Hi, I have tested and verified that it's not needed to add the trusted certificates to the JVM trust store for the X509 authenticator if we have properly configured the trust store in catalina-server.xml. It's not correct to add those certificates to the JVM trust store, since that affects all the WSO2 and non-WSO2 products globally as well. We should update the WSO2 documentation accordingly; I have created a doc Jira in [1].
[1] https://wso2.org/jira/browse/DOCUMENTATION-7697

Thanks and Regards

On Wed, Jan 24, 2018 at 9:33 AM, Shakila Sasikaran <shak...@wso2.com> wrote:

> Hi,
>
> As I understand, if we want to make an SSL connection and the certificate
> issued by the CA is not listed in the Java trust store, the connection will
> fail even if the root certificate is recognised by the browser, because
> when the SSL connection is made, the runtime validates the server's
> identity against the CA certificate which is included in the local database.
>
> Therefore, IMO we have to add it to the JVM.
>
> Thanks
>
> On Wed, Jan 24, 2018 at 8:46 AM, Samisa Abeysinghe <sam...@wso2.com> wrote:
>
>> My message got blocked due to the customer name and got that removed.
>>
>> You have copied internal groups with the dev mails (dev@org with
>> iam-group). This is asking for trouble. Either keep it public or private.
>>
>> Thanks,
>> Samisa...
>>
>> Samisa Abeysinghe
>> Chief Engineering and Delivery Officer
>> WSO2 Inc.
>> http://wso2.com
>>
>> On Wed, Jan 24, 2018 at 8:34 AM, Indunil Upeksha Rathnayake <indu...@wso2.com> wrote:
>>
>>> Hi Samisa,
>>>
>>> This mail has been sent to dev@wso2.org before the support ticket was
>>> raised. Please note that Rajas is the person who worked with the X509
>>> authenticator, so I added his personal email, since this is a discussion in
>>> dev.
>>>
>>> Thanks and Regards
>>>
>>> On Wed, Jan 24, 2018 at 8:21 AM, Samisa Abeysinghe <sam...@wso2.com> wrote:
>>>
>>>> Who is hmrajas1...@gmail.com and why have we copied that email address
>>>> in a private company discussion that is security related???
>>>>
>>>> Also, is this related to support.wso2.com/jira/browse/NGTDEV-5?
>>>>
>>>> If yes, we need to get back to the support ticket and respond within today!
>>>>
>>>> Thanks,
>>>> Samisa...
>>>>
>>>> On Fri, Jan 19, 2018 at 10:02 AM, Indunil Upeksha Rathnayake <indu...@wso2.com> wrote:
>>>>
>>>>> Adding Rajas and connector team members
>>>>>
>>>>> On Thu, Jan 18, 2018 at 5:58 PM, Indunil Upeksha Rathnayake <indu...@wso2.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> As per the documentation in [1], the certificate of the CA which issued
>>>>>> the client certificate should be added into the JVM trust store. Please
>>>>>> find the following concerns regarding this.
>>>>>>
>>>>>> - We should add the CA certificate which issued the client
>>>>>>   certificate as a certificate authority in the browser, so that it will
>>>>>>   be added to the root certificate store in the browser.
>>>>>>
>>>>>>   The CA certificates in the root certificate store will determine which
>>>>>>   endpoints we will be allowed to communicate with; in this case it will
>>>>>>   allow the client to connect to whichever server presents a certificate
>>>>>>   which was signed by one of the certificate authorities.
>>>>>>
>>>>>> - During mutual SSL with the X509 authenticator, there is no need
>>>>>>   to consider the JVM trust store on the client side, since this is a direct
>>>>>>   call from the browser to the server.
>>>>>>
>>>>>> - During mutual SSL with the X509 authenticator, there is no need
>>>>>>   to consider the JVM trust store on the server side, since on the server side
>>>>>>   we have a configured trust store. The JVM trust store is needed only if the
>>>>>>   server's configured trust store is not loaded into the SSLContext.
>>>>>>
>>>>>> So, AFAIU, it is not needed to add the CA certificate into the JVM trust
>>>>>> store on either the client or the server side. WDYT?
>>>>>>
>>>>>> Appreciate your ideas on this.
>>>>>>
>>>>>> [1] https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator#ConfiguringX509CertificateAuthenticator-Workingwithcertificates
>>>>>>
>>>>>> Thanks and Regards
>>>>>> --
>>>>>> Indunil Upeksha Rathnayake
>>>>>> Software Engineer | WSO2 Inc
>>>>>> Email indu...@wso2.com
>>>>>> Mobile 0772182255
>
> --
> Shakila Sasikaran
> Software Engineer
> Mobile: +94 (0) 77 526 6848
> shak...@wso2.com
> WSO2, Inc.
> lean . enterprise . middleware
> http://www.wso2.com/

--
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com
Mobile 0772182255
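The point argued in this thread, that the trust store loaded into the listener's SSLContext decides whether a client certificate is accepted and the JVM-wide trust store plays no part in it, can be checked end to end. The Go program below is an added example, not code from the thread or from WSO2; it uses Go's crypto/tls as a stand-in for the Tomcat connector because the Go standard library can mint throwaway certificates inline, which the JDK alone cannot. It builds a private CA with one server leaf and one client leaf (constructed fixtures), then runs the same mutual-TLS handshake over loopback twice: once with the CA loaded into the listener's own trust pool (the analogue of `truststoreFile` in catalina-server.xml) and once with the listener relying on the host's default root store alone (the analogue of expecting the JVM cacerts to do the job). The names `must`, `mintCert`, `mutualTLSHandshake` and `demo` are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mintCert creates a constructed fixture: a self-signed private CA when parent is nil, else a leaf signed by parent.
func mintCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		DNSNames:              []string{"localhost"},
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed: the template signs itself
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// mutualTLSHandshake runs one mutual-TLS handshake over loopback TCP and returns the server's
// verdict: nil when it accepted the client certificate against clientCAs, else the verification
// error. A nil clientCAs makes Go fall back to the host's default root store (the JVM cacerts analogue).
func mutualTLSHandshake(caPool *x509.CertPool, server, client tls.Certificate, clientCAs *x509.CertPool) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			verdict <- err
			return
		}
		defer conn.Close()
		verdict <- tls.Server(conn, &tls.Config{
			Certificates: []tls.Certificate{server},
			ClientAuth:   tls.RequireAndVerifyClientCert, // clientAuth="true" on the connector
			ClientCAs:    clientCAs,                      // the listener's own trust store
		}).Handshake()
	}()
	// Browser side: trusts the private CA for the server certificate and presents its client certificate.
	// With TLS 1.3 the client's Handshake returns before the server has checked it, so the server decides.
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{client},
		RootCAs:      caPool,
		ServerName:   "localhost",
	})
	if err != nil {
		return err // TCP failure, or a TLS 1.2 server that already refused the client certificate
	}
	defer conn.Close() // stays open until the server has reached its verdict
	return <-verdict
}

// demo runs the handshake with the CA in the listener's trust store (what truststoreFile in
// catalina-server.xml loads) and again with the listener relying on the default root store alone.
func demo() (configuredStore, defaultRootsOnly error) {
	ca, caKey := mintCert("Demo Private CA", nil, nil)
	srvLeaf, srvKey := mintCert("localhost", ca, caKey)
	cliLeaf, cliKey := mintCert("alice", ca, caKey)
	server := tls.Certificate{Certificate: [][]byte{srvLeaf.Raw}, PrivateKey: srvKey}
	client := tls.Certificate{Certificate: [][]byte{cliLeaf.Raw}, PrivateKey: cliKey}
	caPool := x509.NewCertPool()
	caPool.AddCert(ca)
	return mutualTLSHandshake(caPool, server, client, caPool), mutualTLSHandshake(caPool, server, client, nil)
}

func main() {
	ok, rejected := demo()
	fmt.Printf("CA in the listener's trust store: %v\ndefault root store only: %v\n", ok, rejected)
}
```

Run it with `go run`. The first handshake is accepted and the second is refused with a certificate verification error: only what is loaded into the listener's trust store is consulted, nothing else. That is the separation the thread describes, and it cuts both ways: a connector that builds its SSLContext from its own `truststoreFile` gains nothing from a CA added to the JVM trust store, while that JVM-wide addition widens what every other Java process on the host will trust.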
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev