Skip to main content

Keystore passwords not defined as JVM properties

Please note these java.net forums are being decommissioned and use the new and improved forums at https://community.oracle.com/community/java.
No replies
aldaris
Offline
Joined: 2009-07-22

Hi,

I have an application running fine in GlassFish v3.1.2, but that app would like to use the Grizzly framework to make outgoing connections to SSL protected resources (LDAPS in this case), but the code fails horribly at the very bottom of Grizzly:
java.lang.IllegalStateException: KeyManagerFactoryImpl is not initialized
at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl.engineGetKeyManagers(KeyManagerFactoryImpl.java:30)
at javax.net.ssl.KeyManagerFactory.getKeyManagers(KeyManagerFactory.java:272)
at org.glassfish.grizzly.ssl.SSLContextConfigurator.createSSLContext(SSLContextConfigurator.java:601)
at org.glassfish.grizzly.ssl.SSLFilter.(SSLFilter.java:130)

What happens is that Grizzly does not seem to like the fact that the
-Djavax.net.ssl.keystore
-Djavax.net.ssl.truststore
JVM properties are set in the domain, but the corresponding password properties are missing. And it blows up with (on FINE level of course…):
[#|2013-01-11T14:39:22.791+0000|FINE|glassfish3.1.2|org.glassfish.grizzly.ssl.SSLContextConfigurator|_ThreadID=21;_ThreadName=Thread-3;ClassName=org.glassfish.grizzly.ssl.SSLContextConfigurator;MethodName=createSSLContext;|Key store unrecoverable exception.
java.security.UnrecoverableKeyException: Password must not be null
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:107)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
at java.security.KeyStore.getKey(KeyStore.java:763)
at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.(SunX509KeyManagerImpl.java:113)
at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:48)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)

I know that the keystore passwords are actually the same as the GlassFish master password, but I don't know how to explain this to Grizzly.. Right now I set the password JVM properties in domain.xml and Grizzly is happy, but I wonder if there is a better way to deal with this.
The question for GlassFish gurus: shouldn't GlassFish set these JVM properties with the master password during config? Seems like having only the paths defined for the keystores is breaking JSSE.

Any thoughts welcome.

Thanks,
Peter