OpenIDM
OPENIDM-14326

IDM unnecessarily writes to keystore and truststore


    Details

    • Story Points: 2
    • Sprint: 2020.04 - IDM

      Description

      This issue is observed both with the IDM-populated keystore and with a pre-prepared external keystore.

      To reproduce this issue:

      1. Start up a new IDM instance

      2. Observe the timestamp of the keystore file

      [ security]$ ls -l
      total 104
      -rw-------. 1 fg fg  8121 Feb  3 13:36 keystore.jceks
      -rw-------. 1 fg fg     8 Jan 31 18:57 keystorepass
      -rw-------. 1 fg fg   140 Jan 31 18:57 realm.properties
      -rw-------. 1 fg fg     8 Jan 31 18:57 storepass
      -rw-------. 1 fg fg 82578 Feb  3 13:36 truststore
      

      3. Shut down the instance; the timestamps remain the same.

      4. Wait one minute. Start the instance again.

      [ openidm]$ date
      Mon Feb  3 13:37:33 +08 2020
      [ openidm]$ ./startup.sh
      Executing ./startup.sh...
      Using OPENIDM_HOME:   /opt/fg/idm700/openidm
      Using PROJECT_HOME:   /opt/fg/idm700/openidm
      Using OPENIDM_OPTS:   -Xmx2048m -Xms2048m
      Using LOGGING_CONFIG: -Djava.util.logging.config.file=/opt/fg/idm700/openidm/conf/logging.properties
      -> OpenIDM version "7.0.0-SNAPSHOT" (build: 20200131185751, revision: bee135c) jenkins-OpenIDM-build-master-1615
      OpenIDM ready
      

      5. The keystore timestamp is updated, and so is the truststore's. Only the timestamps change; the actual keys and certificates in the keystores remain unchanged.

      [ security]$ ls -l
      total 104
      -rw-------. 1 fg fg  8121 Feb  3 13:37 keystore.jceks
      -rw-------. 1 fg fg     8 Jan 31 18:57 keystorepass
      -rw-------. 1 fg fg   140 Jan 31 18:57 realm.properties
      -rw-------. 1 fg fg     8 Jan 31 18:57 storepass
      -rw-------. 1 fg fg 82578 Feb  3 13:37 truststore
      

      6. Set the file keystore.jceks to read-only. IDM starts with three "Unable to store keystore" errors. Here is one example:

      [ openidm]$ ./startup.sh
      Executing ./startup.sh...
      Using OPENIDM_HOME:   /opt/fg/idm700/openidm
      Using PROJECT_HOME:   /opt/fg/idm700/openidm
      Using OPENIDM_OPTS:   -Xmx2048m -Xms2048m
      Using LOGGING_CONFIG: -Djava.util.logging.config.file=/opt/fg/idm700/openidm/conf/logging.properties
      [14] Feb 03, 2020 1:41:12.146 PM org.forgerock.openidm.secrets.keystore.SecretInjector lambda$store$0
      SEVERE: Unable to store keystore
      java.io.FileNotFoundException: /opt/fg/idm700/openidm/security/keystore.jceks (Permission denied)
      	at java.io.FileOutputStream.open0(Native Method)
      	at java.io.FileOutputStream.open(FileOutputStream.java:270)
      	at java.io.FileOutputStream.<init>(FileOutputStream.java:213)
      	at java.io.FileOutputStream.<init>(FileOutputStream.java:162)
      	at org.forgerock.openidm.secrets.keystore.SecretInjector.lambda$store$0(SecretInjector.java:101)
      	at java.util.HashMap$ValueSpliterator.forEachRemaining(HashMap.java:1628)
      	at java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:647)
      	at org.forgerock.openidm.secrets.keystore.SecretInjector.store(SecretInjector.java:100)
      	at org.forgerock.openidm.secrets.config.Secrets.injectSecretsIfNecessary(Secrets.java:77)
      	at org.forgerock.openidm.secrets.config.Secrets.asSecretsProvider(Secrets.java:57)
      	at org.forgerock.openidm.secrets.impl.DefaultSecretsService.activate(DefaultSecretsService.java:114)
      	at org.forgerock.openidm.secrets.factory.SecretsServiceFactory.initialize(SecretsServiceFactory.java:56)
      	at org.forgerock.openidm.secrets.factory.SecretsServiceFactory.getService(SecretsServiceFactory.java:32)
      	at org.forgerock.openidm.crypto.factory.CryptoServiceFactory.getInstance(CryptoServiceFactory.java:41)
      	at org.forgerock.openidm.datasource.jdbc.JDBCDataSourceServiceFactory.<init>(JDBCDataSourceServiceFactory.java:62)
      	at org.forgerock.openidm.datasource.jdbc.Activator.start(Activator.java:44)
      	at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:698)
      	at org.apache.felix.framework.Felix.activateBundle(Felix.java:2402)
      	at org.apache.felix.framework.Felix.startBundle(Felix.java:2308)
      	at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1539)
      	at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
      	at java.lang.Thread.run(Thread.java:748)
      
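      The reproduction above relies on comparing file timestamps by eye and then trusting that the keystore contents did not change. The following script is an added example (not part of this issue or of the OpenIDM code base) that makes that check explicit: it snapshots the mtime and SHA-256 of the files in the security directory before a restart and classifies each file afterwards as unchanged, rewritten with identical content (the behaviour reported here), or actually changed. The file names keystore.jceks and truststore are taken from the listing in the issue; the demo() function builds a temporary directory with constructed sample bytes and simulates a restart, so it runs offline.

```python
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# File names as they appear in the issue's security/ listing.
KEYSTORE_FILES = ("keystore.jceks", "truststore")


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(security_dir, names=KEYSTORE_FILES):
    """Record mtime, size and content hash for each keystore file that exists."""
    out = {}
    for name in names:
        p = Path(security_dir) / name
        if p.is_file():
            st = p.stat()
            out[name] = {
                "mtime_ns": st.st_mtime_ns,
                "size": st.st_size,
                "sha256": sha256_of(p),
            }
    return out


def classify(before, after):
    """Compare two snapshots and return {name: verdict}.

    Verdicts: 'unchanged' (same mtime, same hash),
              'rewritten-same-content' (mtime moved, hash identical: a needless write),
              'content-changed' (hash differs: keys or certificates really changed),
              'missing' (file gone after the restart).
    """
    verdicts = {}
    for name, b in before.items():
        a = after.get(name)
        if a is None:
            verdicts[name] = "missing"
        elif a["sha256"] != b["sha256"]:
            verdicts[name] = "content-changed"
        elif a["mtime_ns"] != b["mtime_ns"]:
            verdicts[name] = "rewritten-same-content"
        else:
            verdicts[name] = "unchanged"
    return verdicts


def demo():
    """Simulate the restart described in the issue on constructed files."""
    root = Path(tempfile.mkdtemp(prefix="idm-security-demo-"))
    # Constructed sample bytes; these are not real keystore contents.
    ks = root / "keystore.jceks"
    ts = root / "truststore"
    ks.write_bytes(b"\xce\xce\xce\xce constructed keystore bytes")
    ts.write_bytes(b"\xfe\xed\xfe\xed constructed truststore bytes")
    before = snapshot(root)

    # The keystore is rewritten byte-for-byte "one minute later" (mtime bumped
    # explicitly so the result does not depend on filesystem timestamp granularity).
    ks.write_bytes(ks.read_bytes())
    later = before["keystore.jceks"]["mtime_ns"] + 60 * 10**9
    os.utime(ks, ns=(later, later))
    # The truststore, by contrast, genuinely gains content.
    ts.write_bytes(ts.read_bytes() + b" + constructed new certificate")

    return classify(before, snapshot(root))


if __name__ == "__main__":
    # Real use: python3 keystore_check.py /opt/openidm/security before.json
    # once before shutdown and once after startup, then compare; the demo
    # below just shows the classification on constructed files.
    if len(sys.argv) > 1:
        for name, info in snapshot(sys.argv[1]).items():
            print(name, info["mtime_ns"], info["sha256"])
    else:
        for name, verdict in demo().items():
            print(f"{name}: {verdict}")
```

      A 'rewritten-same-content' verdict is exactly the symptom reported here: the write is harmless to the key material but it defeats timestamp-based integrity monitoring and fails outright on a read-only keystore, as step 6 shows. The 'content-changed' verdict is the one a file-integrity alert should actually fire on.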

              People

              Assignee:
              cgdrake Chris Drake
              Reporter:
              yinyan.cao Yinyan Cao
              QA Assignee:
              Scott McCollough Scott McCollough
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue
