Story #15211: separate client and server certificate

api/api-archive-search/archive-search/src/main/resources/application-dev.yml

@@ -25,10 +25,10 @@ server:
   host:
   port: 8089
   ssl:
-    key-store: ../../../dev-deployment/environments/keystores/server/localhost/keystore_archive-search.jks
+    key-store: ../../../dev-deployment/environments/keystores/vitamui-services/server/archive-search/keystore_archive-search.jks
     key-store-password: changeme
     key-password: changeme
-    trust-store: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
+    trust-store: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
     trust-store-password: changeme
     client-auth: want
     enabled-protocols: TLSv1.2,TLSv1.3
@@ -53,10 +53,10 @@ archive-search:
     secure: true
     ssl-configuration:
       truststore:
-        key-path: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
+        key-path: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
         key-password: changeme
       keystore:
-        key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_archive-search.jks
+        key-path: ../../../dev-deployment/environments/keystores/vitamui-services/clients/archive-search/keystore_archive-search.jks
         key-password: changeme
         type: JKS
       hostname-verification: false

api/api-archive-search/archive-search/src/test/resources/application.yml

@@ -24,10 +24,10 @@ archive-search:
     secure: true
     ssl-configuration:
       truststore:
-        key-path: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
+        key-path: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
         key-password: changeme
       keystore:
-        key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_archive-search.jks
+        key-path: ../../../dev-deployment/environments/keystores/vitamui-services/server/archive-search/keystore_archive-search.jks
         key-password: changeme
         type: JKS
       hostname-verification: false

api/api-collect/collect/src/main/resources/application-dev.yml

@@ -25,10 +25,10 @@ server:
   host:
   port: 8090
   ssl:
-    key-store: ../../../dev-deployment/environments/keystores/server/localhost/keystore_collect.jks
+    key-store: ../../../dev-deployment/environments/keystores/vitamui-services/server/collect/keystore_collect.jks
     key-store-password: changeme
     key-password: changeme
-    trust-store: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
+    trust-store: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
     trust-store-password: changeme
     client-auth: want
     enabled-protocols: TLSv1.2,TLSv1.3
@@ -51,10 +51,10 @@ collect:
     secure: true
     ssl-configuration:
       truststore:
-        key-path: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
+        key-path: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
         key-password: changeme
       keystore:
-        key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_collect.jks
+        key-path: ../../../dev-deployment/environments/keystores/vitamui-services/clients/collect/keystore_collect.jks
         key-password: changeme
         type: JKS
       hostname-verification: false

api/api-gateway/src/main/resources/application-dev.yml

@@ -1,11 +1,11 @@
 server:
   port: 8070
   ssl:
-    key-store: ../../dev-deployment/environments/keystores/server/localhost/keystore_api-gateway.jks
+    key-store: ../../dev-deployment/environments/keystores/vitamui-services/server/api-gateway/keystore_api-gateway.jks
     key-store-password: changeme
     key-password: changeme
     client-auth: need
-    trust-store: ../../dev-deployment/environments/keystores/server/truststore_server.jks
+    trust-store: ../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
     trust-store-password: changeme
   max-http-request-header-size: 16KB
 

api/api-iam/iam/src/main/resources/application-dev.yml

@@ -22,10 +22,10 @@ server:
   host:
   port: 8083
   ssl:
-    key-store: ../../../dev-deployment/environments/keystores/server/localhost/keystore_iam.jks
+    key-store: ../../../dev-deployment/environments/keystores/vitamui-services/server/iam/keystore_iam.jks
     key-store-password: changeme
     key-password: changeme
-    trust-store: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
+    trust-store: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
     trust-store-password: changeme
     client-auth: want
     enabled-protocols: TLSv1.2,TLSv1.3
@@ -53,10 +53,10 @@ cas-client:
   secure: true
   ssl-configuration:
     truststore:
-      key-path: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
+      key-path: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
       key-password: changeme
     keystore:
-      key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_iam.jks
+      key-path: ../../../dev-deployment/environments/keystores/vitamui-services/clients/iam/keystore_iam.jks
       key-password: changeme
       type: JKS
     hostname-verification: false
@@ -112,11 +112,11 @@ provisioning-client:
         secure: false
         ssl-configuration:
           keystore:
-            key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_iam.jks
+            key-path: ../../../dev-deployment/environments/keystores/vitamui-services/clients/iam/keystore_iam.jks
             key-password: changeme
             type: JKS
           truststore:
-            key-path: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
+            key-path: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
             key-password: changeme
             type: JKS
           hostname-verification: false
@@ -126,11 +126,11 @@ provisioning-client:
         secure: true
         ssl-configuration:
           keystore:
-            key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_iam.jks
+            key-path: ../../../dev-deployment/environments/keystores/vitamui-services/clients/iam/keystore_iam.jks
             key-password: changeme
             type: JKS
           truststore:
-            key-path: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
+            key-path: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
             key-password: changeme
             type: JKS
           hostname-verification: false

api/api-iam/iam/src/test/resources/application.yml

@@ -62,10 +62,10 @@ cas-client:
   secure: true
   ssl-configuration:
     truststore:
-      key-path: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
+      key-path: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
       key-password: changeme
     keystore:
-      key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_iam.jks
+      key-path: ../../../dev-deployment/environments/keystores/vitamui-services/server/iam/keystore_iam.jks
       key-password: changeme
       type: JKS
     hostname-verification: false

api/api-ingest/ingest/src/main/resources/application-dev.yml

@@ -15,10 +15,10 @@ server:
   host:
   port: 8088
   ssl:
-    key-store: ../../../dev-deployment/environments/keystores/server/localhost/keystore_ingest.jks
+    key-store: ../../../dev-deployment/environments/keystores/vitamui-services/server/ingest/keystore_ingest.jks
     key-store-password: changeme
     key-password: changeme
-    trust-store: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
+    trust-store: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
     trust-store-password: changeme
     client-auth: want
     enabled-protocols: TLSv1.2,TLSv1.3
@@ -43,10 +43,10 @@ ingest:
     secure: true
     ssl-configuration:
       truststore:
-        key-path: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
+        key-path: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
         key-password: changeme
       keystore:
-        key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_ingest.jks
+        key-path: ../../../dev-deployment/environments/keystores/vitamui-services/clients/ingest/keystore_ingest.jks
         key-password: changeme
         type: JKS
       hostname-verification: false

api/api-ingest/ingest/src/test/resources/application.yml

@@ -24,10 +24,10 @@ ingest:
     secure: true
     ssl-configuration:
       truststore:
-        key-path: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
+        key-path: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
         key-password: changeme
       keystore:
-        key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_archive-search.jks
+        key-path: ../../../dev-deployment/environments/keystores/vitamui-services/server/archive-search/keystore_archive-search.jks
         key-password: changeme
         type: JKS
       hostname-verification: false

api/api-pastis/pastis/src/main/resources/application-dev.yml

@@ -35,10 +35,10 @@ server:
   host:
   port: 8015
   ssl:
-    key-store: ../../../dev-deployment/environments/keystores/server/localhost/keystore_pastis.jks
+    key-store: ../../../dev-deployment/environments/keystores/vitamui-services/server/pastis/keystore_pastis.jks
     key-store-password: changeme
     key-password: changeme
-    trust-store: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
+    trust-store: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
     trust-store-password: changeme
     client-auth: want
     enabled-protocols: TLSv1.1,TLSv1.2,TLSv1.3
@@ -62,10 +62,10 @@ pastis:
     secure: true
     ssl-configuration:
       truststore:
-        key-path: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
+        key-path: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
         key-password: changeme
       keystore:
-        key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_pastis.jks
+        key-path: ../../../dev-deployment/environments/keystores/vitamui-services/clients/pastis/keystore_pastis.jks
         key-password: changeme
         type: JKS
       hostname-verification: false

api/api-referential/referential/src/main/resources/application-dev.yml

@@ -19,10 +19,10 @@ server:
   port: 8087
   tomcat.connection-timeout: 60000
   ssl:
-    key-store: ../../../dev-deployment/environments/keystores/server/localhost/keystore_referential.jks
+    key-store: ../../../dev-deployment/environments/keystores/vitamui-services/server/referential/keystore_referential.jks
     key-store-password: changeme
     key-password: changeme
-    trust-store: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
+    trust-store: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
     trust-store-password: changeme
     client-auth: want
     enabled-protocols: TLSv1.2,TLSv1.3
@@ -49,10 +49,10 @@ referential:
     secure: true
     ssl-configuration:
       truststore:
-        key-path: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
+        key-path: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
         key-password: changeme
       keystore:
-        key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_referential.jks
+        key-path: ../../../dev-deployment/environments/keystores/vitamui-services/clients/referential/keystore_referential.jks
         key-password: changeme
         type: JKS
       hostname-verification: false

api/api-referential/referential/src/test/resources/application.yml

@@ -26,10 +26,10 @@ referential:
     secure: true
     ssl-configuration:
       truststore:
-        key-path: ../../../dev-deployment/environments/keystores/server/truststore_server.jks
+        key-path: ../../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
         key-password: changeme
       keystore:
-        key-path: ../../../dev-deployment/environments/keystores/server/localhost/keystore_archive-search.jks
+        key-path: ../../../dev-deployment/environments/keystores/vitamui-services/server/archive-search/keystore_archive-search.jks
         key-password: changeme
         type: JKS
       hostname-verification: false

cas/cas-server/src/main/config/cas-server-application-dev.yml

@@ -9,12 +9,12 @@ spring:
 server:
   ssl:
     #client-auth: want
-    key-store: ../../dev-deployment/environments/keystores/server/localhost/keystore_cas-server.jks
+    key-store: ../../dev-deployment/environments/keystores/vitamui-services/server/cas-server/keystore_cas-server.jks
     key-store-password: changeme
     key-password: changeme
     enabled-protocols: TLSv1.2,TLSv1.3
     ciphers: ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384
-    #trust-store: ../../dev-deployment/environments/keystores/server/truststore_server.jks
+    #trust-store: ../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
     #trust-store-password: changeme
   host: dev.vitamui.com
   port: 8080
@@ -49,11 +49,11 @@ iam-client:
   secure: true
   ssl-configuration:
     keystore:
-      key-path: ../../dev-deployment/environments/keystores/server/localhost/keystore_cas-server.jks
+      key-path: ../../dev-deployment/environments/keystores/vitamui-services/clients/cas-server/keystore_cas-server.jks
       key-password: changeme
       type: JKS
     truststore:
-      key-path: ../../dev-deployment/environments/keystores/server/truststore_server.jks
+      key-path: ../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
       key-password: changeme
     hostname-verification: false
 

cas/cas-server/src/main/config/cas-server-application-recette.yml

@@ -9,7 +9,7 @@ spring:
 
 server:
   ssl:
-    key-store: ../../../../dev-deployment/environments/keystores/server/localhost/keystore_cas-server.jks
+    key-store: ../../../../dev-deployment/environments/keystores/vitamui-services/server/cas-server/keystore_cas-server.jks
     key-store-password: changeme
     key-password: changeme
     enabled-protocols: TLSv1.2,TLSv1.3
@@ -29,11 +29,11 @@ iam-client:
   secure: true
   ssl-configuration:
     keystore:
-      key-path: ../../dev-deployment/environments/keystores/server/localhost/keystore_cas-server.jks
+      key-path: ../../dev-deployment/environments/keystores/vitamui-services/server/cas-server/keystore_cas-server.jks
       key-password: changeme
       type: JKS
     truststore:
-      key-path: ../../dev-deployment/environments/keystores/server/truststore_server.jks
+      key-path: ../../dev-deployment/environments/keystores/vitamui-services/truststore_vitamui.jks
       key-password: changeme
     hostname-verification: false
 

deployment/ansible-vitamui/app_api_gateway.yml

@@ -7,6 +7,7 @@
   vars:
     vitamui_struct: "{{ vitamui.api_gateway }}"
     vitamui_certificate_type: external
-    password_keystore: "{{ keystores_server_api_gateway }}"
+    password_keystore_server: "{{ keystores_server_vitamui_services_api_gateway }}"
+    password_keystore_client: "{{ keystores_client_vitamui_services_api_gateway }}"
     password_truststore: "{{ truststores_client_external }}"
     vitam_cert: "{{ vitam_certs.vitamui }}"

deployment/ansible-vitamui/app_archive_search.yml

@@ -7,6 +7,7 @@
   vars:
     vitamui_struct: "{{ vitamui.archive_search }}"
     vitamui_certificate_type: external
-    password_keystore: "{{ keystores_server_archive_search }}"
+    password_keystore_server: "{{ keystores_server_vitamui_services_archive_search }}"
+    password_keystore_client: "{{ keystores_client_vitamui_services_archive_search }}"
     password_truststore: "{{ truststores_client_external }}"
     vitam_cert: "{{ vitam_certs.vitamui }}"

deployment/ansible-vitamui/app_collect.yml

@@ -7,6 +7,7 @@
   vars:
     vitamui_struct: "{{ vitamui.collect }}"
     vitamui_certificate_type: external
-    password_keystore: "{{ keystores_server_collect }}"
+    password_keystore_server: "{{ keystores_server_vitamui_services_collect }}"
+    password_keystore_client: "{{ keystores_client_vitamui_services_collect }}"
     password_truststore: "{{ truststores_client_external }}"
     vitam_cert: "{{ vitam_certs.vitamui }}"

deployment/ansible-vitamui/app_ingest.yml

@@ -7,6 +7,7 @@
   vars:
     vitamui_struct: "{{ vitamui.ingest }}"
     vitamui_certificate_type: external
-    password_keystore: "{{ keystores_server_ingest }}"
+    password_keystore_server: "{{ keystores_server_vitamui_services_ingest }}"
+    password_keystore_client: "{{ keystores_client_vitamui_services_ingest }}"
     password_truststore: "{{ truststores_client_external }}"
     vitam_cert: "{{ vitam_certs.vitamui }}"

deployment/ansible-vitamui/app_pastis.yml

@@ -7,6 +7,7 @@
   vars:
     vitamui_struct: "{{ vitamui.pastis }}"
     vitamui_certificate_type: external
-    password_keystore: "{{ keystores_server_pastis }}"
+    password_keystore_server: "{{ keystores_server_vitamui_services_pastis }}"
+    password_keystore_client: "{{ keystores_client_vitamui_services_pastis }}"
     password_truststore: "{{ truststores_client_external }}"
     vitam_cert: "{{ vitam_certs.vitamui }}"

deployment/ansible-vitamui/app_referential.yml

@@ -7,6 +7,7 @@
   vars:
     vitamui_struct: "{{ vitamui.referential }}"
     vitamui_certificate_type: external
-    password_keystore: "{{ keystores_server_referential }}"
+    password_keystore_server: "{{ keystores_server_vitamui_services_referential }}"
+    password_keystore_client: "{{ keystores_client_vitamui_services_referential }}"
     password_truststore: "{{ truststores_client_external }}"
     vitam_cert: "{{ vitam_certs.vitamui }}"

deployment/ansible-vitamui/vitamui_apps.yml

@@ -9,8 +9,8 @@
   vars:
     vitamui_struct: "{{ vitamui.security }}"
     vitamui_certificate_type: server
-    password_keystore: "{{ keystores_server_security }}"
-    password_truststore: "{{ truststores_server }}"
+    password_keystore_server: "{{ keystores_server_vitamui_services_security }}"
+    password_truststore: "{{ truststores_vitamui }}"
   tags: security
 
 # External apps
@@ -22,7 +22,8 @@
   vars:
     vitamui_struct: "{{ vitamui.iam }}"
     vitamui_certificate_type: external
-    password_keystore: "{{ keystores_server_iam }}"
+    password_keystore_server: "{{ keystores_server_vitamui_services_iam }}"
+    password_keystore_client: "{{ keystores_client_vitamui_services_iam }}"
     password_truststore: "{{ truststores_client_external }}"
     vitam_cert: "{{ vitam_certs.vitamui }}"
   tags: iam
@@ -36,6 +37,7 @@
   vars:
     vitamui_struct: "{{ vitamui.cas_server }}"
     vitamui_certificate_type: external
-    password_keystore: "{{ keystores_server_cas_server }}"
+    password_keystore_server: "{{ keystores_server_vitamui_services_cas_server }}"
+    password_keystore_client: "{{ keystores_client_vitamui_services_cas_server }}"
     password_truststore: "{{ truststores_client_external }}"
   tags: cas-server

deployment/pki/config/crt-config

@@ -54,8 +54,8 @@ issuerAltName                   = issuer:copy
 subjectAltName                  = ${ENV::OPENSSL_SAN}
 basicConstraints                = critical,CA:FALSE
 keyUsage                        = digitalSignature, keyEncipherment
-nsCertType                      = server, client
-extendedKeyUsage                = serverAuth, clientAuth
+nsCertType                      = server
+extendedKeyUsage                = serverAuth
 
 [ extension_client ]
 nsComment                       = "Certificat Client SSL"