[ https://issues.apache.org/jira/browse/KNOX-1812?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Work on KNOX-1812 started by Robert Levas.
------------------------------------------
> The Knox Gateway truststore should be configurable
> --------------------------------------------------
>
> Key: KNOX-1812
> URL: https://issues.apache.org/jira/browse/KNOX-1812
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Reporter: Robert Levas
> Assignee: Robert Levas
> Priority: Major
> Labels: truststore
> Fix For: 1.3.0
>
>
> The Knox Gateway truststore should be configurable
> Knox relies on a trust store for various purposes
> * The *KnoxCLI* (via a KnoxSession) uses a truststore to trust the connection
> to the Knox Gateway server
> ** The truststore is determined by the Java system properties
> ({{javax.net.ssl.trustStore}}, {{javax.net.ssl.trustStorePassword}}) or the
> JVM's cacerts file
> * The *Knox Gateway* server uses a truststore to trust the connections going
> out to the services (if connecting via TLS/SSL)
> ** The truststore is set to be the same keystore as the Gateway's identity
> keystore.
> ** See
> {{org.apache.knox.gateway.dispatch.DefaultHttpClientFactory#createHttpClient}}.
> * The *Knox Gateway* server uses a truststore to trust the user/client
> connecting to it when clientauth is enabled
> ** The truststore is set to be the same keystore as the Gateway's identity
> keystore unless one is explicitly specified in the gateway-site.xml file
> ({{gateway.truststore.path}}, {{gateway.truststore.type}}). If a truststore
> is explicitly set, the password for the truststore is looked up, using alias
> name "{{gateway-truststore-password}}", from the alias service.
> ** See
> {{org.apache.knox.gateway.services.security.impl.JettySSLService#buildSslContextFactory}}.
> By making the outgoing connection truststore (#2, from above) configurable,
> it will be possible to use the same truststore for both incoming and outgoing
> connections, which will be convenient when services communicate with each
> other via the Knox Gateway.
> To make sure the truststore configuration is flexible and backwards
> compatible with older versions of Knox, new properties should be introduced
> in the gateway-site.xml file:
> * {{gateway.httpclient.truststore.path}}
> * {{gateway.httpclient.truststore.type}}
> * {{gateway.httpclient.truststore.password.alias}}
> Note: This naming convention goes along with the following properties used to
> configure the Gateway's HTTPClient instance:
> * {{gateway.httpclient.maxConnections}}
> * {{gateway.httpclient.connectionTimeout}}
> * {{gateway.httpclient.socketTimeout}}
> If {{gateway.httpclient.truststore.path}} is not set in the configuration,
> then Gateway's identity keystore will be used (which is the current
> implementation); else, the configured truststore details will be used.
>
> Also, to keep things consistent, the password alias name for the _clientauth_
> truststore should be configurable using the property name:
> * {{gateway.truststore.password.alias}} (default:
> "{{gateway-truststore-password}}")
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
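The fallback rule the issue proposes for the outgoing-connection truststore (use the configured `gateway.httpclient.truststore.*` properties, else the Gateway's identity keystore, with the password fetched from the alias service), as an added illustration that is not Knox's own code: the class, the `Map`-based stand-ins for gateway-site.xml and the alias service, the identity-keystore parameters, and the default store type are all assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Resolves which truststore the outbound HttpClient should use (example, not Knox code). */
public final class HttpClientTrustStoreResolver {

  // Property names proposed in KNOX-1812.
  static final String TS_PATH  = "gateway.httpclient.truststore.path";
  static final String TS_TYPE  = "gateway.httpclient.truststore.type";
  static final String TS_ALIAS = "gateway.httpclient.truststore.password.alias";

  static final class TrustStoreConfig {
    final String path; final String type; final char[] password;
    TrustStoreConfig(String path, String type, char[] password) {
      this.path = path; this.type = type; this.password = password;
    }
  }

  /** gatewaySite stands in for gateway-site.xml; aliasService for the Knox alias service (assumptions). */
  static TrustStoreConfig resolve(Map<String, String> gatewaySite, Map<String, char[]> aliasService,
                                  String identityPath, String identityType, char[] identityPassword) {
    String path = gatewaySite.get(TS_PATH);
    if (path == null || path.isEmpty()) {
      // Not configured: keep the current behaviour and trust the Gateway's identity keystore.
      return new TrustStoreConfig(identityPath, identityType, identityPassword);
    }
    // Default store type is an assumption; the issue does not name one.
    String type = gatewaySite.getOrDefault(TS_TYPE, KeyStore.getDefaultType());
    String alias = gatewaySite.get(TS_ALIAS);
    if (alias == null) throw new IllegalStateException(TS_ALIAS + " must be set when " + TS_PATH + " is set");
    char[] password = aliasService.get(alias);           // password never lives in gateway-site.xml
    if (password == null) throw new IllegalStateException("no password stored for alias " + alias);
    return new TrustStoreConfig(path, type, password);
  }

  /** Loads the resolved truststore and builds an SSLContext that trusts only its certificates. */
  static SSLContext buildSslContext(TrustStoreConfig cfg) throws Exception {
    KeyStore ts = KeyStore.getInstance(cfg.type);
    try (InputStream in = new FileInputStream(cfg.path)) { ts.load(in, cfg.password); }
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ts);
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, tmf.getTrustManagers(), null);     // no client key material: trust side only
    return ctx;
  }
}
```

Failing loudly when the path is set but the alias or its password is missing is deliberate: silently falling back to the identity keystore would hide a misconfiguration and change which certificates outbound dispatch trusts.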