- Java version 1.8 to 17 cannot manage use of certificates for client authentication and server authentication from the same keystore.
- Java does not consider extended key usage to determine which certificate to present when a client during SSL handshake is challenged to present its client authentication certificate.
- As a result an arbitrary certificate is chosen that will not match during client authentication.
- This problem affects mutual authentication between Controller instances and between JOC Cockpit and Controller instances.
- Users who apply a single certificate for client and server authentication are not affected by this problem.
- This is a known problem of the JDK
- tracked with JDK selects wrong certificate during two-way SSL handshake
- to be resolved for Java 18 with Change the default key manager to PKIX
- Later use of a Java 18 is not an option for JS7 as this not an LTS release. It might take 12 to 24 months to have a Java LTS release that resolves the problem.
- The Controller and Agent therefore should use a separate keystore file for client authentication certificates (and private keys).
- The configuration for the private.conf file includes:
- The solution should be compatible to use of a single certificate for client and server authentication from a keystore.
- The java.security file specifies the following default:
- Users of current Java 1.8 updates can modify this value to
- Users of Java 11 can modify this value to