users@glassfish.java.net

Keystore passwords not defined as JVM properties

From: Major Péter <majorpetya_at_sch.bme.hu>
Date: Fri, 11 Jan 2013 15:30:20 +0000

Hi,

I have an application running fine in GlassFish v3.1.2, but that app would like to use the Grizzly framework to make outgoing connections to SSL protected resources (LDAPS in this case), but the code fails horribly at the very bottom of Grizzly:
java.lang.IllegalStateException: KeyManagerFactoryImpl is not initialized
    at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl.engineGetKeyManagers(KeyManagerFactoryImpl.java:30)
    at javax.net.ssl.KeyManagerFactory.getKeyManagers(KeyManagerFactory.java:272)
    at org.glassfish.grizzly.ssl.SSLContextConfigurator.createSSLContext(SSLContextConfigurator.java:601)
    at org.glassfish.grizzly.ssl.SSLFilter.<init>(SSLFilter.java:130)

What happens is that Grizzly does not seem to like the fact that the
-Djavax.net.ssl.keystore
-Djavax.net.ssl.truststore
JVM properties are set in the domain, but the corresponding password properties are missing. And it blows up with (on FINE level of course…):
[#|2013-01-11T14:39:22.791+0000|FINE|glassfish3.1.2|org.glassfish.grizzly.ssl.SSLContextConfigurator|_ThreadID=21;_ThreadName=Thread-3;ClassName=org.glassfish.grizzly.ssl.SSLContextConfigurator;MethodName=createSSLContext;|Key store unrecoverable exception.
java.security.UnrecoverableKeyException: Password must not be null
    at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:107)
    at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
    at java.security.KeyStore.getKey(KeyStore.java:763)
    at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:113)
    at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:48)
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)

I know that the keystore passwords are actually the same as the GlassFish master password, but I don't know how to explain this to Grizzly. Right now I set the password JVM properties in domain.xml and Grizzly is happy, but I wonder if there is a better way to deal with this.
The question for GlassFish gurus: shouldn't GlassFish set these JVM properties with the master password during config? Seems like having only the paths defined for the keystores is breaking JSSE.

Any thoughts welcome.

Thanks,
Peter
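The failure in the post is a JSSE one rather than a Grizzly one: SunX509KeyManagerImpl calls KeyStore.getKey with the password that KeyManagerFactory.init received, and the JSSE defaults take that password from javax.net.ssl.keyStorePassword, so a domain that sets only the javax.net.ssl.keyStore and javax.net.ssl.trustStore paths leaves the key manager half-initialized. The following is an added example, not code from the poster, from GlassFish or from Grizzly. It first checks for exactly that half-configured state (path property set, password property absent) so the problem is reported before any TLS connection is attempted, and then builds an SSLContext with explicit passwords instead of relying on the JVM properties at all. The password source (the KEYSTORE_PASS environment variable) is a placeholder for whatever the deployment uses; the post says the real value is the GlassFish master password, which this code does not know how to obtain. Handing the resulting SSLContext to Grizzly instead of letting it read system properties is an assumption about Grizzly's configuration surface and is not shown here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ExplicitSslContext {

    /**
     * Detect the state described in the post: a store path is configured through
     * the javax.net.ssl.* properties but the matching password property is not.
     * Returns the name of the first missing password property, or null if the
     * configuration is consistent. Only the key store password is mandatory for
     * JSSE (private keys cannot be read without it); a missing trust store
     * password merely skips the integrity check, so it is reported as a warning.
     */
    static String findMissingPasswordProperty() {
        String[][] pairs = {
            {"javax.net.ssl.keyStore",   "javax.net.ssl.keyStorePassword"},
            {"javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword"},
        };
        for (String[] p : pairs) {
            if (System.getProperty(p[0]) != null && System.getProperty(p[1]) == null) {
                return p[1];
            }
        }
        return null;
    }

    /** Load a JKS store from disk; password may be null for a trust store. */
    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Build an SSLContext with the passwords passed in explicitly, so nothing in
     * the JSSE default path has to consult javax.net.ssl.*Password properties.
     */
    static SSLContext build(String keyStorePath, char[] keyStorePass,
                            String trustStorePath, char[] trustStorePass) throws Exception {
        KeyStore ks = loadStore(keyStorePath, keyStorePass);
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // This is the call that fails with "Password must not be null" when the
        // password is absent; passing it explicitly avoids that.
        kmf.init(ks, keyStorePass);

        KeyStore ts = loadStore(trustStorePath, trustStorePass);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String missing = findMissingPasswordProperty();
        if (missing != null) {
            // Surface the misconfiguration at INFO/WARNING level rather than
            // leaving it to a FINE-level log deep inside the TLS stack.
            System.err.println("WARNING: " + missing
                + " is not set; JSSE defaults cannot unlock the configured store");
        }

        // Placeholder password source (constructed for this example): in a real
        // deployment read it from a permission-restricted file or a secret store,
        // never hard-code it in domain.xml or log it.
        String envPass = System.getenv("KEYSTORE_PASS");
        if (envPass == null) {
            throw new IllegalStateException("KEYSTORE_PASS not provided (example placeholder)");
        }
        char[] pass = envPass.toCharArray();
        try {
            SSLContext ctx = build(System.getProperty("javax.net.ssl.keyStore"), pass,
                                   System.getProperty("javax.net.ssl.trustStore"), pass);
            System.out.println("SSLContext ready: " + ctx.getProtocol());
        } finally {
            // Wipe the password from memory once the key managers hold the keys.
            Arrays.fill(pass, '\0');
        }
    }
}
```

Running the check at startup turns the silent FINE-level "Key store unrecoverable exception" into an immediate, visible warning, and building the context explicitly means the password never has to live in a JVM system property where every thread and every library in the domain can read it.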