Robert Levas created KNOX-1756:
----------------------------------
Summary: Knox Gateway TLS Keystore and Alias Should be Configurable
Key: KNOX-1756
URL: https://issues.apache.org/jira/browse/KNOX-1756
Project: Apache Knox
Issue Type: Improvement
Components: Server
Affects Versions: 1.3.0
Reporter: Robert Levas
Fix For: 1.3.0
h1. Problem
The location of the keystore housing the Knox Gateway TLS certificate is
hardcoded to {{<calculated from configs>/keystores/gateway.jks}} and the
certificate alias is hardcoded to “{{gateway-identity}}”. This limits the
ability for external management facilities to setup a TLS key and certificate
for the Knox Gateway. For example, a host-wide, CA-signed, TLS certificate.
Knox has configuration hooks for the following (optional) properties
* Home Directory
** Gateway-site property: GATEWAY_HOME
** System property: GATEWAY_HOME
** Environment variable: GATEWAY_HOME
* Data Directory
** System property: GATEWAY_DATA_HOME
** Environment variable: GATEWAY_DATA_HOME
** Gateway-site property: gateway.security.dir
** Calculated: [Home Directory] + [Path Separator] + “data”
* Security Directory
** Gateway-site property: gateway.security.dir
** Calculated: [Data Directory] + [Path Separator] + “security”
*Note*: the calculation for the home directory is inconsistent with the other
directory calculations. This inconsistency may be confusing to users and thus
should be fixed to be
* System property: GATEWAY_HOME
* Environment variable: GATEWAY_HOME
*Gateway-site property: gateway.home.dir
The path to the Knox Gateway TLS keystore is calculated as
{noformat}
[Security Directory] + [Path Separator] + “keystores” +
[Path Separator] + “gateway.jks”
{noformat}
h1. Solution
To make it easier to use an externally provided TLS key and certificate, the
Knox Gateway should allow the TLS keystore file and alias name to be
configurable. The following properties should be made available:
* Keystore Directory
** Gateway-site property: gateway.keystore.dir
** Calculated: [Security Directory] + [Path Separator] + “keystores”
* TLS Keystore File Name
** Gateway-site property: gateway.tls.keystore.name
** Calculated: “gateway.jks”
* TLS Keystore File Path
** Gateway-site property: gateway.tls.keystore.file
** Calculated: [Keystore Directory] + [Path Separator] + [TLS Keystore File
Name]
* TLS Keystore Password
** Gateway-site property: gateway.tls.keystore.password
** Calculated: <null>
* TLS Keystore Type
** Gateway-site property: gateway.tls.keystore.type
** Calculated: :”jks”
* TLS Key Alias
** Gateway-site property: gateway.tls.key.alias
** Calculated: “gateway-identity”
The “TLS Keystore File Name” and “TLS Keystore File Path” properties are
redundant, but “TLS Keystore File Name” is provided to allow for consistency
with how the _*signing*_ keystore file name is specified.
* Signing Keystore File Name
** Gateway-site property: gateway.signing.keystore.name
** Calculated: <null>
* Signing Keystore File Path
** Calculated: [Keystore Directory] + [Path Separator] + [Signing Keystore
File Name]
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
