dev@glassfish.java.net

Proposal for adding JKS support for GlassFish v2 EE

From: Shing Wai Chan <Shing-Wai.Chan_at_Sun.COM>
Date: Wed, 16 Aug 2006 12:36:02 -0700

In the current GlassFish v2 EE (which is the cluster mode that is available
starting with build b12), NSS is used as storage for certificates and
private keys. NSS is a native library that is not available on all
platforms. This limits our reach to other platforms like Mac. Our goal
is to move away from the native library but still provide the same
functionality. We propose to switch to JKS (supported by the JDK) in
GlassFish EE v2. We will support both NSS and JKS, but JKS would be the
default option. NSS would not be bundled by default, and for the NSS option
to work, some manual steps will be required. This enables us to reach a
wider range of users and also simplifies dependencies.

The following is the list of proposed changes (at a high level):
- The admin CLI will need to provide an option to indicate whether we should
  use NSS or JKS as certificate storage for domain creation.
  By default, a domain with JKS will be created.
  The selection is made only at domain creation time. Once a domain is
  created, we will not support changing the certificate storage type.
- Synchronization may need to be updated for this change.
- The security runtime will initialize NSS or JKS accordingly.

Please let me know if you have comments/suggestions/concerns.

Regards,
  Shing Wai Chan