Posted to user@guacamole.apache.org by Zer0Cool <me...@gmail.com> on 2019/04/03 19:02:31 UTC

Importance of JKS Keystore Fields?

Sorry if this is too far removed from Guacamole itself.

CentOS/RHEL 7.x
Guacamole 1.0.0
Nginx (latest)
Tomcat

I set up Guacamole with JKS and create a keystore for Guacamole using a
command like:

keytool -genkey -alias some_alias -keyalg RSA -keysize 2048 \
    -keystore /var/lib/tomcat/webapps/.keystore \
    -storepass password -keypass password2 -noprompt

I am then prompted for things like name, org, city, state, etc.

I generally leave these all blank (just hitting enter for each until done).

What I am wondering is if these fields are of any importance in a
production, internet facing setup? (using Let's Encrypt for an SSL cert, not
related to JKS at all)

Is there any benefit to filling it out and/or adverse effects with leaving
them all blank?

Thanks



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: Importance of JKS Keystore Fields?

Posted by Zer0Cool <me...@gmail.com>.
Yes, they will be run from the same system for all my cases.

Thanks for the feedback.


Re: Importance of JKS Keystore Fields?

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Apr 4, 2019 at 5:34 PM Zer0Cool <me...@gmail.com> wrote:

> Upon thinking about it however, end users wouldn't see this info for the key
> store, would they?
>
> As far as I understand it, with Nginx being the reverse proxy and handling
> SSL, Let's Encrypt providing a valid Cert (and looking at the cert it uses
> its own subject, etc.), JKS is only used for tomcat, which is behind Nginx.
>
> So as far as I understand it and could be very wrong, wouldn't this keystore
> only be used between tomcat and Nginx?
>

Yes, you are correct - and, if Nginx is running on the same system as
Tomcat, there's really very little point in encrypting the connection
between the two processes on the same system.  If they're on different
systems and you're trying to encrypt the connection between those systems,
that makes sense.

-Nick

Re: Importance of JKS Keystore Fields?

Posted by Zer0Cool <me...@gmail.com>.
Upon thinking about it however, end users wouldn't see this info for the key
store, would they?

As far as I understand it, with Nginx being the reverse proxy and handling
SSL, Let's Encrypt providing a valid Cert (and looking at the cert it uses
its own subject, etc.), JKS is only used for tomcat, which is behind Nginx.

So as far as I understand it and could be very wrong, wouldn't this keystore
only be used between tomcat and Nginx?


Re: Importance of JKS Keystore Fields?

Posted by Nick Couchman <vn...@apache.org>.
>
> I am then prompted for things like name, org, city, state, etc.
>
> I generally leave these all blank (just hitting enter for each until done).
>
> What I am wondering is if these fields are of any importance in a
> production, internet facing setup? (using Let's Encrypt for an SSL cert, not
> related to JKS at all)
>
> Is there any benefit to filling it out and/or adverse effects with leaving
> them all blank?
>

From a technical perspective, I doubt these fields matter.  From a
process/security/identity standpoint, I would imagine it's considered
best-practice and good etiquette to fill in those fields.  The idea is that
you're providing some sort of guarantee of identity to the people accessing
the system - that if someone is asked to go to the page and enter
credentials, and they have any concern about whether the site is what
they've been led to believe, those items will help them identify the site
and the organization to which it belongs.

-Nick
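
Added example, not part of the thread or of Guacamole's documentation: the name/org/city/state prompts discussed above end up as the subject DN of the self-signed certificate in the keystore, and a skipped prompt is stored as "Unknown". The script below shows the non-interactive -dname form of the command from the question and a check that flags entries whose subject was left blank; the DN values, the hostname guac.example.internal and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The DN values, the hostname
# guac.example.internal and the sample listing are constructed.

# Non-interactive form of the command in the question: -dname answers the
# name/org/city/state prompts, which become the certificate subject.
gen_keystore() {  # usage: gen_keystore <keystore> <storepass> <keypass>
    keytool -genkey -alias some_alias -keyalg RSA -keysize 2048 \
        -keystore "$1" -storepass "$2" -keypass "$3" \
        -dname "CN=guac.example.internal, OU=IT, O=Example Org, L=City, ST=State, C=US"
}

# Reads `keytool -list -v` output on stdin; prints alias, BLANK or FILLED,
# and the subject DN (tab-separated) for the first certificate of each entry.
# BLANK means every attribute is "Unknown", keytool's default for a skipped
# prompt. Assumes no escaped commas inside attribute values.
audit_subjects() {
    awk '
        /^Alias name: / { alias = substr($0, 13); seen = 0 }
        /^Owner: / && !seen {
            seen = 1; dn = substr($0, 8); blank = 1
            n = split(dn, parts, ", *")
            for (i = 1; i <= n; i++) {
                split(parts[i], kv, "=")
                if (kv[2] != "Unknown") blank = 0
            }
            printf "%s\t%s\t%s\n", alias, (blank ? "BLANK" : "FILLED"), dn
        }'
}

sample_listing() {  # constructed excerpt of `keytool -list -v` output
    cat <<'EOF'
Alias name: some_alias
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Alias name: filled_alias
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=guac.example.internal, OU=IT, O=Example Org, L=City, ST=State, C=US
Issuer: CN=guac.example.internal, OU=IT, O=Example Org, L=City, ST=State, C=US
EOF
}

sample_listing | audit_subjects
```

To run the check against a real keystore, pipe the output of keytool -list -v for that keystore into audit_subjects instead of the sample listing.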