  1. ZooKeeper
  2. ZOOKEEPER-2429

IbmX509 KeyManager and TrustManager algorithm not supported

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.5.0
    • Fix Version/s: 3.6.0, 3.5.7
    • Component/s: security, server
    • Labels:
      None

      Description

      When connecting from a ZooKeeper client running in IBM WebSphere Application Server version 8.5.5, with SSL configured in ZooKeeper, the exception below is observed.

      org.jboss.netty.channel.ChannelPipelineException: Failed to initialize a pipeline.
      at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:208)
      at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:182)
      at org.apache.zookeeper.ClientCnxnSocketNetty.connect(ClientCnxnSocketNetty.java:112)
      at org.apache.zookeeper.ClientCnxn$SendThread.startConnect(ClientCnxn.java:1130)
      at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1158)
      Caused by: org.apache.zookeeper.common.X509Exception$SSLContextException: Failed to create KeyManager
      at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:75)
      at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initSSL(ClientCnxnSocketNetty.java:358)
      at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.getPipeline(ClientCnxnSocketNetty.java:348)
      at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:206)
      ... 4 more
      Caused by: org.apache.zookeeper.common.X509Exception$KeyManagerException: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
      at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:129)
      at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:73)
      ... 7 more
      Caused by: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
      at sun.security.jca.GetInstance.getInstance(GetInstance.java:172)
      at javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:9)
      at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:118)

      Reason: IBM WebSphere uses its own JRE and supports only the IbmX509 KeyManager algorithm, which causes an exception when trying to get a key manager instance using SunX509, which is not supported.
      Currently the KeyManager algorithm name (SunX509) is hardcoded in the class X509Util.java.

      Possible fix: Instead of having the algorithm name hardcoded to SunX509, we can fall back to the default algorithm supported by the underlying JRE.

      Instead of having this -
      KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
      TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");

      Can we have?
      KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
      TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
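
The proposed fix as a standalone program, added here as an illustration and not taken from ZooKeeper's X509Util or from the reporter: it resolves both factory algorithms from the running JRE and, if the default is not registered, fails with the list of algorithms the runtime does provide. The class name `PortableTlsFactories` and the helpers `resolve` and `build` are hypothetical, and the empty key store is constructed sample input.

```java
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.Set;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PortableTlsFactories {  // hypothetical name, not a ZooKeeper class

    // Confirm that the JRE default for a JCA service ("KeyManagerFactory" or
    // "TrustManagerFactory") is registered by some provider. Security.getAlgorithms
    // reports names upper-cased, so compare case-insensitively.
    static String resolve(String service, String jreDefault) throws NoSuchAlgorithmException {
        Set<String> available = Security.getAlgorithms(service);
        for (String name : available) {
            if (name.equalsIgnoreCase(jreDefault)) {
                return jreDefault;
            }
        }
        // Name what the runtime offers instead of a bare "not available".
        throw new NoSuchAlgorithmException(
            service + " '" + jreDefault + "' not registered; available: " + available);
    }

    static SSLContext build(KeyStore keys, char[] keyPassword, KeyStore trust) throws Exception {
        String kmAlg = resolve("KeyManagerFactory", KeyManagerFactory.getDefaultAlgorithm());
        String tmAlg = resolve("TrustManagerFactory", TrustManagerFactory.getDefaultAlgorithm());

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(kmAlg);
        kmf.init(keys, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmAlg);
        tmf.init(trust);  // a null trust store selects the JRE's default CA store

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: an empty in-memory key store, enough to exercise init().
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);
        SSLContext ctx = build(empty, new char[0], null);
        System.out.println("KeyManagerFactory: " + Security.getAlgorithms("KeyManagerFactory"));
        System.out.println("TrustManagerFactory: " + Security.getAlgorithms("TrustManagerFactory"));
        System.out.println("SSLContext protocol: " + ctx.getProtocol());
    }
}
```

The defaults come from the `ssl.KeyManagerFactory.algorithm` and `ssl.TrustManagerFactory.algorithm` security properties. On Oracle/OpenJDK the stock TrustManagerFactory default is PKIX rather than SunX509, so the change also switches which trust manager implementation validates peer certificates there.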

            People

            • Assignee:
              jsaurav Saurabh jain
              Reporter:
              sauravmanit Saurabh Jain