[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

[ASF GitHub Bot (JIRA)]

     [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200724&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200724
 ]

ASF GitHub Bot logged work on KNOX-1756:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 19/Feb/19 16:08
            Start Date: 19/Feb/19 16:08
    Worklog Time Spent: 10m 
      Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 
- Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258095744
 
 

 ##########
 File path: 
gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java
 ##########
 @@ -307,22 +283,15 @@ public Key getSigningKey(String alias, char[] 
passphrase) throws KeystoreService
 
   @Override
   public Key getSigningKey(String keystoreName, String alias, char[] 
passphrase) throws KeystoreServiceException {
-    Key key = null;
     readLock.lock();
     try {
-      KeyStore ks = getSigningKeystore(keystoreName);
-      if (passphrase == null) {
-        passphrase = masterService.getMasterSecret();
-        LOG.assumingKeyPassphraseIsMaster();
-      }
-      if (ks != null) {
-        try {
-          key = ks.getKey(alias, passphrase);
-        } catch (UnrecoverableKeyException | NoSuchAlgorithmException | 
KeyStoreException e) {
-          LOG.failedToGetKeyForGateway( alias, e );
-        }
+      try {
 
 Review comment:
   Do we need nested try blocks here?
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 200724)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> ----------------------------------------------------------
>
>                 Key: KNOX-1756
>                 URL: https://issues.apache.org/jira/browse/KNOX-1756
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 1.3.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Major
>              Labels: keystore, ssl
>             Fix For: 1.3.0
>
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> h1. Problem
> The location of the keystore housing the Knox Gateway TLS certificate is 
> hardcoded to {{<calculated from configs>/keystores/gateway.jks}} and the 
> certificate alias is hardcoded to “{{gateway-identity}}”. This limits the 
> ability for external management facilities to setup a custom TLS key and 
> certificate for the Knox Gateway. For example, a host-wide, CA-signed, TLS 
> certificate.
> Knox has configuration hooks for the following (optional) properties
>  * Home Directory
>  ** Gateway-site property: GATEWAY_HOME
>  ** System property: GATEWAY_HOME
>  ** Environment variable: GATEWAY_HOME
>  * Data Directory
>  ** System property: GATEWAY_DATA_HOME
>  ** Environment variable: GATEWAY_DATA_HOME
>  ** Gateway-site property: gateway.data.dir
>  ** Calculated: [Home Directory] + [Path Separator] + “data”
>  * Security Directory
>  ** Gateway-site property: gateway.security.dir
>  ** Calculated: [Data Directory] + [Path Separator] + “security”
> *Note*: the calculation for the home directory is inconsistent with the other 
> directory calculations. This inconsistency may be confusing to users and thus 
> should be fixed to be
>  * System property: GATEWAY_HOME
>  * Environment variable: GATEWAY_HOME
>  * Gateway-site property: gateway.home.dir
> The path to the Knox Gateway TLS keystore is calculated as
> {noformat}
> [Security Directory] + [Path Separator] + “keystores” + [Path Separator] + 
> “gateway.jks”
> {noformat}
> h1. Solution
> To make it easier to use an externally provided TLS key and certificate, the 
> Knox Gateway should allow the TLS keystore file and alias name to be 
> configurable. The following properties should be made available:
>  * TLS Keystore File Path
>  ** Gateway-site property: gateway.tls.keystore.path
>  ** Calculated: [Security Directory] + [Path Separator] + "keystores"  +[Path 
> Separator]+  "gateway.jks"
>  * TLS Keystore Password Alias (value to be stored in the Knox Gateway 
> credential store)
>  ** Gateway-site property: gateway.tls.keystore.password.alias
>  ** Calculated: "gateway-identity-keystore-password"
>  * TLS Keystore Type
>  ** Gateway-site property: gateway.tls.keystore.type
>  ** Calculated: :”jks”
>  * TLS Key Alias
>  ** Gateway-site property: gateway.tls.key.alias
>  ** Calculated: “gateway-identity”
>  * TLS Key Passphrase Alias (value to be stored in the Knox Gateway 
> credential store)
>  ** Gateway-site property: gateway.tls.key.passphrase.alias
>  ** Calculated: "gateway-identity-passphrase"
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)