Details
Type: Feature
Status: Released
Priority: High
Resolution: Fixed
Fix Version: 2.0.0
Description
Current Situation
- Java 1.8 through 17 cannot serve certificates for client authentication and for server authentication from the same keystore.
- The default key manager (SunX509) does not consider the Extended Key Usage (EKU) extension when selecting the certificate to present after a server requests a client certificate during the TLS handshake.
- As a result an arbitrary key entry with a matching key type is chosen; if that entry carries only the serverAuth EKU, the server rejects it and client authentication fails.
- This affects mutual authentication between Controller instances and between JOC Cockpit and Controller instances.
- Users who apply a single certificate for both client and server authentication are not affected by this problem.
- This is a known problem of the JDK
- tracked as "JDK selects wrong certificate during two-way SSL handshake"
- to be resolved in Java 18 by "Change the default key manager to PKIX"
Desired Behavior
- Waiting for Java 18 is not an option for JS7, as it is not an LTS release. It may take 12 to 24 months before a Java LTS release resolves the problem.
- The Controller and Agent should therefore support a separate keystore file for client authentication certificates (and their private keys).
- The private.conf configuration then includes:

    keystore {
        # Default: ${js7.config-directory}"/private/https-keystore.p12"
        file=${js7.config-directory}"/private/https-keystore.p12"
        key-password="jobscheduler"
        store-password="jobscheduler"
    }
    client-keystore {
        # Default: ${js7.config-directory}"/private/https-client-keystore.p12"
        file=${js7.config-directory}"/private/https-keystore.p12"
        key-password="jobscheduler"
        store-password="jobscheduler"
    }

- Note that in the fragment above client-keystore.file points at the same https-keystore.p12 as keystore.file, which is the single-keystore case. To actually separate the certificates, point client-keystore.file at a distinct file such as the default https-client-keystore.p12 holding only the clientAuth certificate and its private key, and replace the "jobscheduler" example passwords with your own.
- The solution should remain compatible with use of a single certificate for client and server authentication from one keystore.
Workaround
- The JDK's java.security file specifies the following default:
    ssl.KeyManagerFactory.algorithm=SunX509
- Users of current Java 1.8 updates can change this value to
    ssl.KeyManagerFactory.algorithm=NewSunX509
- Users of Java 11 can change this value to
    ssl.KeyManagerFactory.algorithm=PKIX
- The NewSunX509 key manager (for which PKIX is an alias) evaluates the Extended Key Usage extension and presents a certificate carrying clientAuth when challenged for a client certificate. Instead of editing the JDK's own java.security file, the setting can be supplied per process in an override file passed with -Djava.security.properties=<file>; the value is read when the JSSE provider initialises, so the affected JVM (Controller, Agent or JOC Cockpit) has to be restarted for the change to take effect.
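The following diagnostic makes the problem described under Current Situation and the effect of the workaround visible for a concrete keystore. It is an added example and not part of JS7 or the JDK: it loads a keystore, lists the Extended Key Usage of every key entry, and then asks three key managers (the JVM default as configured in java.security, the legacy SunX509 and NewSunX509) which alias each would present for client and for server authentication. The class name ClientAliasCheck and the command-line arguments are assumptions; the keystore is assumed to be PKCS12 with the key password equal to the store password, as in the private.conf example above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

/**
 * Added diagnostic (not JS7 code): shows which key entry each JSSE key manager
 * would present for client and for server authentication from one keystore.
 * Assumes a PKCS12 keystore whose key password equals the store password.
 */
public class ClientAliasCheck {

    static final String CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth
    static final String SERVER_AUTH = "1.3.6.1.5.5.7.3.1"; // id-kp-serverAuth
    static final String ANY_EKU = "2.5.29.37.0";           // anyExtendedKeyUsage
    // Key types a TLS peer would typically request.
    static final String[] KEY_TYPES = {"RSA", "EC"};

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java ClientAliasCheck <keystore.p12> <password>");
            System.exit(2);
        }
        char[] password = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        System.out.println("Key entries in " + args[0] + ":");
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                System.out.printf("  %-24s %s%n", alias,
                        describeEku((X509Certificate) ks.getCertificate(alias)));
            }
        }
        // The default algorithm reflects ssl.KeyManagerFactory.algorithm from
        // java.security or from a -Djava.security.properties override file, so
        // running this after applying the workaround shows whether it took effect.
        report(ks, password, KeyManagerFactory.getDefaultAlgorithm(), "JVM default");
        report(ks, password, "SunX509", "legacy, ignores EKU");
        report(ks, password, "NewSunX509", "honours EKU; PKIX is its alias");
    }

    /** One-line summary of a certificate's Extended Key Usage. */
    static String describeEku(X509Certificate cert) throws Exception {
        List<String> eku = cert.getExtendedKeyUsage(); // null when the extension is absent
        if (eku == null) {
            return "no EKU extension (acceptable for client and server use)";
        }
        boolean any = eku.contains(ANY_EKU);
        return "clientAuth=" + (any || eku.contains(CLIENT_AUTH))
                + " serverAuth=" + (any || eku.contains(SERVER_AUTH))
                + " subject=" + cert.getSubjectX500Principal();
    }

    /** Prints which alias the named key manager algorithm picks for each role. */
    static void report(KeyStore ks, char[] keyPassword, String algorithm, String note)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
        kmf.init(ks, keyPassword);
        X509KeyManager km = null;
        for (KeyManager m : kmf.getKeyManagers()) {
            if (m instanceof X509KeyManager) {
                km = (X509KeyManager) m;
                break;
            }
        }
        if (km == null) {
            throw new IllegalStateException(algorithm + " provides no X509KeyManager");
        }
        // Null issuers and socket: no issuer filtering and no peer-specific
        // constraints, i.e. a server that accepts a client certificate from any CA.
        String clientAlias = km.chooseClientAlias(KEY_TYPES, null, null);
        String serverAlias = null;
        for (String keyType : KEY_TYPES) {
            serverAlias = km.chooseServerAlias(keyType, null, null);
            if (serverAlias != null) {
                break;
            }
        }
        System.out.printf("%n%s (%s)%n", algorithm, note);
        System.out.println("  client auth -> " + resolve(km, clientAlias));
        System.out.println("  server auth -> " + resolve(km, serverAlias));
    }

    /**
     * NewSunX509 returns aliases as "builderIndex.keyIndex.alias" (e.g. "0.1.client");
     * its own getCertificateChain accepts that form, so the chosen alias is
     * resolved through the key manager rather than through the KeyStore.
     */
    static String resolve(X509KeyManager km, String alias) throws Exception {
        if (alias == null) {
            return "none (no key entry matched the requested key types)";
        }
        X509Certificate[] chain = km.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            return alias + " (certificate chain not resolvable)";
        }
        return alias + ": " + describeEku(chain[0]);
    }
}
```

Compile with javac ClientAliasCheck.java and run it against the Controller's keystore, e.g. java ClientAliasCheck /path/to/https-keystore.p12 jobscheduler. With two key entries (one serverAuth, one clientAuth) the SunX509 line may report the serverAuth entry for client auth, which is the failure from the Current Situation. Run the program a second time with -Djava.security.properties=<override file> containing ssl.KeyManagerFactory.algorithm=PKIX (or NewSunX509 on Java 1.8); the "JVM default" line then matches the NewSunX509 line, confirming the workaround applies to that process. Key managers are constructed when the JSSE provider initialises, so the override must be present on the command line of the JVM that performs the handshake.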