1 Reply Latest reply on Sep 16, 2013 3:16 PM by bdtweed

    Configuring JBoss to Use Certificates from an ESM-managed Keyring on System z

    bdtweed

      First, a little background information. If any of this doesn't make sense, please let me know and I'll try to elaborate further. Please forgive me if I've shared this in the wrong place, as I'm pretty new to the community.

      For this scenario, we have a JBoss server running on System z. We want to enable JBoss to use certificates from a keyring managed by one of the native security managers (RACF, TSS, or ACF2) rather than a keystore file in the UNIX file system. Conveniently, IBM provides a keystore provider that interacts with the security managers. The keystore type is JCERACFKS and the provider is com.ibm.crypto.provider.IBMJCE.

      In the JBoss documentation, there appears to be a way to configure the security subsystem to use a specific keystore type. I'm referring to the “jsse” element at https://docs.jboss.org/author/display/AS7/Security+subsystem+configuration. I’m a little concerned that this won’t match up with the IBM-provided implementation. From the IBM documentation, there are some additional requirements for using this type of keystore:

        • You must set the InputStream for the KeyStore.load method to a com.ibm.crypto.hdwrCCA.provider.RACFInputStream instance.
        • You must set the OutputStream for the KeyStore.save method to a com.ibm.crypto.hdwrCCA.provider.RACFOutputStream instance.

      I don’t see anything in the description of the jsse element that would suggest there’s a way to control the inputs to the KeyStore load or save method.

      Based on this information, here are some of the questions I have:

      Is there a way to control the inputs to the KeyStore.load method?

      If not, is there a way I can extend the existing code to implement this behavior? If so, what classes would need to be extended and/or implemented to achieve that? Identifying a starting point would help narrow things down.

      I'm fairly new to JBoss, so the more specific the answer, the more helpful it will be. I would be very grateful for any suggestions or insight. Thank you!
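As an added illustration (not code from the original post, and not JBoss's or IBM's own code), here is the KeyStore.load pattern the quoted IBM requirement describes: the keystore is obtained by type JCERACFKS from the IBMJCE provider named in the post, and the stream passed to load() is a RACFInputStream rather than a FileInputStream on a file in the UNIX file system. The constructor arguments of RACFInputStream (user ID, keyring name, password) and the password value are assumptions about the IBM API; the keyring name and user ID are placeholders. Any JBoss integration would have to wrap this same load call, which is exactly the hook the jsse element does not appear to expose.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

// ASSUMPTION: this class and its (userId, ringName, password) constructor are
// taken from the IBM documentation the post refers to; verify against the
// javadoc shipped with the IBM JDK on the System z image.
import com.ibm.crypto.hdwrCCA.provider.RACFInputStream;

public class RacfKeyringLoader {

    // Load an ESM-managed keyring through the IBM keystore provider.
    public static KeyStore loadKeyring(String userId, String ringName, char[] password) throws Exception {
        // Keystore type and provider name come from the post (JCERACFKS / IBMJCE).
        KeyStore ks = KeyStore.getInstance("JCERACFKS", "IBMJCE");

        // The IBM requirement: the InputStream handed to load() must be a
        // RACFInputStream, not a stream over a file in the UNIX file system.
        try (InputStream in = new RACFInputStream(userId, ringName, password)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Enumerate what the keyring exposes, to confirm the load resolved the
    // expected certificates before wiring the keystore into a TLS connector.
    public static void listCertificates(KeyStore ks) throws Exception {
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            Certificate cert = ks.getCertificate(alias);
            String summary = (cert == null) ? "(no certificate)" : cert.getType();
            System.out.println(alias + " -> " + summary);
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: the ESM administrator supplies the owning user ID and
        // keyring name. ASSUMPTION: the password value expected for a keyring
        // keystore is defined by the IBM documentation, not by the ESM.
        String userId = System.getProperty("user.name");
        String ringName = "KEYRING_NAME_PLACEHOLDER";
        char[] password = "password".toCharArray();

        KeyStore ks = loadKeyring(userId, ringName, password);
        listCertificates(ks);
    }
}
```

The point of routing through KeyStore.getInstance(type, provider) plus a provider-specific stream is that the private keys never leave the ESM: the keystore object is only a handle, and the JSSE KeyManager built from it asks the provider to sign rather than reading key material from a file, which is the access-control benefit of the keyring approach over a file-system keystore.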