Closed cmgrote closed 3 years ago
This looks bad:
Caused by: java.io.IOException: Invalid keystore format
How are you invoking the chassis?
I've been using zuul locally, ubuntu openjdk, & the Redhat UBI in containers, but not J9 recently - I have experienced rather a few issues in the past. In each case I've raised an issue with the openJ9 team who have been able to investigate, but because of this I've not been running with J9 locally. Though not aware of other outstanding issues.
Does it fail entirely with our format of keystore? Java keystores can be in jks format or p12 - we're using the latter as more standard/cross platform - is it specific to that?
Is this just an IBM JDK issue, or is it openJ9 generally? Can you try with JDKs from adoptopenjdk.net - what happens with 8? 11? 15?
I see an interesting entry in the stack trace
at com.ibm.crypto.provider.JavaKeyStore.engineLoad(Unknown Source) ~[ibmjceprovider.jar:8.0 build_20210113-389]
not sure if that appears in openj9? I think it's an IBM extension.
I see a recent change (not this issue - but in that area) as per https://www.ibm.com/support/pages/apar/IJ04911
This looks like an IBM JVM issue - if you can reproduce a 'hello world' example with our .p12 I think it worth forwarding to their support?
Also I am not familiar with the plugin providers - i.e. in terms of whether we've done anything wrong
Finally certs are replaceable, and in a real environment the self-signed ones shipped with egeria would not be used in any case
This is a Java 7 article -> https://www.ibm.com/support/knowledgecenter/en/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/keytoolDocs/supportedkeystoretypes.html but this, and other articles indicate there may be some incompatibility even in pkcs12 keystores
There is indeed one use of 'keytool' (openjdk) in the process to generate the certs. Specifically the stage to create the truststore. I had been trying to use openssl tool for all steps but couldn't get that step as I wanted so used keytool instead (which most docs refer to in any case). I wasn't aware of compatibility issues as it's java.... That could be where an issue crept in.
One could run the 'gensamplecerts.sh' using the IBM jdk locally in the environment where you are running egeria, and see if those certs work ok. Also be interesting to see the response from the JDK team
If so, I wouldn't suggest we check these in, but I can look again at removing the keytool invocation and just using openssl
Only logged for posterity -- I'm not using this JDK, and the original reporter was happy to switch to another. So suggest we keep the issue to poll if anyone actually uses / plans to use this JDK, but otherwise do not believe we need to actively work on anything to progress it.
If we don't have a current plan to fix, we could close. I do agree recording it as an issue is really helpful if someone else hits the issue - it can be reopened in future if required
It appears that if attempting to use the IBM J9 JDK (here specifically version
Java(TM) SE Runtime Environment (build 8.0.6.25 - pxa6480sr6fp25-20210115_01(SR6 FP25))
) the truststore cannot be loaded. This appears to be an issue with the IBM JDK, as we have not been able to reproduce it with any other. If there are any users of this JDK please let us know any suggestions on resolving it (obviously without breaking any of the others) -- otherwise capturing here primarily for reference. If you run into this error and do not need to use the IBM JDK, we would suggest using another (OpenJDK, etc).
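The 'hello world' reproducer suggested earlier in the thread, written as an added example (not Egeria's own code): it loads a PKCS12 truststore outside the chassis and prints which KeyStore provider answered, so the "Invalid keystore format" failure can be isolated to the JDK and forwarded to its vendor. The file path and password are assumed to be passed as command-line arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;

// Minimal standalone reproducer: load a .p12 truststore and list its entries.
// Usage: java TruststoreCheck <path-to-truststore.p12> <password>
public class TruststoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: TruststoreCheck <truststore.p12> <password>");
            System.exit(2);
        }
        String path = args[0];                 // assumed: truststore path from the command line
        char[] password = args[1].toCharArray(); // assumed: truststore password from the command line

        // Record the runtime so the result can be compared across JDKs (8/11/15, OpenJ9, IBM).
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));

        // Show which provider(s) will serve a KeyStore.PKCS12 request on this JDK;
        // on the IBM JDK this is where the com.ibm.crypto.provider entry from the trace shows up.
        Provider[] providers = Security.getProviders("KeyStore.PKCS12");
        if (providers == null) {
            System.out.println("no provider registered for KeyStore.PKCS12");
        } else {
            for (Provider p : providers) {
                System.out.println("PKCS12 provider: " + p.getName());
            }
        }

        // Ask explicitly for PKCS12 rather than KeyStore.getDefaultType(), so the outcome
        // does not depend on the JDK's keystore.type setting (jks on older JDKs).
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password); // "Invalid keystore format" surfaces here on an unsupported JDK
        }
        System.out.println("Loaded " + ks.size() + " entries via provider " + ks.getProvider().getName());
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println("  " + alias + " (certificate entry: " + ks.isCertificateEntry(alias) + ")");
        }
    }
}
```

Run it once with the truststore produced by gensamplecerts.sh under the failing IBM JDK and once under an OpenJDK build; if only the former throws at ks.load(), the keystore file itself is not at fault.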