Configured private key alias not used by server in SSL browser session, still uses 'cis_server_strong'.
Article ID: KB0078701
Products: TIBCO Data Virtualization
Versions: v7.0.x, v8.x
Description
How this manifests:
After configuring TDV to enable SSL client sessions with your own certificate and private key added into our keystore, your browser's Manager session warns you of an unsafe connection or unknown host.
When you use the browser to examine the certificates in your session, it shows that the alias is still 'cis_server_strong', despite the TDV server's config setting "Keystore Key Alias" being set to <your private key's alias>. When booting in DEBUG mode, our server bootup routine correctly displays your intended <your private key's alias>, which conflicts with what the browser shows.
Example snippet from bootup in cs_server.log:
keystore information:
keystore type "JKS"
keystore provider "SUN version 1.8"
keystore size "1" keys
key alias "<your private key's alias>"
key algorithm "RSA"
key format "PKCS#8"
key size "2048" (bits : value of zero means unknown key size)
Issue/Introduction
This concerns configuring the server to use SSL with your own certificate and private key.
Resolution
At the time of this writing, there is an open bug (CIS-73788) where our server will continue to prioritize our default alias 'cis_server_strong' if it is present in the keystore. It is normally valid for a keystore to contain multiple aliases.
The workaround is to use the Java keytool to delete the 'cis_server_strong' alias from our keystore. Example:
keytool -delete -alias cis_server_strong -keystore <your keystore jks file>
After removing the 'cis_server_strong' alias from the keystore, restart the TDV server. The browser Manager session will then identify your correct alias and show a safe connection to TDV.
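One way to confirm the keystore contents around the workaround, as an added example (not TIBCO's own tooling): it parses `keytool -list` output and reports whether 'cis_server_strong' is still present alongside your alias. The alias my_tdv_key, the .bak backup copy and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not TIBCO code. The alias my_tdv_key is hypothetical.
DEFAULT_ALIAS="cis_server_strong"   # default alias named in this article

# Print the alias of each entry found in `keytool -list` output on stdin.
list_aliases() {
    awk -F', ' '/(PrivateKeyEntry|trustedCertEntry), *$/ { print $1 }'
}

# Check a listing read from stdin against the alias you configured.
# Returns 0 if the default alias is gone and the intended alias is present,
# 1 if the default alias is still there, 2 if the intended alias is missing.
check_listing() {
    intended=$1
    aliases=$(list_aliases)
    # -i: JKS stores aliases in lower case, so compare case-insensitively.
    if printf '%s\n' "$aliases" | grep -qixF "$DEFAULT_ALIAS"; then return 1; fi
    if ! printf '%s\n' "$aliases" | grep -qixF "$intended"; then return 2; fi
    return 0
}

# Apply the workaround: keep a backup copy (an added precaution), delete the
# default alias, then confirm the result. keytool prompts for the password.
remove_default_alias() {
    ks=$1; intended=$2
    cp -p "$ks" "$ks.bak" || return 3
    keytool -delete -alias "$DEFAULT_ALIAS" -keystore "$ks" || return 3
    keytool -list -keystore "$ks" | check_listing "$intended"
}

# Constructed sample of a listing taken before the workaround is applied.
SAMPLE_BEFORE='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

cis_server_strong, Jan 1, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA1): (constructed sample, value omitted)
my_tdv_key, Mar 3, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA1): (constructed sample, value omitted)'

# Demo on the sample: reports status 1 because the default alias is listed.
printf '%s\n' "$SAMPLE_BEFORE" | check_listing my_tdv_key \
    || echo "check_listing status $?: see the function comment for the meaning"
```

The backup copy still contains the private keys, so keep it under the same file permissions as the keystore and remove it once the new configuration is confirmed.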
Please feel welcome to ask TIBCO Support about the status of bug CIS-73788. At the time of writing, there is no specific release planned for the fix yet.