[JS-1959] Add keystore for client authentication certificates to Controller and Agent - SOS JIRA

XML

Word

Printable

Details

Type: Feature
Status: Released (View Workflow)
Priority: High
Resolution: Fixed
Affects Version/s: 2.0.0
Fix Version/s: 2.1.0
Component/s: JS7 Agent, JS7 Controller
Labels:
- ACC9123

Description

Current Situation

Java version 1.8 to 17 cannot manage use of certificates for client authentication and server authentication from the same keystore.
- Java does not consider extended key usage to determine which certificate to present when a client during SSL handshake is challenged to present its client authentication certificate.
- As a result an arbitrary certificate is chosen that will not match during client authentication.
- This problem affects mutual authentication between Controller instances and between JOC Cockpit and Controller instances.
Users who apply a single certificate for client and server authentication are not affected by this problem.
This is a known problem of the JDK
- tracked with JDK selects wrong certificate during two-way SSL handshake
- to be resolved for Java 18 with Change the default key manager to PKIX

Desired Behavior

Later use of a Java 18 is not an option for JS7 as this not an LTS release. It might take 12 to 24 months to have a Java LTS release that resolves the problem.
The Controller and Agent therefore should use a separate keystore file for client authentication certificates (and private keys).
- The configuration for the private.conf file includes:

            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password="jobscheduler"
                store-password="jobscheduler"
            }
            client-keystore {
                # Default: ${js7.config-directory}"/private/https-client-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password="jobscheduler"
                store-password="jobscheduler"
            }

The solution should be compatible to use of a single certificate for client and server authentication from a keystore.

Workaround

The java.security file specifies the following default:

ssl.KeyManagerFactory.algorithm=SunX509

Users of current Java 1.8 updates can modify this value to

ssl.KeyManagerFactory.algorithm=NewSunX509

Users of Java 11 can modify this value to

ssl.KeyManagerFactory.algorithm=PKIX

Attachments

Issue Links

links to

Change the default key manager to PKIX

JDK selects wrong certificate during two-way SSL handshake

mentioned in: Page Loading...; Page Loading...; Page Loading...

Activity

People

Assignee:: Joacim Zschimmer

Reporter:: Andreas Püschel

Approver:: Andreas Püschel

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 11 October 2021 19:25

Updated:: 29 April 2023 12:05

Resolved:: 18 October 2021 06:55