Migrate legacy JKS/JCEKS security stores to PKCS12 when upgrading from 7.0.x#26109
Open
renatsaf wants to merge 1 commit into
GlassFish 7.1.0+ reads its security stores exclusively as PKCS12 under fixed file names (keystore.p12, cacerts.p12, domain-passwords.p12), but a domain created by 7.0.x or older still contains keystore.jks, cacerts.jks and a JCEKS domain-passwords. SecurityUpgradeService did not convert them, so an upgraded domain could fail to read its stores. Extend SecurityUpgradeService.postConstruct() to detect the legacy stores in <domain>/config and convert them to PKCS12 using the domain master password. The conversion is idempotent (skips when the legacy file is absent or the .p12 target already exists), retains each legacy file as <name>.bak, and fails gracefully without aborting the upgrade. Adds a unit test covering the secret-key JCEKS domain-passwords case. Fixes eclipse-ee4j#26107 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Problem

Commit 096ace25 ("Switching from JKS and JCEKS to PKCS12") changed GlassFish 7.1.0+ to read and write its security stores exclusively in PKCS12 under fixed file names (`keystore.p12`, `cacerts.p12`, `domain-passwords.p12`). A domain created by 7.0.x or older instead contains `keystore.jks`, `cacerts.jks` and a JCEKS `domain-passwords`. `SecurityUpgradeService` upgraded the JACC provider, the JDBC-realm digest, generated policy files and warned on NSS — but never converted the keystores, so an upgraded domain could fail to read its stores. Follow-up requested in PR #26103.

Change

Extend `SecurityUpgradeService.postConstruct()` with a `migrateLegacyKeystores()` step that detects the legacy stores in `<domain>/config` and converts them to PKCS12 under the new names using the domain master password:

- `keystore.jks` → `keystore.p12`
- `cacerts.jks` → `cacerts.p12`
- `domain-passwords` (JCEKS) → `domain-passwords.p12`

Properties:

- Idempotent: skips when the legacy file is absent or the `.p12` target already exists.
- Retains each legacy file as `<name>.bak`.
- Fails gracefully (logs `NCLS-SECURITY-01016/01017/01018` messages), removes any half-written `.p12`, and never aborts the upgrade.
- Uses `java.security.KeyStore` directly (no external `keytool` process) and copies private keys, trusted certificates and secret keys.
- Runs on the `start-domain --upgrade` path. NSS (`.db`) stores remain out of scope (existing warning unchanged). Coordinates with the cluster sync-list fix in #26103 so migrated instances receive the `.p12` files.

Testing

Added `SecurityUpgradeServiceTest` covering the secret-key JCEKS `domain-passwords` case (entries and store type preserved). Module compiles and tests pass locally.

Fixes #26107
🤖 Generated with Claude Code
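The conversion the PR describes (load the legacy JKS/JCEKS store with `java.security.KeyStore`, copy every entry into a PKCS12 store, skip when the target exists, keep the legacy file as `.bak`, and clean up a half-written `.p12` on failure) as an added, stand-alone example. This is not the PR's `migrateLegacyKeystores()` nor any GlassFish code; the class name `LegacyStoreMigrator`, the `migrate(...)` signature and the sample alias and password are assumptions made for the example, and it assumes the legacy store and the new store share one password (the domain master password). The `main` method rebuilds the PR's test scenario: a JCEKS store holding one secret key.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Added example (not the GlassFish project's own code): converts one legacy
 * JKS or JCEKS store to PKCS12 with the properties the PR lists.
 * Assumption: the legacy store and the new store use the same password.
 */
public final class LegacyStoreMigrator {

    private LegacyStoreMigrator() {}

    /**
     * Returns true when a migration was performed, false when it was skipped
     * (legacy file absent, target already present) or failed. Never throws:
     * a failure must not abort the surrounding upgrade.
     */
    public static boolean migrate(Path legacy, String legacyType, Path target, char[] password) {
        if (!Files.isRegularFile(legacy)) {
            return false;                                   // nothing to migrate
        }
        if (Files.exists(target)) {
            return false;                                   // already migrated: idempotent
        }
        Path tmp = target.resolveSibling(target.getFileName() + ".tmp");
        try {
            KeyStore source = KeyStore.getInstance(legacyType);   // "JKS" or "JCEKS"
            try (InputStream in = Files.newInputStream(legacy)) {
                source.load(in, password);                  // wrong master password fails here
            }
            KeyStore dest = KeyStore.getInstance("PKCS12");
            dest.load(null, null);                          // fresh, empty PKCS12 store
            copyEntries(source, dest, password);
            // Write to a temp file first so an interrupted run never leaves a half-written .p12 under the final name.
            try (OutputStream out = Files.newOutputStream(tmp)) {
                dest.store(out, password);
            }
            Files.move(tmp, target, StandardCopyOption.ATOMIC_MOVE);
            // Retain the legacy file as <name>.bak so the operator can roll back.
            Files.move(legacy, legacy.resolveSibling(legacy.getFileName() + ".bak"));
            return true;
        } catch (GeneralSecurityException | IOException e) {
            System.err.println("Could not migrate " + legacy + " to PKCS12, leaving it in place: " + e);
            try { Files.deleteIfExists(tmp); } catch (IOException ignore) { }   // remove any partial output
            return false;
        }
    }

    private static void copyEntries(KeyStore source, KeyStore dest, char[] password)
            throws GeneralSecurityException {
        KeyStore.PasswordProtection prot = new KeyStore.PasswordProtection(password);
        for (Enumeration<String> e = source.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (source.isCertificateEntry(alias)) {
                dest.setCertificateEntry(alias, source.getCertificate(alias));   // trusted certs (cacerts)
            } else {
                // PrivateKeyEntry (key + chain) and JCEKS SecretKeyEntry both go through getEntry/setEntry;
                // the JDK PKCS12 implementation stores secret keys as password-protected entries.
                KeyStore.Entry entry = source.getEntry(alias, prot);
                dest.setEntry(alias, entry, prot);
            }
        }
    }

    // Stand-alone demo mirroring the PR's test case: a JCEKS domain-passwords store with one secret key.
    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("gf-migrate");
        char[] pw = "changeit".toCharArray();               // constructed sample password, not a real one
        Path legacy = dir.resolve("domain-passwords");
        KeyStore jceks = KeyStore.getInstance("JCEKS");
        jceks.load(null, null);
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        jceks.setEntry("sample-alias", new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(pw));
        try (OutputStream out = Files.newOutputStream(legacy)) { jceks.store(out, pw); }

        Path target = dir.resolve("domain-passwords.p12");
        System.out.println("first run migrated: " + migrate(legacy, "JCEKS", target, pw));
        System.out.println("second run skipped: " + !migrate(legacy, "JCEKS", target, pw));

        KeyStore p12 = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(target)) { p12.load(in, pw); }
        System.out.println("secret key preserved in PKCS12: " + p12.isKeyEntry("sample-alias"));
        System.out.println("legacy retained as .bak: " + Files.exists(dir.resolve("domain-passwords.bak")));
    }
}
```

Two points worth checking in a real migration that this example makes visible: a wrong master password surfaces as an `IOException` from `KeyStore.load`, which the catch block turns into a skipped (not aborted) migration with the legacy file untouched; and the second `migrate` call returns false because the legacy file has been renamed to `.bak` and the `.p12` exists, which is the idempotence the PR relies on when `start-domain --upgrade` runs more than once.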