[jboss-jira] [JBoss JIRA] (WFCORE-2046) KeyManager synchronization issue when using IBM JDK

Josef Cacek (JIRA) issues at jboss.org
Fri Nov 25 10:21:00 EST 2016


Josef Cacek created WFCORE-2046:
-----------------------------------

             Summary: KeyManager synchronization issue when using IBM JDK
                 Key: WFCORE-2046
                 URL: https://issues.jboss.org/browse/WFCORE-2046
             Project: WildFly Core
          Issue Type: Bug
          Components: Domain Management, Security
            Reporter: Josef Cacek
            Assignee: Brian Stansberry
            Priority: Blocker


We hit a {{KeyManagerFactory}}-related synchronization issue in the {{org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(boolean)}} method on IBM JDK. The issue occurs if there are more security realms with SSL identities in EAP and they have keystores with different passwords.

As the ApplicationRealm (in EAP 7.1) has a preconfigured SSL identity configuration, the risk that customers will hit this when they add their own security realm with an SSL identity is big. The frequency with which we hit this issue is more than 10% of cases on our machines.

Our debugging suggests the problem is located in the IBM JDK implementation of {{javax.net.ssl.KeyManagerFactorySpi}} (class {{com.ibm.jsse2.ae$a}}).
The workflow:
# user calls {{keyManagerFactory.init(keyStore, keystorePassword)}} which invokes {{com.ibm.jsse2.ae$a.engineInit(Keystore keyStore, char[] password)}}
# the password (from the second method parameter) is stored into the static field {{com.ibm.jsse2.ae.d}} and in the next step the field is used as a parameter for creating a new object {{new com.ibm.jsse2.aw(keyStore, d)}}
# the previous step is not synchronized and when more threads call {{keyManagerFactory.init()}} with different passwords, a wrong password may be used for retrieving a key from the keystore.

*Possible workaround*
We could work around this issue on the EAP side (until it's fixed in the JDK) by synchronizing the {{keyManagerFactory.init()}} call in {{AbstractKeyManagerService.createKeyManagers(boolean)}} when IBM JDK is used.




--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
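
The store-then-read pattern from the workflow in the report, and the effect of serializing the call as the proposed workaround does, shown as an added example that is not code from the report, from WildFly or from the IBM JDK. The class {{StaticPasswordRace}}, its {{engineInit}} stand-in, the lock object and the sample passwords are all hypothetical and only model the described behaviour.

```java
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

public class StaticPasswordRace {
    // Hypothetical model: the SPI parks the caller's password in a static field.
    static char[] shared;
    // One JVM-wide lock, as the workaround would place around keyManagerFactory.init().
    static final Object INIT_LOCK = new Object();

    // Returns the password that the second step actually sees.
    static char[] engineInit(char[] password) {
        shared = password;   // step 1: store the parameter in the static field
        Thread.yield();      // widen the window between the two steps
        return shared;       // step 2: read the static field back for key retrieval
    }

    // Counts how often a thread got back a password that was not its own.
    static int mismatches(boolean serialize, int threads, int rounds) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        AtomicInteger wrong = new AtomicInteger();
        CountDownLatch done = new CountDownLatch(threads);
        for (int t = 0; t < threads; t++) {
            // Constructed sample value: one distinct keystore password per "realm".
            char[] mine = ("realm-password-" + t).toCharArray();
            pool.execute(() -> {
                for (int i = 0; i < rounds; i++) {
                    char[] used;
                    if (serialize) {
                        synchronized (INIT_LOCK) { used = engineInit(mine); }
                    } else {
                        used = engineInit(mine);
                    }
                    if (used != mine) wrong.incrementAndGet();
                }
                done.countDown();
            });
        }
        done.await();
        pool.shutdown();
        return wrong.get();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("unsynchronized mismatches: " + mismatches(false, 4, 100_000));
        System.out.println("serialized mismatches:     " + mismatches(true, 4, 100_000));
    }
}
```

The unsynchronized count depends on scheduling and varies between runs; the serialized count is always zero because every store and read of the static field happens under the same lock.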