FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Development Java

 
 
LinkBack Thread Tools
 
Old 10-04-2011, 12:58 AM
Adam Young
 
Default Tomcat, NSS and OpenJDK

Tomcat has a class called "Realm" which is basically a way of managing
the set of authentication mechanisms. PKI seems To use an older
approach which bypasses the Realm config in Tomcat. I started looking
at what it would take to close the distance between the two. In doing
so, I found something interesting in the openjdk code base:

In /usr/lib/jvm/java-1.6.0/jre/lib/security/java.security, there is a
section that looks like this:
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
...
# the NSS security provider was not enabled for this build; it can be
enabled
# if NSS (libnss3) is available on the machine. The nss.cfg file may need
# editing to reflect the location of the NSS installation.
#security.provider.9=sun.security.pkcs11.SunPKCS11
${java.home}/lib/security/nss.cfg


So it seems that Sun had, at least in the past, supported NSS as a
Sercurity provider. For the member of the Java team not familiar with
NSS (I wasn't) It is the Network Security Services and is the basis for,
amongst other things, how Mozilla stores passwords and certificates.
PKI makes pretty heavy use of NSS, via the Opensource Java bindings in JSS.

This page here has more info:

http://download.oracle.com/javase/1.5.0/docs/guide/security/p11guide.html#Intro

It seems like the Oracle JDK has had support in the past for NSS as a
JAAS module. To close the acronym loop with Tomcat, Tomcat has a JAAS
Realm class. What this says to me is that, at one point, Java
developers could have configured Tomcat to use NSS as the authentication
mechanism for an application.

This class ships in the file:

/usr/lib/jvm/java-1.6.0-openjdk.x86_64/jre/lib/ext/sunpkcs11.jar

And The native library is in

/usr/lib/jvm/java-1.6.0-openjdk.x86_64/jre/lib/amd64/libj2pkcs11.so


So it looks like we might have an additional Java implementation of NSS
available, one that can potentially provide NSS support for Tomcat and
JBoss via JAAS. It looks like all it requires is a change to the
configuration file that we ship. I'm not quite sure how we would go
about doing this in an automated fashion, short of pulling in libnss3 as
part of Open JDK support. I'm guessing that if we enable it and the nss
library is missing it errors our in some ugly manner, but I have not
tested it.

Is anyone familiar with this code? Would it be acceptable to activate
this security module by default and to pull in libnss with Java? Is
there some automated way to enable this if NSS is installed?
--
java-devel mailing list
java-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/java-devel
 
Old 10-04-2011, 08:47 PM
Dr Andrew John Hughes
 
Default Tomcat, NSS and OpenJDK

On 20:58 Mon 03 Oct , Adam Young wrote:
> Tomcat has a class called "Realm" which is basically a way of managing
> the set of authentication mechanisms. PKI seems To use an older
> approach which bypasses the Realm config in Tomcat. I started looking
> at what it would take to close the distance between the two. In doing
> so, I found something interesting in the openjdk code base:
>
> In /usr/lib/jvm/java-1.6.0/jre/lib/security/java.security, there is a
> section that looks like this:
> #
> # List of providers and their preference orders (see above):
> #
> security.provider.1=sun.security.provider.Sun
> security.provider.2=sun.security.rsa.SunRsaSign
> ...
> # the NSS security provider was not enabled for this build; it can be
> enabled
> # if NSS (libnss3) is available on the machine. The nss.cfg file may need
> # editing to reflect the location of the NSS installation.
> #security.provider.9=sun.security.pkcs11.SunPKCS11
> ${java.home}/lib/security/nss.cfg
>

This is added by IcedTea, which can enable NSS support during the build.
However, from the commenting, it seems the option has not been turned on in the
Fedora packages.

If you check /usr/lib/jvm/java-1.6.0-openjdk/lib/security/nss.cfg points at
your NSS install, then uncommenting that line should allow Java to use NSS
for cryptography.

>
> So it seems that Sun had, at least in the past, supported NSS as a
> Sercurity provider. For the member of the Java team not familiar with
> NSS (I wasn't) It is the Network Security Services and is the basis for,
> amongst other things, how Mozilla stores passwords and certificates.
> PKI makes pretty heavy use of NSS, via the Opensource Java bindings in JSS.
>
> This page here has more info:
>
> http://download.oracle.com/javase/1.5.0/docs/guide/security/p11guide.html#Intro
>
> It seems like the Oracle JDK has had support in the past for NSS as a
> JAAS module. To close the acronym loop with Tomcat, Tomcat has a JAAS
> Realm class. What this says to me is that, at one point, Java
> developers could have configured Tomcat to use NSS as the authentication
> mechanism for an application.

AIUI, the JDK implementation just uses NSS to provide cryptography algorithms,
not authentication.

>
> This class ships in the file:
>
> /usr/lib/jvm/java-1.6.0-openjdk.x86_64/jre/lib/ext/sunpkcs11.jar
>
> And The native library is in
>
> /usr/lib/jvm/java-1.6.0-openjdk.x86_64/jre/lib/amd64/libj2pkcs11.so
>
>
> So it looks like we might have an additional Java implementation of NSS
> available, one that can potentially provide NSS support for Tomcat and
> JBoss via JAAS. It looks like all it requires is a change to the
> configuration file that we ship. I'm not quite sure how we would go
> about doing this in an automated fashion, short of pulling in libnss3 as
> part of Open JDK support. I'm guessing that if we enable it and the nss
> library is missing it errors our in some ugly manner, but I have not
> tested it.

The Fedora java-1.6.0-openjdk package would need to be altered to pass
--enable-nss to configure and to depend on libnss3 (as you say).

I can't remember exactly how it errors out off-hand and I've never had a system
without NSS on to see that on! If you have Firefox, you have NSS.

>
> Is anyone familiar with this code?

I am; I added the support in IcedTea and fix some bugs in the NSS
code upstream (which took forever; the security-dev OpenJDK people
at Oracle are very slow to respond in my experience).

> Would it be acceptable to activate
> this security module by default and to pull in libnss with Java? Is
> there some automated way to enable this if NSS is installed?

Debian and Ubuntu do enable it, and the option is there as a USE flag
in Gentoo. However, an issue did come up regarding it and Firefox:

http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=473

which may be a blocker. As I say, the process of enabling it is just a
two line change in the java-1.6.0-openjdk spec file.

> --
> java-devel mailing list
> java-devel@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/java-devel

--
Andrew

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and IcedTea
http://www.gnu.org/software/classpath
http://icedtea.classpath.org
PGP Key: F5862A37 (https://keys.indymedia.org/)
Fingerprint = EA30 D855 D50F 90CD F54D 0698 0713 C3ED F586 2A37
--
java-devel mailing list
java-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/java-devel
 
Old 10-04-2011, 09:49 PM
Adam Young
 
Default Tomcat, NSS and OpenJDK

On 10/04/2011 04:47 PM, Dr Andrew John Hughes wrote:
> On 20:58 Mon 03 Oct , Adam Young wrote:
>> Tomcat has a class called "Realm" which is basically a way of managing
>> the set of authentication mechanisms. PKI seems To use an older
>> approach which bypasses the Realm config in Tomcat. I started looking
>> at what it would take to close the distance between the two. In doing
>> so, I found something interesting in the openjdk code base:
>>
>> In /usr/lib/jvm/java-1.6.0/jre/lib/security/java.security, there is a
>> section that looks like this:
>> #
>> # List of providers and their preference orders (see above):
>> #
>> security.provider.1=sun.security.provider.Sun
>> security.provider.2=sun.security.rsa.SunRsaSign
>> ...
>> # the NSS security provider was not enabled for this build; it can be
>> enabled
>> # if NSS (libnss3) is available on the machine. The nss.cfg file may need
>> # editing to reflect the location of the NSS installation.
>> #security.provider.9=sun.security.pkcs11.SunPKCS11
>> ${java.home}/lib/security/nss.cfg
>>
> This is added by IcedTea, which can enable NSS support during the build.
> However, from the commenting, it seems the option has not been turned on in the
> Fedora packages.
>
> If you check /usr/lib/jvm/java-1.6.0-openjdk/lib/security/nss.cfg points at
> your NSS install, then uncommenting that line should allow Java to use NSS
> for cryptography.


I did that on my system and got it to work. I also went through the
steps to do it programmatically from Java code:

Class providerClass = Class.forName("sun.security.pkcs11.SunPKCS11");
System.out.print("found class");
Provider provider = (Provider)
providerClass.getConstructor(String.class).newInst ance("/usr/lib/jvm/java-1.6.0-openjdk.x86_64/jre/lib/security/nss.cfg");
Security.addProvider(provider);


I'm sure there is a better approach, this was just the quickest to hack.

>
>> So it seems that Sun had, at least in the past, supported NSS as a
>> Sercurity provider. For the member of the Java team not familiar with
>> NSS (I wasn't) It is the Network Security Services and is the basis for,
>> amongst other things, how Mozilla stores passwords and certificates.
>> PKI makes pretty heavy use of NSS, via the Opensource Java bindings in JSS.
>>
>> This page here has more info:
>>
>> http://download.oracle.com/javase/1.5.0/docs/guide/security/p11guide.html#Intro
>>
>> It seems like the Oracle JDK has had support in the past for NSS as a
>> JAAS module. To close the acronym loop with Tomcat, Tomcat has a JAAS
>> Realm class. What this says to me is that, at one point, Java
>> developers could have configured Tomcat to use NSS as the authentication
>> mechanism for an application.
> AIUI, the JDK implementation just uses NSS to provide cryptography algorithms,
> not authentication.

Hmmm...seems to me that if you can use it to look at and validate a
certificate, you should be able to get the principal from it. But we
are probably going to use LDAP as the JAAS piece anyway, as that is
where all of the Users and ACIs live, so that might be OK. I'm not
certain that it makes sense to get roles out of an NSS database for any
but the smallest applications.

>
>> This class ships in the file:
>>
>> /usr/lib/jvm/java-1.6.0-openjdk.x86_64/jre/lib/ext/sunpkcs11.jar
>>
>> And The native library is in
>>
>> /usr/lib/jvm/java-1.6.0-openjdk.x86_64/jre/lib/amd64/libj2pkcs11.so
>>
>>
>> So it looks like we might have an additional Java implementation of NSS
>> available, one that can potentially provide NSS support for Tomcat and
>> JBoss via JAAS. It looks like all it requires is a change to the
>> configuration file that we ship. I'm not quite sure how we would go
>> about doing this in an automated fashion, short of pulling in libnss3 as
>> part of Open JDK support. I'm guessing that if we enable it and the nss
>> library is missing it errors our in some ugly manner, but I have not
>> tested it.
> The Fedora java-1.6.0-openjdk package would need to be altered to pass
> --enable-nss to configure and to depend on libnss3 (as you say).
>
> I can't remember exactly how it errors out off-hand and I've never had a system
> without NSS on to see that on! If you have Firefox, you have NSS.
>
>> Is anyone familiar with this code?
> I am; I added the support in IcedTea and fix some bugs in the NSS
> code upstream (which took forever; the security-dev OpenJDK people
> at Oracle are very slow to respond in my experience).


Thank you. Very nicely done!
>
>> Would it be acceptable to activate
>> this security module by default and to pull in libnss with Java? Is
>> there some automated way to enable this if NSS is installed?
> Debian and Ubuntu do enable it, and the option is there as a USE flag
> in Gentoo. However, an issue did come up regarding it and Firefox:
>
> http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=473
>
> which may be a blocker. As I say, the process of enabling it is just a
> two line change in the java-1.6.0-openjdk spec file.


Yes, we would want to wait until we had a resolution for that issue. I
hear that a change is coming for NSS due to enough people hitting this,
but I do not know the time frame.



>
>> --
>> java-devel mailing list
>> java-devel@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/java-devel

--
java-devel mailing list
java-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/java-devel
 
Old 10-04-2011, 10:20 PM
John Dennis
 
Default Tomcat, NSS and OpenJDK

On 10/04/2011 04:47 PM, Dr Andrew John Hughes wrote:
> I am; I added the support in IcedTea and fix some bugs in the NSS
> code upstream (which took forever; the security-dev OpenJDK people
> at Oracle are very slow to respond in my experience).

Thank you for doing this work, it's appreciated.

--
John Dennis <jdennis@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
--
java-devel mailing list
java-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/java-devel
 
Old 10-04-2011, 10:27 PM
Andrew Wnuk
 
Default Tomcat, NSS and OpenJDK

Adding Bob and Elio.

On 10/04/2011 02:49 PM, Adam Young wrote:
> On 10/04/2011 04:47 PM, Dr Andrew John Hughes wrote:
>> On 20:58 Mon 03 Oct , Adam Young wrote:
>>> Tomcat has a class called "Realm" which is basically a way of managing
>>> the set of authentication mechanisms. PKI seems To use an older
>>> approach which bypasses the Realm config in Tomcat. I started looking
>>> at what it would take to close the distance between the two. In doing
>>> so, I found something interesting in the openjdk code base:
>>>
>>> In /usr/lib/jvm/java-1.6.0/jre/lib/security/java.security, there is a
>>> section that looks like this:
>>> #
>>> # List of providers and their preference orders (see above):
>>> #
>>> security.provider.1=sun.security.provider.Sun
>>> security.provider.2=sun.security.rsa.SunRsaSign
>>> ...
>>> # the NSS security provider was not enabled for this build; it can be
>>> enabled
>>> # if NSS (libnss3) is available on the machine. The nss.cfg file may
>>> need
>>> # editing to reflect the location of the NSS installation.
>>> #security.provider.9=sun.security.pkcs11.SunPKCS11
>>> ${java.home}/lib/security/nss.cfg
>>>
>> This is added by IcedTea, which can enable NSS support during the build.
>> However, from the commenting, it seems the option has not been turned
>> on in the
>> Fedora packages.
>>
>> If you check /usr/lib/jvm/java-1.6.0-openjdk/lib/security/nss.cfg
>> points at
>> your NSS install, then uncommenting that line should allow Java to
>> use NSS
>> for cryptography.
>
>
> I did that on my system and got it to work. I also went through the
> steps to do it programmatically from Java code:
>
> Class providerClass = Class.forName("sun.security.pkcs11.SunPKCS11");
> System.out.print("found class");
> Provider provider = (Provider)
> providerClass.getConstructor(String.class).newInst ance("/usr/lib/jvm/java-1.6.0-openjdk.x86_64/jre/lib/security/nss.cfg");
> Security.addProvider(provider);
>
>
> I'm sure there is a better approach, this was just the quickest to hack.
>
>>
>>> So it seems that Sun had, at least in the past, supported NSS as a
>>> Sercurity provider. For the member of the Java team not familiar with
>>> NSS (I wasn't) It is the Network Security Services and is the basis
>>> for,
>>> amongst other things, how Mozilla stores passwords and certificates.
>>> PKI makes pretty heavy use of NSS, via the Opensource Java bindings
>>> in JSS.
>>>
>>> This page here has more info:
>>>
>>> http://download.oracle.com/javase/1.5.0/docs/guide/security/p11guide.html#Intro
>>>
>>>
>>> It seems like the Oracle JDK has had support in the past for NSS as a
>>> JAAS module. To close the acronym loop with Tomcat, Tomcat has a JAAS
>>> Realm class. What this says to me is that, at one point, Java
>>> developers could have configured Tomcat to use NSS as the
>>> authentication
>>> mechanism for an application.
>> AIUI, the JDK implementation just uses NSS to provide cryptography
>> algorithms,
>> not authentication.
>
> Hmmm...seems to me that if you can use it to look at and validate a
> certificate, you should be able to get the principal from it. But we
> are probably going to use LDAP as the JAAS piece anyway, as that is
> where all of the Users and ACIs live, so that might be OK. I'm not
> certain that it makes sense to get roles out of an NSS database for
> any but the smallest applications.
>
>>
>>> This class ships in the file:
>>>
>>> /usr/lib/jvm/java-1.6.0-openjdk.x86_64/jre/lib/ext/sunpkcs11.jar
>>>
>>> And The native library is in
>>>
>>> /usr/lib/jvm/java-1.6.0-openjdk.x86_64/jre/lib/amd64/libj2pkcs11.so
>>>
>>>
>>> So it looks like we might have an additional Java implementation of NSS
>>> available, one that can potentially provide NSS support for Tomcat and
>>> JBoss via JAAS. It looks like all it requires is a change to the
>>> configuration file that we ship. I'm not quite sure how we would go
>>> about doing this in an automated fashion, short of pulling in
>>> libnss3 as
>>> part of Open JDK support. I'm guessing that if we enable it and the
>>> nss
>>> library is missing it errors our in some ugly manner, but I have not
>>> tested it.
>> The Fedora java-1.6.0-openjdk package would need to be altered to pass
>> --enable-nss to configure and to depend on libnss3 (as you say).
>>
>> I can't remember exactly how it errors out off-hand and I've never
>> had a system
>> without NSS on to see that on! If you have Firefox, you have NSS.
>>
>>> Is anyone familiar with this code?
>> I am; I added the support in IcedTea and fix some bugs in the NSS
>> code upstream (which took forever; the security-dev OpenJDK people
>> at Oracle are very slow to respond in my experience).
>
>
> Thank you. Very nicely done!
>>
>>> Would it be acceptable to activate
>>> this security module by default and to pull in libnss with Java? Is
>>> there some automated way to enable this if NSS is installed?
>> Debian and Ubuntu do enable it, and the option is there as a USE flag
>> in Gentoo. However, an issue did come up regarding it and Firefox:
>>
>> http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=473
>>
>> which may be a blocker. As I say, the process of enabling it is just a
>> two line change in the java-1.6.0-openjdk spec file.
>
>
> Yes, we would want to wait until we had a resolution for that issue.
> I hear that a change is coming for NSS due to enough people hitting
> this, but I do not know the time frame.
>
>
>
>>
>>> --
>>> java-devel mailing list
>>> java-devel@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/java-devel
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

--
java-devel mailing list
java-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/java-devel
 

Thread Tools




All times are GMT. The time now is 10:52 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org