[JBoss JIRA] (WFCORE-3075) KeyStore password as default KeyManager password
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3075?page=com.atlassian.jira.plugi... ]
Jan Kalina updated WFCORE-3075:
-------------------------------
Description:
In Elytron, both a keystore password (key-store resource) and a key password (key-managers resource) are required.
However, in theory there could be cases where no password is intended:
- key-store resource for truststore purposes (reading truststore) (but in legacy the password is required)
- PKCS12 can be created without key password (but keystore password in legacy is required)
- you can create JKS programmatically without keystore password
- *in legacy key password is optional (which means the keystore password is used)*
From discussion: We can make the password optional on the KeyManager, so if no password is specified on the KeyManager we assume it is the one from the KeyStore.
Created analysis document for this: https://developer.jboss.org/wiki/AnalysisDesign-KeyStorePasswordAsDefault...
was:
In Elytron, both a keystore password (key-store resource) and a key password (key-managers resource) are required.
However, in theory there could be cases where no password is intended:
- key-store resource for truststore purposes (reading truststore) (but in legacy it is required)
- PKCS12 can be created without key password (but keystore password in legacy is required)
- you can create JKS programmatically without keystore password
- *in legacy key password is optional (which means the keystore password is used)*
From discussion: We can make the password optional on the KeyManager, so if no password is specified on the KeyManager we assume it is the one from the KeyStore.
Created analysis document for this: https://developer.jboss.org/wiki/AnalysisDesign-KeyStorePasswordAsDefault...
> KeyStore password as default KeyManager password
> ------------------------------------------------
>
> Key: WFCORE-3075
> URL: https://issues.jboss.org/browse/WFCORE-3075
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Jan Kalina
> Priority: Critical
> Labels: keymanager, keystore, trustmanager
>
> In Elytron, both a keystore password (key-store resource) and a key password (key-managers resource) are required.
> However, in theory there could be cases where no password is intended:
> - key-store resource for truststore purposes (reading truststore) (but in legacy the password is required)
> - PKCS12 can be created without key password (but keystore password in legacy is required)
> - you can create JKS programmatically without keystore password
> - *in legacy key password is optional (which means the keystore password is used)*
> From discussion: We can make the password optional on the KeyManager, so if no password is specified on the KeyManager we assume it is the one from the KeyStore.
> Created analysis document for this: https://developer.jboss.org/wiki/AnalysisDesign-KeyStorePasswordAsDefault...
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
8 years, 10 months
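As an added example of the fallback proposed in this issue (not Elytron's or WildFly's own code), a hypothetical helper that defaults an absent key password to the keystore password, and that also covers the truststore case, where a JKS can be read with no password at the cost of skipping its integrity check:

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper illustrating the proposed rule: a missing key password
// is treated as "same as the keystore password" instead of being rejected.
public final class KeyManagerPasswordFallback {

    // Password used to unlock key entries: the explicit key password if one
    // was configured, otherwise the keystore password.
    static char[] resolveKeyPassword(char[] keyStorePassword, char[] keyPassword) {
        return keyPassword != null ? keyPassword : keyStorePassword;
    }

    // Loads a keystore file. A null keyStorePassword is accepted, but for JKS it
    // means the file's integrity digest is not verified, which is only acceptable
    // for a truststore holding public certificates.
    static KeyStore loadKeyStore(Path file, String type, char[] keyStorePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, keyStorePassword);
        }
        return ks;
    }

    // Equivalent of a key-managers resource: keyPassword may be null.
    static KeyManager[] keyManagers(Path file, String type, char[] keyStorePassword, char[] keyPassword) throws Exception {
        KeyStore ks = loadKeyStore(file, type, keyStorePassword);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, resolveKeyPassword(keyStorePassword, keyPassword));
        return kmf.getKeyManagers();
    }

    // Equivalent of a trust-managers resource: no key password is ever needed.
    static TrustManager[] trustManagers(Path file, String type, char[] keyStorePassword) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadKeyStore(file, type, keyStorePassword));
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        // File names and passwords are placeholders for a deployment's own values.
        KeyManager[] kms = keyManagers(Paths.get("server.keystore"), "PKCS12", "keystorePass".toCharArray(), null);
        TrustManager[] tms = trustManagers(Paths.get("server.truststore"), "JKS", null);
        System.out.println(kms.length + " key manager(s), " + tms.length + " trust manager(s)");
    }
}
```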
[JBoss JIRA] (WFCORE-3075) KeyStore password as default KeyManager password
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3075?page=com.atlassian.jira.plugi... ]
Jan Kalina updated WFCORE-3075:
-------------------------------
Description:
In Elytron, both a keystore password (key-store resource) and a key password (key-managers resource) are required.
However, in theory there could be cases where no password is intended:
- key-store resource for truststore purposes (reading truststore) (but in legacy it is required)
- PKCS12 can be created without key password (but keystore password in legacy is required)
- you can create JKS programmatically without keystore password
- *in legacy key password is optional (which means the keystore password is used)*
From discussion: We can make the password optional on the KeyManager, so if no password is specified on the KeyManager we assume it is the one from the KeyStore.
Created analysis document for this: https://developer.jboss.org/wiki/AnalysisDesign-KeyStorePasswordAsDefault...
was:
In Elytron, both a keystore password (key-store resource) and a key password (key-managers resource) are required.
However, in theory there could be cases where no password is intended:
- key-store resource for truststore purposes (reading truststore)
- PKCS12 can be created without key password
- you can create JKS programmatically without keystore password
- in legacy key password is optional
The question is whether we want to support these cases in EAP.
On the other hand:
- truststore password in legacy is required
- keystore password in legacy is required
- changing from required to optional can be performed in the future in a backward-compatible manner
- requiring a password is more secure
So from my PoV, with Elytron we are, compared to legacy, a little bit unsafe only with the required key password. But that can easily be changed to optional in the future if there is a customer case.
WDYT?
> KeyStore password as default KeyManager password
> ------------------------------------------------
>
> Key: WFCORE-3075
> URL: https://issues.jboss.org/browse/WFCORE-3075
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Jan Kalina
> Priority: Critical
> Labels: keymanager, keystore, trustmanager
>
> In Elytron, both a keystore password (key-store resource) and a key password (key-managers resource) are required.
> However, in theory there could be cases where no password is intended:
> - key-store resource for truststore purposes (reading truststore) (but in legacy it is required)
> - PKCS12 can be created without key password (but keystore password in legacy is required)
> - you can create JKS programmatically without keystore password
> - *in legacy key password is optional (which means the keystore password is used)*
> From discussion: We can make the password optional on the KeyManager, so if no password is specified on the KeyManager we assume it is the one from the KeyStore.
> Created analysis document for this: https://developer.jboss.org/wiki/AnalysisDesign-KeyStorePasswordAsDefault...
[JBoss JIRA] (WFCORE-3075) Required keystore and key passwords
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3075?page=com.atlassian.jira.plugi... ]
Jan Kalina updated WFCORE-3075:
-------------------------------
Labels: keymanager keystore trustmanager (was: eap71_priority keymanager keystore ssl trustmanager)
> Required keystore and key passwords
> ----------------------------------
>
> Key: WFCORE-3075
> URL: https://issues.jboss.org/browse/WFCORE-3075
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Jan Kalina
> Priority: Critical
> Labels: keymanager, keystore, trustmanager
>
> In Elytron, both a keystore password (key-store resource) and a key password (key-managers resource) are required.
> However, in theory there could be cases where no password is intended:
> - key-store resource for truststore purposes (reading truststore)
> - PKCS12 can be created without key password
> - you can create JKS programmatically without keystore password
> - in legacy key password is optional
> The question is whether we want to support these cases in EAP.
> On the other hand:
> - truststore password in legacy is required
> - keystore password in legacy is required
> - changing from required to optional can be performed in the future in a backward-compatible manner
> - requiring a password is more secure
> So from my PoV, with Elytron we are, compared to legacy, a little bit unsafe only with the required key password. But that can easily be changed to optional in the future if there is a customer case.
> WDYT?
[JBoss JIRA] (WFCORE-3075) KeyStore password as default KeyManager password
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3075?page=com.atlassian.jira.plugi... ]
Jan Kalina updated WFCORE-3075:
-------------------------------
Summary: KeyStore password as default KeyManager password (was: Required keystore and key passwords)
> KeyStore password as default KeyManager password
> ------------------------------------------------
>
> Key: WFCORE-3075
> URL: https://issues.jboss.org/browse/WFCORE-3075
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Jan Kalina
> Priority: Critical
> Labels: keymanager, keystore, trustmanager
>
> In Elytron, both a keystore password (key-store resource) and a key password (key-managers resource) are required.
> However, in theory there could be cases where no password is intended:
> - key-store resource for truststore purposes (reading truststore)
> - PKCS12 can be created without key password
> - you can create JKS programmatically without keystore password
> - in legacy key password is optional
> The question is whether we want to support these cases in EAP.
> On the other hand:
> - truststore password in legacy is required
> - keystore password in legacy is required
> - changing from required to optional can be performed in the future in a backward-compatible manner
> - requiring a password is more secure
> So from my PoV, with Elytron we are, compared to legacy, a little bit unsafe only with the required key password. But that can easily be changed to optional in the future if there is a customer case.
> WDYT?
[JBoss JIRA] (WFCORE-3075) Required keystore and key passwords
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3075?page=com.atlassian.jira.plugi... ]
Jan Kalina moved JBEAP-12210 to WFCORE-3075:
--------------------------------------------
Project: WildFly Core (was: JBoss Enterprise Application Platform)
Key: WFCORE-3075 (was: JBEAP-12210)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: Security
(was: Security)
> Required keystore and key passwords
> ----------------------------------
>
> Key: WFCORE-3075
> URL: https://issues.jboss.org/browse/WFCORE-3075
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Jan Kalina
> Priority: Critical
> Labels: eap71_priority, keymanager, keystore, ssl, trustmanager
>
> In Elytron, both a keystore password (key-store resource) and a key password (key-managers resource) are required.
> However, in theory there could be cases where no password is intended:
> - key-store resource for truststore purposes (reading truststore)
> - PKCS12 can be created without key password
> - you can create JKS programmatically without keystore password
> - in legacy key password is optional
> The question is whether we want to support these cases in EAP.
> On the other hand:
> - truststore password in legacy is required
> - keystore password in legacy is required
> - changing from required to optional can be performed in the future in a backward-compatible manner
> - requiring a password is more secure
> So from my PoV, with Elytron we are, compared to legacy, a little bit unsafe only with the required key password. But that can easily be changed to optional in the future if there is a customer case.
> WDYT?
[JBoss JIRA] (ELY-1027) CS tool, Parameter --salt requires --iteration and vice versa
by Yeray Borges (JIRA)
[ https://issues.jboss.org/browse/ELY-1027?page=com.atlassian.jira.plugin.s... ]
Yeray Borges resolved ELY-1027.
-------------------------------
Resolution: Cannot Reproduce Bug
> CS tool, Parameter --salt requires --iteration and vice versa
> -------------------------------------------------------------
>
> Key: ELY-1027
> URL: https://issues.jboss.org/browse/ELY-1027
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Credential Store
> Reporter: Hynek Švábek
> Assignee: Yeray Borges
>
> If I use only one of the parameters --salt or --iteration, then that one is ignored and the resulting password is in clear text.
> {code}
> java -jar wildfly-elytron-tool.jar credential-store --add myalias --secret supersecretpassword --location="test.store" --uri "cr-store://test?modifiable=true;create=true;keyStoreType=JCEKS" --password mycspassword --summary --salt="abcdefgh"
> {code}
> Result of this command is:
> {code}
> Alias "myalias" has been successfully stored
> Credential store command summary:
> --------------------------------------
> /subsystem=elytron/credential-store=test:add(uri="cr-store://test?modifiable=true;create=true;keyStoreType=JCEKS",relative-to=jboss.server.data.dir,credential-reference={clear-text="mycspassword"})
> {code}
> *An error is expected here.*
> Please add this constraint: parameter --salt requires --iteration, and vice versa.