Author: krisden
Date: Mon Mar 18 18:33:00 2019
New Revision: 1855785
URL: http://svn.apache.org/viewvc?rev=1855785&view=rev
Log:
KNOX-1818 - Update documentation with KNOX-1812 and KNOX-1111 configurable
truststore information (Robert Levas via Kevin Risden)
Modified:
knox/site/books/knox-1-3-0/user-guide.html
knox/site/index.html
knox/site/issue-management.html
knox/site/licenses.html
knox/site/mailing-lists.html
knox/site/project-info.html
knox/site/team.html
knox/trunk/books/1.3.0/book.md
knox/trunk/books/1.3.0/book_service-details.md
knox/trunk/books/1.3.0/config.md
knox/trunk/books/1.3.0/config_mutual_authentication_ssl.md
Modified: knox/site/books/knox-1-3-0/user-guide.html
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-1-3-0/user-guide.html?rev=1855785&r1=1855784&r2=1855785&view=diff
==============================================================================
--- knox/site/books/knox-1-3-0/user-guide.html (original)
+++ knox/site/books/knox-1-3-0/user-guide.html Mon Mar 18 18:33:00 2019
@@ -130,6 +130,7 @@
<li><a href="#Elasticsearch">Elasticsearch</a></li>
<li><a href="#Common+Service+Config">Common Service Config</a></li>
<li><a href="#Default+Service+HA+support">Default Service HA
support</a></li>
+ <li><a href="#TLS/SSL+Certificate+Trust">TLS/SSL Certificate
Trust</a></li>
</ul>
</li>
<li><a href="#UI+Service+Details">UI Service Details</a></li>
@@ -761,13 +762,18 @@ https://{gateway-host}:{gateway-port}/{g
<td><code>false</code></td>
</tr>
<tr>
+ <td><code>gateway.truststore.password.alias</code></td>
+ <td>OPTIONAL Alias for the password to the truststore file holding the
trusted client certificates. NOTE: An alias with the provided name should be
created using <code>knoxcli.sh create-alias</code> inorder to provide the
password; else the master secret will be used.</td>
+ <td><code>gateway-truststore-password</code></td>
+ </tr>
+ <tr>
<td><code>gateway.truststore.path</code></td>
<td>Location of the truststore for client certificates to be trusted</td>
- <td><code>gateway.jks</code></td>
+ <td><code>null</code></td>
</tr>
<tr>
<td><code>gateway.truststore.type</code></td>
- <td>Indicates the type of truststore</td>
+ <td>Indicates the type of truststore at the path declared in
<code>gateway.truststore.path</code></td>
<td><code>JKS</code></td>
</tr>
<tr>
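Review bot: the new `gateway.truststore.password.alias` description says "inorder"; it should be "in order" (the same wording recurs in the httpclient row below and in config.md, from which this HTML is generated, so fix it at the source). Also, changing the `gateway.truststore.path` default from `gateway.jks` to `null` without touching its description leaves the fallback unstated; suggest "Location of the truststore for client certificates to be trusted. If unset, the identity keystore at `gateway.tls.keystore.path` is used.", which matches what the Mutual Authentication section in this same commit says.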
@@ -781,21 +787,36 @@ https://{gateway-host}:{gateway-port}/{g
<td><code>254</code></td>
</tr>
<tr>
- <td><code>gateway.httpclient.maxConnections</code></td>
- <td>The maximum number of connections that a single HttpClient will
maintain to a single host:port.</td>
- <td><code>32</code></td>
- </tr>
- <tr>
<td><code>gateway.httpclient.connectionTimeout</code></td>
<td>The amount of time to wait when attempting a connection. The natural
unit is milliseconds, but a ‘s’ or ‘m’ suffix may be
used for seconds or minutes respectively.</td>
<td><code>20s</code></td>
</tr>
<tr>
+ <td><code>gateway.httpclient.maxConnections</code></td>
+ <td>The maximum number of connections that a single HttpClient will
maintain to a single host:port.</td>
+ <td><code>32</code></td>
+ </tr>
+ <tr>
<td><code>gateway.httpclient.socketTimeout</code></td>
<td>The amount of time to wait for data on a socket before aborting the
connection. The natural unit is milliseconds, but a ‘s’ or
‘m’ suffix may be used for seconds or minutes respectively.</td>
<td><code>20s</code></td>
</tr>
<tr>
+ <td><code>gateway.httpclient.truststore.password.alias</code></td>
+ <td>OPTIONAL Alias for the password to the truststore file holding the
trusted service certificates. NOTE: An alias with the provided name should be
created using <code>knoxcli.sh create-alias</code> inorder to provide the
password; else the master secret will be used.</td>
+ <td><code>gateway-httpclient-truststore-password</code></td>
+ </tr>
+ <tr>
+ <td><code>gateway.httpclient.truststore.path</code></td>
+ <td>Location of the truststore for service certificates to be
trusted</td>
+ <td><code>null</code></td>
+ </tr>
+ <tr>
+ <td><code>gateway.httpclient.truststore.type</code></td>
+ <td>Indicates the type of truststore at the path declared in
<code>gateway.httpclient.truststore.path</code></td>
+ <td><code>JKS</code></td>
+ </tr>
+ <tr>
<td><code>gateway.httpserver.requestBuffer</code></td>
<td>The size of the HTTP server request buffer in bytes</td>
<td><code>16384</code></td>
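Review bot: the `gateway.httpclient.truststore.path` row ("Location of the truststore for service certificates to be trusted", default `null`) should say that when unset the Gateway's identity keystore is used, as the new TLS/SSL Certificate Trust section states; from the table alone a reader cannot tell whether `null` means "no trust store" or "fall back". The `gateway.httpclient.truststore.password.alias` description repeats the "inorder" typo. Moving `gateway.httpclient.maxConnections` below `connectionTimeout` is a pure reorder and is fine.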
@@ -5213,22 +5234,26 @@ APACHE_HOME/bin/apachectl -k stop
</tr>
<tr>
<td>gateway.truststore.path </td>
- <td>Fully qualified path to the trust store to use. Default is the
gateway.jks.</td>
+ <td>Fully qualified path to the trust store to use. Default is the
keystore used to hold the Gateway’s identity. See
<code>gateway.tls.keystore.path</code>.</td>
</tr>
<tr>
<td>gateway.truststore.type </td>
<td>Keystore type of the trust store. Default is JKS. </td>
</tr>
<tr>
+ <td>gateway.truststore.password.alias </td>
+ <td>Alias for the password to the trust store.</td>
+ </tr>
+ <tr>
<td>gateway.trust.all.certs </td>
<td>Allows for all certificates to be trusted. Default is false.</td>
</tr>
</tbody>
</table>
-<p>By only indicating that it is needed with
<code>gateway.client.auth.needed</code>, the
<code>{GATEWAY_HOME}/data/security/keystores/gateway.jks</code> keystore is
used. This is the identity keystore for the server and can also be used as the
truststore. We can specify the path to a dedicated truststore via
<code>gateway.truststore.path</code>. If the truststore password is different
from the gateway master secret then it can be set using</p>
-<pre><code>knoxcli.sh create-alias gateway-truststore-password --value {pwd}
+<p>By only indicating that it is needed with
<code>gateway.client.auth.needed</code>, the keystore identified by
<code>gateway.tls.keystore.path</code> is used. By default this is
<code>{GATEWAY_HOME}/data/security/keystores/gateway.jks</code>. This is the
identity keystore for the server, which can also be used as the truststore. To
use a dedicated truststore, <code>gateway.truststore.path</code> may be set to
the absolute path of the truststore file.<br/>The type of truststore file
should be set using <code>gateway.truststore.type</code>; else, JKS will be
assumed.<br/>If the truststore password is different from the Gateway’s
master secret then it can be set using</p>
+<pre><code>knoxcli.sh create-alias {password-alias} --value {pwd}
</code></pre>
-<p>Otherwise, the master secret will be used. If the truststore is not a JKS
type then it can be set via <code>gateway.truststore.type</code>.</p>
+<p>The password alias name (<code>{password-alias}</code>) is set using
<code>gateway.truststore.password.alias</code>; else, the alias name of
“gateway-truststore-password” should be used.<br/>If a password is
not found using the provided (or default) alias name, then the Gateway’s
master secret will be used.</p>
<h2><a id="TLS+Client+Certificate+Provider">TLS Client Certificate
Provider</a> <a href="#TLS+Client+Certificate+Provider"><img
src="markbook-section-link.png"/></a></h2>
<p>The TLS client certificate authentication provider enables establishing the
user based on the client provided TLS certificate. The user will be the DN from
the certificate. This provider requires that the gateway is configured to
require client authentication with either
<code>gateway.client.auth.wanted</code> or
<code>gateway.client.auth.needed</code> ( <a
href="#Mutual+Authentication+with+SSL">Mutual Authentication with SSL</a> ).</p>
<h3><a id="Configuration">Configuration</a> <a href="#Configuration"><img
src="markbook-section-link.png"/></a></h3>
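Review bot: the sentence "else, the alias name of “gateway-truststore-password” should be used" reads as an instruction to the operator, while the next sentence says the Gateway falls back to it on its own; suggest "otherwise the default alias `gateway-truststore-password` is used". The new `gateway.truststore.password.alias` table row is also the only row in this table without a stated default; add "Default is gateway-truststore-password." so it matches the neighbouring rows and the value given in the configuration table earlier in the guide.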
@@ -8288,6 +8313,38 @@ curl -i -k -u username:password -H "
{"acknowledged":true}
</code></pre>
+<h3><a id="TLS/SSL+Certificate+Trust">TLS/SSL Certificate Trust</a> <a
href="#TLS/SSL+Certificate+Trust"><img
src="markbook-section-link.png"/></a></h3>
+<p>When the Gateway dispatches requests to a configured service using TLS/SSL,
that service’s certificate must be trusted inorder for the connection to
succeed. To do this, the Gateway checks a configured trust store for the
service’s certificate or the certificate of the CA that issued that
certificate. </p>
+<p>If not explicitly set, the Gateway will use its configured identity
keystore as the trust store. By default, this keystore is located at
<code>{GATEWAY_HOME}/data/security/keystores/gateway.jks</code>; however, a
custom identity keystore may be set in the gateway-site.xml file. See
<code>gateway.tls.keystore.password.alias</code>,
<code>gateway.tls.keystore.path</code>, and
<code>gateway.tls.keystore.type</code>. </p>
+<p>The trust store is configured at the Gatway-level. There is no support to
set a different trust store per service. To use a specific trust store, the
following configuration elements may be set in the gateway-site.xml file:</p>
+<table>
+ <thead>
+ <tr>
+ <th>Configuration Element </th>
+ <th>Description </th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>gateway.httpclient.truststore.path </td>
+ <td>Fully qualified path to the trust store to use. Default is the
keystore used to hold the Gateway’s identity. See
<code>gateway.tls.keystore.path</code>.</td>
+ </tr>
+ <tr>
+ <td>gateway.httpclient.truststore.type </td>
+ <td>Keystore type of the trust store. Default is JKS. </td>
+ </tr>
+ <tr>
+ <td>gateway.httpclient.truststore.password.alias </td>
+ <td>Alias for the password to the trust store.</td>
+ </tr>
+ </tbody>
+</table>
+<p>If <code>gateway.httpclient.truststore.path</code> is not set, the keystore
used to hold the Gateway’s identity will be used as the trust store. </p>
+<p>However, if <code>gateway.httpclient.truststore.path</code> is set, it is
expected that <code>gateway.httpclient.truststore.type</code> and
<code>gateway.httpclient.truststore.password.alias</code> are set
appropriately. If <code>gateway.httpclient.truststore.type</code> is not set,
the Gateway will assume the trust store is a JKS file. If
<code>gateway.httpclient.truststore.password.alias</code> is not set, the
Gateway will assume the alias name is
“gateway-httpclient-truststore-password”. In any case, if the trust
store password is different from the Gateway’s master secret then it can
be set using</p>
+<pre><code>knoxcli.sh create-alias {password-alias} --value {pwd}
+</code></pre>
+<p>If a password is not found using the provided (or default) alias name, then
the Gateway’s master secret will be used.</p>
+<p>All topologies deployed within the Gateway instance will use the configured
trust store to verify a service’s identity. </p>
<h3><a id="Service+Test+API">Service Test API</a> <a
href="#Service+Test+API"><img src="markbook-section-link.png"/></a></h3>
<p>The gateway supports a Service Test API that can be used to test
Knox’s ability to connect to each of the different Hadoop services via a
simple HTTP GET request. To be able to access this API, one must add the
following lines into the topology for which you wish to run the service
test.</p>
<pre><code><service>
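Review bot: "Gatway-level" should be "Gateway-level" and "inorder" should be "in order". The paragraph "However, if gateway.httpclient.truststore.path is set, it is expected that gateway.httpclient.truststore.type and gateway.httpclient.truststore.password.alias are set appropriately" contradicts the two sentences that follow it, which give defaults (JKS and `gateway-httpclient-truststore-password`) for exactly those properties; suggest dropping the "it is expected" clause and keeping the defaults. The `gateway.httpclient.truststore.password.alias` table row should state that default too, as the equivalent row in the configuration table does. It would also help to say explicitly whether `gateway.trust.all.certs` has any effect on outbound dispatch: it is documented only beside the inbound client-certificate settings, and an operator reading this new section cannot tell whether service certificates that are absent from the trust store can ever be accepted.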
Modified: knox/site/index.html
URL:
http://svn.apache.org/viewvc/knox/site/index.html?rev=1855785&r1=1855784&r2=1855785&view=diff
==============================================================================
--- knox/site/index.html (original)
+++ knox/site/index.html Mon Mar 18 18:33:00 2019
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 from
src/site/markdown/index.md at 2019-03-14
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 from
src/site/markdown/index.md at 2019-03-18
| Rendered using Apache Maven Fluido Skin 1.7
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20190314" />
+ <meta name="Date-Revision-yyyymmdd" content="20190318" />
<meta http-equiv="Content-Language" content="en" />
<title>Knox Gateway – Announcing Apache Knox 1.2.0!</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.7.min.css" />
@@ -40,7 +40,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2019-03-14</li>
+ <li id="publishDate">Last Published: 2019-03-18</li>
</ul>
</div>
<div class="row-fluid">
Modified: knox/site/issue-management.html
URL:
http://svn.apache.org/viewvc/knox/site/issue-management.html?rev=1855785&r1=1855784&r2=1855785&view=diff
==============================================================================
--- knox/site/issue-management.html (original)
+++ knox/site/issue-management.html Mon Mar 18 18:33:00 2019
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 from
org.apache.maven.plugins:maven-project-info-reports-plugin:3.0.0:issue-management
at 2019-03-14
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 from
org.apache.maven.plugins:maven-project-info-reports-plugin:3.0.0:issue-management
at 2019-03-18
| Rendered using Apache Maven Fluido Skin 1.7
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20190314" />
+ <meta name="Date-Revision-yyyymmdd" content="20190318" />
<meta http-equiv="Content-Language" content="en" />
<title>Knox Gateway – Issue Management</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.7.min.css" />
@@ -40,7 +40,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2019-03-14</li>
+ <li id="publishDate">Last Published: 2019-03-18</li>
</ul>
</div>
<div class="row-fluid">
Modified: knox/site/licenses.html
URL:
http://svn.apache.org/viewvc/knox/site/licenses.html?rev=1855785&r1=1855784&r2=1855785&view=diff
==============================================================================
--- knox/site/licenses.html (original)
+++ knox/site/licenses.html Mon Mar 18 18:33:00 2019
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 from
org.apache.maven.plugins:maven-project-info-reports-plugin:3.0.0:licenses at
2019-03-14
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 from
org.apache.maven.plugins:maven-project-info-reports-plugin:3.0.0:licenses at
2019-03-18
| Rendered using Apache Maven Fluido Skin 1.7
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20190314" />
+ <meta name="Date-Revision-yyyymmdd" content="20190318" />
<meta http-equiv="Content-Language" content="en" />
<title>Knox Gateway – Project Licenses</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.7.min.css" />
@@ -40,7 +40,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2019-03-14</li>
+ <li id="publishDate">Last Published: 2019-03-18</li>
</ul>
</div>
<div class="row-fluid">
Modified: knox/site/mailing-lists.html
URL:
http://svn.apache.org/viewvc/knox/site/mailing-lists.html?rev=1855785&r1=1855784&r2=1855785&view=diff
==============================================================================
--- knox/site/mailing-lists.html (original)
+++ knox/site/mailing-lists.html Mon Mar 18 18:33:00 2019
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 from
org.apache.maven.plugins:maven-project-info-reports-plugin:3.0.0:mailing-lists
at 2019-03-14
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 from
org.apache.maven.plugins:maven-project-info-reports-plugin:3.0.0:mailing-lists
at 2019-03-18
| Rendered using Apache Maven Fluido Skin 1.7
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20190314" />
+ <meta name="Date-Revision-yyyymmdd" content="20190318" />
<meta http-equiv="Content-Language" content="en" />
<title>Knox Gateway – Project Mailing Lists</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.7.min.css" />
@@ -40,7 +40,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2019-03-14</li>
+ <li id="publishDate">Last Published: 2019-03-18</li>
</ul>
</div>
<div class="row-fluid">
Modified: knox/site/project-info.html
URL:
http://svn.apache.org/viewvc/knox/site/project-info.html?rev=1855785&r1=1855784&r2=1855785&view=diff
==============================================================================
--- knox/site/project-info.html (original)
+++ knox/site/project-info.html Mon Mar 18 18:33:00 2019
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 from
org.apache.maven.plugins:maven-site-plugin:3.7.1:CategorySummaryDocumentRenderer
at 2019-03-14
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 from
org.apache.maven.plugins:maven-site-plugin:3.7.1:CategorySummaryDocumentRenderer
at 2019-03-18
| Rendered using Apache Maven Fluido Skin 1.7
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20190314" />
+ <meta name="Date-Revision-yyyymmdd" content="20190318" />
<meta http-equiv="Content-Language" content="en" />
<title>Knox Gateway – Project Information</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.7.min.css" />
@@ -40,7 +40,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2019-03-14</li>
+ <li id="publishDate">Last Published: 2019-03-18</li>
</ul>
</div>
<div class="row-fluid">
Modified: knox/site/team.html
URL:
http://svn.apache.org/viewvc/knox/site/team.html?rev=1855785&r1=1855784&r2=1855785&view=diff
==============================================================================
--- knox/site/team.html (original)
+++ knox/site/team.html Mon Mar 18 18:33:00 2019
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 from
org.apache.maven.plugins:maven-project-info-reports-plugin:3.0.0:team at
2019-03-14
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 from
org.apache.maven.plugins:maven-project-info-reports-plugin:3.0.0:team at
2019-03-18
| Rendered using Apache Maven Fluido Skin 1.7
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20190314" />
+ <meta name="Date-Revision-yyyymmdd" content="20190318" />
<meta http-equiv="Content-Language" content="en" />
<title>Knox Gateway – Project Team</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.7.min.css" />
@@ -40,7 +40,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2019-03-14</li>
+ <li id="publishDate">Last Published: 2019-03-18</li>
</ul>
</div>
<div class="row-fluid">
Modified: knox/trunk/books/1.3.0/book.md
URL:
http://svn.apache.org/viewvc/knox/trunk/books/1.3.0/book.md?rev=1855785&r1=1855784&r2=1855785&view=diff
==============================================================================
--- knox/trunk/books/1.3.0/book.md (original)
+++ knox/trunk/books/1.3.0/book.md Mon Mar 18 18:33:00 2019
@@ -103,6 +103,7 @@
* #[Elasticsearch]
* #[Common Service Config]
* #[Default Service HA support]
+ * #[TLS/SSL Certificate Trust]
* #[UI Service Details]
* #[Admin UI]
* #[Limitations]
Modified: knox/trunk/books/1.3.0/book_service-details.md
URL:
http://svn.apache.org/viewvc/knox/trunk/books/1.3.0/book_service-details.md?rev=1855785&r1=1855784&r2=1855785&view=diff
==============================================================================
--- knox/trunk/books/1.3.0/book_service-details.md (original)
+++ knox/trunk/books/1.3.0/book_service-details.md Mon Mar 18 18:33:00 2019
@@ -94,4 +94,5 @@ Therefore each request via cURL will res
<<service_avatica.md>>
<<service_livy.md>>
<<service_elasticsearch.md>>
+<<service_ssl_certificate_trust.md>>
<<service_service_test.md>>
Modified: knox/trunk/books/1.3.0/config.md
URL:
http://svn.apache.org/viewvc/knox/trunk/books/1.3.0/config.md?rev=1855785&r1=1855784&r2=1855785&view=diff
==============================================================================
--- knox/trunk/books/1.3.0/config.md (original)
+++ knox/trunk/books/1.3.0/config.md Mon Mar 18 18:33:00 2019
@@ -121,14 +121,18 @@ Property | Description | Default
`gateway.frontend.url`|The URL that should be used during rewriting so that it
can rewrite the URLs with the correct "frontend" URL|none
`gateway.xforwarded.enabled`|Indicates whether support for some X-Forwarded-*
headers is enabled|`true`
`gateway.trust.all.certs`|Indicates whether all presented client certs should
establish trust|`false`
-`gateway.client.auth.needed`|Indicates whether clients are required to
establish a trust relationship with client certificates|`false`
-`gateway.truststore.path`|Location of the truststore for client certificates
to be trusted|`gateway.jks`
-`gateway.truststore.type`|Indicates the type of truststore|`JKS`
+`gateway.client.auth.needed`|Indicates whether clients are required to
establish a trust relationship with client certificates|`false`
+`gateway.truststore.password.alias`|OPTIONAL Alias for the password to the
truststore file holding the trusted client certificates. NOTE: An alias with
the provided name should be created using `knoxcli.sh create-alias` inorder to
provide the password; else the master secret will be
used.|`gateway-truststore-password`
+`gateway.truststore.path`|Location of the truststore for client certificates
to be trusted|`null`
+`gateway.truststore.type`|Indicates the type of truststore at the path
declared in `gateway.truststore.path`|`JKS`
`gateway.jdk.tls.ephemeralDHKeySize`|`jdk.tls.ephemeralDHKeySize`, is defined
to customize the ephemeral DH key sizes. The minimum acceptable DH key size is
1024 bits, except for exportable cipher suites or legacy mode
(`jdk.tls.ephemeralDHKeySize=legacy`)|`2048`
`gateway.threadpool.max`|The maximum concurrent requests the server will
process. The default is 254. Connections beyond this will be queued.|`254`
-`gateway.httpclient.maxConnections`|The maximum number of connections that a
single HttpClient will maintain to a single host:port.|`32`
`gateway.httpclient.connectionTimeout`|The amount of time to wait when
attempting a connection. The natural unit is milliseconds, but a 's' or 'm'
suffix may be used for seconds or minutes respectively.| `20s`
+`gateway.httpclient.maxConnections`|The maximum number of connections that a
single HttpClient will maintain to a single host:port.|`32`
`gateway.httpclient.socketTimeout`|The amount of time to wait for data on a
socket before aborting the connection. The natural unit is milliseconds, but a
's' or 'm' suffix may be used for seconds or minutes respectively.| `20s`
+`gateway.httpclient.truststore.password.alias`|OPTIONAL Alias for the password
to the truststore file holding the trusted service certificates. NOTE: An alias
with the provided name should be created using `knoxcli.sh create-alias`
inorder to provide the password; else the master secret will be
used.|`gateway-httpclient-truststore-password`
+`gateway.httpclient.truststore.path`|Location of the truststore for service
certificates to be trusted|`null`
+`gateway.httpclient.truststore.type`|Indicates the type of truststore at the
path declared in `gateway.httpclient.truststore.path`|`JKS`
`gateway.httpserver.requestBuffer`|The size of the HTTP server request buffer
in bytes|`16384`
`gateway.httpserver.requestHeaderBuffer`|The size of the HTTP server request
header buffer in bytes|`8192`
`gateway.httpserver.responseBuffer`|The size of the HTTP server response
buffer in bytes|`32768`
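Review bot: "inorder" appears in both new `password.alias` rows; user-guide.html is rendered from this file, so the fix belongs here. The `gateway.truststore.path` and `gateway.httpclient.truststore.path` rows now default to `null` but do not say that the identity keystore (`gateway.tls.keystore.path`) is used when they are unset, which config_mutual_authentication_ssl.md in this same commit states for the inbound case; one clause in each description would keep the table self-explanatory.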
Modified: knox/trunk/books/1.3.0/config_mutual_authentication_ssl.md
URL:
http://svn.apache.org/viewvc/knox/trunk/books/1.3.0/config_mutual_authentication_ssl.md?rev=1855785&r1=1855784&r2=1855785&view=diff
==============================================================================
--- knox/trunk/books/1.3.0/config_mutual_authentication_ssl.md (original)
+++ knox/trunk/books/1.3.0/config_mutual_authentication_ssl.md Mon Mar 18
18:33:00 2019
@@ -26,14 +26,18 @@ The following table describes the config
| Configuration Element | Description
|
|
-----------------------------------------------|-----------------------------------------------------------|
| gateway.client.auth.needed | True\|False - indicating
the need for client authentication. Default is False.|
-| gateway.truststore.path | Fully qualified path to the
trust store to use. Default is the gateway.jks.|
+| gateway.truststore.path | Fully qualified path to the
trust store to use. Default is the keystore used to hold the Gateway's
identity. See `gateway.tls.keystore.path`.|
| gateway.truststore.type | Keystore type of the trust
store. Default is JKS. |
+| gateway.truststore.password.alias | Alias for the password to
the trust store.|
| gateway.trust.all.certs | Allows for all certificates
to be trusted. Default is false.|
-By only indicating that it is needed with `gateway.client.auth.needed`, the
`{GATEWAY_HOME}/data/security/keystores/gateway.jks` keystore is used. This is
the identity keystore for the server and can also be used as the truststore.
-We can specify the path to a dedicated truststore via
`gateway.truststore.path`. If the truststore password is different from the
gateway master secret then it can be set using
+By only indicating that it is needed with `gateway.client.auth.needed`, the
keystore identified by `gateway.tls.keystore.path` is used. By default this is
`{GATEWAY_HOME}/data/security/keystores/gateway.jks`.
+This is the identity keystore for the server, which can also be used as the
truststore.
+To use a dedicated truststore, `gateway.truststore.path` may be set to the
absolute path of the truststore file.
+The type of truststore file should be set using `gateway.truststore.type`;
else, JKS will be assumed.
+If the truststore password is different from the Gateway's master secret then
it can be set using
- knoxcli.sh create-alias gateway-truststore-password --value {pwd}
+ knoxcli.sh create-alias {password-alias} --value {pwd}
-Otherwise, the master secret will be used.
-If the truststore is not a JKS type then it can be set via
`gateway.truststore.type`.
+The password alias name (`{password-alias}`) is set using
`gateway.truststore.password.alias`; else, the alias name of
"gateway-truststore-password" should be used.
+If a password is not found using the provided (or default) alias name, then
the Gateway's master secret will be used.
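Review bot: "else, the alias name of "gateway-truststore-password" should be used" reads as something the operator must do, but the following line says the Gateway falls back to that alias itself; "otherwise the default alias `gateway-truststore-password` is used" says what actually happens. The new `gateway.truststore.password.alias` row is the only one in the table with no stated default; add "Default is gateway-truststore-password." for consistency with the other rows.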