
Add keystore for client authentication certificates to Controller and Agent


      Description

      Current Situation

      • Java versions 1.8 to 17 cannot manage certificates for client authentication and for server authentication from the same keystore.
        • Java does not consider the extended key usage extension when deciding which certificate to present after the server has challenged the client during the SSL handshake to present its client authentication certificate.
        • As a result an arbitrary certificate is chosen, which will not match during client authentication.
        • This problem affects mutual authentication between Controller instances and between JOC Cockpit and Controller instances.
      • Users who apply a single certificate for both client and server authentication are not affected by this problem.
      • This is a known problem of the JDK.

      Desired Behavior

      • Later use of Java 18 is not an option for JS7 as this is not an LTS release. It might take 12 to 24 months until a Java LTS release that resolves the problem is available.
      • The Controller and Agent should therefore use a separate keystore file for client authentication certificates (and private keys).
        • The configuration in the private.conf file includes:
                  keystore {
                      # Default: ${js7.config-directory}"/private/https-keystore.p12"
                      file=${js7.config-directory}"/private/https-keystore.p12"
                      key-password=jobscheduler
                      store-password=jobscheduler
                  }
                  clientKeystore {
                      # Default: ${js7.config-directory}"/private/https-client-keystore.p12"
                      file=${js7.config-directory}"/private/https-keystore.p12"
                      key-password=jobscheduler
                      store-password=jobscheduler
                  }
      
      • The solution should remain compatible with using a single certificate for client and server authentication from one keystore.

      Workaround

      • The java.security file specifies the following default:
      ssl.KeyManagerFactory.algorithm=SunX509
      
      • Users of current Java 1.8 updates can modify this value to
      ssl.KeyManagerFactory.algorithm=NewSunX509
      
      • Users of Java 11 can modify this value to
      ssl.KeyManagerFactory.algorithm=PKIX
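      The following is an added example and not JS7 code: it combines the two ideas above, loading each keystore with the "NewSunX509" key manager (the "PKIX" alias on Java 11+) that checks extended key usage, and answering server-side alias selection from one keystore and client-side selection from the other, so the client authentication certificate is never chosen for the server role or vice versa. Class, method names, file paths and passwords are assumptions.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.net.Socket;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Arrays;

// Routes server-side alias selection to one keystore and client-side selection to another,
// so the server certificate and the client-authentication certificate never compete.
public final class SplitKeyManager extends X509ExtendedKeyManager {
    private final X509ExtendedKeyManager server, client;

    SplitKeyManager(X509ExtendedKeyManager server, X509ExtendedKeyManager client) {
        this.server = server;
        this.client = client;
    }

    // Load a PKCS#12 keystore with the "NewSunX509" key manager (alias "PKIX" on Java 11+),
    // which checks validity and extended key usage when choosing an alias; "SunX509" does not.
    static X509ExtendedKeyManager load(String path, char[] storePw, char[] keyPw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, storePw); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
        kmf.init(ks, keyPw);
        return (X509ExtendedKeyManager) kmf.getKeyManagers()[0];
    }

    // Chosen aliases are tagged with their origin ("s:" or "c:") so that the later
    // getCertificateChain/getPrivateKey lookups are routed back to the keystore that owns them.
    private static String tag(String p, String a) { return a == null ? null : p + a; }
    private static String[] tagAll(String p, String[] as) { return as == null ? null : Arrays.stream(as).map(a -> p + a).toArray(String[]::new); }
    private X509ExtendedKeyManager owner(String a) { return a.startsWith("s:") ? server : client; }

    @Override public String chooseServerAlias(String kt, Principal[] iss, Socket s) { return tag("s:", server.chooseServerAlias(kt, iss, s)); }
    @Override public String chooseEngineServerAlias(String kt, Principal[] iss, SSLEngine e) { return tag("s:", server.chooseEngineServerAlias(kt, iss, e)); }
    @Override public String chooseClientAlias(String[] kt, Principal[] iss, Socket s) { return tag("c:", client.chooseClientAlias(kt, iss, s)); }
    @Override public String chooseEngineClientAlias(String[] kt, Principal[] iss, SSLEngine e) { return tag("c:", client.chooseEngineClientAlias(kt, iss, e)); }
    @Override public String[] getServerAliases(String kt, Principal[] iss) { return tagAll("s:", server.getServerAliases(kt, iss)); }
    @Override public String[] getClientAliases(String kt, Principal[] iss) { return tagAll("c:", client.getClientAliases(kt, iss)); }
    @Override public X509Certificate[] getCertificateChain(String a) { return owner(a).getCertificateChain(a.substring(2)); }
    @Override public PrivateKey getPrivateKey(String a) { return owner(a).getPrivateKey(a.substring(2)); }

    // Hypothetical wiring: one SSLContext backed by a server keystore and a separate client keystore.
    public static SSLContext context(String serverP12, String clientP12, char[] pw) throws Exception {
        KeyManager km = new SplitKeyManager(load(serverP12, pw, pw), load(clientP12, pw, pw));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { km }, null, null);   // null: JDK default trust managers
        return ctx;
    }
}
```

      Pointing both arguments of context() at the same file reproduces the single-keystore setup, so the split does not break deployments that use one certificate for both roles.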
      

            People

            • Assignee: Joacim Zschimmer
            • Reporter: Andreas Püschel
            • Approver: Andreas Püschel