WASdev/ci.docker

Default key store file key.p12 is missing

g000444555 opened this issue · 6 comments

In my Dockerfile, I am using as base image the following

FROM ibmcom/websphere-liberty:kernel-java8-ibmjava-ubi

Then I am trying to import a certificate into the default keystore location, first listing the content to verify the certificate is not already there:

keytool -list -v -keystore /opt/ibm/wlp/output/defaultServer/resources/security/key.p12 -storepass secret

And I am getting the error:

keytool error (likely untranslated): java.io.FileNotFoundException: /opt/ibm/wlp/output/defaultServer/resources/security/key.p12 (No such file or directory)

The above used to work until recently. I am not sure when exactly the key.p12 was removed; however, I am sure I was using it with Liberty 20.0.0.5. With the latter being said, even when I resort to FROM ibmcom/websphere-liberty:20.0.0.5-kernel-java8-ibmjava-ubi I still encounter the same issue.

Where is the new location for the default key store key.p12?

Hi @g000444555 - the kernel image shouldn't have keys inside it out of the box. Please refer to this doc for security-related information.

What is the easiest way to get the kernel image to have keys inside it? From the documentation, setting the env variable "SEC_TLS_TRUSTDEFAULTCERTS=true" did not generate any *.p12 file. Or is the regular JDK cacerts supposed to take effect when the aforementioned variable is set?

Another approach I tried from the above documentation was to set the environment variable TLS_DIR='/home/default/certs' and export a tls.pem file into the TLS_DIR location right before starting Liberty by invoking /opt/ibm/helpers/runtime/docker-server.sh "$@".

However, the certificate did not take effect:

javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target

Any suggestion would be welcome.

Next thing I am going to try is adding a feature like transportSecurity-1.0 into server.xml
In the meantime, any suggestion is welcome.

The key is either mounted into TLS_DIR (default is /etc/x509/certs)
or it is generated at runtime/build time depending on the features set.
To have a key at build time you need the transportSecurity-1.0 feature enabled, and if you do RUN configure.sh in your file the key is created at build time.
The shortcut for enabling transportSecurity-1.0 is to set ENV TLS=true.

In summary:

The problem I had was introduced because the upstream base image ibmcom/websphere-liberty silently pushed some breaking changes into the following tags:

  1. kernel-java8-ibmjava-ubi
  2. 20.0.0.5-kernel-java8-ibmjava

This update broke my existing image despite the fact that it was previously using the same tag and version of Liberty, which was 20.0.0.5.

In order to fix one of the breaking changes, which is the missing key.p12 keystore file described in this issue, all I had to do was to add the following feature into server.xml:

<feature>transportSecurity-1.0</feature>

I believe such breaking changes should be avoided, especially to versioned tags like 20.0.0.5-kernel-java8-ibmjava. At the very least, when such changes have to be pushed, a public note in the docker image's documentation needs to be provided with the steps to deal with the changes.

This issue can now be closed.
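Putting the build-time procedure from the maintainer's comment (enable transportSecurity-1.0, run configure.sh) and the server.xml fix from the summary together, here is an added Dockerfile example that is not from the ci.docker project. It assumes configure.sh is on PATH in the base image, as the thread uses it, and that /config/server.xml is the image's standard server configuration location.

```dockerfile
# Added example, not part of WASdev/ci.docker: build a kernel-based image that
# carries a generated default key store, and fail the build if it is missing.
FROM ibmcom/websphere-liberty:kernel-java8-ibmjava-ubi

# Shortcut named in the thread: TLS=true enables transportSecurity-1.0 so that
# configure.sh generates the key store. The equivalent is adding
#   <feature>transportSecurity-1.0</feature>
# to the featureManager element of /config/server.xml (assumed standard
# location in the image) and copying that file in instead of setting ENV TLS.
ENV TLS=true

# Generate the key store now, at build time, rather than on first start.
RUN configure.sh

# Build-time check: the default key store path named in this issue must exist.
# The store password is generated, so only the file's presence is verified here;
# a missing file aborts the build instead of surfacing later as a TLS failure.
RUN test -f /opt/ibm/wlp/output/defaultServer/resources/security/key.p12 \
    || { echo "key.p12 was not generated; check that transportSecurity-1.0 is enabled"; exit 1; }
```

Building this image with docker build fails fast if the base image changes again in a way that stops the key store from being generated.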