Jan Pazdziora commented on WFCORE-3046:
---------------------------------------
For the benefit of someone who does not follow the JBoss development or does not know how
Elytron works, could you point me to some migration guide that we could use for
FileKeystore is hard to use with non-file-based keystores
---------------------------------------------------------
Key: WFCORE-3046
URL: https://issues.jboss.org/browse/WFCORE-3046
Project: WildFly Core
Issue Type: Bug
Components: Security
Reporter: Jan Pazdziora
Assignee: Darran Lofthouse
Priority: Major
We are implementing a JCA KeyStore provider to get certificates and keys via an external
process over the network:
https://github.com/latchset/custodia-jca-provider
However, the code in
https://github.com/wildfly/wildfly-core/blob/master/domain-management/src...
makes the use of such a provider hard.
It seems that FileKeystore has two modes of operation -- either an alias is specified and
then the KeyStore is treated as a file (isKeyStore = true) which has to exist and it has to
be able to list aliases, or the file is not required to exist (isKeyStore = false) but
then an alias cannot be specified (and if it is specified as the alias attribute of the
<keystore> element, it is ignored).
In case we'd like to be able to use our provider without additional configuration in
java.security, we'd like to be able to specify an alias to retrieve a specific entry,
especially since getting the list of aliases might be either slow (for large sets) or not
possible. For that, however, we need to go the isKeyStore = true route with a path specified
and the file existing. Alas, when we try
    <ssl>
        <keystore provider="custodia-cli" path="/dev/null"
                  alias="wildfly/server-ssl" keystore-password="thepassword" />
    </ssl>
then due to the extra check in WildFly's code, startup fails with
    Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYDM0083: The KeyStore /dev/null does not contain any keys.
        at org.jboss.as.domain.management.security.FileKeystore.assertContainsKey(FileKeystore.java:169)
        at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:120)
        at org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:189)
Please consider removing the
    if (isKeyStore) {
        assertContainsKey(loadedKeystore);
    }
code from
https://github.com/wildfly/wildfly-core/blob/master/domain-management/src...
since the existence of the keystore file does not guarantee that the keys will be stored in it
or that the provider will be able to loop through them. The file might be just /dev/null
or some config file of the provider.
Ideally though, it should be possible to specify an alias even for a keystore which has no
path specified.
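The failure mode described in this issue, as an added example that is not part of the original issue and is neither WildFly nor custodia-jca-provider code: a minimal JCA KeyStore provider that can hand out one entry by alias but cannot enumerate its aliases, registered programmatically (so nothing has to be added to java.security), next to the two ways of checking whether a keystore "contains a key". The enumeration-based check, which is the shape of the assertContainsKey check quoted above, finds nothing and would report the keystore as empty; the alias-based check, and a plain getKey() for the configured alias, succeed. The provider name "custodia-cli", the alias "wildfly/server-ssl", the class names and the constructed AES sample key are assumptions chosen to mirror the issue text; /dev/null is used as the "path" exactly as in the configuration above, so the example assumes a Unix-like system.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.KeyStoreSpi;
import java.security.Provider;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import javax.crypto.spec.SecretKeySpec;

public class KeystoreAliasCheck {

    /** Assumed KeyStoreSpi backed by something that is not a file and cannot list its entries. */
    public static class NonEnumeratingKeyStore extends KeyStoreSpi {
        // Constructed sample entry standing in for one fetched from an external process.
        private static final String KNOWN_ALIAS = "wildfly/server-ssl";
        private static final Key KNOWN_KEY = new SecretKeySpec(new byte[16], "AES");

        public NonEnumeratingKeyStore() {}

        @Override public void engineLoad(InputStream stream, char[] password) {
            // The stream (here /dev/null) carries no data for this provider, so it is ignored.
        }
        @Override public Key engineGetKey(String alias, char[] password) {
            return KNOWN_ALIAS.equals(alias) ? KNOWN_KEY : null;
        }
        @Override public boolean engineContainsAlias(String alias) { return KNOWN_ALIAS.equals(alias); }
        @Override public boolean engineIsKeyEntry(String alias) { return KNOWN_ALIAS.equals(alias); }
        @Override public boolean engineIsCertificateEntry(String alias) { return false; }
        // The backend cannot enumerate: report no aliases at all.
        @Override public Enumeration<String> engineAliases() { return Collections.emptyEnumeration(); }
        @Override public int engineSize() { return 0; }
        @Override public Certificate[] engineGetCertificateChain(String alias) { return null; }
        @Override public Certificate engineGetCertificate(String alias) { return null; }
        @Override public Date engineGetCreationDate(String alias) { return null; }
        @Override public String engineGetCertificateAlias(Certificate cert) { return null; }
        // Read-only store: every mutating operation is rejected with an unchecked exception,
        // because engineStore's declared throws clause does not include KeyStoreException.
        @Override public void engineSetKeyEntry(String a, Key k, char[] p, Certificate[] c) { throw new UnsupportedOperationException("read-only"); }
        @Override public void engineSetKeyEntry(String a, byte[] k, Certificate[] c) { throw new UnsupportedOperationException("read-only"); }
        @Override public void engineSetCertificateEntry(String a, Certificate c) { throw new UnsupportedOperationException("read-only"); }
        @Override public void engineDeleteEntry(String a) { throw new UnsupportedOperationException("read-only"); }
        @Override public void engineStore(OutputStream s, char[] p) { throw new UnsupportedOperationException("read-only"); }
    }

    /** Assumed provider registering the SPI under the keystore type "custodia-cli". */
    @SuppressWarnings("deprecation")
    public static class CustodiaProvider extends Provider {
        public CustodiaProvider() {
            super("custodia-cli", 1.0, "example non-enumerating keystore provider");
            put("KeyStore.custodia-cli", NonEnumeratingKeyStore.class.getName());
        }
    }

    /** Enumeration-based check, the shape of WildFly's assertContainsKey: walks every alias. */
    static boolean containsKeyByEnumeration(KeyStore ks) throws KeyStoreException {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            if (ks.isKeyEntry(e.nextElement())) return true;
        }
        return false;
    }

    /** Alias-based check: asks only about the configured entry, never enumerates. */
    static boolean containsKeyByAlias(KeyStore ks, String alias) throws KeyStoreException {
        return ks.containsAlias(alias) && ks.isKeyEntry(alias);
    }

    public static void main(String[] args) throws Exception {
        char[] password = "thepassword".toCharArray();
        KeyStore ks = KeyStore.getInstance("custodia-cli", new CustodiaProvider());
        // Same "path" as in the issue's configuration; the provider ignores its contents.
        try (InputStream in = new FileInputStream("/dev/null")) {
            ks.load(in, password);
        }
        System.out.println("enumeration check: " + containsKeyByEnumeration(ks));
        System.out.println("alias check:       " + containsKeyByAlias(ks, "wildfly/server-ssl"));
        System.out.println("getKey by alias:   " + (ks.getKey("wildfly/server-ssl", password) != null));
    }
}
```

Compile and run with `javac KeystoreAliasCheck.java && java KeystoreAliasCheck`. The only difference between the two checks is whether they depend on aliases() returning anything; when a keystore element names an alias, the alias-based form is what the configuration actually needs, and it also avoids the cost of listing a large remote entry set.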