Details
- Improvement
- Resolution: Fixed
- Major
Description
We are working to integrate X.509 certificate authentication into our environment. Currently the Java client uses a single keystore file for both the trust store (containing the root and intermediate CA certificates used to validate the server certificate) and the client certificate that is supplied to the server.
This causes a number of problems in our environment. We maintain a "global" trust store file that is distributed to all our machines and contains the root and intermediate CA certs. However, the per-client certificate is stored in a separate file and we have not found an acceptable way to merge these into a single file for compatibility with the Couchbase client.
Our security team has reviewed the Couchbase client code and mentioned that they would prefer not to see the same keystore instance shared for the key store and trust store. Specifically, they mentioned SSLEngineFactory.java lines 72-73.
Can we have the java client accept two separate files instead?
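For reference, the separation this request asks for looks like the following in plain JSSE. This is an added example, not the Couchbase client's code: the client certificate and private key are loaded from one file into a KeyManager, the shared CA bundle from a second file into a TrustManager, and the trust store is checked to hold no private key before it is used. Paths, passwords and store types (PKCS12 for the client store, JKS for the global trust store) are assumptions.

```java
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;

public final class SplitStoreSslContext {

    // Loads a JKS or PKCS12 store from disk.
    static KeyStore load(String path, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // A trust store that is copied to every machine must hold only certificate
    // entries; a private key in it would be distributed along with it.
    static void requireNoKeyEntries(KeyStore trustStore) throws Exception {
        for (String alias : Collections.list(trustStore.aliases())) {
            if (trustStore.isKeyEntry(alias)) {
                throw new IllegalStateException("trust store holds a private key: " + alias);
            }
        }
    }

    // Client certificate and private key come from one file, CA trust anchors from
    // another. Only the TrustManager decides which server certificates are accepted;
    // the key store plays no part in that decision.
    public static SSLContext build(String keyStorePath, char[] keyStorePassword,
                                   String trustStorePath, char[] trustStorePassword) throws Exception {
        KeyStore keyStore = load(keyStorePath, keyStorePassword, "PKCS12");   // assumed type
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePassword);

        KeyStore trustStore = load(trustStorePath, trustStorePassword, "JKS"); // assumed type
        requireNoKeyEntries(trustStore);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

A caller passes the per-host client store and the read-only global trust store as two separate arguments, so the global file can be rotated or redistributed without touching any private key.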