[fedora-java] Tomcat, NSS and OpenJDK

Adam Young ayoung at redhat.com
Tue Oct 4 00:58:26 UTC 2011


Tomcat has a class called "Realm" which is basically a way of managing 
the set of authentication mechanisms.  PKI seems to use an older 
approach which bypasses the Realm config in Tomcat.  I started looking 
at what it would take to close the distance between the two.  In doing 
so, I found something interesting in the openjdk code base:

In /usr/lib/jvm/java-1.6.0/jre/lib/security/java.security,  there is a 
section that looks like this:
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
...
# the NSS security provider was not enabled for this build; it can be enabled
# if NSS (libnss3) is available on the machine. The nss.cfg file may need
# editing to reflect the location of the NSS installation.
#security.provider.9=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg


So it seems that Sun had, at least in the past, supported NSS as a 
security provider.  For the members of the Java team not familiar with 
NSS (I wasn't), it is the Network Security Services and is the basis for, 
amongst other things, how Mozilla stores passwords and certificates.  
PKI makes pretty heavy use of NSS, via the open-source Java bindings in JSS.

This page here has more info:

http://download.oracle.com/javase/1.5.0/docs/guide/security/p11guide.html#Intro

It seems like the Oracle JDK has had support in the past for NSS as a 
JAAS module.  To close the acronym loop with Tomcat, Tomcat has a JAAS 
Realm class.  What this says to me is that, at one point, Java 
developers could have configured Tomcat to use NSS as the authentication 
mechanism for an application.

This class ships in the file:

/usr/lib/jvm/java-1.6.0-openjdk.x86_64/jre/lib/ext/sunpkcs11.jar

And the native library is in

/usr/lib/jvm/java-1.6.0-openjdk.x86_64/jre/lib/amd64/libj2pkcs11.so


So it looks like we might have an additional Java implementation of NSS 
available, one that can potentially provide NSS support for Tomcat and 
JBoss via JAAS.  It looks like all it requires is a change to the 
configuration file that we ship.  I'm not quite sure how we would go 
about doing this in an automated fashion, short of pulling in libnss3 as 
part of OpenJDK support.  I'm guessing that if we enable it and the nss 
library is missing it errors out in some ugly manner, but I have not 
tested it.

Is anyone familiar with this code?  Would it be acceptable to activate 
this security module by default and to pull in libnss with Java?  Is 
there some automated way to enable this if NSS is installed?
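The last question above, enabling the provider only when NSS is actually installed, is the kind of thing a package %post script or a site admin would do with a few lines of shell. The function below is an added example, not code from the original message or from the Fedora OpenJDK packages. It takes the java.security file, the nss.cfg to write and the directory expected to hold libnss3.so as parameters (so it can be exercised on copies), writes an nss.cfg using the keys the SunPKCS11 provider accepts (name, nssLibraryDirectory, nssDbMode, attributes), and uncomments the SunPKCS11 line. One caveat it handles: the JDK reads security.provider.1, .2, ... in order and stops at the first missing index, so the function renumbers the uncommented entry to follow the highest index already active rather than trusting the number that happens to be in the comment. The sample java.security contents in the usage comment are constructed.

```shell
#!/bin/sh
# enable_nss_provider JAVA_SECURITY NSS_CFG NSS_LIBDIR
#   JAVA_SECURITY  the java.security file to edit (e.g. $JAVA_HOME/jre/lib/security/java.security)
#   NSS_CFG        the nss.cfg file to (over)write
#   NSS_LIBDIR     directory that must contain libnss3.so, e.g. /usr/lib64
# Returns 0 when the provider line is active afterwards, 1 when NSS is absent
# (in which case nothing is touched, so the JVM never sees a provider it cannot load).
enable_nss_provider() {
    jsec=$1
    nsscfg=$2
    libdir=$3

    # Refuse to enable anything if the native library is not there; an
    # enabled SunPKCS11 provider with no libnss3.so fails at JVM startup.
    if [ ! -e "$libdir/libnss3.so" ]; then
        echo "libnss3.so not found in $libdir; leaving $jsec unchanged" >&2
        return 1
    fi

    # Provider configuration as SunPKCS11 expects it. noDb means no NSS
    # cert/key database is opened; only the crypto functions are exposed.
    cat > "$nsscfg" <<EOF
name = NSS
nssLibraryDirectory = $libdir
nssDbMode = noDb
attributes = compatibility
EOF

    # The JDK walks security.provider.1, .2, ... and stops at the first gap,
    # so the new entry must directly follow the highest index already active.
    max=$(sed -n 's/^security\.provider\.\([0-9]*\)=.*/\1/p' "$jsec" | sort -n | tail -n 1)
    next=$((${max:-0} + 1))

    # Uncomment the SunPKCS11 line (whatever index the comment carries), keep
    # its config-path argument, and write the result back in place.
    sed "s|^#security\.provider\.[0-9]*=sun\.security\.pkcs11\.SunPKCS11 \(.*\)|security.provider.$next=sun.security.pkcs11.SunPKCS11 \1|" \
        "$jsec" > "$jsec.tmp" && mv "$jsec.tmp" "$jsec"

    # Report success only if an active SunPKCS11 line is now present.
    grep -q '^security\.provider\.[0-9]*=sun\.security\.pkcs11\.SunPKCS11' "$jsec"
}

# Usage on the paths from the message above (constructed example; run as root
# against the real files only after trying it on a copy):
#   enable_nss_provider /usr/lib/jvm/java-1.6.0/jre/lib/security/java.security \
#                       /usr/lib/jvm/java-1.6.0/jre/lib/security/nss.cfg /usr/lib64
```

After running it, `java -XshowSettings:all` is not available on 1.6, but a one-line check is `java -cp . -e` style listing of `java.security.Security.getProviders()` from any small class; if NSS loaded, a provider named `SunPKCS11-NSS` appears at the end of the list.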


More information about the java-devel mailing list