
Add keystore for client authentication certificates to JOC Cockpit


Details

    Description

      Current Situation

      • Java versions 1.8 to 17 cannot manage the use of certificates for client authentication and for server authentication from the same keystore.
        • Java does not consider the Extended Key Usage extension when determining which certificate to present when a client is challenged during the SSL handshake to present its client authentication certificate.
        • As a result, an arbitrary certificate is chosen that will not match during client authentication.
        • This problem affects mutual authentication between Controller instances and between JOC Cockpit and Controller instances.
      • Users who apply a single certificate for both client and server authentication are not affected by this problem.
      • This is a known problem of the JDK.

      Desired Behavior

      • Use of Java 18 is not an option for JS7 as this is not an LTS release. It might take 12 to 24 months until a Java LTS release that resolves the problem becomes available.
      • The JOC Cockpit offers separate configuration items to present its server authentication certificate to users accessing JOC Cockpit from their browser and to present its client authentication certificate for connections to a Controller:
        • The configuration item for the server authentication certificate used for browser client connections is located in the JETTY_BASE/start.ini file with the settings:
                  ## Keystore file path (relative to $jetty.base)
                  jetty.sslContext.keyStorePath=resources/joc/https-keystore.p12
                  ## Truststore file path (relative to $jetty.base)
                  jetty.sslContext.trustStorePath=resources/joc/https-truststore.p12
                  ## Keystore password
                  jetty.sslContext.keyStorePassword=jobscheduler
                  ## KeyManager password (same as keystore password for pkcs12 keystore type)
                  jetty.sslContext.keyManagerPassword=jobscheduler
                  ## Truststore password
                  jetty.sslContext.trustStorePassword=jobscheduler
      
      • The configuration item for the client authentication certificate used for connections to a Controller configured for HTTPS mutual authentication is located in the JETTY_BASE/resources/joc/joc.properties file with the settings:
                  keystore_path = ../../resources/joc/https-keystore.p12
                  keystore_type = PKCS12
                  keystore_password = jobscheduler
                  key_password = jobscheduler
      
      • Users who want to use separate certificates for server authentication and client authentication can use different keystore locations or apply the workaround for the java.security file described below.
        • The keystore for the client authentication certificate is configured in the JETTY_BASE/resources/joc/joc.properties file, as mentioned above.
        • The keystore for the server authentication certificate is configured in the JETTY_BASE/start.ini configuration file, as mentioned above.
      • Use of a single certificate for client and server authentication can be achieved in two ways:
        • Single Keystore:
          Both configuration files - JETTY_BASE/resources/joc/joc.properties and JETTY_BASE/start.ini - have to point to the same keystore holding the server/client auth certificate.
        • Two Keystores:
          Users have to make sure to publish the server/client authentication certificate to both keystores: the one configured in JETTY_BASE/resources/joc/joc.properties and the one configured in JETTY_BASE/start.ini.

      Workaround

      • The java.security file specifies the following default:
      ssl.KeyManagerFactory.algorithm=SunX509
      
      • Users of current Java 1.8 updates can in some cases modify this value to
      ssl.KeyManagerFactory.algorithm=NewSunX509
      
      • Users of Java 11 can modify this value to
      ssl.KeyManagerFactory.algorithm=PKIX
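      As an added example that is not part of JS7 or this issue, the following hypothetical Java utility (class name KeystoreEkuCheck is an assumption) lists the key entries of a PKCS12 keystore with their Extended Key Usage and reports when the keystore mixes server-only and client-only certificates while the SunX509 key manager algorithm is still in effect, which is exactly the situation in which the JDK may present the wrong certificate. The default keystore path and password are the values from the settings above.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;

// Hypothetical checker (not part of JS7): lists the key entries of a PKCS12 keystore
// with their Extended Key Usage and warns when serverAuth and clientAuth sit in
// different entries while the JVM still selects keys with the default SunX509 algorithm.
public class KeystoreEkuCheck {
    static final String SERVER_AUTH = "1.3.6.1.5.5.7.3.1"; // id-kp-serverAuth
    static final String CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    public static void main(String[] args) throws Exception {
        // Usage: java KeystoreEkuCheck <keystore.p12> <password>; defaults taken from start.ini above
        String path = args.length > 0 ? args[0] : "resources/joc/https-keystore.p12";
        char[] password = (args.length > 1 ? args[1] : "jobscheduler").toCharArray();

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }

        boolean serverOnly = false, clientOnly = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue; // only entries with a private key can be presented
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            // null means no EKU extension, i.e. the certificate is not restricted to a purpose (RFC 5280)
            List<String> eku = ((X509Certificate) c).getExtendedKeyUsage();
            boolean srv = eku == null || eku.contains(SERVER_AUTH);
            boolean cli = eku == null || eku.contains(CLIENT_AUTH);
            System.out.printf("%-24s serverAuth=%-5b clientAuth=%-5b%n", alias, srv, cli);
            if (srv && !cli) serverOnly = true;
            if (cli && !srv) clientOnly = true;
        }

        // Algorithm in effect: ssl.KeyManagerFactory.algorithm from java.security, else SunX509.
        String algorithm = KeyManagerFactory.getDefaultAlgorithm();
        System.out.println("KeyManagerFactory algorithm in effect: " + algorithm);
        if (serverOnly && clientOnly && "SunX509".equalsIgnoreCase(algorithm)) {
            System.out.println("WARNING: keystore mixes server-only and client-only certificates; "
                + "SunX509 ignores EKU when selecting the client certificate. Use separate "
                + "keystores or set ssl.KeyManagerFactory.algorithm to NewSunX509 or PKIX.");
        }
    }
}
```

      Run it once against the keystore referenced by start.ini and once against the one referenced by joc.properties; if both point to the same file and the warning appears, the workaround or separate keystores are needed.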
      

          People

            Santiago Aucejo Petzoldt
            Andreas Püschel