[Pki-devel] Tomcat, NSS and OpenJDK

Tomcat has a class called "Realm" which is basically a way of managing the set of authentication mechanisms. PKI seems To use an older approach which bypasses the Realm config in Tomcat. I started looking at what it would take to close the distance between the two. In doing so, I found something interesting in the openjdk code base: In /usr/lib/jvm/java-1.6.0/jre/lib/security/java.security, there is a section that looks like this: # # List of providers and their preference orders (see above): # security.provider.1=sun.security.provider.Sun security.provider.2=sun.security.rsa.SunRsaSign ... # the NSS security provider was not enabled for this build; it can be enabled # if NSS (libnss3) is available on the machine. The nss.cfg file may need # editing to reflect the location of the NSS installation. #security.provider.9=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg So it seems that Sun had, at least in the past, supported NSS as a Sercurity provider. For the member of the Java team not familiar with NSS (I wasn't) It is the Network Security Services and is the basis for, amongst other things, how Mozilla stores passwords and certificates. PKI makes pretty heavy use of NSS, via the Opensource Java bindings in JSS. This page here has more info: http://download.oracle.com/javase/1.5.0/docs/guide/security/p11guide.html... It seems like the Oracle JDK has had support in the past for NSS as a JAAS module. To close the acronym loop with Tomcat, Tomcat has a JAAS Realm class. What this says to me is that, at one point, Java developers could have configured Tomcat to use NSS as the authentication mechanism for an application. This class ships in the file: /usr/lib/jvm/java-1.6.0-openjdk.x86_64/jre/lib/ext/sunpkcs11.jar And The native library is in /usr/lib/jvm/java-1.6.0-openjdk.x86_64/jre/lib/amd64/libj2pkcs11.so So it looks like we might have an additional Java implementation of NSS available, one that can potentially provide NSS support for Tomcat and JBoss via JAAS. It looks like all it requires is a change to the configuration file that we ship. I'm not quite sure how we would go about doing this in an automated fashion, short of pulling in libnss3 as part of Open JDK support. I'm guessing that if we enable it and the nss library is missing it errors our in some ugly manner, but I have not tested it. Is anyone familiar with this code? Would it be acceptable to activate this security module by default and to pull in libnss with Java? Is there some automated way to enable this if NSS is installed?