Provide CAS-specific truststore for handling proxy calls
Description
CAS currently uses the JDK's default truststore to establish ssh handshakes specially for proxy calls. This can be improved by providing a CAS specific truststore, that would be empty by default. Untrusted proxies can be imported inside this particular store. Separating the store from Java's default always helps with platform upgrades that may cause prev changes to be overwritten.
Note that the default keystore would possibly be used in addition to the already available certs in Java. We simply just want to avoid polluting the default,and allow adopters to carry over their store, irrelevant of jdk version.
Environment
None
Activity
Show:
Misagh MoayyedJuly 15, 2014 at 7:10 AM
All Open JIRA issues are now moved to Github, and tracked under Github Issues. The migration is now complete. Please use Github issue tracking to file and track issues. JIRA issues will be closed.
CAS currently uses the JDK's default truststore to establish ssh handshakes specially for proxy calls. This can be improved by providing a CAS specific truststore, that would be empty by default. Untrusted proxies can be imported inside this particular store. Separating the store from Java's default always helps with platform upgrades that may cause prev changes to be overwritten.
This is proposed under SEC_5:
https://wiki.jasig.org/display/CAS/Proposals+to+mitigate+security+risks
Note that the default keystore would possibly be used in addition to the already available certs in Java. We simply just want to avoid polluting the default,and allow adopters to carry over their store, irrelevant of jdk version.