Certificate Authority signature constraint to use keyUsage as critical

Article ID: 126345

Products

CA Release Automation - Release Operations Center (Nolio)
CA Release Automation - DataManagement Server (Nolio)

Issue/Introduction

As per the security considerations in our organization, we are constrained to use only permitted certificates issued through the Certificate Authority signature process. As per our security standards, it is mandatory for us to have certificates with keyUsage=critical.

As per the documentation, it is mentioned that "The certificate/keystore used to sign the jar file (during the jarsigner step) cannot have the combination of KeyUsage = critical and ExtendedKeyUsage = serverAuth. The combination is not allowed to sign code."

Question: How can we configure secure communication for the Release Operations Center (ROC) UI and ASAP Studio in line with our security policy?


The considerations for enabling SSL for the various components of CA Release Automation (CA RA) are as follows:
  1. For a Certificate Authority signature, ensure that the client certificate allows the use of "serverAuth" and "clientAuth". This enables Agent to Execution Server communication.
  2. A certificate/keystore with the combination keyUsage=critical and extendedKeyUsage=serverAuth is not a valid code-signing combination, and code signing is required to enable SSL for ASAP Studio.
  3. A certificate with only keyUsage=clientAuth and extendedKeyUsage=clientAuth is not a sufficient combination to configure SSL for the ROC UI, as the server would not be able to present such a certificate to clients such as web browsers.

Environment

CA RA: 6.5, 6.6 and higher

Note: This may also apply to earlier release versions; however, this document has been validated against the most recent version of RA.

Resolution

Solution/Recommendation:
  • Generate two certificates with the following combinations:
    • Certificate one: keyUsage=critical,digitalSignature extendedKeyUsage=serverAuth,clientAuth
    • Certificate two: keyUsage=critical,digitalSignature extendedKeyUsage=codeSigning
  • Import the keys pertaining to both certificates into the custom-keystore.jks file
  • Use the first certificate to enable SSL for ROC, i.e. reference this certificate's alias etc. in the server.xml of the Data Management Server
  • Use the second certificate to enable SSL for ASAP by using it when generating custom-truststore.jar and signing it.
The step sequence below enables SSL for ASAP Studio when two different certificates are used, as described above (importing the keys into the custom keystore is described in detail in the reference document listed under Additional Information). In the steps below, certificate-one and certificate-two are assumed to be the aliases of certificate one and certificate two, and the sequence shows only what differs when two certificates are used to enable SSL on ASAP.

1: Generate nolio.jks using the certificate created for ROC
    keytool -importcert -alias certificate-one -file <FILE_NAME> -keystore nolio.jks -v -rfc
2: Pack this nolio.jks into the JAR file custom-truststore.jar
3: Sign the custom-truststore JAR file with the certificate authorized for code signing.
    jarsigner -keystore custom-keystore.jks -verbose -keypass **** -storepass **** custom-truststore.jar certificate-two
4: Copy this custom-truststore.jar file into the ReleaseAutomationServer\webapps\nolio-app\apps\v2.0.0\lib folder
5: Run the command javaws -uninstall
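As an added example (not code from the KB article or the product documentation), the POSIX shell script below issues the two certificates with the keyUsage/extendedKeyUsage combinations listed above through keytool -ext, and checks the extension dump that keytool -list -v prints for an alias against the role the certificate is meant for, so a certificate that pairs a critical KeyUsage with serverAuth is caught before it reaches jarsigner. The aliases, DNs, keystore name, passwords and the role names roc-ssl and asap-codesign are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the KB article: create the two certificates the
# resolution calls for and check a certificate's KU/EKU extensions against
# the role it is meant for. Aliases, DNs, keystore name and the role names
# (roc-ssl, asap-codesign) are assumptions of this example.
# Self-signed key pairs with the article's extension combinations in one
# keystore (a real deployment imports CA-signed certs with the same extensions).
gen_cert_pair() {
  ks=$1; pw=$2
  keytool -genkeypair -keystore "$ks" -storepass "$pw" -keypass "$pw" \
    -alias certificate-one -keyalg RSA -keysize 2048 -dname "CN=roc.example.test" \
    -ext KU:critical=digitalSignature -ext EKU=serverAuth,clientAuth
  keytool -genkeypair -keystore "$ks" -storepass "$pw" -keypass "$pw" \
    -alias certificate-two -keyalg RSA -keysize 2048 -dname "CN=asap-signer.example.test" \
    -ext KU:critical=digitalSignature -ext EKU=codeSigning
}

# Counts lines of $1 (keytool -list -v or -printcert -v output) matching $2.
count_lines() { printf '%s\n' "$1" | grep -c -- "$2" || true; }
# Returns 0 when certificate text $1 fits role $2: roc-ssl needs serverAuth plus
# clientAuth (server.xml cert, also Agent/Execution Server traffic); asap-codesign
# needs codeSigning and must not pair a critical KeyUsage with serverAuth.
cert_fits_role() {
  ku_crit=$(count_lines "$1" 'ObjectId: 2.5.29.15 Criticality=true')
  srv=$(count_lines "$1" '^ *serverAuth$')
  cli=$(count_lines "$1" '^ *clientAuth$')
  cs=$(count_lines "$1" '^ *codeSigning$')
  case $2 in
    roc-ssl)       [ "$srv" -gt 0 ] && [ "$cli" -gt 0 ] ;;
    asap-codesign) [ "$cs" -gt 0 ] && { [ "$ku_crit" -eq 0 ] || [ "$srv" -eq 0 ]; } ;;
    *)             return 1 ;;
  esac
}
# Constructed samples of the extension section keytool -list -v prints.
KU_CRIT='#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
]
#2: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages ['
CERT_ONE_EXT="$KU_CRIT
  serverAuth
  clientAuth
]"
CERT_TWO_EXT="$KU_CRIT
  codeSigning
]"
cert_fits_role "$CERT_ONE_EXT" roc-ssl && echo "certificate-one: usable for ROC SSL"
cert_fits_role "$CERT_TWO_EXT" asap-codesign && echo "certificate-two: usable to sign custom-truststore.jar"
```

Run cert_fits_role on the output of keytool -list -v -keystore custom-keystore.jks -alias <alias> before wiring that alias into server.xml or passing it to jarsigner.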

Note: For more details on the steps to enable SSL for CA RA, see the product documentation referenced in the Additional Information section.

Additional Information

Secure Communication CA Release Automation: https://docops.ca.com/ca-release-automation/6-6/en/installation/ca-release-automation-security/secure-communications