Description
Describe the bug
During implementation of #4408, it was detected that JGroups in the Caching service is not handling the trustStore well.
The issue is in the infinispan.xml configuration of the key exchange endpoint (see the SSL_KEY_EXCHANGE element and the missing truststore* attributes).
Each JGroups instance communicates with the others. To establish an encrypted connection, the TLS protocol is used, based on a keystore/keyring. The private key is loaded well, but the issue is with the trust store. Because the truststore is not defined, it uses only the public certificate from the keystore. It is not an issue for key rings (they contain private and public in the same location), but for keystores. It makes it a requirement to include the public certificate in the keystore. Otherwise, JGroups instances are not allowed to connect to each other and cannot share the cache.
The fix for v2 and v3 is different because each version uses a different version of Infinispan (v2 cannot be upgraded because of Java 8):
v2: There are no attributes like truststore*, so the only solution is to improve the documentation and tell users that in the case of a keystore it is necessary to include the CA certificate in the keystore.
v3: It is possible to configure the truststore in the configuration.
usage_truststore.patch
Note:
Ensure the key exchange endpoint is working well with ICSF
Steps to Reproduce
- Remove the public certificate from keystore\docker\all-services.keystore.p12
- Run IT on GitHub action
- Test suites about Infinispan in HA would fail. The log contains an error about a bad certificate
Logs
2025-12-10T16:23:10.2186198Z 2025-12-10 16:22:56.390 ZWEACS1:jgroups-8,359c497e85d0-7894:1 root WARN (o.j.p.ASYM_ENCRYPT) 359c497e85d0-7894: failed fetching group key from 519c122b663c-3215: java.lang.IllegalStateException: failed connecting to 172.18.0.4:7118: Received fatal alert: bad_certificate
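A triage helper for CI logs, added here as an example and not part of the original issue or the project's code: it finds JGroups key-fetch failures of the shape logged above and groups them by member pair and TLS alert, tolerating ANSI colour codes that exported logs can carry. The function names and the sample lines (modelled on the log line in this issue) are constructed for illustration.

```python
import re
from collections import Counter

# ANSI colour sequences; some exports replace the ESC byte with U+FFFD.
ANSI = re.compile(r"(?:\x1b|\ufffd)\[[0-9;]*m")

# Message shape taken from the log line quoted in this issue.
FAILURE = re.compile(
    r"\((?P<logger>o\.j\.p\.[A-Z_]+)\)\s+(?P<local>\S+): "
    r"failed fetching group key from (?P<peer>\S+): .*?"
    r"failed connecting to (?P<addr>[\d.]+):(?P<port>\d+): "
    r"Received fatal alert: (?P<alert>\w+)"
)

def find_key_exchange_failures(lines):
    """Return one dict per failed group-key fetch between JGroups members."""
    hits = []
    for raw in lines:
        m = FAILURE.search(ANSI.sub("", raw))
        if m:
            hit = m.groupdict()
            hit["port"] = int(hit["port"])
            hits.append(hit)
    return hits

def summarize(hits):
    """Count failures per (local member, peer member, TLS alert)."""
    return Counter((h["local"], h["peer"], h["alert"]) for h in hits)

# Constructed sample input: line 1 mirrors the issue's log, the rest are made up.
SAMPLE_LOG = [
    "2025-12-10 16:22:56.390 \x1b[35mZWEACS1:jgroups-8,359c497e85d0-7894:1\x1b[0;39m "
    "root \x1b[33mWARN \x1b[0;39m \x1b[36m(o.j.p.ASYM_ENCRYPT)\x1b[0;39m "
    "359c497e85d0-7894: failed fetching group key from 519c122b663c-3215: "
    "java.lang.IllegalStateException: failed connecting to 172.18.0.4:7118: "
    "Received fatal alert: bad_certificate",
    "2025-12-10 16:22:57.101 \ufffd[33mWARN \ufffd[0;39m (o.j.p.ASYM_ENCRYPT) "
    "node-b-0002: failed fetching group key from node-a-0001: "
    "java.lang.IllegalStateException: failed connecting to 172.18.0.5:7118: "
    "Received fatal alert: bad_certificate",
    "2025-12-10 16:22:58.000 INFO (o.e.Sample) unrelated startup message",
]

if __name__ == "__main__":
    for (local, peer, alert), n in summarize(find_key_exchange_failures(SAMPLE_LOG)).items():
        print(f"{local} -> {peer}: {alert} x{n}")
```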