OpenJDK 6: working ok OpenJDK 7: working ok Oracle JDK 6: JCE install required Oracle JDK 7: ? - did those jce policy files work for anyone in oracle jdk 1.7?
I believe it is not really user-friendly, but acceptable both from legal (not a lawyer) and usability perspective if we tell the system administrator that if he/she is using Oracle JDK AND want to use encryption with more than X (128 afaik - not much) bit encryption, then it will require the Oracle JCE policies installed in the JDK. It is true that JCE policies are not redistributable, but the same is true for Oracle JDK. These are not distributed with ACS and are part of the java runtime environment. Anyway, this should be clearly documented in the product documentation. Tests: I am just testing a patch that detects the JDK vendor as much as possible and it skips the tests if the environment is not OpenJDK. It can be overridden by build parameters. I will need some feedback on this since I do not have all java versions on my laptop and I could not test with all possible scenarios. Thank you, Laszlo On Tue, Nov 12, 2013 at 3:17 PM, Chip Childers <chipchild...@apache.org>wrote: > IMO - having this as a requirement for a build is a bit of an issue. > First, we can't distribute it (obviously). Second, it's a bit of an > esoteric requirement if you are using a JDK that doesn't include it > automatically. This will lead to confusion. > > Is there a way that we can re-work the tests to accomplish a similar (or > close-enough) goal without this added dependency? > > -chip > > On Tue, Nov 12, 2013 at 08:23:10AM +0100, Laszlo Hornyak wrote: > > It seems OpenJDK 6 and 7 are ok. Oracle jdk 6 needs JCE, oracle jdk 7 may > > need another extension (the JCE for jdk6 did not work for me). > > I would recommend that we @Ignore the failing tests, add some assumption > or > > move them to a special test group which is not executed by default. > > > > > > On Tue, Nov 12, 2013 at 7:28 AM, Koushik Das <koushik....@citrix.com> > wrote: > > > > > The following tests are failing in my environment even with the JCE > > > extensions. > > > > > > /* Test7: If no chain is given, the certificate should be self > > > signed. Else, uploadShould Fail */ > > > runUploadSslCertNoChain(); > > > > > > /* Test8: Chain is given but does not have root certificate */ > > > runUploadSslCertNoRootCert(); > > > > > > /* Test9: The chain given is not the correct chain for the > > > certificate */ > > > runUploadSslCertBadChain(); > > > > > > /* Test12: Given a certificate signed by a CA and a valid CA > > > chain, upload should succeed */ > > > runUploadSslCertWithCAChain(); > > > > > > > > > > > > > > > On 12-Nov-2013, at 11:35 AM, Koushik Das <koushik....@citrix.com> > wrote: > > > > > > > I see the JCE extensions in jdk 1.7 as well. They are present under > > > <java_home>/jre/lib/security. But still I see a test failure. Is there > any > > > other configuration that is required? > > > > > > > > Running org.apache.cloudstack.network.lb.CertServiceTest > > > > Tests run: 2, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 1.456 > > > sec <<< FAILURE! > > > > > > > > -Koushik > > > > > > > > On 12-Nov-2013, at 11:19 AM, Prasanna Santhanam <t...@apache.org> > > > > wrote: > > > > > > > >> My MacOSX 1.6 jdk seems to have the crypto extensions jce builtin > and > > > >> the build+test works. JDK 1.7 install does not have them though. > > > >> > > > >> The JCE kit seems to carry a BCL which is not ASF friendly [1]. But > > > >> this being part of the Java install and not the project it should be > > > >> okay IMO if we note it in our wiki on building the project. > > > >> > > > >> As for legal aspects - I found this which might be of some > relevance. > > > >> http://markmail.org/message/evtkc656gewrkruf > > > >> > > > >> [1] http://www.apache.org/legal/3party.html#transition-examples > > > >> > > > >> On Mon, Nov 11, 2013 at 10:45:12PM +0100, Laszlo Hornyak wrote: > > > >>> Hi, > > > >>> > > > >>> That is a good question, I do not know for sure, but this package > > > needs to > > > >>> be signed by oracle, it is not redistributable and has teritorial > > > import > > > >>> restrictions, so it could be problematic :-( I hope it is not. > Guys, > > > can > > > >>> someone help us here? > > > >>> > > > >>> > > > >>> On Mon, Nov 11, 2013 at 10:21 PM, Syed Ahmed <sah...@cloudops.com> > > > wrote: > > > >>> > > > >>>> Hi Laszlo, > > > >>>> > > > >>>> The CertService uses BouncyCastle for certificate parsing and > > > validation. > > > >>>> The JCE extension provides the API for using BouncyCastle as the > > > provider. > > > >>>> So, JCE is required. I know that BouncyCastle is added in CS. > Would > > > it be > > > >>>> possible to add JCE as a dependency too? > > > >>>> > > > >>>> Thanks, > > > >>>> -Syed > > > >>>> > > > >>>> > > > >>>> On 13-11-10 09:55 AM, Laszlo Hornyak wrote: > > > >>>> > > > >>>>> Hi Sahmed and list, > > > >>>>> > > > >>>>> I ran into some failing tests this weekend related to the patch > > > >>>>> 0076307863e9155273d9e4c14282de429388c9e9 apparently jenkins > fails for > > > >>>>> the same reason. I did a short investigation and it turned out > that > > > in > > > >>>>> order to run the tests correctly, one has to download the sun jce > > > policy > > > >>>>> files and put it in the jdk replacing the original policies. > > > >>>>> > > > >>>>> Questions: > > > >>>>> - Is there a more convenient deployment process? :-) It would be > very > > > >>>>> useful for the jenkins environment as well. > > > >>>>> - I gave it a try and patched the oracle jdk 1.7 with the same > > > plugin, it > > > >>>>> did not work. Do you know a way to make it work again with jdk > 1.7? > > > >>>>> > > > >>>>> Thank you, > > > >>>>> Laszlo > > > >>>>> > > > >>>>> -- > > > >>>>> > > > >>>>> EOF > > > >>>>> > > > >>>> > > > >>>> > > > >>> > > > >>> > > > >>> -- > > > >>> > > > >>> EOF > > > >> > > > >> -- > > > >> Prasanna., > > > >> > > > >> ------------------------ > > > >> Powered by BigRock.com > > > >> > > > > > > > > > > > > > > > > -- > > > > EOF > -- EOF
