  1. Dev - Nexus Repo
  2. NEXUS-23362

Deleting SSL Trusted Certificates after migrating from OrientDB to PostgreSQL/H2 results in WARN log spam

    Details

      Description

      After migration to the new DB (H2 and Postgres), on removal of an SSL certificate, I see the WARN below. This warning is not observable on non-H2 3.22-SNAPSHOT nor in 3.21.1 pre-migration Orient.

      2020-03-30 20:07:11,609+0300 INFO  [qtp337450615-194] admin com.sonatype.nexus.ssl.plugin.internal.TrustStoreImpl - Certificate removed successfully from trust-store with Fingerprint : 28:BB:D0:9C:B2:31:CB:81:0D:D3:9B:6C:41:4D:23:D1:FC:26:AD:38, Name : CN=new_test.test.com and SHA1 Identifier : 28BBD09CB231CB810DD39B6C414D23D1FC26AD38
      2020-03-30 20:07:11,643+0300 WARN  [qtp337450615-192] admin com.sonatype.nexus.ssl.plugin.internal.keystore.KeyStoreManagerImpl - Trust-store reports it contains certificate for alias '28:bb:d0:9c:b2:31:cb:81:0d:d3:9b:6c:41:4d:23:d1:fc:26:ad:38' but certificate is null
      

      Analysis found that Orient DB trustCerts are saved in lowercase, like
      trustCerts = 28:bb:d0:9c:b2:31:cb:81:0d:d3:9b:6c:41:4d:23:d1:fc:26:ad:38, and the alias (fingerprint) is received in uppercase:
      alias = 28:BB:D0:9C:B2:31:CB:81:0D:D3:9B:6C:41:4D:23:D1:FC:26:AD:38.

      When we're using H2 or Postgres DBs (migrated from Orient), we can see a WARN message saying that the trustCerts record is still present on delete. It wasn't deleted because the alias (fingerprint) was received in uppercase and the saved record is in lowercase.

      This is not an issue for DBs migrated with no SSL certificates either.

      Expected

      Any in-memory cache of certificates needs to be properly updated on cert delete. Avoid the WARN log messages as they don't match what is actually stored in the database.

              People

              Assignee: Unassigned
              Reporter: Joe Tom (jtom)
              Last Updated By: Peter Lynch
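The case mismatch described in the analysis, reproduced as an added Java example (not Nexus Repository code and not from the reporter). AliasStore, deleteExact, deleteNormalized and canonical are hypothetical names, and a case-sensitive map stands in for the persisted trustCerts records; the two alias strings are the ones from the log lines in the report.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

// Added illustration; not Nexus Repository code. AliasStore is a hypothetical
// stand-in for a case-sensitive persisted table of trusted certificates.
public class AliasNormalizationDemo {

  static final class AliasStore {
    // alias (fingerprint) -> certificate body (placeholder string here)
    private final Map<String, String> rows = new HashMap<>();

    void put(String alias, String pem) { rows.put(alias, pem); }

    boolean contains(String alias) { return rows.containsKey(alias); }

    // Exact-match delete: succeeds only when the caller's case matches the stored case.
    boolean deleteExact(String alias) { return rows.remove(alias) != null; }

    // Normalizing delete: canonicalize both sides before comparing, so rows
    // written in either case are found and removed.
    boolean deleteNormalized(String alias) {
      String wanted = canonical(alias);
      return rows.keySet().removeIf(k -> canonical(k).equals(wanted));
    }
  }

  // Canonical form assumed for this example: trimmed, lowercase, locale-independent.
  static String canonical(String alias) {
    return alias.trim().toLowerCase(Locale.ROOT);
  }

  public static void main(String[] args) {
    // Stored form (lowercase, as migrated) and requested form (uppercase, as received).
    String stored = "28:bb:d0:9c:b2:31:cb:81:0d:d3:9b:6c:41:4d:23:d1:fc:26:ad:38";
    String requested = "28:BB:D0:9C:B2:31:CB:81:0D:D3:9B:6C:41:4D:23:D1:FC:26:AD:38";

    AliasStore store = new AliasStore();
    store.put(stored, "<certificate placeholder>");

    System.out.println("exact delete removed row:      " + store.deleteExact(requested));
    System.out.println("row still present afterwards:  " + store.contains(stored));
    System.out.println("normalized delete removed row: " + store.deleteNormalized(requested));
    System.out.println("row still present afterwards:  " + store.contains(stored));
  }
}
```

Normalizing once at the boundary where the alias enters the delete path keeps every layer that holds the certificate (persisted record, any in-memory cache) comparing the same string.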