat unlockKeyStore <keyStoreName>

        The password for the keystore will have to be specified in the file pointed to by org.apache.geronimo.keyStoreTrustStorePasswordFile.
        See GERONIMO-4896 for more information on this system property.

        b) The user wants to unlock a keyStore and one or more private keys. In that case the command will be
        deploy.bat unlockKeyStore <keyStoreName> <keyAlias1> <keyAlias2> .................

        The passwords for the keystore and private keys will have to be specified in the file pointed to by org.apache.geronimo.keyStoreTrustStorePasswordFile.
        See GERONIMO-4896 for more information on this system property. Here is how the file will look:
        keyStorePassword=<Encrypted_KeyStorePassword>
        keyAlias1=<Encrypted_keyAlias1Password>
        keyAlias2=<Encrypted_keyAlias2Password>
        .
        .

        This order of specifying the keyStore and aliases has to be preserved.

        Please suggest any improvements.

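The following Java program is an added example, not the CommandUnlockKeystore.java attached to this issue and not Geronimo project code. It implements the password-file convention Ivan settled on in his 2.1 commit comment (<keyStoreName>.keyStorePassword and <keyStoreName>.<alias>.keyPassword) together with the two-step unlock Ashish describes in the proposal above: open the keystore with the keystore password, then recover each requested alias with that key's own password. Assumptions made here: the keystore is a JCEKS store built in memory with a secret-key entry standing in for a private key (constructed so the program runs without files on disk; java.security.KeyStore treats both entry kinds the same way for getKey), and the password values are plaintext, whereas the real file carries encrypted values and the decryption step is omitted.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.StringReader;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Properties;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class UnlockKeystoreExample {

    /** Looks up <keyStoreName>.keyStorePassword; null if the file has no such entry. */
    static char[] keyStorePassword(Properties passwords, String keyStoreName) {
        String value = passwords.getProperty(keyStoreName + ".keyStorePassword");
        return value == null ? null : value.toCharArray();
    }

    /** Looks up <keyStoreName>.<alias>.keyPassword; null if the file has no such entry. */
    static char[] keyPassword(Properties passwords, String keyStoreName, String alias) {
        String value = passwords.getProperty(keyStoreName + "." + alias + ".keyPassword");
        return value == null ? null : value.toCharArray();
    }

    /**
     * Unlocks the keystore and then each listed alias, returning the aliases whose keys
     * were recovered. A missing or wrong keystore password aborts the whole command;
     * a missing or wrong key password aborts on that alias. Password arrays are wiped
     * once used so they do not linger on the heap.
     */
    static List<String> unlock(byte[] keyStoreBytes, String keyStoreType, String keyStoreName,
                               List<String> aliases, Properties passwords) throws Exception {
        char[] storePw = keyStorePassword(passwords, keyStoreName);
        if (storePw == null) {
            throw new IllegalStateException("no keyStorePassword configured for " + keyStoreName);
        }
        KeyStore ks = KeyStore.getInstance(keyStoreType);
        try {
            ks.load(new ByteArrayInputStream(keyStoreBytes), storePw); // IOException on a wrong password
        } finally {
            Arrays.fill(storePw, '\0');
        }
        List<String> unlocked = new ArrayList<>();
        for (String alias : aliases) {
            char[] keyPw = keyPassword(passwords, keyStoreName, alias);
            if (keyPw == null) {
                throw new IllegalStateException("no keyPassword configured for " + keyStoreName + "." + alias);
            }
            try {
                Key key = ks.getKey(alias, keyPw); // UnrecoverableKeyException on a wrong password
                if (key == null) {
                    throw new IllegalStateException("alias not found in " + keyStoreName + ": " + alias);
                }
            } catch (UnrecoverableKeyException e) {
                throw new IllegalStateException("wrong keyPassword for " + keyStoreName + "." + alias, e);
            } finally {
                Arrays.fill(keyPw, '\0');
            }
            unlocked.add(alias);
        }
        return unlocked;
    }

    public static void main(String[] args) throws Exception {
        // Constructed keystore: JCEKS with one secret-key entry standing in for a private key,
        // built in memory so the example needs no files on disk.
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);
        SecretKey k = KeyGenerator.getInstance("AES").generateKey();
        ks.setEntry("server", new KeyStore.SecretKeyEntry(k),
                    new KeyStore.PasswordProtection("keypass-1".toCharArray()));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, "storepass-1".toCharArray());

        // Constructed password file in the <name>.keyStorePassword / <name>.<alias>.keyPassword style.
        // The real file holds encrypted values; decryption is omitted in this example.
        Properties passwords = new Properties();
        passwords.load(new StringReader(
            "my-keystore.keyStorePassword=storepass-1\n" +
            "my-keystore.server.keyPassword=keypass-1\n" +
            "other-keystore.keyStorePassword=unused\n")); // a second keystore coexists in the same file

        System.out.println("unlocked: " + unlock(out.toByteArray(), "JCEKS", "my-keystore",
                                                 Arrays.asList("server"), passwords));
    }
}
```

The keystore-name prefix is what lets one password file serve several keystores, which the flat keyStorePassword=/keyAlias1= layout in the proposal cannot express and which caused the conflict with JMXSecureConnector's own keyStorePassword entry. Because the file is read through java.util.Properties, entry order carries no meaning, as Shawn notes. Note the two distinct failure signals: a wrong keystore password surfaces as an IOException from load, a wrong key password as an UnrecoverableKeyException from getKey, so a command-line tool can report exactly which password in the file is wrong without ever echoing it.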

          People

          • Assignee: Ivan
          • Reporter: Ashish Jain
          • Votes: 0
          • Watchers: 0
