...

Code Block: Add HTTPS mutual authentication to Jetty (line numbers are referenced by the hints below)

    1  ## force use of client authentication certificates
    2  jetty.sslContext.needClientAuth=true
    3  jetty.sslContext.wantClientAuth=true
    4  jetty.sslContext.endpointIdentificationAlgorithm=

Hints

  • Line 2: if needClientAuth is set to true then a Client Certificate is required. If this setting is false and wantClientAuth is set to true then users have the choice between user/password based authentication and certificate based authentication.
  • Line 4: this setting looks weird; however, it is required due to a bug in Jetty 9.4, see https://github.com/eclipse/jetty.project/issues/3466. With later Jetty releases that fix this bug the setting will not be required.

...

Client Certificate Management

Self-signed certificates and certificates signed by trusted root certification authorities can be used.

For use with self-signed certificates the root certificate has to be added to the Client's certificate store. Certificates from trusted root certification authorities are frequently already available in a Client's key store.

Certificate Store

The client holds its private key and certificate in its key store. 

  • The private key is created by the client when generating a key pair, either for a self-signed certificate or for a certificate signing request (CSR) that is submitted to its CA.
  • For CA signed certificates the client's certificate store includes the certificate chain, i.e. the client certificate and the root certificate/intermediate certificate(s) that have been used to sign the client's certificate.
  • Frequently private key and certificate(s) are stored in a PKCS12 key store that comes with a .pfx or .p12 file extension. However, other file formats for private key and certificate(s) are available.
  • The client's key store has to be imported into the client's certificate store. The location of the certificate store depends on the client application that is used to access JOC Cockpit:
    • Browser Clients
      • Firefox (any platform): supports use of an individual certificate store that is available with the browser, see Options -> Privacy & Security -> Certificates.
      • Chrome, Vivaldi, Edge (Windows): supports use of the Windows Certificate Store
      • Chrome, Vivaldi (Linux): supports use of an individual certificate store that is available with the browser, see Options -> Privacy
      • Chrome, Safari (Mac OS): supports use of the Mac OS Certificate Store
    • REST Clients
      • JS7 PowerShell Module (Connect-JS7): Windows, Linux, Mac OS: supports use of a Key Store (.p12); Windows: supports use of the Windows Certificate Store
      • JobScheduler PowerShell Module (Connect-JobScheduler): Windows, Linux, Mac OS: supports use of a Key Store (.p12); Windows: supports use of the Windows Certificate Store
      • Other REST Clients: REST clients implemented with programming languages or scripting languages follow individual approaches to manage a certificate store.
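
The two key store layouts listed above (a self-signed client certificate, and a CA-signed client certificate bundled with its chain) as an added, runnable example that is not part of the JOC Cockpit documentation or the JS7 PowerShell module. It uses the openssl command line to build both .p12 key stores in a temporary directory, counts the certificates each one carries, and verifies the leaf certificate against a chosen root the way a server-side trust check would. All subjects, file names and the password are constructed for the demo; make_selfsigned_p12, make_ca_signed_p12, p12_cert_count and p12_chain_ok are the example's own helper functions, not tooling from the page.

```sh
#!/bin/sh
# Added example (not part of the JOC Cockpit docs): build the two client key
# store layouts described above and verify the chain each one carries.
# Everything below (subjects, file names, password) is constructed for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/js7-clientcert-demo.$$"
mkdir -p "$WORK"
PASS="demo-changeit"   # constructed key store password, do not reuse

# (a) self-signed client certificate: the key pair and certificate are created
#     in one step; the certificate itself is what the server has to trust.
make_selfsigned_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=js7-client-selfsigned" \
    -keyout "$WORK/self.key" -out "$WORK/self.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/self.key" -in "$WORK/self.crt" \
    -name js7-client -passout "pass:$PASS" -out "$WORK/self.p12"
  echo "$WORK/self.p12"
}

# (b) CA-signed client certificate: key pair + CSR on the client side, the
#     CSR is signed by a (here: throw-away) root CA, and key + leaf + CA chain
#     are bundled into one PKCS12 key store via -certfile.
make_ca_signed_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=js7-client-casigned" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
  # mark the leaf for client authentication, as a real CA profile would
  printf 'extendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
  openssl x509 -req -days 365 -in "$WORK/client.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/client.ext" -out "$WORK/client.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -certfile "$WORK/ca.crt" -name js7-client -passout "pass:$PASS" \
    -out "$WORK/client.p12"
  echo "$WORK/client.p12"
}

# p12_cert_count P12 -> number of certificates in the key store
# (1 for the self-signed layout, 2 for leaf + root in the CA-signed layout)
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# p12_chain_ok P12 TRUSTED_ROOT -> "ok" if the leaf certificate that belongs to
# the private key verifies against TRUSTED_ROOT, "fail" otherwise. This is the
# check a server performs against its trust store when the client presents
# the certificate; a missing root is the usual cause of a rejected login.
p12_chain_ok() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
    > "$WORK/leaf.pem"
  if openssl verify -CAfile "$2" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

SELF_P12=$(make_selfsigned_p12)
CLIENT_P12=$(make_ca_signed_p12)
echo "self-signed store: $SELF_P12 ($(p12_cert_count "$SELF_P12") cert)"
echo "CA-signed store:   $CLIENT_P12 ($(p12_cert_count "$CLIENT_P12") certs)"
echo "self-signed leaf against itself:          $(p12_chain_ok "$SELF_P12" "$WORK/self.crt")"
echo "CA-signed leaf against its own root:      $(p12_chain_ok "$CLIENT_P12" "$WORK/ca.crt")"
echo "CA-signed leaf against an unrelated root: $(p12_chain_ok "$CLIENT_P12" "$WORK/self.crt")"
```

The last two lines show the point of the paragraph above: the same CA-signed key store verifies when the server's trust store holds the issuing root and is rejected when it holds some other certificate, so importing the .p12 on the client is only half of the setup; the matching root has to be present on the verifying side as well.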

...

X.509 certificates with RSA or ECDSA keys can be used.

Certificate Verification

When a Client, e.g. a browser, connects to the JOC Cockpit server, JOC Cockpit challenges the Client to present its Client Authentication Certificate.

...