[
https://issues.apache.org/jira/browse/KNOX-1756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16759510#comment-16759510
]
Larry McCay commented on KNOX-1756:
-----------------------------------
[~rlevas] -
This seems like a good area for improvement!
I don't think that the following is actually accurate:
bq. Currently, the TLS keystore password is stored in the Knox gateway's
credential store. A proper solution will need to allow a custom keystore
password to be stored there rather than in a plaintext configuration file.
The keystore password should be the Knox master secret which is not stored in a
keystore.
The private-key passphrase can optionally be stored in the credential
store/keystore - by default it is also the master secret.
There are other related improvements that would make sense as well.
For instance, the self-signed cert that is created via "knoxcli create-cert"
and by starting initially with no keystore found needs to be improved. It is
currently limited with the CN="localhost|actual-hostname" and should be made
more modern.
In addition, the current DN uses hardcoded values of Test and Hadoop, etc.
We will obviously want to keep an eye on backward compatibility on upgrade.
> Knox Gateway TLS Keystore and Alias Should be Configurable
> ----------------------------------------------------------
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 1.3.0
> Reporter: Robert Levas
> Priority: Major
> Labels: keystore, ssl
> Fix For: 1.3.0
>
>
> h1. Problem
> The location of the keystore housing the Knox Gateway TLS certificate is
> hardcoded to {{<calculated from configs>/keystores/gateway.jks}} and the
> certificate alias is hardcoded to “{{gateway-identity}}”. This limits the
> ability for external management facilities to setup a TLS key and certificate
> for the Knox Gateway. For example, a host-wide, CA-signed, TLS certificate.
> Knox has configuration hooks for the following (optional) properties
> * Home Directory
> ** Gateway-site property: GATEWAY_HOME
> ** System property: GATEWAY_HOME
> ** Environment variable: GATEWAY_HOME
> * Data Directory
> ** System property: GATEWAY_DATA_HOME
> ** Environment variable: GATEWAY_DATA_HOME
> ** Gateway-site property: gateway.security.dir
> ** Calculated: [Home Directory] + [Path Separator] + “data”
> * Security Directory
> ** Gateway-site property: gateway.security.dir
> ** Calculated: [Data Directory] + [Path Separator] + “security”
> *Note*: the calculation for the home directory is inconsistent with the other
> directory calculations. This inconsistency may be confusing to users and thus
> should be fixed to be
> * System property: GATEWAY_HOME
> * Environment variable: GATEWAY_HOME
> *Gateway-site property: gateway.home.dir
> The path to the Knox Gateway TLS keystore is calculated as
> {noformat}
> [Security Directory] + [Path Separator] + “keystores” +
> [Path Separator] + “gateway.jks”
> {noformat}
> h1. Solution
> To make it easier to use an externally provided TLS key and certificate, the
> Knox Gateway should allow the TLS keystore file and alias name to be
> configurable. The following properties should be made available:
> * Keystore Directory
> ** Gateway-site property: gateway.keystore.dir
> ** Calculated: [Security Directory] + [Path Separator] + “keystores”
> * TLS Keystore File Name
> ** Gateway-site property: gateway.tls.keystore.name
> ** Calculated: “gateway.jks”
> * TLS Keystore File Path
> ** Gateway-site property: gateway.tls.keystore.file
> ** Calculated: [Keystore Directory] + [Path Separator] + [TLS Keystore File
> Name]
> * TLS Keystore Password
> ** Gateway-site property: gateway.tls.keystore.password
> ** Calculated: <null>
> * TLS Keystore Type
> ** Gateway-site property: gateway.tls.keystore.type
> ** Calculated: :”jks”
> * TLS Key Alias
> ** Gateway-site property: gateway.tls.key.alias
> ** Calculated: “gateway-identity”
> The “TLS Keystore File Name” and “TLS Keystore File Path” properties are
> redundant, but “TLS Keystore File Name” is provided to allow for consistency
> with how the _*signing*_ keystore file name is specified.
> * Signing Keystore File Name
> ** Gateway-site property: gateway.signing.keystore.name
> ** Calculated: <null>
> * Signing Keystore File Path
> ** Calculated: [Keystore Directory] + [Path Separator] + [Signing Keystore
> File Name]
> Currently, the TLS keystore password is stored in the Knox gateway's
> credential store. A proper solution will need to allow a custom keystore
> password to be stored there rather than in a plaintext configuration file.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
