Conversation

@mkhediri mkhediri commented Jan 5, 2026

Description

Separation of client and server certificates for mTLS exchanges

@mkhediri mkhediri added this to the IT 163 milestone Jan 5, 2026
@mkhediri mkhediri self-assigned this Jan 5, 2026
vitam-prg commented Jan 5, 2026

Checkmarx One – Scan Summary & Details (cf1e4124-5817-41d4-a8ff-da5abb294b70)

Fixed Issues (57)

Great job! The following issues were fixed in this Pull Request

Severity Issue Source File / Package
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 213
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 212
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 213
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 213
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 279
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 228
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 245
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 279
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 245
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 262
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 228
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 280
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 279
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 245
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 246
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 229
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 228
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 262
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 263
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 262
LOW Log_Forging /api/api-referential/referential/src/main/java/fr/gouv/vitamui/referential/server/rest/OperationController.java: 115
LOW Log_Forging /api/api-referential/referential/src/main/java/fr/gouv/vitamui/referential/server/rest/OperationController.java: 104
LOW Log_Forging /api/api-referential/referential/src/main/java/fr/gouv/vitamui/referential/server/rest/OperationController.java: 157
LOW Log_Forging /api/api-referential/referential/src/main/java/fr/gouv/vitamui/referential/server/rest/OperationController.java: 132
LOW Log_Forging /api/api-referential/referential/src/main/java/fr/gouv/vitamui/referential/server/rest/OperationController.java: 212
LOW Log_Forging /api/api-referential/referential/src/main/java/fr/gouv/vitamui/referential/server/rest/OperationController.java: 203
LOW Log_Forging /api/api-referential/referential/src/main/java/fr/gouv/vitamui/referential/server/rest/OperationController.java: 192
LOW Log_Forging /api/api-referential/referential/src/main/java/fr/gouv/vitamui/referential/server/rest/OperationController.java: 145
LOW Log_Forging /api/api-referential/referential/src/main/java/fr/gouv/vitamui/referential/server/rest/OperationController.java: 157
LOW Log_Forging /api/api-referential/referential/src/main/java/fr/gouv/vitamui/referential/server/rest/OperationController.java: 144
LOW Log_Forging /api/api-referential/referential/src/main/java/fr/gouv/vitamui/referential/server/rest/OperationController.java: 116
LOW Log_Forging /api/api-referential/referential/src/main/java/fr/gouv/vitamui/referential/server/rest/OperationController.java: 104
LOW Log_Forging /api/api-referential/referential/src/main/java/fr/gouv/vitamui/referential/server/rest/OperationController.java: 132
LOW Log_Forging /api/api-referential/referential/src/main/java/fr/gouv/vitamui/referential/server/rest/OperationController.java: 132
LOW Log_Forging /api/api-referential/referential/src/main/java/fr/gouv/vitamui/referential/server/rest/OperationController.java: 117
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 171
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 170
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 190
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 295
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 305
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 315
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 189
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 190
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 191
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 305
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 95
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 171
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 96
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 171
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 127
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 95
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 156
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 97
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 128
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 192
LOW Log_Forging /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/ProjectController.java: 190
LOW Missing_CSP_Header /ui/ui-frontend/projects/vitamui-library/src/app/modules/components/header/menu/menu.component.html: 23


@mkhediri mkhediri added the OPS REVIEW Mandatory if deployment/ directory is modified. label Jan 5, 2026
@GiooDev GiooDev self-requested a review January 6, 2026 08:39
@lotfivitam lotfivitam left a comment

The migration documentation is missing.


generateHostCertAndStorePassphrase "${COMPONENT}" "${HOSTS_GROUP}"

generateClientCertAndStorePassphrase "${COMPONENT}" "client-vitam"
Aren't these rather "vitam-ui" clients?

Comment on lines +28 to 39
{{ process(pki_dir + '/client-vitam/clients/cas-server/cas-server.pem', 'cas_context') }}

{{ process(pki_dir + '/server/hosts/%host%/ui-portal.pem', 'ui_portal_context', 'hosts_ui_portal') }}
{{ process(pki_dir + '/server/hosts/%host%/ui-identity.pem', 'ui_identity_context', 'hosts_ui_identity') }}
{{ process(pki_dir + '/server/hosts/%host%/ui-identity-admin.pem', 'ui_admin_identity_context', 'hosts_ui_identity_admin') }}
{{ process(pki_dir + '/server/hosts/%host%/ui-referential.pem', 'ui_referential_context', 'hosts_ui_referential') }}
{{ process(pki_dir + '/server/hosts/%host%/ui-archive-search.pem', 'ui_archive_search_context', 'hosts_ui_archive_search') }}
{{ process(pki_dir + '/server/hosts/%host%/ui-ingest.pem', 'ui_ingest_context', 'hosts_ui_ingest') }}
{{ process(pki_dir + '/server/hosts/%host%/ui-pastis.pem', 'ui_pastis_context', 'hosts_ui_pastis') }}
{{ process(pki_dir + '/server/hosts/%host%/ui-collect.pem', 'ui_collect_context', 'hosts_ui_collect') }}
{{ process(pki_dir + '/client-vitam/clients/ui-portal/ui-portal.pem', 'ui_portal_context') }}
{{ process(pki_dir + '/client-vitam/clients/ui-identity/ui-identity.pem', 'ui_identity_context') }}
{{ process(pki_dir + '/client-vitam/clients/ui-identity-admin/ui-identity-admin.pem', 'ui_admin_identity_context') }}
{{ process(pki_dir + '/client-vitam/clients/ui-referential/ui-referential.pem', 'ui_referential_context') }}
{{ process(pki_dir + '/client-vitam/clients/ui-archive-search/ui-archive-search.pem', 'ui_archive_search_context') }}
{{ process(pki_dir + '/client-vitam/clients/ui-ingest/ui-ingest.pem', 'ui_ingest_context') }}
{{ process(pki_dir + '/client-vitam/clients/ui-pastis/ui-pastis.pem', 'ui_pastis_context') }}
{{ process(pki_dir + '/client-vitam/clients/ui-collect/ui-collect.pem', 'ui_collect_context') }}

print("END v8.1.0-00_security.populate_certificates.js");
The mongo scripts are immutable. A new versioned script must be added to handle the migrations.

If this needs to be backported down to V8.1, rename it to 3-00; otherwise move it to the v9.1 directory if no backport is needed.

Comment on lines +71 to +74
keystore:
key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.service_name | default(service_name) }}.jks
key-password: {{ password_client_keystore }}
type: JKS
How could this work before without a certificate?

key-password: changeme
keystore:
key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_archive-search.jks
key-path: ../../../dev-deployment/environments/keystores/client-vitam/keystore_archive-search.jks
Certificates are currently generated per instance. For each hostname, a client certificate was created.

In other words, if we have 3 archive-search instances on vm-1, vm-2 and vm-3, the existing PKI generated one certificate per hostname.

Is there a reason for this change of doctrine?

Personally, I have no real objection to generating a shared client certificate if it simplifies the PKI, but in that case it should also be done for the server certificates.

@GiooDev GiooDev left a comment

Don't forget to update deployment/roles/reinit_security_certificates/templates/security.populate_certificates.js.j2

Don't forget to update the associated migration documentation.
