Repository: ambari Updated Branches: refs/heads/trunk c4078c650 -> 8bd16add8
AMBARI-12518: Support CA signed certificates for 2-way SSL : Make truststore file and keystore/truststore types configurable (jluniya) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/8bd16add Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/8bd16add Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/8bd16add Branch: refs/heads/trunk Commit: 8bd16add847833a54e8efc6681700b77f569531a Parents: c4078c6 Author: Jayush Luniya <[email protected]> Authored: Wed Jul 29 09:42:26 2015 -0700 Committer: Jayush Luniya <[email protected]> Committed: Wed Jul 29 09:42:26 2015 -0700
----------------------------------------------------------------------
.../server/configuration/Configuration.java | 28 ++++++++++++++++++++
.../ambari/server/controller/AmbariServer.java | 22 ++++++++-------
.../server/configuration/ConfigurationTest.java | 15 +++++++++++
3 files changed, 56 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/8bd16add/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index 9491f7b..50fc6a6 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -96,6 +96,9 @@ public class Configuration {
 public static final String SRVR_CSR_NAME_KEY = "security.server.csr_name";
 public static final String SRVR_KEY_NAME_KEY = "security.server.key_name";
 public static final String KSTR_NAME_KEY = "security.server.keystore_name";
+ public static final String KSTR_TYPE_KEY = "security.server.keystore_type";
+ public static final String TSTR_NAME_KEY = "security.server.truststore_name";
+ public static final String TSTR_TYPE_KEY = "security.server.truststore_type";
 public static final String SRVR_CRT_PASS_FILE_KEY = "security.server.crt_pass_file";
 public static final String SRVR_CRT_PASS_KEY = "security.server.crt_pass";
 public static final String SRVR_CRT_PASS_LEN_KEY = "security.server.crt_pass.len";
@@ -117,6 +120,9 @@ public class Configuration {
 public static final String CLIENT_API_SSL_PORT_KEY = "client.api.ssl.port";
 public static final String CLIENT_API_SSL_KSTR_DIR_NAME_KEY = "client.api.ssl.keys_dir";
 public static final String CLIENT_API_SSL_KSTR_NAME_KEY = "client.api.ssl.keystore_name";
+ public static final String CLIENT_API_SSL_KSTR_TYPE_KEY = "client.api.ssl.keystore_type";
+ public static final String CLIENT_API_SSL_TSTR_NAME_KEY = "client.api.ssl.truststore_name";
+ public static final String CLIENT_API_SSL_TSTR_TYPE_KEY = "client.api.ssl.truststore_type";
 public static final String CLIENT_API_SSL_CRT_NAME_KEY = "client.api.ssl.cert_name";
 public static final String CLIENT_API_SSL_CRT_PASS_FILE_NAME_KEY = "client.api.ssl.cert_pass_file";
 public static final String CLIENT_API_SSL_CRT_PASS_KEY = "client.api.ssl.crt_pass";
@@ -207,7 +213,17 @@ public class Configuration {
 public static final String SRVR_KEY_NAME_DEFAULT = "ca.key";
 public static final String SRVR_CSR_NAME_DEFAULT = "ca.csr";
 public static final String KSTR_NAME_DEFAULT = "keystore.p12";
+ public static final String KSTR_TYPE_DEFAULT = "PKCS12";
+ // By default self-signed certificates are used and we can use keystore as truststore in PKCS12 format
+ // When CA signed certificates are used truststore should be created in JKS format (truststore.jks)
+ public static final String TSTR_NAME_DEFAULT = "keystore.p12";
+ public static final String TSTR_TYPE_DEFAULT = "PKCS12";
 public static final String CLIENT_API_SSL_KSTR_NAME_DEFAULT = "https.keystore.p12";
+ public static final String CLIENT_API_SSL_KSTR_TYPE_DEFAULT = "PKCS12";
+ // By default self-signed certificates are used and we can use keystore as truststore in PKCS12 format
+ // When CA signed certificates are used truststore should be created in JKS format (truststore.jks)
+ public static final String CLIENT_API_SSL_TSTR_NAME_DEFAULT = "https.keystore.p12";
+ public static final String CLIENT_API_SSL_TSTR_TYPE_DEFAULT = "PKCS12";
 public static final String CLIENT_API_SSL_CRT_PASS_FILE_NAME_DEFAULT = "https.pass.txt";
 public static final String CLIENT_API_SSL_KEY_NAME_DEFAULT = "https.key";
 public static final String CLIENT_API_SSL_CRT_NAME_DEFAULT = "https.crt";
@@ -532,6 +548,12 @@ public class Configuration {
 SRVR_CSR_NAME_KEY, SRVR_CSR_NAME_DEFAULT));
 configsMap.put(KSTR_NAME_KEY, properties.getProperty(
 KSTR_NAME_KEY, KSTR_NAME_DEFAULT));
+ configsMap.put(KSTR_TYPE_KEY, properties.getProperty(
+ KSTR_TYPE_KEY, KSTR_TYPE_DEFAULT));
+ configsMap.put(TSTR_NAME_KEY, properties.getProperty(
+ TSTR_NAME_KEY, TSTR_NAME_DEFAULT));
+ configsMap.put(TSTR_TYPE_KEY, properties.getProperty(
+ TSTR_TYPE_KEY, TSTR_TYPE_DEFAULT));
 configsMap.put(SRVR_CRT_PASS_FILE_KEY, properties.getProperty(
 SRVR_CRT_PASS_FILE_KEY, SRVR_CRT_PASS_FILE_DEFAULT));
 configsMap.put(PASSPHRASE_ENV_KEY, properties.getProperty(
@@ -551,6 +573,12 @@ public class Configuration {
 CLIENT_API_SSL_KSTR_DIR_NAME_KEY, configsMap.get(SRVR_KSTR_DIR_KEY)));
 configsMap.put(CLIENT_API_SSL_KSTR_NAME_KEY, properties.getProperty(
 CLIENT_API_SSL_KSTR_NAME_KEY, CLIENT_API_SSL_KSTR_NAME_DEFAULT));
+ configsMap.put(CLIENT_API_SSL_KSTR_TYPE_KEY, properties.getProperty(
+ CLIENT_API_SSL_KSTR_TYPE_KEY, CLIENT_API_SSL_KSTR_TYPE_DEFAULT));
+ configsMap.put(CLIENT_API_SSL_TSTR_NAME_KEY, properties.getProperty(
+ CLIENT_API_SSL_TSTR_NAME_KEY, CLIENT_API_SSL_TSTR_NAME_DEFAULT));
+ configsMap.put(CLIENT_API_SSL_TSTR_TYPE_KEY, properties.getProperty(
+ CLIENT_API_SSL_TSTR_TYPE_KEY, CLIENT_API_SSL_TSTR_TYPE_DEFAULT));
 configsMap.put(CLIENT_API_SSL_CRT_PASS_FILE_NAME_KEY, properties.getProperty(
 CLIENT_API_SSL_CRT_PASS_FILE_NAME_KEY, CLIENT_API_SSL_CRT_PASS_FILE_NAME_DEFAULT));
 configsMap.put(CLIENT_API_SSL_KEY_NAME_KEY, properties.getProperty(
http://git-wip-us.apache.org/repos/asf/ambari/blob/8bd16add/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
index 28b0fc6..5644ca5 100644
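Review bot: The new `keystore_type`/`truststore_type` values are copied from the properties into configsMap without any validation, so a misspelled type (say `PKCS-12` or `jks `) is only detected when Jetty tries to open the store, after AmbariServer startup has already begun and with a stack trace rather than the offending property name. A cheap load-time check is to call `java.security.KeyStore.getInstance(type)` for each of the four type values and rethrow the `KeyStoreException` it raises for unknown types as an exception that names the property, e.g. `"security.server.truststore_type: unsupported keystore type '" + type + "'"`. The same applies to both hunks here, and the enclosing method starts before the first hunk and ends after the second.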
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
@@ -316,25 +316,27 @@ public class AmbariServer {
 Map<String, String> configsMap = configs.getConfigsMap();
 String keystore = configsMap.get(Configuration.SRVR_KSTR_DIR_KEY)
 + File.separator + configsMap.get(Configuration.KSTR_NAME_KEY);
+ String truststore = configsMap.get(Configuration.SRVR_KSTR_DIR_KEY)
+ + File.separator + configsMap.get(Configuration.TSTR_NAME_KEY);
 String srvrCrtPass = configsMap.get(Configuration.SRVR_CRT_PASS_KEY);
 sslConnectorTwoWay.setKeystore(keystore);
- sslConnectorTwoWay.setTruststore(keystore);
+ sslConnectorTwoWay.setTruststore(truststore);
 sslConnectorTwoWay.setPassword(srvrCrtPass);
 sslConnectorTwoWay.setKeyPassword(srvrCrtPass);
 sslConnectorTwoWay.setTrustPassword(srvrCrtPass);
- sslConnectorTwoWay.setKeystoreType("PKCS12");
- sslConnectorTwoWay.setTruststoreType("PKCS12");
+ sslConnectorTwoWay.setKeystoreType(configsMap.get(Configuration.KSTR_TYPE_KEY));
+ sslConnectorTwoWay.setTruststoreType(configsMap.get(Configuration.TSTR_TYPE_KEY));
 sslConnectorTwoWay.setNeedClientAuth(configs.getTwoWaySsl());
 //SSL Context Factory
 SslContextFactory contextFactoryOneWay = new SslContextFactory(true);
 contextFactoryOneWay.setKeyStorePath(keystore);
- contextFactoryOneWay.setTrustStore(keystore);
+ contextFactoryOneWay.setTrustStore(truststore);
 contextFactoryOneWay.setKeyStorePassword(srvrCrtPass);
 contextFactoryOneWay.setKeyManagerPassword(srvrCrtPass);
 contextFactoryOneWay.setTrustStorePassword(srvrCrtPass);
- contextFactoryOneWay.setKeyStoreType("PKCS12");
- contextFactoryOneWay.setTrustStoreType("PKCS12");
+ contextFactoryOneWay.setKeyStoreType(configsMap.get(Configuration.KSTR_TYPE_KEY));
+ contextFactoryOneWay.setTrustStoreType(configsMap.get(Configuration.TSTR_TYPE_KEY));
 contextFactoryOneWay.setNeedClientAuth(false);
 disableInsecureProtocols(contextFactoryOneWay);
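Review bot: `sslConnectorTwoWay.setTrustPassword(srvrCrtPass)` and `contextFactoryOneWay.setTrustStorePassword(srvrCrtPass)` still hand the certificate/keystore password to the truststore, even though the truststore is now a separate configurable file (`TSTR_NAME_KEY`) that the comment in Configuration.java says should be a JKS file when CA-signed certificates are used. Unless that JKS truststore is created with exactly the keystore password, the two-way connector will fail to open it at startup, and nothing in the diff states that requirement. Either add a `security.server.truststore_pass`-style property (defaulting to the keystore password so the self-signed path is unchanged) or document the requirement next to `TSTR_NAME_DEFAULT`, e.g. `// The truststore must be protected with the same password as the keystore (SRVR_CRT_PASS)`. The enclosing method begins before this hunk.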
@@ -427,6 +429,8 @@ public class AmbariServer {
 if (configs.getApiSSLAuthentication()) {
 String httpsKeystore = configsMap.get(Configuration.CLIENT_API_SSL_KSTR_DIR_NAME_KEY)
 + File.separator + configsMap.get(Configuration.CLIENT_API_SSL_KSTR_NAME_KEY);
+ String httpsTruststore = configsMap.get(Configuration.CLIENT_API_SSL_KSTR_DIR_NAME_KEY)
+ + File.separator + configsMap.get(Configuration.CLIENT_API_SSL_TSTR_NAME_KEY);
 LOG.info("API SSL Authentication is turned on. Keystore - " + httpsKeystore);
 String httpsCrtPass = configsMap.get(Configuration.CLIENT_API_SSL_CRT_PASS_KEY);
@@ -436,12 +440,12 @@ public class AmbariServer {
 SslSelectChannelConnector sapiConnector = new SslSelectChannelConnector(contextFactoryApi);
 sapiConnector.setPort(configs.getClientSSLApiPort());
 sapiConnector.setKeystore(httpsKeystore);
- sapiConnector.setTruststore(httpsKeystore);
+ sapiConnector.setTruststore(httpsTruststore);
 sapiConnector.setPassword(httpsCrtPass);
 sapiConnector.setKeyPassword(httpsCrtPass);
 sapiConnector.setTrustPassword(httpsCrtPass);
- sapiConnector.setKeystoreType("PKCS12");
- sapiConnector.setTruststoreType("PKCS12");
+ sapiConnector.setKeystoreType(configsMap.get(Configuration.CLIENT_API_SSL_KSTR_TYPE_KEY));
+ sapiConnector.setTruststoreType(configsMap.get(Configuration.CLIENT_API_SSL_KSTR_TYPE_KEY));
 sapiConnector.setMaxIdleTime(configs.getConnectionMaxIdleTime());
 apiConnector = sapiConnector;
 }
http://git-wip-us.apache.org/repos/asf/ambari/blob/8bd16add/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java b/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
index 00a77f5..2a1ac3c 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
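Review bot: In the `@@ -436,12 +440,12 @@` hunk, `sapiConnector.setTruststoreType(configsMap.get(Configuration.CLIENT_API_SSL_KSTR_TYPE_KEY))` reads the keystore type, not the truststore type, so `client.api.ssl.truststore_type` is loaded into configsMap but never reaches the API connector. With the defaults (both PKCS12) this is invisible, but in the CA-signed setup this commit is meant to enable (PKCS12 keystore plus a JKS truststore, per the comment in Configuration.java) Jetty will try to open the JKS file as PKCS12 and the HTTPS API connector will fail to start. The line should read `sapiConnector.setTruststoreType(configsMap.get(Configuration.CLIENT_API_SSL_TSTR_TYPE_KEY));`. The enclosing method begins before and ends after this hunk.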
+++ b/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java @@ -158,8 +158,23 @@ public class ConfigurationTest { Assert.assertFalse(conf.getConfigsMap().get(Configuration.SRVR_CRT_NAME_KEY). equals(conf.getConfigsMap().get(Configuration.CLIENT_API_SSL_CRT_NAME_KEY))); + Assert.assertEquals("keystore.p12", conf.getConfigsMap().get( + Configuration.KSTR_NAME_KEY)); + Assert.assertEquals("PKCS12", conf.getConfigsMap().get( + Configuration.KSTR_TYPE_KEY)); + Assert.assertEquals("keystore.p12", conf.getConfigsMap().get( + Configuration.TSTR_NAME_KEY)); + Assert.assertEquals("PKCS12", conf.getConfigsMap().get( + Configuration.TSTR_TYPE_KEY)); + Assert.assertEquals("https.keystore.p12", conf.getConfigsMap().get( Configuration.CLIENT_API_SSL_KSTR_NAME_KEY)); + Assert.assertEquals("PKCS12", conf.getConfigsMap().get( + Configuration.CLIENT_API_SSL_KSTR_TYPE_KEY)); + Assert.assertEquals("https.keystore.p12", conf.getConfigsMap().get( + Configuration.CLIENT_API_SSL_TSTR_NAME_KEY)); + Assert.assertEquals("PKCS12", conf.getConfigsMap().get( + Configuration.CLIENT_API_SSL_TSTR_TYPE_KEY)); Assert.assertEquals(passFile.getName(), conf.getConfigsMap().get( Configuration.CLIENT_API_SSL_CRT_PASS_FILE_NAME_KEY)); Assert.assertEquals(password, conf.getConfigsMap().get(Configuration.CLIENT_API_SSL_CRT_PASS_KEY));
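Review bot: The new assertions only pin the default values of the six new keys, so a regression in the `properties.getProperty(KEY, DEFAULT)` lookups in Configuration (a swapped key or copy-pasted default) would still pass. Adding one override case in the same test, e.g. setting `security.server.truststore_type=JKS` and `security.server.truststore_name=truststore.jks` in the Properties the test builds `conf` from and then asserting `Assert.assertEquals("JKS", conf.getConfigsMap().get(Configuration.TSTR_TYPE_KEY))`, would cover the path the feature actually exists for. The test method begins before this hunk.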
