Bug #4031
closed
More features in supporting SSL in morpho
Added by Jing Tao over 15 years ago.
Updated almost 12 years ago.
Category: morpho - general
Description
1. Update certificate before it expires.
Option 1: Morpho automatically downloads the certificate from a given URL. The URL can be an Apache one, like http://knb.ecoinformatics.org/certificate, or a Metacat API one, like http://knb.ecoinformatics.org/knb/metacat?action=getCertificate.
Option 2: Release a patch of Morpho before the KNB certificate expires. The patch (jar file) contains the Java code and the certificate, which can delete the old KNB cert and put the new cert into the keystore.
2. Morpho has a mechanism to update the certificate. It should NOT just replace the old keystore since it may contain the user's own certificates. It just deletes the old certificate (if it exists) and puts the new one into the keystore.
3. Give the user a GUI to import their own certificate into the keystore.
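The "delete the old entry, keep everything else, add the new one" mechanism from item 2 is a handful of java.security.KeyStore calls, shown here as an added example that is not Morpho's own code. TrustStoreUpdater, the alias name and the file paths are assumptions for the illustration. The new certificate is read from a local file (as it would arrive in a signed patch jar) rather than fetched over plain http, because an unauthenticated download gives no assurance about who issued the certificate being trusted. The keystore is written to a temporary file and renamed into place so that a failure mid-write cannot leave the user with a truncated keystore.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;

/**
 * Hypothetical helper (not Morpho's own code): replaces a single trusted
 * certificate inside an existing keystore while leaving every other entry,
 * including certificates the user imported themselves, untouched.
 */
public class TrustStoreUpdater {

    /** Load a keystore of the JVM default type (JKS or PKCS12) from disk. */
    static KeyStore load(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Parse a PEM- or DER-encoded X.509 certificate. */
    static X509Certificate readCert(Path certFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(certFile.toFile())) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Days until the certificate's notAfter date; negative once it has expired. */
    static long daysUntilExpiry(X509Certificate cert) {
        long ms = cert.getNotAfter().getTime() - System.currentTimeMillis();
        return ms / (24L * 60 * 60 * 1000);
    }

    /**
     * Delete the entry under {@code alias} if it exists, then store
     * {@code newCert} under that alias. Nothing else in the keystore changes.
     * Returns true when an old entry was removed, false when the alias was new.
     */
    static boolean replaceTrustedCert(KeyStore ks, String alias, X509Certificate newCert)
            throws Exception {
        // Refuse a replacement that is already expired or not yet valid;
        // throws CertificateExpiredException / CertificateNotYetValidException.
        newCert.checkValidity(new Date());
        boolean hadOld = ks.containsAlias(alias);
        if (hadOld) {
            ks.deleteEntry(alias);
        }
        ks.setCertificateEntry(alias, newCert);
        return hadOld;
    }

    /** Write the keystore to a temp file first, then atomically rename over the original. */
    static void saveAtomically(KeyStore ks, Path path, char[] password) throws Exception {
        Path tmp = path.resolveSibling(path.getFileName() + ".tmp");
        try (FileOutputStream out = new FileOutputStream(tmp.toFile())) {
            ks.store(out, password);
        }
        Files.move(tmp, path, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: TrustStoreUpdater <keystore> <password> <alias> <cert-file>");
            System.exit(2);
        }
        Path ksPath = Paths.get(args[0]);
        char[] pw = args[1].toCharArray();
        String alias = args[2];              // e.g. "knb" (assumed alias name)
        X509Certificate newCert = readCert(Paths.get(args[3]));

        KeyStore ks = load(ksPath, pw);
        if (ks.containsAlias(alias)) {
            X509Certificate old = (X509Certificate) ks.getCertificate(alias);
            System.out.println("current '" + alias + "' entry expires in "
                    + daysUntilExpiry(old) + " days");
        }
        boolean replaced = replaceTrustedCert(ks, alias, newCert);
        saveAtomically(ks, ksPath, pw);
        System.out.println((replaced ? "replaced" : "added") + " '" + alias + "': "
                + newCert.getSubjectX500Principal() + ", valid until " + newCert.getNotAfter());
    }
}
```

The same routine covers the later comment's approach of augmenting a trust store with additional CAs: pointing it at the JVM's cacerts file (or a copy of it) and an alias that does not yet exist simply adds the CA alongside the commercial roots. The daysUntilExpiry check is what a scheduled "update before it expires" job from item 1 would poll.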
I think our understanding and use of SSL has improved over the past three years. For Morpho 2.0 we have removed the custom trust store from Morpho, which would only allow us to trust the KNB, SANParks and a couple of dev.nceas servers when using https.
Instead we will rely on the default JVM trust store that a user can augment in cases where the CA that issued their server's certificate is not a commercial CA.
For DataONE MNs this can sometimes be the case, though we discourage it.
The DataONE libclient library also augments the default trust store with CAs that we know to trust (including CILogon and DataONE CA). I think this is the way to approach SSL trust and we should not build a custom UI for managing a custom truststore.
Original Bugzilla ID was 4031