Uploaded image for project: 'Red Hat Fuse'
  1. Red Hat Fuse
  2. ENTESB-17779

Fuse console client auth fails when multiple cert authorities are present in jolokia caCert file

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Not a Bug
    • Icon: Major Major
    • fuse-7.11-GA
    • fuse-7.4-GA
    • Fuse Console, Hawtio
    • None
    • False
    • False
    • % %
    • Todo
    • Hide

      Use a configmap to mount a new CA cert file with only the single trusted CA, and configure Jolokia to use that file instead via an environment variable

      name: AB_JOLOKIA_OPTS
      value: caCert=/path/to/custom-service-ca.crt

      Show
      Use a configmap to mount a new CA cert file with only the single trusted CA, and configure Jolokia to use that file instead via an environment variable name: AB_JOLOKIA_OPTS value: caCert=/path/to/custom-service-ca.crt

      The Jolokia process uses the caCert parameter to determine which client certificates are trusted for client authentication. Jolokia expects a single cert in the following location:

      $ oc rsh $APP_POD cat /opt/jolokia/etc/jolokia.properties | egrep "useSsl|caCert"
      useSslClientAuthentication=true
      caCert=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
      

      If multiple CA certs are present in that location, and the signer of the Fuse Console client cert is not first in the list, client authentication will fail with a PKIX path building error. The expected CA cert is the service serving signer cert:

      $ oc exec $APP_POD -- cat /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt | openssl x509 -text -noout | grep Issuer
      Issuer: CN = openshift-service-serving-signer@1636040859
      

      In some cases, multiple certs are present and Jolokia only trusts the first in the list, for example:

       Issuer:  CN=kube-apiserver-lb-signer, OU=openshift
      

            mmelko@redhat.com Matej Melko
            rhn-support-shiggs Stephen Higgs
            Juri Solovjov Juri Solovjov
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved: