Merge remote-tracking branch 'refs/remotes/origin/master'

docs/security/crypto/ssl-connections-client-side-.adoc

@@ -14,16 +14,228 @@ In SSL/TLS connections the server side provides a certificate that needs to be v
 This means that midPoint needs to have a way how to check validity of the certificate provided by SSL/TLS server.
 MidPoint is using standard Java libraries to validate the certificate.
 Java security modules are using a _truststore_ mechanism which is closely related to xref:/midpoint/reference/security/crypto/keystore-configuration/[keystore]. The truststore is a small database of trusted certificates.
-When a certificate needs to be validate Java libraries check if the certificate the authority that issues it is in the truststore.
+When a certificate needs to be validate Java libraries check if the certificates the authority in chain that issues are in the truststore.
+
+[IMPORTANT]
+====
+For real deployments with public or private certification authorities all root and intermediate certificates in chain must be imported into midPoint keystore.
+====
 
 The following procedure describes how to get server certificate into the trustore which makes it a trusted certificate.
 
 
-== Getting the Certificate
+== Getting server certificate
 
 There are many tools to get a server certificate from SSL/TLS connection.
-We prefer to use opensource library OpenSSL (openssl library for windows can be downloaded link:https://code.google.com/p/openssl-for-windows/[here]) . It has a nice _s_client_ utility to do this:
+We prefer to use opensource library OpenSSL (openssl library for windows can be downloaded link:https://code.google.com/p/openssl-for-windows/[here]) . It has a nice _s_client_ utility to do this.
 
+Example how to obtain all server certificates in chain:
+[source]
+----
+openssl s_client -showcerts -servername google.com -connect google.com:443
+Loading 'screen' into random state - done
+CONNECTED(00000260)
+depth=2 /C=US/O=Google Trust Services LLC/CN=GTS Root R1
+verify error:num=20:unable to get local issuer certificate
+verify return:0
+---
+Certificate chain
+ 0 s:/CN=*.google.com
+   i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
+-----BEGIN CERTIFICATE-----
+MIIPKDCCDhCgAwIBAgIQXZPVtDG27jgQT6mqCHHkAzANBgkqhkiG9w0BAQsFADBG
+MQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExM
+QzETMBEGA1UEAxMKR1RTIENBIDFDMzAeFw0yNDAyMTkwODAzNTRaFw0yNDA1MTMw
+ODAzNTNaMBcxFTATBgNVBAMMDCouZ29vZ2xlLmNvbTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAM13e70d+ZprybekMI9Vh+kanYwTAUYy0ziIpayXrSgf
+fCQLYi6WdoiGpL76ATZ1Nah3xonRK2VLo7SIMdztsBUfa6Pv0PrsJa34qc2ipr95
+4K9NhUAI6dv1ka7qqAvYOIP4yQwIbFZs5b7YMr0LbvS29V3qnev7IT/Rpe1n2+nL
+R8DPXPYHuKtaIJTmBJ6zegf2v4x/G6MHlKQ+xMwkpoNCyqkKYRidy2f/ENxTZIFn
+Gq9nbebTzAozvTjYzwT/s2x1nRiGNhdcMp4pTeszmjQ9co/SBIyL2pGef39iw20p
+TfwYPGi1WG9kuFKkNUNzfhppQ9e5CNskKi0wM3BJE1sCAwEAAaOCDD8wggw7MA4G
+A1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAA
+MB0GA1UdDgQWBBSW6bOCv2Afuev4kI1nRbhRWOBz1DAfBgNVHSMEGDAWgBSKdH+v
+hc3ulc09nNDiRhTzcTUdJzBqBggrBgEFBQcBAQReMFwwJwYIKwYBBQUHMAGGG2h0
+dHA6Ly9vY3NwLnBraS5nb29nL2d0czFjMzAxBggrBgEFBQcwAoYlaHR0cDovL3Br
+aS5nb29nL3JlcG8vY2VydHMvZ3RzMWMzLmRlcjCCCe8GA1UdEQSCCeYwggniggwq
+Lmdvb2dsZS5jb22CFiouYXBwZW5naW5lLmdvb2dsZS5jb22CCSouYmRuLmRldoIV
+Ki5vcmlnaW4tdGVzdC5iZG4uZGV2ghIqLmNsb3VkLmdvb2dsZS5jb22CGCouY3Jv
+d2Rzb3VyY2UuZ29vZ2xlLmNvbYIYKi5kYXRhY29tcHV0ZS5nb29nbGUuY29tggsq
+Lmdvb2dsZS5jYYILKi5nb29nbGUuY2yCDiouZ29vZ2xlLmNvLmlugg4qLmdvb2ds
+ZS5jby5qcIIOKi5nb29nbGUuY28udWuCDyouZ29vZ2xlLmNvbS5hcoIPKi5nb29n
+bGUuY29tLmF1gg8qLmdvb2dsZS5jb20uYnKCDyouZ29vZ2xlLmNvbS5jb4IPKi5n
+b29nbGUuY29tLm14gg8qLmdvb2dsZS5jb20udHKCDyouZ29vZ2xlLmNvbS52boIL
+Ki5nb29nbGUuZGWCCyouZ29vZ2xlLmVzggsqLmdvb2dsZS5mcoILKi5nb29nbGUu
+aHWCCyouZ29vZ2xlLml0ggsqLmdvb2dsZS5ubIILKi5nb29nbGUucGyCCyouZ29v
+Z2xlLnB0gg8qLmdvb2dsZWFwaXMuY26CESouZ29vZ2xldmlkZW8uY29tggwqLmdz
+dGF0aWMuY26CECouZ3N0YXRpYy1jbi5jb22CD2dvb2dsZWNuYXBwcy5jboIRKi5n
+b29nbGVjbmFwcHMuY26CEWdvb2dsZWFwcHMtY24uY29tghMqLmdvb2dsZWFwcHMt
+Y24uY29tggxna2VjbmFwcHMuY26CDiouZ2tlY25hcHBzLmNughJnb29nbGVkb3du
+bG9hZHMuY26CFCouZ29vZ2xlZG93bmxvYWRzLmNughByZWNhcHRjaGEubmV0LmNu
+ghIqLnJlY2FwdGNoYS5uZXQuY26CEHJlY2FwdGNoYS1jbi5uZXSCEioucmVjYXB0
+Y2hhLWNuLm5ldIILd2lkZXZpbmUuY26CDSoud2lkZXZpbmUuY26CEWFtcHByb2pl
+Y3Qub3JnLmNughMqLmFtcHByb2plY3Qub3JnLmNughFhbXBwcm9qZWN0Lm5ldC5j
+boITKi5hbXBwcm9qZWN0Lm5ldC5jboIXZ29vZ2xlLWFuYWx5dGljcy1jbi5jb22C
+GSouZ29vZ2xlLWFuYWx5dGljcy1jbi5jb22CF2dvb2dsZWFkc2VydmljZXMtY24u
+Y29tghkqLmdvb2dsZWFkc2VydmljZXMtY24uY29tghFnb29nbGV2YWRzLWNuLmNv
+bYITKi5nb29nbGV2YWRzLWNuLmNvbYIRZ29vZ2xlYXBpcy1jbi5jb22CEyouZ29v
+Z2xlYXBpcy1jbi5jb22CFWdvb2dsZW9wdGltaXplLWNuLmNvbYIXKi5nb29nbGVv
+cHRpbWl6ZS1jbi5jb22CEmRvdWJsZWNsaWNrLWNuLm5ldIIUKi5kb3VibGVjbGlj
+ay1jbi5uZXSCGCouZmxzLmRvdWJsZWNsaWNrLWNuLm5ldIIWKi5nLmRvdWJsZWNs
+aWNrLWNuLm5ldIIOZG91YmxlY2xpY2suY26CECouZG91YmxlY2xpY2suY26CFCou
+ZmxzLmRvdWJsZWNsaWNrLmNughIqLmcuZG91YmxlY2xpY2suY26CEWRhcnRzZWFy
+Y2gtY24ubmV0ghMqLmRhcnRzZWFyY2gtY24ubmV0gh1nb29nbGV0cmF2ZWxhZHNl
+cnZpY2VzLWNuLmNvbYIfKi5nb29nbGV0cmF2ZWxhZHNlcnZpY2VzLWNuLmNvbYIY
+Z29vZ2xldGFnc2VydmljZXMtY24uY29tghoqLmdvb2dsZXRhZ3NlcnZpY2VzLWNu
+LmNvbYIXZ29vZ2xldGFnbWFuYWdlci1jbi5jb22CGSouZ29vZ2xldGFnbWFuYWdl
+ci1jbi5jb22CGGdvb2dsZXN5bmRpY2F0aW9uLWNuLmNvbYIaKi5nb29nbGVzeW5k
+aWNhdGlvbi1jbi5jb22CJCouc2FmZWZyYW1lLmdvb2dsZXN5bmRpY2F0aW9uLWNu
+LmNvbYIWYXBwLW1lYXN1cmVtZW50LWNuLmNvbYIYKi5hcHAtbWVhc3VyZW1lbnQt
+Y24uY29tggtndnQxLWNuLmNvbYINKi5ndnQxLWNuLmNvbYILZ3Z0Mi1jbi5jb22C
+DSouZ3Z0Mi1jbi5jb22CCzJtZG4tY24ubmV0gg0qLjJtZG4tY24ubmV0ghRnb29n
+bGVmbGlnaHRzLWNuLm5ldIIWKi5nb29nbGVmbGlnaHRzLWNuLm5ldIIMYWRtb2It
+Y24uY29tgg4qLmFkbW9iLWNuLmNvbYIUZ29vZ2xlc2FuZGJveC1jbi5jb22CFiou
+Z29vZ2xlc2FuZGJveC1jbi5jb22CHiouc2FmZW51cC5nb29nbGVzYW5kYm94LWNu
+LmNvbYINKi5nc3RhdGljLmNvbYIUKi5tZXRyaWMuZ3N0YXRpYy5jb22CCiouZ3Z0
+MS5jb22CESouZ2NwY2RuLmd2dDEuY29tggoqLmd2dDIuY29tgg4qLmdjcC5ndnQy
+LmNvbYIQKi51cmwuZ29vZ2xlLmNvbYIWKi55b3V0dWJlLW5vY29va2llLmNvbYIL
+Ki55dGltZy5jb22CC2FuZHJvaWQuY29tgg0qLmFuZHJvaWQuY29tghMqLmZsYXNo
+LmFuZHJvaWQuY29tggRnLmNuggYqLmcuY26CBGcuY2+CBiouZy5jb4IGZ29vLmds
+ggp3d3cuZ29vLmdsghRnb29nbGUtYW5hbHl0aWNzLmNvbYIWKi5nb29nbGUtYW5h
+bHl0aWNzLmNvbYIKZ29vZ2xlLmNvbYISZ29vZ2xlY29tbWVyY2UuY29tghQqLmdv
+b2dsZWNvbW1lcmNlLmNvbYIIZ2dwaHQuY26CCiouZ2dwaHQuY26CCnVyY2hpbi5j
+b22CDCoudXJjaGluLmNvbYIIeW91dHUuYmWCC3lvdXR1YmUuY29tgg0qLnlvdXR1
+YmUuY29tghR5b3V0dWJlZWR1Y2F0aW9uLmNvbYIWKi55b3V0dWJlZWR1Y2F0aW9u
+LmNvbYIPeW91dHViZWtpZHMuY29tghEqLnlvdXR1YmVraWRzLmNvbYIFeXQuYmWC
+ByoueXQuYmWCGmFuZHJvaWQuY2xpZW50cy5nb29nbGUuY29tghtkZXZlbG9wZXIu
+YW5kcm9pZC5nb29nbGUuY26CHGRldmVsb3BlcnMuYW5kcm9pZC5nb29nbGUuY26C
+GHNvdXJjZS5hbmRyb2lkLmdvb2dsZS5jboIaZGV2ZWxvcGVyLmNocm9tZS5nb29n
+bGUuY26CGHdlYi5kZXZlbG9wZXJzLmdvb2dsZS5jbjAhBgNVHSAEGjAYMAgGBmeB
+DAECATAMBgorBgEEAdZ5AgUDMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmxz
+LnBraS5nb29nL2d0czFjMy9mVkp4YlYtS3Rtay5jcmwwggEEBgorBgEEAdZ5AgQC
+BIH1BIHyAPAAdgBIsONr2qZHNA/lagL6nTDrHFIBy1bdLIHZu7+rOdiEcwAAAY3A
+m5XyAAAEAwBHMEUCIHlRkebho8dI/RUCwPRapoKiOcIhvQddNeZP81myigtOAiEA
+5XNQPZzw0tjFVzTllWCJXqM6MjM0Sm0q6ZmII5nDcscAdgDuzdBk1dsazsVct520
+zROiModGfLzs3sNRSFlGcR+1mwAAAY3Am5XMAAAEAwBHMEUCIHs6XwsGtdpSkEYl
+lrO1q1mqi9ylrfpYWfGCyVJQ4f8uAiEAzujxJjpjIOr7Fs58+Oaij3A+sahNS9aa
+asn5gcHigRIwDQYJKoZIhvcNAQELBQADggEBAIHJiBhis3ZzX4/Wk/K/tdjCnNtv
+blcljLZZ86OeUoAYB1dnZmEEqT3zPm93FlUxe77ghE3fPw9xVSlUHSZ3UaELBS+w
+n/x8ZHB//nDH9Vdwv+oG9O9DT+O4sLpQHSHOJRgbQJCk7+K5BbVWzp+zdNkJzUzX
+M0twXORS0OnUSOBxm+JNgsjDrLlYhSDLO1kinRoeyX27A28CWWP7RTyXs2G4KZAW
+T/VI+eLUSjrDk+jTFP1bYKOTa0hRcrAGWjqT66KUpjHvun32QbItamtsLEpX9VAH
+mLyeS0SHUGaGBNgcPQk8ejUaHMUJkadjrDjf1mC02JdHzsqUl3NuGZ8avR4=
+-----END CERTIFICATE-----
+ 1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
+   i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
+-----BEGIN CERTIFICATE-----
+MIIFljCCA36gAwIBAgINAgO8U1lrNMcY9QFQZjANBgkqhkiG9w0BAQsFADBHMQsw
+CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
+MBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMjAwODEzMDAwMDQyWhcNMjcwOTMwMDAw
+MDQyWjBGMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp
+Y2VzIExMQzETMBEGA1UEAxMKR1RTIENBIDFDMzCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAPWI3+dijB43+DdCkH9sh9D7ZYIl/ejLa6T/belaI+KZ9hzp
+kgOZE3wJCor6QtZeViSqejOEH9Hpabu5dOxXTGZok3c3VVP+ORBNtzS7XyV3NzsX
+lOo85Z3VvMO0Q+sup0fvsEQRY9i0QYXdQTBIkxu/t/bgRQIh4JZCF8/ZK2VWNAcm
+BA2o/X3KLu/qSHw3TT8An4Pf73WELnlXXPxXbhqW//yMmqaZviXZf5YsBvcRKgKA
+gOtjGDxQSYflispfGStZloEAoPtR28p3CwvJlk/vcEnHXG0g/Zm0tOLKLnf9LdwL
+tmsTDIwZKxeWmLnwi/agJ7u2441Rj72ux5uxiZ0CAwEAAaOCAYAwggF8MA4GA1Ud
+DwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0T
+AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUinR/r4XN7pXNPZzQ4kYU83E1HScwHwYD
+VR0jBBgwFoAU5K8rJnEaK0gnhS9SZizv8IkTcT4waAYIKwYBBQUHAQEEXDBaMCYG
+CCsGAQUFBzABhhpodHRwOi8vb2NzcC5wa2kuZ29vZy9ndHNyMTAwBggrBgEFBQcw
+AoYkaHR0cDovL3BraS5nb29nL3JlcG8vY2VydHMvZ3RzcjEuZGVyMDQGA1UdHwQt
+MCswKaAnoCWGI2h0dHA6Ly9jcmwucGtpLmdvb2cvZ3RzcjEvZ3RzcjEuY3JsMFcG
+A1UdIARQME4wOAYKKwYBBAHWeQIFAzAqMCgGCCsGAQUFBwIBFhxodHRwczovL3Br
+aS5nb29nL3JlcG9zaXRvcnkvMAgGBmeBDAECATAIBgZngQwBAgIwDQYJKoZIhvcN
+AQELBQADggIBAIl9rCBcDDy+mqhXlRu0rvqrpXJxtDaV/d9AEQNMwkYUuxQkq/BQ
+cSLbrcRuf8/xam/IgxvYzolfh2yHuKkMo5uhYpSTld9brmYZCwKWnvy15xBpPnrL
+RklfRuFBsdeYTWU0AIAaP0+fbH9JAIFTQaSSIYKCGvGjRFsqUBITTcFTNvNCCK9U
++o53UxtkOCcXCb1YyRt8OS1b887U7ZfbFAO/CVMkH8IMBHmYJvJh8VNS/UKMG2Yr
+PxWhu//2m+OBmgEGcYk1KCTd4b3rGS3hSMs9WYNRtHTGnXzGsYZbr8w0xNPM1IER
+lQCh9BIiAfq0g3GvjLeMcySsN1PCAJA/Ef5c7TaUEDu9Ka7ixzpiO2xj2YC/WXGs
+Yye5TBeg2vZzFb8q3o/zpWwygTMD0IZRcZk0upONXbVRWPeyk+gB9lm+cZv9TSjO
+z23HFtz30dZGm6fKa+l3D/2gthsjgx0QGtkJAITgRNOidSOzNIb2ILCkXhAd4FJG
+AJ2xDx8hcFH1mt0G/FX0Kw4zd8NLQsLxdxP8c4CU6x+7Nz/OAipmsHMdMqUybDKw
+juDEI/9bfU1lcKwrmz3O2+BtjjKAvpafkmO8l7tdufThcV4q5O8DIrGKZTqPwJNl
+1IXNDw9bg1kWRxYtnCQ6yICmJhSFm/Y3m6xv+cXDBlHz4n/FsRC6UfTd
+-----END CERTIFICATE-----
+ 2 s:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
+   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
+-----BEGIN CERTIFICATE-----
+MIIFYjCCBEqgAwIBAgIQd70NbNs2+RrqIQ/E8FjTDTANBgkqhkiG9w0BAQsFADBX
+MQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEQMA4GA1UE
+CxMHUm9vdCBDQTEbMBkGA1UEAxMSR2xvYmFsU2lnbiBSb290IENBMB4XDTIwMDYx
+OTAwMDA0MloXDTI4MDEyODAwMDA0MlowRzELMAkGA1UEBhMCVVMxIjAgBgNVBAoT
+GUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBMTEMxFDASBgNVBAMTC0dUUyBSb290IFIx
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAthECix7joXebO9y/lD63
+ladAPKH9gvl9MgaCcfb2jH/76Nu8ai6Xl6OMS/kr9rH5zoQdsfnFl97vufKj6bwS
+iV6nqlKr+CMny6SxnGPb15l+8Ape62im9MZaRw1NEDPjTrETo8gYbEvs/AmQ351k
+KSUjB6G00j0uYODP0gmHu81I8E3CwnqIiru6z1kZ1q+PsAewnjHxgsHA3y6mbWwZ
+DrXYfiYaRQM9sHmklCitD38m5agI/pboPGiUU+6DOogrFZYJsuB6jC511pzrp1Zk
+j5ZPaK49l8KEj8C8QMALXL32h7M1bKwYUH+E4EzNktMg6TO8UpmvMrUpsyUqtEj5
+cuHKZPfmghCN6J3Cioj6OGaK/GP5Afl4/Xtcd/p2h/rs37EOeZVXtL0m79YB0esW
+CruOC7XFxYpVq9Os6pFLKcwZpDIlTirxZUTQAs6qzkm06p98g7BAe+dDq6dso499
+iYH6TKX/1Y7DzkvgtdizjkXPdsDtQCv9Uw+wp9U7DbGKogPeMa3Md+pvez7W35Ei
+Eua++tgy/BBjFFFy3l3WFpO9KWgz7zpm7AeKJt8T11dleCfeXkkUAKIAf5qoIbap
+sZWwpbkNFhHax2xIPEDgfg1azVY80ZcFuctL7TlLnMQ/0lUTbiSw1nH69MG6zO0b
+9f6BQdgAmD06yK56mDcYBZUCAwEAAaOCATgwggE0MA4GA1UdDwEB/wQEAwIBhjAP
+BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTkrysmcRorSCeFL1JmLO/wiRNxPjAf
+BgNVHSMEGDAWgBRge2YaRQ2XyolQL30EzTSo//z9SzBgBggrBgEFBQcBAQRUMFIw
+JQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnBraS5nb29nL2dzcjEwKQYIKwYBBQUH
+MAKGHWh0dHA6Ly9wa2kuZ29vZy9nc3IxL2dzcjEuY3J0MDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwucGtpLmdvb2cvZ3NyMS9nc3IxLmNybDA7BgNVHSAENDAy
+MAgGBmeBDAECATAIBgZngQwBAgIwDQYLKwYBBAHWeQIFAwIwDQYLKwYBBAHWeQIF
+AwMwDQYJKoZIhvcNAQELBQADggEBADSkHrEoo9C0dhemMXoh6dFSPsjbdBZBiLg9
+NR3t5P+T4Vxfq7vqfM/b5A3Ri1fyJm9bvhdGaJQ3b2t6yMAYN/olUazsaL+yyEn9
+WprKASOshIArAoyZl+tJaox118fessmXn1hIVw41oeQa1v1vg4Fv74zPl6/AhSrw
+9U5pCZEt4Wi4wStz6dTZ/CLANx8LZh1J7QJVj2fhMtfTJr9w4z30Z209fOU0iOMy
++qduBmpvvYuR7hZL6Dupszfnw0Skfths18dG9ZKb59UhvmaSGZRVbNQpsg3BZlvi
+d0lIKO2d1xozclOzgjXPYovJJIultzkMu34qQb9Sz/yilrbCgj8=
+-----END CERTIFICATE-----
+---
+Server certificate
+subject=/CN=*.google.com
+issuer=/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
+---
+No client certificate CA names sent
+---
+SSL handshake has read 7076 bytes and written 439 bytes
+---
+New, TLSv1/SSLv3, Cipher is AES128-SHA
+Server public key is 2048 bit
+Compression: NONE
+Expansion: NONE
+SSL-Session:
+    Protocol  : TLSv1
+    Cipher    : AES128-SHA
+    Session-ID:
+    Session-ID-ctx:
+    Master-Key: 4F24E1D13BF6CA43603CB185446DCB8AB1F57CBCC128B2A15C0F4186DFC517ECFF60FFBC472D0FCE6175584565790B31
+    Key-Arg   : None
+    TLS session ticket lifetime hint: 100800 (seconds)
+    TLS session ticket:
+    0000 - 02 4b 12 f2 f4 b7 98 7b-7d 30 dd 33 1f bd 28 ca   .K.....{}0.3..(.
+    0010 - a8 27 ef cf 8d 8f 73 5d-7f 78 fd 67 cb 97 a6 c6   .'....s].x.g....
+    0020 - dc 23 3c 29 f5 7c 6a b8-53 e6 30 6d 1a 14 61 22   .#<).|j.S.0m..a"
+    0030 - 14 01 45 2a e4 98 6b 0e-35 fd 46 17 d8 81 c2 d5   ..E*..k.5.F.....
+    0040 - d2 06 5f 1a 0a 32 1f 9e-64 b1 7e 9a af 50 09 bd   .._..2..d.~..P..
+    0050 - 89 26 62 08 84 6c 80 fa-d6 43 09 63 44 b4 9a 94   .&b..l...C.cD...
+    0060 - 2b d1 7e 33 73 73 6b 9e-a5 99 af 88 1e 70 7d 0c   +.~3ssk......p}.
+    0070 - 5b 72 51 0e 00 e4 6c ae-20 12 ff 4b 01 af 70 69   [rQ...l. ..K..pi
+    0080 - 81 4f 42 cd 95 9e fe 2c-7a 3f 45 a4 21 ad 23 60   .OB....,z?E.!.#`
+    0090 - f4 b3 37 84 69 55 95 9f-69 ec 21 6a 7a 5b da 74   ..7.iU..i.!jz[.t
+    00a0 - 66 9c 60 3f cc 5a fc 5c-b2 b6 aa db 50 06 31 22   f.`?.Z.\....P.1"
+    00b0 - 90 f4 39 73 05 cf 99 f8-3c 05 77 6e 93 a7 95 9b   ..9s....<.wn....
+    00c0 - 26 e8 59 84 f6 d1 21 ce-c0 b0 db 3e 15 b4 4b 33   &.Y...!....>..K3
+    00d0 - 46 52 41 e2 19 9e 45 2e-06 e2 6d                  FRA...E...m
+
+    Start Time: 1710417148
+    Timeout   : 300 (sec)
+    Verify return code: 20 (unable to get local issuer certificate)
+---
+----
+
+Example how to obtain server certificate:
 [source]
 ----
 $ openssl s_client -connect deimos.lab.evolveum.com:3636
@@ -97,6 +309,7 @@ SSL-Session:
 ---
 ----
 
+
 The data between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` is the server certificate.
 Copy&paste the data into a separate file (*including the boundary lines*) and save it e.g. as `servercert.pem`.
 
@@ -131,4 +344,4 @@ openssl pkcs7 -inform der -in mycert.p7b -out myconvertedcert.cer
 
 == See Also
 
-* xref:/midpoint/reference/security/crypto/keystore-configuration/[Keystore Configuration]
+* xref:/midpoint/reference/security/crypto/keystore-configuration/[Keystore Configuration]

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/component/data/provider/SelectableBeanDataProvider.java

@@ -212,9 +212,7 @@ protected final Collection<SelectorOptions<GetOperationOptions>> getSearchOption
         } else {
             if (ResourceType.class.equals(getType()) || ShadowType.class.equals(getType())) {
                 GetOperationOptions root = SelectorOptions.findRootOptions(options);
-                if (root == null) {
-                    options.add(new SelectorOptions<>(GetOperationOptions.createNoFetch()));
-                } else {
+                if (root != null) {
                     root.setNoFetch(Boolean.TRUE);
                 }
             }

infra/common/src/main/java/com/evolveum/midpoint/common/cleanup/CleanupActionProcessor.java

@@ -30,8 +30,18 @@ public class CleanupActionProcessor {
 
     private boolean ignoreNamespaces;
 
+    private boolean removeContainerIds;
+
     private final Map<QName, Map<ItemPath, CleanupPathAction>> paths = new HashMap<>();
 
+    public boolean isRemoveContainerIds() {
+        return removeContainerIds;
+    }
+
+    public void setRemoveContainerIds(boolean removeContainerIds) {
+        this.removeContainerIds = removeContainerIds;
+    }
+
     public void setListener(CleanupListener listener) {
         this.listener = listener;
     }
@@ -134,6 +144,10 @@ private boolean processItemRecursively(
             final List<Item<?, ?>> toBeRemoved = new ArrayList<>();
 
             for (PrismContainerValue<?> value : pc.getValues()) {
+                if (removeContainerIds) {
+                    value.setId(null);
+                }
+
                 Collection<Item<?, ?>> items = value.getItems();
                 for (Item<?, ?> i : items) {
                     if (processItemRecursively(i, currentPath.append(i.getElementName()), customItemActions, object, result)) {