users@glassfish.java.net

Re: Installation/asadmin create-domain -- keytool gives error

From: Mark Martin <storycrafter_at_gmail.com>
Date: Sat, 23 Jun 2007 14:27:45 -0500

Looks like, as it turns out, it's a function of the Sun PKCS#11 crypto
provider deferring to using the UltraSPARC T1 hardware crypto acceleration
on the T2000 boxes
(http://java.sun.com/developer/technicalArticles/xml/dig_signatures/).

Looks like it's a configuration issue preventing me from using the RSA key
algorithm (with either MD5 or SHA1 signing) -- by default those key-signing
algos are "disabled" in the software provider since JDK 1.5, which means
the software provider defers to using the hardware crypto providers present
in the kernel/UltraSPARC T1. I'll post a follow-up if I can get the issue
figured out.

Meanwhile, crash course in hardware cryptography providing continues...

FWIW, both T2000s are pretty stock with very few configuration changes
aside from basic Blastwave package additions. I'm surprised others haven't
had this issue on this hardware.

On 6/23/07, Mark Martin <storycrafter_at_gmail.com> wrote:
>
> Interestingly, if I change the key algorithm to DSA, it works as
> expected. I see that the signing algorithm was changed from MD5withRSA to
> SHA1withRSA in JDK 1.6
> (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6560733). This does
> little to explain why I was having the issue with 1.5_06, though.
>
> I will continue to play with keytool and find out why it is unable to
> verify signatures when using the RSA key algorithm (or SHA1withRSA signing)
> on 2 different sparc Solaris 10 boxen with 3 different JDK versions.
>
> Thanks,
> Mark
>
>


-- 
------------------------------------------------------
Born to the false world, the wanderer,
Storyteller, The Pied Piper
On a quest for immortality
Gathering a troop to find the fantasy
-- Nightwish
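
Added example (not part of the original message, and not code from GlassFish or the JDK): a small diagnostic for the situation described in this thread. It reports which JCA provider the JVM picks by default for the signature algorithms mentioned, then runs a sign/verify round trip on every installed provider that offers each one. The class name `ProviderCheck` and the test message are made up for illustration.

```java
import java.security.*;

// Added diagnostic example: shows which JCA provider serves each algorithm
// named in the thread and whether signing and verifying works on it.
public class ProviderCheck {

    // Sign and then verify a constructed message using one specific provider.
    static boolean roundTrip(KeyPair kp, String sigAlg, Provider p)
            throws GeneralSecurityException {
        byte[] msg = "constructed test message".getBytes();
        Signature signer = Signature.getInstance(sigAlg, p);
        signer.initSign(kp.getPrivate());
        signer.update(msg);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance(sigAlg, p);
        verifier.initVerify(kp.getPublic());
        verifier.update(msg);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // {key algorithm, signature algorithm} pairs mentioned in the thread.
        String[][] cases = {
            {"RSA", "MD5withRSA"}, {"RSA", "SHA1withRSA"}, {"DSA", "SHA1withDSA"}
        };
        for (String[] c : cases) {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance(c[0]);
            kpg.initialize(1024); // throwaway diagnostic keys, not for real certificates
            KeyPair kp = kpg.generateKeyPair();
            System.out.println(c[1]
                + ": default signature provider = "
                + Signature.getInstance(c[1]).getProvider().getName()
                + ", key generator provider = " + kpg.getProvider().getName());

            // Try every installed provider that advertises this signature algorithm.
            for (Provider p : Security.getProviders()) {
                if (p.getService("Signature", c[1]) == null) continue;
                try {
                    System.out.println("  " + p.getName() + ": verify=" + roundTrip(kp, c[1], p));
                } catch (Exception e) {
                    // A provider may reject keys it did not create, or fail outright.
                    System.out.println("  " + p.getName() + ": FAILED (" + e + ")");
                }
            }
        }
    }
}
```

A provider that prints `verify=false` or `FAILED` for the RSA algorithms while DSA succeeds points at that provider, rather than at keytool, as the place to look.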