Tristan Tarrant updated ISPN-12726:
-----------------------------------
Status: Open (was: New)
Server should support a truststore for client cert validation
-------------------------------------------------------------
Key: ISPN-12726
URL: https://issues.redhat.com/browse/ISPN-12726
Project: Infinispan
Issue Type: Enhancement
Components: Security, Server
Affects Versions: 12.0.0.Final
Reporter: Tristan Tarrant
Assignee: Tristan Tarrant
Priority: Major
Fix For: 12.1.0.Final
While it is possible to authenticate clients using a certificate, this requires a trust
store realm which means adding all possible client certificates to the trust store. Simple
validation (not authentication) of certificates based on their trust chain is currently
not supported.
We should enhance the SSL server identity to support a truststore without requiring a
trust realm.
{code:xml}
<security-realm name="default">
  <server-identities>
    <ssl>
      <keystore path="server.pfx"
                keystore-password="secret" alias="server"/>
      <truststore path="ca.pfx" password="secret"/>
    </ssl>
  </server-identities>
</security-realm>
{code}
If a truststore is present, a client cert will be required on incoming connections.
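
The behaviour requested above, sketched with plain JSSE as an added example (not Infinispan code and not part of the original issue): a truststore holding only the CA makes the server require a client certificate and accept any that chains to that CA. The class and method names are hypothetical, the file names and password come from the sample configuration, and keystore `alias` selection is omitted.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;

// Illustration only: plain JSSE, not Infinispan code. File names and the
// password mirror the sample configuration in the issue.
public final class TrustChainServerTls {

    static KeyStore load(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // truststore == null models a realm with no <truststore> element.
    static SSLEngine serverEngine(Path keystore, char[] keyPass,
                                  Path truststore, char[] trustPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keystore, keyPass), keyPass);

        TrustManagerFactory tmf = null;
        if (truststore != null) {
            // The truststore holds only the issuing CA(s); any client certificate
            // that chains to one of them passes PKIX validation.
            tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(load(truststore, trustPass));
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf == null ? null : tmf.getTrustManagers(), null);
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        // Truststore present => handshake fails unless the client presents a valid chain.
        engine.setNeedClientAuth(truststore != null);
        return engine;
    }
    public static void main(String[] args) throws Exception {
        char[] pw = "secret".toCharArray();
        SSLEngine engine = serverEngine(Path.of("server.pfx"), pw, Path.of("ca.pfx"), pw);
        System.out.println("client certificate required: " + engine.getNeedClientAuth());
    }
}
```

Chain validation of this kind only establishes that the certificate was issued by a trusted CA; mapping the certificate subject to an identity and roles remains a separate authentication step.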