Details
Type: Improvement
Status: New
Priority: Major
Resolution: Unresolved
Affects Version/s: 3.20.0, 3.24.0
Fix Version/s: None
Component/s: Docker, Proxy Repository, SSL, Yum
Labels:
Story Points: 8
Notability: n/a
Description
Given a RHEL Satellite Server hosting YUM packages under 4 different paths at the same host name, an admin wishes to create 4 YUM proxy repos, one for each of the 4 base paths on that host.
PKI auth to the entitlement server is supported (NEXUS-12488); however, which private key NXRM responds with is determined by the underlying KeyManager implementation.
The default implementation is described as follows:
The JSSE handshake code currently calls into this class via chooseClientAlias() and chooseServerAlias() to find the certificates to use. As implemented here, both always return the first alias returned by getClientAliases() and getServerAliases(). In turn, these methods are implemented by calling getAliases(), which performs the actual lookup.
An admin who imports 4 private keys into a keystore file, one for each unique proxy repository remote URL, has no way to specify which of the 4 private keys to use. The first of the 4 is therefore chosen, which means only 1 of the 4 repos can be made to work.
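Because the 4 repositories share one host name and the URL path is not visible during the TLS handshake, a key manager cannot tell them apart by host, so the alias has to be fixed per SSLContext. An added example of that approach, not NXRM or JDK code; the class name PinnedAliasKeyManager, the method contextFor and the choice of the "SunX509" algorithm are assumptions:

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Hypothetical class (not NXRM code): answers every client-certificate request with one fixed keystore alias.
public class PinnedAliasKeyManager extends X509ExtendedKeyManager {
  private final X509KeyManager delegate;
  private final String alias;

  PinnedAliasKeyManager(X509KeyManager delegate, String alias) { this.delegate = delegate; this.alias = alias; }

  // Return the pinned alias only if the delegate offers it for a requested key type and issuer list;
  // otherwise return null so that no certificate is sent instead of the wrong one.
  private String pinned(String[] keyTypes, Principal[] issuers) {
    for (String keyType : keyTypes) {
      String[] candidates = delegate.getClientAliases(keyType, issuers);
      if (candidates == null) continue;
      for (String c : candidates) if (c.equalsIgnoreCase(alias)) return c; // keystores may lower-case aliases
    }
    return null;
  }

  @Override public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket s) { return pinned(keyTypes, issuers); }
  @Override public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine e) { return pinned(keyTypes, issuers); }
  @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
  @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
  @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket s) { return delegate.chooseServerAlias(keyType, issuers, s); }
  @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
  @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }

  // Build one SSLContext per proxy repository, each pinned to that repository's key entry.
  public static SSLContext contextFor(KeyStore keyStore, char[] keyPassword, String alias) throws Exception {
    if (!keyStore.isKeyEntry(alias)) throw new IllegalArgumentException("no private key entry: " + alias);
    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); // assumption: plain keystore aliases
    kmf.init(keyStore, keyPassword);
    for (KeyManager km : kmf.getKeyManagers()) {
      if (km instanceof X509KeyManager) {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new PinnedAliasKeyManager((X509KeyManager) km, alias) }, null, null);
        return ctx;
      }
    }
    throw new IllegalStateException("no X509KeyManager available");
  }
}
```

Each proxy repository's HTTP client would be given the socket factory of its own context, so the 4 connections to the same host present 4 different keys.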
Expected
Provide a supported way for an NXRM admin to specify which private key entry to use with a host requiring PKI auth.
Issue Links
- is related to: NEXUS-12488 remote https repository with TLS client certificate loaded in NXRM JVM keystore not trusted (Closed)
- relates: NEXUS-25463 Spike add native PKI certificate management support (New)