From: Antoine L. <ant...@yo...> - 2012-07-30 14:55:09
Ok Markus, no problem! Thanks!

Best regards,

Antoine

On 30/07/2012 16:53, Markus Kilås wrote:
> On 2012-07-30 15:08, Antoine Louiset wrote:
>> Hi Markus,
>>
>> Thanks for your fast answer!
>>
>> I have just one remark for the JCE installation. I don't find it in the
>> installation guide (I read it quickly).
> I was really surprised it wasn't there. I have registered
> https://jira.primekey.se/browse/DSS-514.
>
>> I download JCE policy and it resolves one fail. The problem of the
>> signer 5802 will resolve one fail and one error. So there will be no
>> more fails but I have no idea about the other errors. What do you think
>> about them?
> I will try to get back about them. I haven't yet had the time to test it
> on my machine.
>
> Best regards,
> Markus
>
>> Good afternoon!
>>
>>
>> Antoine
>>
>> On 30/07/2012 10:47, Markus Kilås wrote:
>>> Hi Antoine,
>>>
>>> See answers below.
>>>
>>> On 2012-07-28 23:24, Antoine Louiset wrote:
>>>> Hi Markus,
>>>>
>>>> The p12 directory seems to be used to set truststore certificates for
>>>> JBoss (see
>>>> http://signserver.org/manual/complete.en.html#4.%20Configure%20web%20server%20keystores)
>>>>
>>>> but I think this truststore is just used in the tests of signserver and
>>>> could be used for the java trust keystore. JBoss and glassfish have
>>>> their own truststore and keystore, why don't you use them?
>>> That is correct. The truststore in the p12 folder is used both by JBoss
>>> and the tests. So if you are going to run the tests you can put a
>>> truststore in the p12 folder. I believe the reason for handling it this
>>> way is that different application servers have different locations for
>>> the truststore and the tests would not know where to find it. In fact
>>> where JBoss finds it depends on what is written in the server.xml, so it
>>> could also be different if SignServer isn't used for deploying it. The
>>> solution we use, to not depend on different application servers and
>>> configurations is to decide that it should be placed in the p12 folder
>>> of SignServer.
>>>
>>>> In the signserver_build.properties file, there are several properties
>>>> which are written for the use of JBoss but we do not know if they are
>>>> needed for Glassfish : httpsserver.bindaddress.* | database.url |
>>>> deploy.hostname.node*
>>> Some are explained in the installation guide, such as "database.url"
>>> which is said to be used by JBoss and some comments talk about JBoss in
>>> the sample configuration file. But the documentation is lacking for many
>>> of the other properties in this aspect.
>>>
>>>> What is the aim of deploy.ssh.* properties?
>>> I think the idea is to be able to deploy to a remote server by
>>> transferring the files (signserver.ear etc) over SSH. Not sure if it is
>>> working though as I can not find any documentation about it. You are
>>> very welcome to test it out if you want and let us know if it is
>>> working. If not we might consider either fixing it and adding
>>> documentation for it or remove it.
>>>
>>>> Why j2ee.web-nohttps has to be set to true to launch the tests while
>>>> https is used in these tests?
>>> j2ee.web-nohttps is controlling whether the keystores and truststores
>>> should be deployed (to JBoss) or not. The tests should not depend on
>>> this setting so if it says somewhere that it must be set to true I would
>>> suspect that to be a bug in the documentation. Please report a bug with
>>> where you have seen it in that case.
>>>
>>>> The most important thing for me today is tests! I run them, I resolve
>>>> the problem about trustanchors. I join the results, I do not understand
>>>> the errors and the fails, have you ever seen them?
>>> From the test report you attached I can see two different failures which
>>> probably are also the cause of all the errors.
>>> 1. ExtendedHardCodedCryptoTokenTest testStrongCryptoAvailable
>>> JCE crypto policy was not installed as the key length was limited
>>> expected:<2147483647> but was:<64>
>>>
>>> This means that you are running the Oracle JDK and have not installed
>>> JCE crypto policy. See the installation guide.
>>>
>>> 2. LimitKeyUsagesTest test01Limit Error Signer 5802 expired at Fri Apr
>>> 20 16:18:57 CEST 2012
>>> Looks like the demo signer certificate used has expired. I will run the
>>> tests on your continuous integration server and see if we have the same
>>> problem there. They might just have to be renewed.
>>>
>>>> How can I send my script to install signserver?
>>> If it is less than 40 KB you can just send it to the mailing list,
>>> otherwise try to upload it somewhere and send the link or send it
>>> directly to me.
>>>
>>>> I take this mail to congratulate you and your team for this project
>>>> which is really good.
>>> Thanks to you for reporting the issues you find.
>>>
>>> Best regards,
>>> Markus
>>>
>>>> Have a nice weekend.
>>>>
>>>> Best regards,
>>>>
>>>
>
>

--
Antoine Louiset
Yousign project manager
Tel: +33 6 76 66 80 34
Mail: ant...@yo...