OpenAM issue OPENAM-16936

Tree nodes create new keystore object each time node is called.


    Details

    • Sprint:
      AM Sustaining Sprint 79, AM Sustaining Sprint 80
    • Story Points:
      3
    • Needs backport:
      No
    • Support Ticket IDs:
    • Functional tests:
      No

      Description

      Bug description

      When, for example, the persistent cookie node is used, the node decrypts a Pcookie and needs to read the encryption key from the keystore. Every time it reads the key it creates a new Keystore object, so a single check causes many open, read, close operations on the keystore file.

      Note: this does not happen for Auth Modules.

      How to reproduce the issue

      1. Set up a tree with a set persistent cookie node
      2. Set up a tree with a persistent cookie decision node
      3. Watch the keystore:  inotifywait --monitor --timefmt '%F %T' --format '%T %w %e' keystore.jceks
      4. Authn against the first tree to get a Pcookie JWT
      5. Authn against the tree with the Pcookie decision node and observe a further series of open, read, close operations


      Below is the inotifywait output for one call to the persistent cookie decision node, during which the getPrivateAuthKey() method is called three times.


      2020-10-16 01:01:55 /home/fr/am/am/keystore.jceks OPEN
      2020-10-16 01:01:55 /home/fr/am/am/keystore.jceks ACCESS
      2020-10-16 01:01:55 /home/fr/am/am/keystore.jceks CLOSE_NOWRITE,CLOSE
      2020-10-16 01:02:00 /home/fr/am/am/keystore.jceks OPEN
      2020-10-16 01:02:00 /home/fr/am/am/keystore.jceks ACCESS
      2020-10-16 01:02:00 /home/fr/am/am/keystore.jceks CLOSE_NOWRITE,CLOSE
      2020-10-16 01:02:00 /home/fr/am/am/keystore.jceks OPEN
      2020-10-16 01:02:00 /home/fr/am/am/keystore.jceks ACCESS
      2020-10-16 01:02:00 /home/fr/am/am/keystore.jceks CLOSE_NOWRITE,CLOSE
      2020-10-16 01:02:05 /home/fr/am/am/keystore.jceks OPEN
      2020-10-16 01:02:05 /home/fr/am/am/keystore.jceks ACCESS
      2020-10-16 01:02:05 /home/fr/am/am/keystore.jceks CLOSE_NOWRITE,CLOSE
      2020-10-16 01:02:05 /home/fr/am/am/keystore.jceks OPEN
      2020-10-16 01:02:05 /home/fr/am/am/keystore.jceks ACCESS
      2020-10-16 01:02:05 /home/fr/am/am/keystore.jceks CLOSE_NOWRITE,CLOSE

      Expected behaviour
      Reference a cached keystore instead of reading from disk each time.
      Current behaviour
      Reads from disk multiple times per call.

      Workaround

      Use authentication modules

      Code analysis

      org.forgerock.openam.auth.nodes.AuthKeyFactory
      public Key getPrivateAuthKey(AMKeyProvider amKeyProvider, String orgName) throws FileNotFoundException,
              SSOException, SMSException {
          logger.debug("getPrivateAuthKey method started");
          String keyAlias = getKeyAlias(orgName);
          logger.debug("keyAlias {}", keyAlias);
          final KeyStore keyStore = new KeyStoreBuilder()
                  .withKeyStoreFile(amKeyProvider.getKeystoreFilePath())
                  .withPassword(amKeyProvider.getKeystorePass())
                  .withKeyStoreType(amKeyProvider.getKeystoreType())
                  .build();
          logger.debug("Keystore built successfully");
          return new KeyStoreManager(keyStore).getPrivateKey(keyAlias, amKeyProvider.getPrivateKeyPass());
      }
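A cached alternative to the per-call KeyStoreBuilder construction shown above, added here as an example and not OpenAM code: the loader keeps one KeyStore per file path and reloads only when the file's modification time changes, then counts how many of three consecutive key lookups actually touch the disk. The class name, the JCEKS sample file and the "test-alias" key are constructed for the example.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.crypto.spec.SecretKeySpec;

// Assumed design (not OpenAM code): one KeyStore per path, reloaded only when the file's mtime changes.
public final class CachedKeyStoreLoader {
    private static final class Cached { final KeyStore keyStore; final long lastModified;
        Cached(KeyStore k, long m) { keyStore = k; lastModified = m; } }
    private final ConcurrentHashMap<Path, Cached> cache = new ConcurrentHashMap<>();
    final AtomicInteger diskLoads = new AtomicInteger(); // counts real open/read/close cycles

    public KeyStore load(Path file, String type, char[] password) throws IOException, GeneralSecurityException {
        long mtime = Files.getLastModifiedTime(file).toMillis(); // a stat() call, not an open
        Cached hit = cache.get(file);
        if (hit != null && hit.lastModified == mtime) {
            return hit.keyStore; // cache hit; a rotated keystore changes mtime and misses
        }
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(file.toFile())) {
            ks.load(in, password); // the only place the file is actually read
        }
        diskLoads.incrementAndGet();
        cache.put(file, new Cached(ks, mtime)); // two threads missing at once both load; harmless
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a throwaway JCEKS file with one AES key stands in for keystore.jceks.
        char[] pw = "changeit".toCharArray();
        Path file = Files.createTempFile("keystore", ".jceks");
        KeyStore seed = KeyStore.getInstance("JCEKS");
        seed.load(null, pw);
        seed.setEntry("test-alias", new KeyStore.SecretKeyEntry(new SecretKeySpec(new byte[16], "AES")),
                new KeyStore.PasswordProtection(pw));
        try (FileOutputStream out = new FileOutputStream(file.toFile())) { seed.store(out, pw); }
        CachedKeyStoreLoader loader = new CachedKeyStoreLoader();
        for (int i = 0; i < 3; i++) { // the three key lookups seen in one decision-node call
            loader.load(file, "JCEKS", pw).getKey("test-alias", pw);
        }
        System.out.println("disk loads for 3 lookups: " + loader.diskLoads.get());
        Files.delete(file);
    }
}
```

Modification-time resolution is filesystem dependent, so a keystore rotated within the same timestamp tick would not be picked up; comparing file size or a content digest alongside mtime closes that gap.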
            People

            Assignee:
            jonthomas Jonathan Thomas
            Reporter:
            anthony.harrison Anthony Harrison
            Votes:
            2
            Watchers:
            9
