Hi all,
Some questions about using certificates in OWS.
From the OWS console (itw-settings) you can set system-level (\openwebstart\jre\lib\security\) and user-level certificates ([user]\.config\icedtea-web\security\).
1. What logic does OWS use to query the system keystore and user keystore?
2. What are the preconditions to consider if you need to add certificates to OpenWebStart keystores?
Thx,
Carmelo
OWS certificates - How to
Re: OWS certificates - How to
OWS will look in different locations for certificates.
It distinguishes between system and user level.
The default location for the user level is "[user]\.config\icedtea-web\security\" and the default for the system level is "[JVM]\jre\lib\security\".
Be aware of the fact that [JVM] will change, as there are two distinct JVMs involved in launching an application.
There are settings to control all of the store locations:
- deployment.user.security.trusted.cacerts
- deployment.user.security.trusted.jssecacerts
- deployment.user.security.trusted.certs
- deployment.user.security.trusted.jssecerts
- deployment.user.security.trusted.clientauthcerts
- deployment.system.security.cacerts
- deployment.system.security.jssecacerts
- deployment.system.security.trusted.certs
- deployment.system.security.trusted.jssecerts
- deployment.system.security.trusted.clientautcerts
Re: OWS certificates - How to
Is it allowed to constrain OWS to use specific keystores?
Does OWS apply some priority between user and system keystores?
Is it also allowed to constrain OWS to use only system keystores?
Re: OWS certificates - How to
The order is SYSTEM, then USER.
There is no way to block either one of them.
But you can point them to the same file, effectively making them the same.
Re: OWS certificates - How to
OK, thanks a lot for your feedback.
Another question! Is it possible to constrain OWS to access the Windows keystore, Windows-ROOT or Windows-MY?
Our customer is a large company and its deployment system periodically updates this keystore on the users' local machines.
Re: OWS certificates - How to
Hi all,
any feedback for me?
Thanks
Re: OWS certificates - How to
https://manpages.debian.org/buster/iced ... 1.en.html lists properties like the ones below.
Please try setting these properties in the deployment.properties file and see if it works.

deployment.system.security.cacerts
    $JAVA_HOME/lib/security/cacerts (Possible: include an absolute path to a file or directory)
deployment.system.security.jssecacerts
    $JAVA_HOME/lib/security/jssecacerts (Possible: include an absolute path to a file or directory)
deployment.system.security.policy
    null (Possible: include any valid url (eg. http://icedtea.classpath.org/hg/))
deployment.system.security.trusted.certs
    $JAVA_HOME/lib/security/trusted.certs (Possible: include an absolute path to a file or directory)
deployment.system.security.trusted.clientautcerts
    $JAVA_HOME/lib/security/trusted.clientcerts (Possible: include an absolute path to a file or directory)
deployment.system.security.trusted.jssecerts
    $JAVA_HOME/lib/security/trusted.jssecerts (Possible: include an absolute path to a file or directory)

deployment.user.security.trusted.cacerts
    $XDG_CONFIG_HOME/icedtea-web/security/trusted.cacerts (Possible: include an absolute path to a file or directory)
deployment.user.security.trusted.certs
    $XDG_CONFIG_HOME/icedtea-web/security/trusted.certs (Possible: include an absolute path to a file or directory)
deployment.user.security.trusted.clientauthcerts
    $XDG_CONFIG_HOME/icedtea-web/security/trusted.clientcerts (Possible: include an absolute path to a file or directory)
deployment.user.security.trusted.jssecacerts
    $XDG_CONFIG_HOME/icedtea-web/security/trusted.jssecacerts (Possible: include an absolute path to a file or directory)
deployment.user.security.trusted.jssecerts
    $XDG_CONFIG_HOME/icedtea-web/security/trusted.jssecerts (Possible: include an absolute path to a file or directory)
Re: OWS certificates - How to
Hello,
I tried to carry out a test as you suggested, but I see that OWS expects the keystores to be defined inside a file in any case.
From the logs it doesn't seem that it accesses the Windows store through SunMSCAPI.
I take this opportunity to ask you some other questions:
1. In which context are the "trusted.clientautcerts" used by OWS? Is there an authenticity check on the client consuming the JNLP?
2. I understand the "trusted.cacerts" and "trusted.certs" are used to verify the jar signatures. Are they also used for something else?
3. What do the certificates in the "trusted.certs" store refer to? Are they private CAs not trusted by default, or intermediate CAs?
Waiting for your feedback.
Thanks,
Carmelo
Re: OWS certificates - How to
OWS expects all of the above to be Java keystores (.jks).
To your questions, these are the answers off the top of my head. It could be that I forget some details...
1. This is used for authentication in an mTLS connection (maybe there is a typo in the property name (h missing)).
2. They are also used for validating SSL connections.
3. trusted.certs points to leaf certificates, so no CA.
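Added example (not OpenWebStart's own code) tying the thread together: it reads the cacerts property names listed above from a deployment.properties file, loads each store as a JKS (the only format OWS accepts, as stated above) and checks them in the stated SYSTEM-then-USER order for a given certificate. The default paths and the class name are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Properties;

/** Example only: resolve the trusted.cacerts stores from deployment.properties
 *  and look a certificate up SYSTEM first, then USER, the order given in the thread. */
public class OwsTrustLookup {
    // Property names as listed in the thread; fallback paths are assumed examples.
    static final String SYS_KEY = "deployment.system.security.cacerts";
    static final String USR_KEY = "deployment.user.security.trusted.cacerts";
    static final String SYS_DEFAULT = "/opt/openwebstart/jre/lib/security/cacerts";
    static final String USR_DEFAULT = System.getProperty("user.home")
            + "/.config/icedtea-web/security/trusted.cacerts";

    /** Load a JKS file; a missing store is treated as an empty one. */
    static KeyStore loadJks(Path path) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        if (!Files.exists(path)) { ks.load(null, null); return ks; }
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, null); // null password: read entries without an integrity check
        }
        return ks;
    }

    /** Returns "SYSTEM" or "USER" for the first store containing cert, or null if neither does. */
    static String whereTrusted(Properties props, Certificate cert) throws Exception {
        String[][] stores = {
            {"SYSTEM", props.getProperty(SYS_KEY, SYS_DEFAULT)},
            {"USER",   props.getProperty(USR_KEY, USR_DEFAULT)},
        };
        for (String[] store : stores) {
            KeyStore ks = loadJks(Paths.get(store[1]));
            if (ks.getCertificateAlias(cert) != null) return store[0]; // exact match on the cert
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        Properties props = new Properties();
        try (InputStream in = new FileInputStream(args[0])) { props.load(in); } // deployment.properties
        Certificate cert;
        try (InputStream in = new FileInputStream(args[1])) {                   // PEM or DER cert to check
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        String where = whereTrusted(props, cert);
        System.out.println(where == null ? "not trusted by either store" : "trusted via " + where + " store");
    }
}
```

If you follow the advice above and point both properties at the same file, the USER lookup simply re-reads the SYSTEM store, so the result is the same either way.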