Bug Report: keystore/truststore JVM Option might not be fully implemented /FISH-7793
Brief Summary
I have tested the JVM Options javax.net.ssl.keyStore, javax.net.ssl.trustStore to use a centralized keystore for multiple domains. This feature is interesting because the app uses certificates from the truststore, keys from the keystore, to sign/encrypt messages.
In the app, I changed it so that every access to the keystore/truststore will be made by using the specified path in the jvm options.
To test my app, I removed the default keystore and truststore.
Expected Outcome
The payara domain works without the default keystore/truststore if the option specifying a different location is set. It does not ask for a masterpassword.
Current Outcome
The payara domain fails to start, asking for a masterpassword. Even when explicitly setting the password beforehand, the masterpassword doesn't work.
To my understanding, the masterpassword is also the password securing the keystore/truststore. My thinking is that it tries to decrypt the default key/truststore, which don't exist, and therefore it fails.
Reproducer
- create payara domain
- create a copy of the domain's keystore, truststore and point the jvm options javax.net.ssl.keyStore and javax.net.ssl.trustStore to the corresponding location (in which payara has permissions to read/write)
- optional: set a masterpassword (asadmin change-master-password)
- up until now, everything works fine
- remove default keystore, truststore
- stop domain and start it again
- on start, it asks for a masterpassword
Operating System
Ubuntu Server 20.04
JDK Version
OpenJDK 1.8.0_262-b10
Payara Distribution
Payara Server Full Profile
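A pre-start check for the setup in the reproducer above, as an added example that is not part of the original report or of Payara's code: it reads the two options from a domain.xml and reports where each one points, whether that file is readable, and whether it lies outside the domain's config directory. The sample domain.xml, the `server-config` name, the `${com.sun.aas.instanceRoot}` substitution and all paths are constructed assumptions.

```python
import os
import re
import xml.etree.ElementTree as ET

STORE_OPTS = ("javax.net.ssl.keyStore", "javax.net.ssl.trustStore")
ROOT_TOKEN = "${com.sun.aas.instanceRoot}"

# Constructed sample, not taken from the report: a trimmed domain.xml.
SAMPLE_DOMAIN_XML = """<domain><configs><config name="server-config"><java-config>
  <jvm-options>-Djavax.net.ssl.keyStore=/opt/central-stores/keystore.jks</jvm-options>
  <jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/truststore.jks</jvm-options>
  <jvm-options>-Xmx512m</jvm-options>
</java-config></config></configs></domain>"""


def store_options(domain_xml, instance_root, config="server-config"):
    """Map each store option set in the named config to its resolved path."""
    xpath = f".//config[@name='{config}']/java-config/jvm-options"
    found = {}
    for el in ET.fromstring(domain_xml).findall(xpath):
        m = re.fullmatch(r"-D([\w.]+)=(.+)", (el.text or "").strip())
        if m and m.group(1) in STORE_OPTS:
            found[m.group(1)] = m.group(2).replace(ROOT_TOKEN, instance_root)
    return found


def check_stores(domain_xml, instance_root, config="server-config"):
    """Per option: resolved path, readability, and whether it is outside <root>/config."""
    config_dir = os.path.realpath(os.path.join(instance_root, "config"))
    paths = store_options(domain_xml, instance_root, config)
    report = {}
    for opt in STORE_OPTS:
        path = paths.get(opt)
        if path is None:  # option not set in this config
            report[opt] = {"path": None, "readable": False, "external": False}
            continue
        real = os.path.realpath(path)
        report[opt] = {
            "path": path,
            "readable": os.path.isfile(real) and os.access(real, os.R_OK),
            "external": os.path.commonpath([real, config_dir]) != config_dir,
        }
    return report


if __name__ == "__main__":
    # Hypothetical instance root; replace with the real domain directory.
    for opt, info in check_stores(SAMPLE_DOMAIN_XML, "/opt/payara/domains/domain1").items():
        print(opt, info)
```

Running it before removing the default stores confirms that the account starting the domain can actually read the files the options name.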
Hi @docktordreh,
It is uncertain whether or not this use case is supported. I have raised an investigation under FISH-7793 and we will proceed from there.