[Pki-devel] [fedora-java] Tomcat, NSS and OpenJDK
Andrew Wnuk
awnuk at redhat.com
Tue Oct 4 22:27:17 UTC 2011
Adding Bob and Elio.
On 10/04/2011 02:49 PM, Adam Young wrote:
> On 10/04/2011 04:47 PM, Dr Andrew John Hughes wrote:
>> On 20:58 Mon 03 Oct , Adam Young wrote:
>>> Tomcat has a class called "Realm" which is basically a way of managing
>>> the set of authentication mechanisms. PKI seems To use an older
>>> approach which bypasses the Realm config in Tomcat. I started looking
>>> at what it would take to close the distance between the two. In doing
>>> so, I found something interesting in the openjdk code base:
>>>
>>> In /usr/lib/jvm/java-1.6.0/jre/lib/security/java.security, there is a
>>> section that looks like this:
>>> #
>>> # List of providers and their preference orders (see above):
>>> #
>>> security.provider.1=sun.security.provider.Sun
>>> security.provider.2=sun.security.rsa.SunRsaSign
>>> ...
>>> # the NSS security provider was not enabled for this build; it can be
>>> enabled
>>> # if NSS (libnss3) is available on the machine. The nss.cfg file may
>>> need
>>> # editing to reflect the location of the NSS installation.
>>> #security.provider.9=sun.security.pkcs11.SunPKCS11
>>> ${java.home}/lib/security/nss.cfg
>>>
>> This is added by IcedTea, which can enable NSS support during the build.
>> However, from the commenting, it seems the option has not been turned
>> on in the
>> Fedora packages.
>>
>> If you check /usr/lib/jvm/java-1.6.0-openjdk/lib/security/nss.cfg
>> points at
>> your NSS install, then uncommenting that line should allow Java to
>> use NSS
>> for cryptography.
>
>
> I did that on my system and got it to work. I also went through the
> steps to do it programmatically from Java code:
>
> Class providerClass = Class.forName("sun.security.pkcs11.SunPKCS11");
> System.out.print("found class");
> Provider provider = (Provider)
> providerClass.getConstructor(String.class).newInstance("/usr/lib/jvm/java-1.6.0-openjdk.x86_64/jre/lib/security/nss.cfg");
> Security.addProvider(provider);
>
>
> I'm sure there is a better approach, this was just the quickest to hack.
>
>>
>>> So it seems that Sun had, at least in the past, supported NSS as a
>>> Sercurity provider. For the member of the Java team not familiar with
>>> NSS (I wasn't) It is the Network Security Services and is the basis
>>> for,
>>> amongst other things, how Mozilla stores passwords and certificates.
>>> PKI makes pretty heavy use of NSS, via the Opensource Java bindings
>>> in JSS.
>>>
>>> This page here has more info:
>>>
>>> http://download.oracle.com/javase/1.5.0/docs/guide/security/p11guide.html#Intro
>>>
>>>
>>> It seems like the Oracle JDK has had support in the past for NSS as a
>>> JAAS module. To close the acronym loop with Tomcat, Tomcat has a JAAS
>>> Realm class. What this says to me is that, at one point, Java
>>> developers could have configured Tomcat to use NSS as the
>>> authentication
>>> mechanism for an application.
>> AIUI, the JDK implementation just uses NSS to provide cryptography
>> algorithms,
>> not authentication.
>
> Hmmm...seems to me that if you can use it to look at and validate a
> certificate, you should be able to get the principal from it. But we
> are probably going to use LDAP as the JAAS piece anyway, as that is
> where all of the Users and ACIs live, so that might be OK. I'm not
> certain that it makes sense to get roles out of an NSS database for
> any but the smallest applications.
>
>>
>>> This class ships in the file:
>>>
>>> /usr/lib/jvm/java-1.6.0-openjdk.x86_64/jre/lib/ext/sunpkcs11.jar
>>>
>>> And The native library is in
>>>
>>> /usr/lib/jvm/java-1.6.0-openjdk.x86_64/jre/lib/amd64/libj2pkcs11.so
>>>
>>>
>>> So it looks like we might have an additional Java implementation of NSS
>>> available, one that can potentially provide NSS support for Tomcat and
>>> JBoss via JAAS. It looks like all it requires is a change to the
>>> configuration file that we ship. I'm not quite sure how we would go
>>> about doing this in an automated fashion, short of pulling in
>>> libnss3 as
>>> part of Open JDK support. I'm guessing that if we enable it and the
>>> nss
>>> library is missing it errors our in some ugly manner, but I have not
>>> tested it.
>> The Fedora java-1.6.0-openjdk package would need to be altered to pass
>> --enable-nss to configure and to depend on libnss3 (as you say).
>>
>> I can't remember exactly how it errors out off-hand and I've never
>> had a system
>> without NSS on to see that on! If you have Firefox, you have NSS.
>>
>>> Is anyone familiar with this code?
>> I am; I added the support in IcedTea and fix some bugs in the NSS
>> code upstream (which took forever; the security-dev OpenJDK people
>> at Oracle are very slow to respond in my experience).
>
>
> Thank you. Very nicely done!
>>
>>> Would it be acceptable to activate
>>> this security module by default and to pull in libnss with Java? Is
>>> there some automated way to enable this if NSS is installed?
>> Debian and Ubuntu do enable it, and the option is there as a USE flag
>> in Gentoo. However, an issue did come up regarding it and Firefox:
>>
>> http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=473
>>
>> which may be a blocker. As I say, the process of enabling it is just a
>> two line change in the java-1.6.0-openjdk spec file.
>
>
> Yes, we would want to wait until we had a resolution for that issue.
> I hear that a change is coming for NSS due to enough people hitting
> this, but I do not know the time frame.
>
>
>
>>
>>> --
>>> java-devel mailing list
>>> java-devel at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/java-devel
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
More information about the Pki-devel
mailing list