jai1 commented on a change in pull request #1297: Add Configuration to set tlsClientAuth
URL: https://github.com/apache/incubator-pulsar/pull/1297#discussion_r177008602
 
 

 ##########
 File path: pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsProducerConsumerBase.java
 ##########
 @@ -61,24 +67,42 @@ protected void internalSetUpForBroker() throws Exception {
         conf.setTlsEnabled(true);
         conf.setTlsCertificateFilePath(TLS_SERVER_CERT_FILE_PATH);
         conf.setTlsKeyFilePath(TLS_SERVER_KEY_FILE_PATH);
+        conf.setTlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH);
         conf.setClusterName(clusterName);
+        conf.setTlsRequireTrustedClientCertOnConnect(true);
+        Set<String> tlsProtocols = Sets.newConcurrentHashSet();
+        tlsProtocols.add("TLSv1.2");
+        conf.setTlsProtocols(tlsProtocols);
     }
 
-    protected void internalSetUpForClient() throws Exception {
-        String lookupUrl = new URI("pulsar+ssl://localhost:" + 
BROKER_PORT_TLS).toString();
-        pulsarClient = 
PulsarClient.builder().serviceUrl(lookupUrl).tlsTrustCertsFilePath(TLS_SERVER_CERT_FILE_PATH)
-                .enableTls(true).build();
+    protected void internalSetUpForClient(boolean addCertificates, String 
lookupUrl) throws Exception {
+        ClientConfiguration clientConf = new ClientConfiguration();
+        clientConf.setTlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH);
+        clientConf.setUseTls(true);
+        clientConf.setTlsAllowInsecureConnection(false);
+        if (addCertificates) {
+            Map<String, String> authParams = new HashMap<>();
+            authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
+            authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
+            clientConf.setAuthentication(AuthenticationTls.class.getName(), 
authParams);
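
Review bot: In internalSetUpForClient, the new addCertificates parameter is undocumented, and in the visible lines the client certificate is only configured inside if (addCertificates), while internalSetUpForBroker now sets conf.setTlsRequireTrustedClientCertOnConnect(true). A call with addCertificates == false therefore builds a client that presents no certificate to a broker that requires one. Add a Javadoc line stating that false is the negative case, and have the callers assert the expected connection failure rather than only the success path. The rewrite also replaces the PulsarClient.builder() chain from the removed lines with a ClientConfiguration object; keeping the builder form would leave this test on the same client API as before. Minor: Sets.newConcurrentHashSet() is more than a one-element tlsProtocols set built in test setup needs; a plain set would do.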
 
 Review comment:
   > We need to use AuthenticationTls to SEND client certs whenever we enable requireTrustedClientCertificate
   
   If TLS is enabled and we want to authenticate using the CNAME in the Client Certs (Default TLS authentication that Pulsar provides) then we need to use AuthenticationTls irrespective of requireTrustedClientCertificate.
   
   If we want to use a different authentication method where the connection is TLS but we don't use client certs to authenticate then `requireTrustedClientCertificate` should be false.
   
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
