Dev - Nexus Repo
NEXUS-24420

add support for specifying which private key entry to use per proxy repository outbound PKI auth


    Details

    • Type: Improvement
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.20.0, 3.24.0
    • Fix Version/s: None
    • Component/s: Docker, Proxy Repository, SSL, Yum
    • Labels: (none)
    • Story Points: 8
    • Notability: n/a

      Description

      Given a RHEL Satellite Server hosting YUM packages under 4 different base paths on the same host name.

      An admin wishes to create 4 YUM proxy repositories pointing at that one host name, one per base path.

      PKI auth to the entitlement server is supported ( NEXUS-12488 ); however, the private key that NXRM presents in the TLS client-authentication handshake is chosen by the underlying KeyManager implementation:

      https://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/4687075d8ccf/src/share/classes/sun/security/ssl/SunX509KeyManagerImpl.java#l52

      The default behaviour, as described in the source comment of that class:

      The JSSE handshake code currently calls into this class via chooseClientAlias() and chooseServerAlias() to find the certificates to use. As implemented here, both always return the first alias returned by getClientAliases() and getServerAliases(). In turn, these methods are implemented by calling getAliases(), which performs the actual lookup.

      An admin who imports 4 private keys into a keystore file, one for each unique proxy repository remote URL, has no way to specify which of the 4 private keys to use for a given repository. The first of the 4 is therefore always chosen, so only 1 of the 4 repositories can be made to work.

      Expected

      Provide a supported way for an NXRM admin to specify which private key entry to use with a host requiring PKI auth.

      People

      Assignee: Unassigned
      Reporter: plynch Peter Lynch
      Last Updated By: Dawid Sawa
      Team: NXRM - Mad Max
      Votes: 1
      Watchers: 8
