We are able to set up the proxy so that it sends the 'master-key' certificate for mutual TLS authentication. It should not be possible to configure the master key, and the server should not choose the master key when ssl-cert-nickname is left at its default ("Let the server decide").
- Tested with OpenDJ: 7.0.0-SNAPSHOT 432a9c1d10a
- We can follow the steps of the example in the installation guide for trying the DS directory proxy server:
- Install two DS directory servers for evaluation, then configure and initialize replication between them
- Create a proxy account with permission to use proxied authorization on the DS directory servers
- Set up the DS directory proxy server to forward requests to the DS directory servers
- Check and configure the properties of the backend "proxyRoot" on the proxy
- Search the directory through the proxy
- This search can have two results: either it succeeds without problem (because the server decides to use ssl-key-pair), or it fails with "The LDAP bind request failed: 49 (Invalid Credentials)" (because the server decides to use master-key).
- Set ssl-cert-nickname to "master-key"
- It should not be possible to set ssl-cert-nickname to the master key, and it should also not be possible for the server to choose to send it for mutual TLS authentication.
- It causes Invalid Credentials in the result (for the previous search steps)
Note: keystore for the proxy:
The dates on that one make it invalid by design: