...
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
## force use of client authentication certificates jetty.sslContext.needClientAuth=true jetty.sslContext.wantClientAuth=true jetty.sslContext.endpointIdentificationAlgorithm= |
Hints
- Line 2: if
needClientAuth
is set totrue
then a Client Certificate is required. If this setting isfalse
and thewantCientAuth
setting istrue
then users have the option for user/password based authentication or certificate based authentication. - Line 4: this setting looks weird, however, it is required due to a bug in Jetty 9.4, see https://github.com/eclipse/jetty.project/issues/3466. With later releases of Jetty that fix this bug the setting will not be required.
...
Client Certificate Management
Self-signed certificates and certificates signed by trusted root certification authorities can be used.
For use with self-signed certificates the root certificate has to be added to the Client's certificate store. Certificates from trusted root certification authorities frequently are available from a Client's key store.
Certificate Store
The client holds its private key and certificate in its key store.
- The private key is created by the client when generating a key pair for a self-signed certificate and respectively when creating a certificate signing request (CSR) for its CA.
- For CA signed certificates the client's certificate store includes the certificate chain, i.e. client certificate and root certificate/intermediate certificate(s) that have been used to sign the client's certificate.
- Frequently private key and certificate(s) are stored in a PKCS12 key store that comes with a .pfx or .p12 file extension. However, other file formats for private key and certificate(s) are available.
- The clients' key store has to be imported into the client's certificate store. The location of the certificate store depends on the client application that is used to access JOC Cockpit:
- Browser Clients
- FireFox (any platform): supports use of an individual certificate store that is available with the browser, see Options -> Privacy & Security -> Certificates.
- Chrome, Vivaldi, Edge (Windows): supports use of the Windows Certificate Store
- Chrome, Vivaldi (Linux): supports use of an individual certificate store that is available with the browser, see Options -> Privacy
- Chrome, Safari (Mac OS): supports use of the Mac OS Certificate Store
- REST Clients
- JS7 PowerShell Module (Connect-JS7): Windows, Linux, Mac OS: supports use of a Key Store (.p12); Windows: supports use of the Windows Certificate Store
- JobScheduler PowerShell Module (Connect-JobScheduler): Windows, Linux, Mac OS: supports use of a Key Store (.p12); Windows: supports use of the Windows Certificate Store
- Other REST Clients: REST clients implemented with programming languages or scripting languages follow individual approaches to manage a certificate store.
- Browser Clients
...
X.509 Certificates with RSA or ECDSA encryption algorithms can be used.
Certificate Management
Self-signed certificates and certificates signed by trusted root certification authorities can be used.For use with self-signed certificates the root certificate has to be added to the Client's certificate store. Certificates from trusted root certification authorities frequently are available from a Client's key store.
Certificate Verification
When connecting from a Client, e.g. a browser, to the JOC Cockpit server then JOC Cockpit will challenge the Client to present its Client Authentication Certificate.
...