From: Markus K. <ma...@pr...> - 2012-07-30 08:45:51
Hi Antoine,

See answers below.

On 2012-07-28 23:24, Antoine Louiset wrote:
> Hi Markus,
>
> The p12 directory seems to be used to set truststore certificates for
> JBoss (see
> http://signserver.org/manual/complete.en.html#4.%20Configure%20web%20server%20keystores)
> but I think this truststore is just used in the tests of signserver and
> could be used for the java trust keystore. Jboss and glassfish have
> their own truststore and keystore, why don't you use them ?

That is correct. The truststore in the p12 folder is used both by JBoss and the tests. So if you are going to run the tests you can put a truststore in the p12 folder.

I believe the reason for handling it this way is that different application servers have different locations for the truststore and the tests would not know where to find it. In fact, where JBoss finds it depends on what is written in the server.xml, so it could also be different if SignServer isn't used for deploying it. The solution we use, to not depend on different application servers and configurations, is to decide that it should be placed in the p12 folder of SignServer.

>
> In the signserver_build.properties file, there are several properties
> which are written for the use of JBoss but we do not know if they are
> needed for Glassfish : httpsserver.bindaddress.* | database.url |
> deploy.hostname.node*

Some are explained in the installation guide, such as "database.url", which is said to be used by JBoss, and some comments talk about JBoss in the sample configuration file. But the documentation is lacking for many of the other properties in this aspect.

>
> What is the aim of deploy.ssh.* properties ?

I think the idea is to be able to deploy to a remote server by transferring the files (signserver.ear etc.) over SSH. Not sure if it is working though, as I cannot find any documentation about it. You are very welcome to test it out if you want and let us know if it is working. If not, we might consider either fixing it and adding documentation for it or removing it.

>
> Why j2ee.web-nohttps has to be set to true to launch the tests while
> https is used in these tests ?

j2ee.web-nohttps is controlling whether the keystores and truststores should be deployed (to JBoss) or not. The tests should not depend on this setting, so if it says somewhere that it must be set to true I would suspect that to be a bug in the documentation. Please report a bug with where you have seen it in that case.

>
> The most important thing for me today is tests ! I run them, I resolve
> the problem about trustanchors. I join the results, I do not understand
> the errors and the fails, have you ever seen them ?

From the test report you attached I can see two different failures, which probably are also the cause of all the errors.

1. ExtendedHardCodedCryptoTokenTest testStrongCryptoAvailable
   JCE crypto policy was not installed as the key length was limited
   expected:<2147483647> but was:<64>

This means that you are running the Oracle JDK and have not installed JCE crypto policy. See the installation guide.

2. LimitKeyUsagesTest test01Limit
   Error Signer 5802 expired at Fri Apr 20 16:18:57 CEST 2012

Looks like the demo signer certificate used has expired. I will run the tests on your continuous integration server and see if we have the same problem there. They might just have to be renewed.

>
> How can I send my script to install signserver ?

If it is less than 40 KB you can just send it to the mailing list, otherwise try to upload it somewhere and send the link or send it directly to me.

>
> I take this mail to congratulate you and your team for this project
> which is really good.

Thanks to you for reporting the issues you find.

Best regards,
Markus

>
> Have a nice weekend.
>
> Best regards,
> --

Kind regards,
Markus Kilås
Security Consultant & Developer

PrimeKey Solutions AB
Anderstorpsv. 16
171 54 Solna
Sweden

Phone: +46 70 424 94 85
Skype: markusatskype
Email: mar...@pr...
www.primekey.se