OWS certificates - How to

Post by c.sottile »

Hi all,

Some questions about using certificates in OWS.

From the OWS console (itw-settings) you can set system-level (\openwebstart\jre\lib\security\) and user-level certificates ([user]\.config\icedtea-web\security\).

1. What logic does OWS use to query the system keystore and user keystore?
2. What are the preconditions to consider if you need to add certificates to OpenWebStart keystores?

Thx,
Carmelo


Post by Stephan Classen »

OWS will look in different locations for certificates.

It distinguishes between system and user level.
The default location for the user level is "[user]\.config\icedtea-web\security\" and the default for the system is "[JVM]\jre\lib\security\".
Be aware of the fact that [JVM] will change as there are two distinct JVMs involved in launching an application.

There are settings to control all of the store locations:
- deployment.user.security.trusted.cacerts
- deployment.user.security.trusted.jssecacerts
- deployment.user.security.trusted.certs
- deployment.user.security.trusted.jssecerts
- deployment.user.security.trusted.clientauthcerts
- deployment.system.security.cacerts
- deployment.system.security.jssecacerts
- deployment.system.security.trusted.certs
- deployment.system.security.trusted.jssecerts
- deployment.system.security.trusted.clientautcerts


Post by c.sottile »

Is it allowed to constrain OWS to use specific keystores?
Does OWS apply some priority between user and system keystores?
Is it also allowed to constrain OWS to use only system keystores?


Post by Stephan Classen »

The order is SYSTEM then USER.
There is no way to block either one of them.
But you can point them to the same file, effectively making them the same.


Post by c.sottile »

Ok thanks a lot for your feedback.

Another question! Is it possible to constrain OWS to access the Windows KeyStore? Windows-ROOT or Windows-MY?
Our customer is a large company and its deployment system periodically updates this key store on users' local machines.


Post by c.sottile »

Hi all,
any feedback for me?

Thanks


Post by Janak Mulani »

https://manpages.debian.org/buster/iced ... 1.en.html lists properties like:

deployment.system.security.cacerts
    $JAVA_HOME/lib/security/cacerts (Possible: include an absolute path to a file or directory)
deployment.system.security.jssecacerts
    $JAVA_HOME/lib/security/jssecacerts (Possible: include an absolute path to a file or directory)
deployment.system.security.policy
    null (Possible: include any valid url (eg. http://icedtea.classpath.org/hg/))
deployment.system.security.trusted.certs
    $JAVA_HOME/lib/security/trusted.certs (Possible: include an absolute path to a file or directory)
deployment.system.security.trusted.clientautcerts
    $JAVA_HOME/lib/security/trusted.clientcerts (Possible: include an absolute path to a file or directory)
deployment.system.security.trusted.jssecerts
    $JAVA_HOME/lib/security/trusted.jssecerts (Possible: include an absolute path to a file or directory)

deployment.user.security.trusted.cacerts
    $XDG_CONFIG_HOME/icedtea-web/security/trusted.cacerts (Possible: include an absolute path to a file or directory)
deployment.user.security.trusted.certs
    $XDG_CONFIG_HOME/icedtea-web/security/trusted.certs (Possible: include an absolute path to a file or directory)
deployment.user.security.trusted.clientauthcerts
    $XDG_CONFIG_HOME/icedtea-web/security/trusted.clientcerts (Possible: include an absolute path to a file or directory)
deployment.user.security.trusted.jssecacerts
    $XDG_CONFIG_HOME/icedtea-web/security/trusted.jssecacerts (Possible: include an absolute path to a file or directory)
deployment.user.security.trusted.jssecerts
    $XDG_CONFIG_HOME/icedtea-web/security/trusted.jssecerts (Possible: include an absolute path to a file or directory)

Please try setting these properties in the deployment.properties file and see if it works.


Post by c.sottile »

Hello,

I tried to carry out a test as you suggested, but I see that OWS expects in any case the keystores to be defined inside a file.
From the logs, it doesn't seem that it accesses the Windows store through SunMSCAPI.


I take this opportunity to ask you some other questions:

1. In which context are the "trusted.clientautcerts" used by OWS? Is there an authenticity check on the customer consuming the JNLP?

2. I understand that "trusted.cacerts" and "trusted.certs" are used to verify the JAR signatures. Are they also used for something else?

3. What do the certificates in the "trusted.certs" store refer to? Are they unauthorized CAs for private use or intermediate CAs?


Waiting for your feedback.

Thanks,
Carmelo


Post by Stephan Classen »

OWS expects all of the above to be Java key stores (.jks).

To your questions, these are the answers from the top of my head. It could be that I forget about some details...

1. This is used for authentication in an mTLS connection (maybe there is a typo in the property name (h missing)).
2. They are also used for validating SSL connections.
3. trusted.certs points to leaf certificates, so no CA.

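Added example (not part of the thread and not OWS code): a Python check over the text of a deployment.properties file that reports each store-location property named above in SYSTEM-then-USER order, whether the system and user entries of a pair resolve to the same file, and whether the file starts with the JKS magic number 0xFEEDFEED. The function names, sample paths and sample properties are constructed for illustration; only the file header is inspected, the store is not opened.

```python
import os, re, struct, tempfile

# (system, user) store-location properties, spelled exactly as listed in the thread.
P, U = "deployment.system.security.", "deployment.user.security.trusted."
STORE_PAIRS = [
    (P + "cacerts", U + "cacerts"),
    (P + "jssecacerts", U + "jssecacerts"),
    (P + "trusted.certs", U + "certs"),
    (P + "trusted.jssecerts", U + "jssecerts"),
    (P + "trusted.clientautcerts", U + "clientauthcerts"),
]
JKS_MAGIC = 0xFEEDFEED  # first four bytes of a JKS file, big-endian

def parse_properties(text):
    """Minimal .properties reader: key=value or key:value; # and ! start comments."""
    found = (re.match(r"([^=:\s#!][^=:\s]*)\s*[=:]\s*(.*)", ln.strip()) for ln in text.splitlines())
    return {m.group(1): m.group(2).replace("\\\\", "\\") for m in found if m}

def store_format(path):
    """Classify a configured store by its header; no store password needed."""
    if os.path.isdir(path):
        return "directory"  # the man page excerpt allows a directory here
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return "missing"
    return "JKS" if head == struct.pack(">I", JKS_MAGIC) else "not-JKS"

def audit(props):
    """One row per configured store: (property, path, format, shared_with_other_level)."""
    rows = []
    for sys_key, user_key in STORE_PAIRS:  # same order as the lookup: SYSTEM, then USER
        paths = [(k, props[k]) for k in (sys_key, user_key) if props.get(k)]
        real = {os.path.normcase(os.path.realpath(p)) for _, p in paths}
        shared = len(paths) == 2 and len(real) == 1
        rows += [(k, p, store_format(p), shared) for k, p in paths]
    return rows

if __name__ == "__main__":
    tmp = tempfile.mkdtemp()  # constructed sample store and configuration
    jks = os.path.join(tmp, "corp.jks")
    with open(jks, "wb") as fh:
        fh.write(struct.pack(">II", JKS_MAGIC, 2))  # header only, not a usable store
    sample = f"# constructed\n{P}cacerts={jks}\n{U}cacerts={jks}\n{U}certs={tmp}/leaf.p12\n"
    for row in audit(parse_properties(sample)):
        print(row)
```

A "not-JKS" or "missing" result on a configured path is the case to investigate first, since per the reply above OWS expects every one of these locations to be a Java key store.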