Re: [jetty-users] Different passwords for key store and trust store -- is it possible?

Hi Shawn,

On Tue, Nov 28, 2017 at 12:38 AM, Shawn Heisey <eclipse@xxxxxxxxxxxx> wrote:
> I'm a committer on the Apache Lucene/Solr project.  One of our users
> opened an issue on Solr 6.6.2, which uses Jetty 9.3.14.  Here's the URL
> for that issue:
>
> https://issues.apache.org/jira/browse/SOLR-11678
>
> They want to use different passwords for their key store and their trust
> store.  If they set their stores up so they both use the same password,
> then everything works, but when they use different passwords, the Jetty
> startup throws an exception.

The exception reported in the SOLR issue shows that the exception is
thrown while loading the keystore, not the truststore.
So either they have the wrong password, or they also have a keymanager
password that they did not specify in the Jetty configuration.

> At this time I don't have precise information on how the user has
> installed and configured Solr, but I'm taking a leap of faith and
> assuming that they're not completely clueless and have done the job
> correctly from the point of view of the Solr project.
>
> I'm just barely familiar with how Java deals with stores for SSL ...
> enough to know that it's typically more difficult to inform Java-based
> software about certificates and keys compared to software that can
> directly use PEM-encoded files.
>
> The Solr startup script sets system properties for the store filenames
> and environment variables for the passwords, and makes sure the
> environment variables are exported so forked processes can access them.
> Then in the jetty-ssl.xml that Solr provides we have this:
>
>   <Set name="KeyStorePath"><Property name="solr.jetty.keystore" default="./etc/solr-ssl.keystore.jks"/></Set>
>   <Set name="KeyStorePassword"><Env name="SOLR_SSL_KEY_STORE_PASSWORD" default="secret"/></Set>
>   <Set name="TrustStorePath"><Property name="solr.jetty.truststore" default="./etc/solr-ssl.keystore.jks"/></Set>
>   <Set name="TrustStorePassword"><Env name="SOLR_SSL_TRUST_STORE_PASSWORD" default="secret"/></Set>
>
> Does Jetty support different passwords for the key store and the trust
> store?

Yes.

> If so, then based on the info I've provided, is Solr configuring
> Jetty correctly?

From the XML snippet above, yes.

> Would we need to upgrade Jetty beyond 9.3.14 for it to work?

Not necessarily, although the current version of Jetty is 9.4.x,
rather than 9.3.x.

-- 
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
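The reply above distinguishes three passwords that are easy to conflate: the key store password (checked when the store file is loaded), the key entry password that Jetty calls KeyManagerPassword (checked only when a key is actually recovered, for example by a KeyManagerFactory), and the trust store password (a separate store with its own password). The following plain-JDK program is an added example written for this page; it is not Jetty or Solr code and is not part of the thread. It uses a JCEKS store holding a secret key so that no certificate is needed; the store type, aliases and all password values are constructed for the demonstration. JKS behaves the same way for private key entries.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Added example (not Jetty or Solr code). Demonstrates that a key store
 * involves two independent secrets, and that the trust store is a third:
 *   1. key store password   - verified by KeyStore.load(); a mismatch fails
 *                             before any entry is touched,
 *   2. key entry password   - verified only by KeyStore.getKey(); this is the
 *                             value Jetty's KeyManagerPassword must carry when
 *                             it differs from KeyStorePassword,
 *   3. trust store password - a separate store, loaded on its own.
 * All passwords and the alias below are constructed values.
 */
public class StorePasswordDemo {

    static final char[] KEY_STORE_PASSWORD = "store-secret".toCharArray();
    static final char[] KEY_ENTRY_PASSWORD = "entry-secret".toCharArray();
    static final char[] TRUST_STORE_PASSWORD = "trust-secret".toCharArray();
    static final String ALIAS = "demo-key";

    /** Builds a JCEKS key store whose single entry has its own password. */
    static byte[] buildKeyStore() throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null); // start from an empty store
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(KEY_ENTRY_PASSWORD));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, KEY_STORE_PASSWORD); // store password seals the file
        return out.toByteArray();
    }

    /** Builds an empty trust store protected by its own, unrelated password. */
    static byte[] buildTrustStore() throws Exception {
        KeyStore ts = KeyStore.getInstance("JCEKS");
        ts.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ts.store(out, TRUST_STORE_PASSWORD);
        return out.toByteArray();
    }

    static KeyStore load(byte[] bytes, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(new ByteArrayInputStream(bytes), storePassword);
        return ks;
    }

    public static void main(String[] args) throws Exception {
        byte[] keyStoreBytes = buildKeyStore();

        // 1. Wrong key store password: the failure is in load(), which is the
        //    stage at which the exception in the SOLR issue was reported.
        try {
            load(keyStoreBytes, "wrong-store-password".toCharArray());
        } catch (IOException e) {
            System.out.println("load() with wrong store password failed: " + e.getMessage());
        }

        // 2. Correct store password, but the store password reused for the key:
        //    load() succeeds and only getKey() fails. A KeyManagerFactory
        //    initialised with the store password hits exactly this path.
        KeyStore ks = load(keyStoreBytes, KEY_STORE_PASSWORD);
        try {
            ks.getKey(ALIAS, KEY_STORE_PASSWORD);
        } catch (UnrecoverableKeyException e) {
            System.out.println("getKey() with store password failed: " + e.getMessage());
        }
        // With the entry password the key is recoverable.
        System.out.println("getKey() with entry password: "
                + ks.getKey(ALIAS, KEY_ENTRY_PASSWORD).getAlgorithm());

        // 3. The trust store is loaded independently with its own password;
        //    nothing requires it to match either key store secret.
        KeyStore ts = load(buildTrustStore(), TRUST_STORE_PASSWORD);
        System.out.println("trust store loaded, entries: " + ts.size());
    }
}
```

Compile and run with `javac StorePasswordDemo.java && java StorePasswordDemo`. In Jetty terms, case 1 corresponds to a wrong KeyStorePassword, case 2 to a key entry whose password differs from the store password without a matching KeyManagerPassword being configured (the SslContextFactory setter is setKeyManagerPassword, set from XML with `<Set name="KeyManagerPassword">`), and case 3 shows why TrustStorePassword can differ from both without any conflict.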
