OWS certificates - How to

Posted: 06 Jul 2021, 12:01
by c.sottile
Hi all,

Some questions about using certificates in OWS.

From the OWS console (itw-settings) you can set system-level (\openwebstart\jre\lib\security\) and user-level certificates ([user]\.config\icedtea-web\security\).

1. What logic does OWS use to query the system keystore and user keystore?
2. What are the preconditions to consider if you need to add certificates to OpenWebStart keystores?

Thx,
Carmelo

Re: OWS certificates - How to

Posted: 06 Jul 2021, 15:19
by Stephan Classen
OWS will look in different locations for certificates.

It distinguishes between system and user level.
The default location for the user level is "[user]\.config\icedtea-web\security\" and the default for the system is "[JVM]\jre\lib\security\".
Be aware of the fact that [JVM] will change as there are two distinct JVMs involved in launching an application.

There are settings to control all of the store locations:
- deployment.user.security.trusted.cacerts
- deployment.user.security.trusted.jssecacerts
- deployment.user.security.trusted.certs
- deployment.user.security.trusted.jssecerts
- deployment.user.security.trusted.clientauthcerts
- deployment.system.security.cacerts
- deployment.system.security.jssecacerts
- deployment.system.security.trusted.certs
- deployment.system.security.trusted.jssecerts
- deployment.system.security.trusted.clientautcerts

Re: OWS certificates - How to

Posted: 07 Jul 2021, 15:31
by c.sottile
Is it allowed to constrain OWS to use specific keystores?
Does OWS apply some priority between user and system keystores?
Is it also allowed to constrain OWS to use only system keystores?

Re: OWS certificates - How to

Posted: 08 Jul 2021, 11:46
by Stephan Classen
The order is SYSTEM then USER.
There is no way to block either one of them.
But you can point them to the same file, effectively making them the same.

Re: OWS certificates - How to

Posted: 09 Jul 2021, 11:12
by c.sottile
Ok thanks a lot for your feedback.

Other question! Is it possible to constrain OWS to access the Windows KeyStore? Windows-ROOT or Windows-MY?
Our customer is a large company and its deployment system periodically updates this key store on users' local machines.

Re: OWS certificates - How to

Posted: 14 Jul 2021, 14:26
by c.sottile
Hi all,
any feedback for me?

thanks

Re: OWS certificates - How to

Posted: 15 Jul 2021, 09:13
by Janak Mulani
https://manpages.debian.org/buster/iced ... 1.en.html lists properties like:

deployment.system.security.cacerts
    $JAVA_HOME/lib/security/cacerts (Possible: include an absolute path to a file or directory)
deployment.system.security.jssecacerts
    $JAVA_HOME/lib/security/jssecacerts (Possible: include an absolute path to a file or directory)
deployment.system.security.policy
    null (Possible: include any valid url (eg. http://icedtea.classpath.org/hg/))
deployment.system.security.trusted.certs
    $JAVA_HOME/lib/security/trusted.certs (Possible: include an absolute path to a file or directory)
deployment.system.security.trusted.clientautcerts
    $JAVA_HOME/lib/security/trusted.clientcerts (Possible: include an absolute path to a file or directory)
deployment.system.security.trusted.jssecerts
    $JAVA_HOME/lib/security/trusted.jssecerts (Possible: include an absolute path to a file or directory)

deployment.user.security.trusted.cacerts
    $XDG_CONFIG_HOME/icedtea-web/security/trusted.cacerts (Possible: include an absolute path to a file or directory)
deployment.user.security.trusted.certs
    $XDG_CONFIG_HOME/icedtea-web/security/trusted.certs (Possible: include an absolute path to a file or directory)
deployment.user.security.trusted.clientauthcerts
    $XDG_CONFIG_HOME/icedtea-web/security/trusted.clientcerts (Possible: include an absolute path to a file or directory)
deployment.user.security.trusted.jssecacerts
    $XDG_CONFIG_HOME/icedtea-web/security/trusted.jssecacerts (Possible: include an absolute path to a file or directory)
deployment.user.security.trusted.jssecerts
    $XDG_CONFIG_HOME/icedtea-web/security/trusted.jssecerts (Possible: include an absolute path to a file or directory)
Please try setting these properties in the deployment.properties file and see if it works.

Re: OWS certificates - How to

Posted: 28 Jul 2021, 15:57
by c.sottile
Hello,

I tried to carry out a test as you suggested, but I see that OWS expects the keystores to be defined inside a file in any case.
From the logs it doesn't seem that it refers to accessing the Windows store through SunMSCAPI.


I take this opportunity to ask you some other questions:

1. In which context is "trusted.clientautcerts" used by OWS? Is there an authenticity check on the client consuming the JNLP?

2. I understand "trusted.cacerts" and "trusted.certs" are used to verify the jar signatures. Are they also used for something else?

3. What do the certificates in the "trusted.certs" store refer to? Are they private CAs not publicly recognised, or intermediate CAs?


Waiting for your feedback.

Thanks,
Carmelo

Re: OWS certificates - How to

Posted: 30 Jul 2021, 16:20
by Stephan Classen
OWS expects all of the above to be Java key stores (.jks).

To your questions, these are the answers off the top of my head. It could be that I forget some details...

1. This is used for authentication in an mTLS connection (maybe there is a typo in the property name (h missing)).
2. They are also used for validating SSL connections.
3. trusted.certs points to leaf certificates, so no CA.
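As an added example (not OpenWebStart's own code), the following script resolves which trust-store files a deployment.properties selects, using the property names and defaults quoted from the manpage above and the SYSTEM-then-USER order stated in the thread, and checks that a store's first bytes are those of a Java key store, since the last reply says OWS expects .jks files. The sample properties, the env mapping and the paths are constructed for illustration.

```python
import struct
# Added example, not OpenWebStart's own code: which store files a
# deployment.properties selects (SYSTEM then USER), and are they JKS files.
JKS_MAGIC = 0xFEEDFEED  # every Java KeyStore (JKS) file starts with these 4 bytes
# Defaults as quoted from the manpage in the thread; the system-level client-auth
# key is spelled "clientautcerts" there and is kept as written.
DEFAULT_STORES = [
    ("system", "deployment.system.security.cacerts", "$JAVA_HOME/lib/security/cacerts"),
    ("system", "deployment.system.security.jssecacerts", "$JAVA_HOME/lib/security/jssecacerts"),
    ("system", "deployment.system.security.trusted.certs", "$JAVA_HOME/lib/security/trusted.certs"),
    ("system", "deployment.system.security.trusted.clientautcerts", "$JAVA_HOME/lib/security/trusted.clientcerts"),
    ("system", "deployment.system.security.trusted.jssecerts", "$JAVA_HOME/lib/security/trusted.jssecerts"),
    ("user", "deployment.user.security.trusted.cacerts", "$XDG_CONFIG_HOME/icedtea-web/security/trusted.cacerts"),
    ("user", "deployment.user.security.trusted.certs", "$XDG_CONFIG_HOME/icedtea-web/security/trusted.certs"),
    ("user", "deployment.user.security.trusted.clientauthcerts", "$XDG_CONFIG_HOME/icedtea-web/security/trusted.clientcerts"),
    ("user", "deployment.user.security.trusted.jssecacerts", "$XDG_CONFIG_HOME/icedtea-web/security/trusted.jssecacerts"),
    ("user", "deployment.user.security.trusted.jssecerts", "$XDG_CONFIG_HOME/icedtea-web/security/trusted.jssecerts"),
]
# Constructed sample: both levels pointed at one file, as suggested in the thread.
SAMPLE_PROPERTIES = """deployment.system.security.trusted.certs=/etc/ows/trusted.jks
deployment.user.security.trusted.certs=/etc/ows/trusted.jks"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def resolve_stores(props, env):
    """(level, key, path) tuples, system entries first; an explicit property wins
    over the default, and $VARS are expanded from the given env mapping."""
    out = []
    for level, key, default in DEFAULT_STORES:
        path = props.get(key, default)
        for var, val in env.items():
            path = path.replace("$" + var, val)
        out.append((level, key, path))
    return out

def is_jks_header(header):
    """True if the bytes (first 8 of a file) carry the JKS magic and version 1 or 2."""
    try:
        magic, version = struct.unpack(">II", header[:8])
    except struct.error:  # fewer than 8 bytes
        return False
    return magic == JKS_MAGIC and version in (1, 2)
```

Feed `is_jks_header` the first eight bytes of each resolved path to spot a PEM or JCEKS file placed where OWS expects a JKS.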