Story #15211: Cleaning PKI. #3509

GiooDev · 2026-01-25T19:25:37Z

Description

Updating PKI

Remove unnecessary timestamping configurations.
Do not generate keystores for UI components.
Generate PEM files for the Certificate Authority (CA), which are mandatory for the nginx ca-bundle.
Generate client certificates without a password. Currently, there is no method to provide a password to nginx.
Migrate keystores and truststores from proprietary JKS (Java KeyStore) format to industry-standard PKCS12 format.
Generate pem certs only for services needed to be loaded in database security/certificates (cas-server & ui-*).

Ansible

Disable HTTPS by default for UI components.
Provides client certificates for UI components (using proxy_ssl_certificate).
Use server certificates for UI components in HTTPS configuration (using ssl_certificate). This currently does not work due to issues with DNS resolution and upstream configuration in nginx.
Add Consul service definitions for UI components, which are mandatory for HTTPS verification (currently disabled, secure: false). The server certificates are now generated with Subject Alternative Names (SAN) including the DNS name.
Update certificates loaded in the database conditionally, based on hosts defined in groups. Unwanted components are not loaded in security/certificates database.
Add the missing parameter ssl_hostname_verification (default: true) for each component.
Deploying keystores and truststores as p12 instead of jks.
Renaming keys in vault-keystores.yml as singular instead of plural.

Schema communication:

graph TD

    %% Service Definitions
    RP[Reverse Proxy]

    subgraph SERVICES_UI[VitamUI-UI Services]
        direction TB
        UPO[ui-portal]
        UID[ui-identity]
        UIA[ui-identity-admin]
        UAS[ui-archive-search]
        URE[ui-referential]
        UCO[ui-collect]
        UPA[ui-pastis]
        UIN[ui-ingest]       
    end

    API_GW[api-gateway]
    CAS[cas-server]

    subgraph VITAM_UI_SERVICES[VitamUI Services]
        direction TB
        subgraph VUI_SERVICES[ ]
            direction TB
            R[referential]
            P[pastis]
            I[ingest]
            C[collect]
            AS[archive_search]
        end
 
        IAM[iam]
        SEC[security]
    end

    %% Communications
    EXTERNAL -->|https| RP
    RP -->|http| SERVICES_UI
    RP -->|https| CAS
    SERVICES_UI -->|mTLS| API_GW
    API_GW -->|https + x-ssl-cert| VITAM_UI_SERVICES
    VUI_SERVICES -->|mTLS| IAM
    VUI_SERVICES -->|https| SEC
    
    IAM <-->|mTLS| CAS
    IAM -->|https| SEC

Type de changement

PKI
Ansiblerie
Correction
Refactorisation de code

Contributeur

Programme Vitam

vitam-prg · 2026-01-25T19:32:23Z

Checkmarx One – Scan Summary & Details – f6cd2abc-ea95-46a7-b7b4-9799499360fc

New Issues (27)

Checkmarx found the following issues in this Pull Request

#	Issue	Source File / Package	Checkmarx Insight
1	CVE-2021-44906	Npm-minimist-0.0.10	details Recommended version: 0.2.4 Description: Minimist is vulnerable to Prototype Pollution via file "index.js", function "setKey()" (lines 69-95). This issue affects minimist versions prior t... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
2	CVE-2023-25344	Npm-swig-templates-2.0.3	details Description: An issue was discovered in swig-templates in versions through 2.0.3 and swig versions 1.0.0-pre1 through 1.4.2, allowing attackers to execute arbit... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
3	CVE-2023-42282	Npm-ip-2.0.0	details Recommended version: 2.0.1 Description: The `isPublic()` function in the NPM package ip doesn't correctly identify certain private IP addresses in uncommon formats, such as 0x7F.1 as priv... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
4	CVE-2021-23372	Npm-mongo-express-1.0.0	details Recommended version: 1.0.1 Description: Versions prior to 1.0.1 of package mongo-express are vulnerable to Denial of Service (DoS) when exporting an empty collection as CSV, due to an unh... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
5	CVE-2023-25345	Npm-swig-templates-2.0.3	details Description: Directory Traversal Vulnerability in all versions of swig-templates and swig allows attackers to read arbitrary files via the "include" or "extends... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
6	CVE-2024-21538	Npm-cross-spawn-7.0.3	details Recommended version: 7.0.5 Description: Versions of the package cross-spawn prior to 6.0.6 and 7.x prior to 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS), due to im... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
7	CVE-2024-29415	Npm-ip-2.0.0	details Description: The ip package 0.0.2 through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, a... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
8	CVE-2024-45296	Npm-path-to-regexp-0.1.7	details Recommended version: 0.1.12 Description: The path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be explo... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
9	CVE-2024-45590	Npm-body-parser-1.20.0	details Recommended version: 1.20.3 Description: The body-parser is Node.js body parsing middleware. The body-parser package versions prior to 1.20.3 and 2.0.x prior to 2.0.0 are vulnerable to Den... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
10	CVE-2024-52798	Npm-path-to-regexp-0.1.7	details Recommended version: 0.1.12 Description: path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploit... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
11	CVE-2026-24842	Npm-tar-7.5.2	details Description: node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
12	CVE-2026-24842	Npm-tar-6.2.1	details Description: node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
13	Passwords And Secrets - Generic Password	/vitamui_vars.yml: 219	details Query to find passwords and secrets in infrastructure code.
14	CVE-2020-7598	Npm-minimist-0.0.10	details Recommended version: 0.2.4 Description: Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the proto... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
15	CVE-2023-52555	Npm-mongo-express-1.0.0	details Description: In mongo-express versions through 1.02, '/admin' allows Cross-site Request Forgery (CSRF), as demonstrated by deletion of a Collection. Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
16	CVE-2024-27088	Npm-es5-ext-0.10.62	details Recommended version: 0.10.63 Description: The es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into "function#copy" or "fun... Attack Vector: LOCAL Attack Complexity: LOW Vulnerable Package
17	CVE-2024-29041	Npm-express-4.18.1	details Recommended version: 4.20.0 Description: Express.js minimalist web framework for node. Express.js versions prior to 4.19.2, and 5.0.x prior to 5.0.0-beta.3 are affected by an open redirect... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
18	CVE-2024-43796	Npm-express-4.18.1	details Recommended version: 4.20.0 Description: Express.js minimalist web framework for node. In express versions prior to 4.20.0 and 5.0.x prior to 5.0.0, passing untrusted user input even after... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
19	CVE-2024-43799	Npm-send-0.18.0	details Recommended version: 0.19.0 Description: Send is a library for streaming files from the file system as an HTTP response. Send passes untrusted user input to "SendStream.redirect()" which e... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
20	CVE-2024-43800	Npm-serve-static-1.15.0	details Recommended version: 1.16.0 Description: serve-static serves static files. serve-static passes untrusted user input even after sanitizing it to "redirect()" and may execute untrusted code.... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
21	CVE-2024-47178	Npm-basic-auth-connect-1.0.0	details Recommended version: 1.1.0 Description: The package basic-auth-connect is Connect's Basic Auth middleware in its own module. The basic-auth-connect uses a timing-unsafe equality compariso... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
22	CVE-2024-47764	Npm-cookie-0.3.1	details Recommended version: 0.7.0 Description: The NPM package cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cook... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
23	CVE-2024-47764	Npm-cookie-0.4.1	details Recommended version: 0.7.0 Description: The NPM package cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cook... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
24	CVE-2024-47764	Npm-cookie-0.5.0	details Recommended version: 0.7.0 Description: The NPM package cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cook... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
25	Cx2c8678d9-d5de	Npm-es5-ext-0.10.62	details Description: This package includes functionality which aims to protest or raise an issue and might include undesired behavior. ### About Similar to a malicious... Vulnerable Package
26	CVE-2025-59436	Npm-ip-2.0.0	details Description: The ip (aka node-ip) package might allow Server-Side Request Forgery (SSRF) because the IP address value '017700000001' is improperly categorized a... Attack Vector: LOCAL Attack Complexity: HIGH Vulnerable Package
27	CVE-2025-59437	Npm-ip-2.0.0	details Description: The ip (aka node-ip) package (in NPM) might allow Server-Side Request Forgery (SSRF) because the IP address value "0" is improperly categorized as ... Attack Vector: LOCAL Attack Complexity: HIGH Vulnerable Package

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	~~Passwords And Secrets - Generic Password~~	/vitamui_vars.yml: 210

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

* Removing useless timestamping elements.

…am to resolv on Consul's DNS name instead of IP. The new generated certificates doesn't contains the IP anymore.

…guration for webapp.

Currently, it's stored under vault-certs.yml and we don't have access to it during deployment.

With disabled secure for ui components.

Disable ssl for ui-design-system.

Remove unsupported parameters for this nginx version (revolver) - upstream config.

GiooDev · 2026-01-25T23:36:25Z

deployment/roles/reinit_security_certificates/templates/security.populate_certificates.js.j2

-{{ process('{{ pki_dir }}/vitamui-services/clients/ui-ingest/ui-ingest.pem', 'ui_ingest_context') }}
-{{ process('{{ pki_dir }}/vitamui-services/clients/ui-pastis/ui-pastis.pem', 'ui_pastis_context') }}
-{{ process('{{ pki_dir }}/vitamui-services/clients/ui-collect/ui-collect.pem', 'ui_collect_context') }}
+{{ insertCertificate(pki_dir + '/vitamui-services/clients/ui-portal/ui-portal.pem', 'ui_portal_context') }}


À voir si on charge tous les certificats même si dans certains cas (rare) on a décidé de ne pas déployer certains composants applicatifs ?

GiooDev · 2026-01-26T23:47:26Z

deployment/roles/nginx_webapp/tasks/install.yml

    name: nginx
    state: started
+
+#### Consul configuration ####


En as-t-on besoin ici ? Ou à déplacer dans le block secure ci-dessus ?

Car sans https, on pourrait conserver la configuration upstream avec la liste des ips et ainsi éviter la résolution dns consul pas simple à implémenter avec consul.

GiooDev · 2026-01-27T10:49:54Z

deployment/roles/nginx_webapp/templates/frontend/vhost.conf.j2

+    # proxy_set_header Host $api_gateway_dns;
+    # proxy_pass {{ 'https' if vitamui.api_gateway.secure | default(secure) | bool else 'http' }}://$api_gateway_dns:{{ vitamui.api_gateway.port_service }};
+
    proxy_pass {{ 'https' if vitamui.api_gateway.secure | default(secure) | bool else 'http' }}://API-GATEWAY;


Comment ça fonctionne encore ici en https alors que le nom DNS de API-GATEWAY n'est pas correct ?

GiooDev · 2026-01-27T13:53:04Z

deployment/environments/group_vars/all/vitamui_vars.yml

  ui_identity:
    vitamui_component: ui-identity
    port_service: 8002
+    secure: false


Si on laisse toutes les UI en secure: false (config par défaut, voir non configurable), on pourrait même se passer de leur générer un certificat server.

En effet, elles n'auraient plus besoin que d'un certificat client.

GiooDev · 2026-01-27T13:53:38Z

deployment/pki/scripts/lib/ca.sh

        -out ${REPERTOIRE_CA}/${REPERTOIRE_SORTIE}/ca-root.crt \
        -batch
+
+    pki_logger "Convert CA root certificate to PEM format..."


On convertit en pem pour création du bundle pour nginx.

Ne sera pas nécessaire si on a pas besoin des services UI en https.

GiooDev · 2026-01-27T14:04:30Z

deployment/pki/scripts/lib/stores.sh

-                                    ${JKS_PASSWORD} \
-                                    ${TMP_P12_PASSWORD}
+    # Generate the server keystores for vitamui-services except ui- components
+    for COMPONENT in $( ls ${REPERTOIRE_CERTIFICAT}/vitamui-services/server/ | grep -v -e "README" -e "^ui-" ); do


On ne génère pas les keystores pour les composants UI, c'est inutile.

Les keystores sont nécessaires uniquement pour les composants spring (java).

GiooDev · 2026-01-27T14:04:44Z

deployment/pki/scripts/lib/stores.sh

        # # client-${CLIENT_TYPE} keystores generation
-        for COMPONENT in $( ls ${CERT_SRC_DIR} 2>/dev/null | grep -vF -e "README" -e "external" ); do
+        # Do not generate keystores for ui- components, we don't need them
+        for COMPONENT in $( ls ${CERT_SRC_DIR} 2>/dev/null | grep -v -e "README" -e "external" -e "^ui-" ); do


On ne génère pas les keystores pour les composants UI, c'est inutile.

Les keystores sont nécessaires uniquement pour les composants spring (java).

GiooDev · 2026-01-27T14:05:17Z

deployment/pki/scripts/generate_certs.sh

    generateServerAndClientCertAndStorePassphrase   ui-archive-search   vitamui-services
    generateServerAndClientCertAndStorePassphrase   ui-collect          vitamui-services
    generateServerAndClientCertAndStorePassphrase   ui-pastis           vitamui-services
-    generateServerCertAndStorePassphrase            ui-design-system    vitamui-services


Pas besoin de certificat pour ui-design-system, c'est juste une page de demo des composants UI. On le laisse en http sans possibilité de le passer en https.

GiooDev · 2026-01-27T14:08:25Z

deployment/roles/nginx_webapp/tasks/install.yml

  copy:
-    src: "{{ item }}"
-    dest: "{{ nginx_ssl_dir }}"
+    src: "{{ inventory_dir }}/certs/vitamui-services/clients/{{ vitamui_struct.vitamui_component }}/{{ vitamui_struct.vitamui_component }}.{{ item }}"


Il faut copier le certificat client des UI pour utiliser lors de l'appel suivant.

Configuration proxy_ssl_certificate au niveau de nginx.

GiooDev · 2026-01-27T14:13:10Z

deployment/roles/nginx_webapp/tasks/install.yml

-    mode: "{{ vitamui_defaults.folder.conf_permission }}"
+- block:
+
+    - name: "Add server certificates for {{ vitamui_struct.vitamui_component }} when secure is enabled"


On ne copie la partie ssl que si le secure: true est activé. Autrement ces informations ne sont pas utiles.

À voir si on conserve cette possibilité pour les UI ?

Sinon, mettre à jour la PKI pour ne faire qu'un generateClientCertAndStorePassphrase pour les UI.

…breaking current install.

Refactor and translate into english.

…(Java KeyStore) format to industry-standard PKCS12 format. This eliminates the keytool warning and aligns with modern Java best practices.

…yment.

GiooDev · 2026-02-01T18:27:39Z

deployment/roles/vitamui/templates/iam/application.yml.j2

-    trust-store-password: {{ password_truststore }}
+    trust-store: {{ vitamui_folder_conf }}/truststore_vitamui.p12
+    trust-store-password: {{ truststore_vitamui }}
    client-auth: want


Pourquoi pas need ? Tous les composants appelant iam semblent le faire en mTLS.

GiooDev · 2026-02-03T09:33:04Z

Switched to #3535

GiooDev added this to the IT 164 milestone Jan 25, 2026

GiooDev self-assigned this Jan 25, 2026

GiooDev added OPS REVIEW Mandatory if deployment/ directory is modified. clean Code Clean Code VitamUI labels Jan 25, 2026

GiooDev marked this pull request as draft January 25, 2026 19:25

GiooDev force-pushed the story_15211_ops_cleanup branch 24 times, most recently from 22068ef to a3f51e0 Compare January 27, 2026 11:11

GiooDev force-pushed the story_15211_ops_cleanup branch 2 times, most recently from 7f8bd7c to 3d6d83e Compare January 27, 2026 14:01

GiooDev added 13 commits January 27, 2026 16:01

Story #15211: Cleaning PKI.

53c93f3

* Removing useless timestamping elements.

Story #15211: Cleaning truststore and configuration.

fc64afb

Story #15211: Keep cleaning.

cdafda1

Story #15211: Adding consul DNS resolution for UI and Updating upstre…

38d4d90

…am to resolv on Consul's DNS name instead of IP. The new generated certificates doesn't contains the IP anymore.

Story #15211: Trying to update nginx configuration without upstream.

e501137

Story #15211: Keep trying with more ssl configuration.

281920f

Story #15211: Try with dedicated client and server certificates confi…

059c208

…guration for webapp.

Story #15211: Disable pass for client certificates.

1a03e66

Currently, it's stored under vault-certs.yml and we don't have access to it during deployment.

Story #15211: Do not generate keystores for ui components.

216205d

Story #15211: Switch back to previous upstream configuration.

80edf60

With disabled secure for ui components.

Story #15211: Fixing cas-server resolution while starting.

8d9a0f2

Disable ssl for ui-design-system.

Story #15211: Trying without upstream.

3773517

Remove unsupported parameters for this nginx version (revolver) - upstream config.

Story #15211: Rollback to upstream.

250c029

GiooDev force-pushed the story_15211_ops_cleanup branch from e85d30a to 250c029 Compare January 27, 2026 15:01

GiooDev commented Jan 27, 2026

View reviewed changes

Story #15211: Keep elements commented for testing secured UI without …

a57e703

…breaking current install.

GiooDev force-pushed the story_15211_ops_cleanup branch from 6b9d919 to a57e703 Compare January 28, 2026 11:20

GiooDev added 3 commits January 28, 2026 15:46

Story #15211: Cleaning PKI scripts.

3fc50b4

Refactor and translate into english.

Story #15211: Migrate keystores and truststores from proprietary JKS …

e57457e

…(Java KeyStore) format to industry-standard PKCS12 format. This eliminates the keytool warning and aligns with modern Java best practices.

Story #15211: Renaming variables for keystores and truststores.

1dcff27

GiooDev force-pushed the story_15211_ops_cleanup branch from cd7af33 to 1dcff27 Compare January 28, 2026 16:22

Story #15211: Remove useless keystores for UI components in dev-deplo…

cc8cc65

…yment.

GiooDev force-pushed the story_15211_ops_cleanup branch from 4423187 to cc8cc65 Compare January 28, 2026 16:51

GiooDev modified the milestones: IT 164, IT 165 Jan 28, 2026

GiooDev commented Feb 1, 2026

View reviewed changes

Story #15211: Cleaning PKI. #3509

Are you sure you want to change the base?

Story #15211: Cleaning PKI. #3509

Conversation

GiooDev commented Jan 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Updating PKI

Ansible

Type de changement

Contributeur

Uh oh!

vitam-prg commented Jan 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

GiooDev commented Feb 3, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

GiooDev commented Jan 25, 2026 •

edited

Loading

vitam-prg commented Jan 25, 2026 •

edited

Loading