[Pki-devel] [fedora-java] Tomcat, NSS and OpenJDK

Dr Andrew John Hughes ahughes at redhat.com
Tue Oct 4 20:47:08 UTC 2011 

On 20:58 Mon 03 Oct     , Adam Young wrote:
> Tomcat has a class called "Realm" which is basically a way of managing 
> the set of authentication mechanisms.  PKI seems To use an older 
> approach which bypasses the Realm  config in Tomcat.  I started looking 
> at what it would take to close the distance between the two.  In doing 
> so, I found something interesting in the openjdk code base:
> 
> In /usr/lib/jvm/java-1.6.0/jre/lib/security/java.security,  there is a 
> section that looks like this:
> #
> # List of providers and their preference orders (see above):
> #
> security.provider.1=sun.security.provider.Sun
> security.provider.2=sun.security.rsa.SunRsaSign
> ...
> # the NSS security provider was not enabled for this build; it can be 
> enabled
> # if NSS (libnss3) is available on the machine. The nss.cfg file may need
> # editing to reflect the location of the NSS installation.
> #security.provider.9=sun.security.pkcs11.SunPKCS11 
> ${java.home}/lib/security/nss.cfg
> 

This is added by IcedTea, which can enable NSS support during the build.
However, from the commenting, it seems the option has not been turned on in the
Fedora packages.

If you check /usr/lib/jvm/java-1.6.0-openjdk/lib/security/nss.cfg points at
your NSS install, then uncommenting that line should allow Java to use NSS
for cryptography.

> 
> So it seems that Sun had, at least in the past, supported  NSS as a 
> Sercurity provider.  For the member of the Java team not familiar with 
> NSS (I wasn't) It is the Network Security Services and is the basis for, 
> amongst other things, how Mozilla stores passwords and certificates.  
> PKI makes pretty heavy use of NSS, via the Opensource Java bindings in JSS.
> 
> This page here has more info:
> 
> http://download.oracle.com/javase/1.5.0/docs/guide/security/p11guide.html#Intro
> 
> It seems like the Oracle JDK has had support in the past for NSS as a 
> JAAS module.  To close the acronym loop with Tomcat, Tomcat has a JAAS 
> Realm  class.  What this says to me is that, at one point, Java 
> developers could have configured Tomcat to use NSS as the authentication 
> mechanism for an application.

AIUI, the JDK implementation just uses NSS to provide cryptography algorithms,
not authentication.

> 
> This class ships in the  file:
> 
> /usr/lib/jvm/java-1.6.0-openjdk.x86_64/jre/lib/ext/sunpkcs11.jar
> 
> And The native library is in
> 
> /usr/lib/jvm/java-1.6.0-openjdk.x86_64/jre/lib/amd64/libj2pkcs11.so
> 
> 
> So it looks like we might have an additional Java implementation of NSS 
> available, one that can potentially provide  NSS support for Tomcat and 
> JBoss  via JAAS.  It looks like all it requires is a change to the 
> configuration file that we ship.  I'm not quite sure how we would go 
> about doing this in an automated fashion, short of pulling in libnss3 as 
> part of Open JDK support.  I'm guessing that if we enable it and the nss 
> library is missing it errors our in some ugly manner, but I have not 
> tested it.

The Fedora java-1.6.0-openjdk package would need to be altered to pass
--enable-nss to configure and to depend on libnss3 (as you say).

I can't remember exactly how it errors out off-hand and I've never had a system
without NSS on to see that on!  If you have Firefox, you have NSS.

> 
> Is anyone familiar with this code?  

I am; I added the support in IcedTea and fix some bugs in the NSS
code upstream (which took forever; the security-dev OpenJDK people
at Oracle are very slow to respond in my experience).

> Would it be acceptable to activate 
> this security module by default and to pull in libnss with Java?  Is 
> there some automated way to enable this if NSS is installed?

Debian and Ubuntu do enable it, and the option is there as a USE flag
in Gentoo.  However, an issue did come up regarding it and Firefox:

http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=473

which may be a blocker.  As I say, the process of enabling it is just a
two line change in the java-1.6.0-openjdk spec file.

> --
> java-devel mailing list
> java-devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/java-devel

-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and IcedTea
http://www.gnu.org/software/classpath
http://icedtea.classpath.org
PGP Key: F5862A37 (https://keys.indymedia.org/)
Fingerprint = EA30 D855 D50F 90CD F54D  0698 0713 C3ED F586 2A37

More information about the Pki-devel mailing list