[
https://issues.apache.org/jira/browse/KNOX-1812?focusedWorklogId=211038&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-211038
]
ASF GitHub Bot logged work on KNOX-1812:
----------------------------------------
Author: ASF GitHub Bot
Created on: 11/Mar/19 14:55
Start Date: 11/Mar/19 14:55
Worklog Time Spent: 10m
Work Description: risdenk commented on pull request #69: KNOX-1812 - The
Knox Gateway truststore should be configurable
URL: https://github.com/apache/knox/pull/69#discussion_r264269183
##########
File path:
gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/JettySSLServiceTest.java
##########
@@ -281,13 +286,14 @@ public void
TestBuildSslContextFactoryExplicitTrustStore() throws Exception {
Path truststorePath = Paths.get(basedir, "target", "test-classes",
"keystores", "server-truststore.jks");
String truststoreType = "jks";
char[] truststorePassword = "horton".toCharArray();
+ String truststorePasswordAlias = "trust_store_password";
- GatewayConfig config = createGatewayConfig(true, true,
identityKeystorePath, identityKeystoreType, identityKeyAlias, truststorePath,
truststoreType);
+ GatewayConfig config = createGatewayConfig(true, true,
identityKeystorePath, identityKeystoreType, identityKeyAlias, truststorePath,
truststoreType, truststorePasswordAlias);
AliasService aliasService = createMock(AliasService.class);
expect(aliasService.getGatewayIdentityKeystorePassword()).andReturn(identityKeystorePassword).atLeastOnce();
expect(aliasService.getGatewayIdentityPassphrase()).andReturn(identityKeyPassphrase).atLeastOnce();
-
expect(aliasService.getPasswordFromAliasForGateway(eq("gateway-truststore-password"))).andReturn(truststorePassword).atLeastOnce();
+
expect(aliasService.getPasswordFromAliasForGateway(eq("trust_store_password"))).andReturn(truststorePassword).atLeastOnce();
Review comment:
I think this can be truststorePasswordAlias instead of the string?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 211038)
Time Spent: 0.5h (was: 20m)
> The Knox Gateway truststore should be configurable
> --------------------------------------------------
>
> Key: KNOX-1812
> URL: https://issues.apache.org/jira/browse/KNOX-1812
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Reporter: Robert Levas
> Assignee: Robert Levas
> Priority: Major
> Labels: truststore
> Fix For: 1.3.0
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> The Knox Gateway truststore should be configurable
> Knox relies on a trust store for various purposes
> * The *KnoxCLI* (via a KnoxSession) uses a truststore to trust the connection
> to the Knox Gateway server
> ** The truststore is determined by the Java system properties
> ({{javax.net.ssl.trustStore}}, {{javax.net.ssl.trustStorePassword}}) or the
> JVM's cacerts file
> * The *Knox Gateway* server uses a truststore to trust the connections going
> out to the services (if connecting via TLS/SSL)
> ** The truststore is set to be the same keystore as the Gateway's identitiy
> keystore.
> ** See
> {{org.apache.knox.gateway.dispatch.DefaultHttpClientFactory#createHttpClient}}.
> * The *Knox Gateway* server uses a truststore to trust the user/client
> connecting to it when clientauth is enabled
> ** The truststore is set to be the same keystore as the Gateway's identity
> keystore unless one is explicitly specified in the gateway-site.xml file
> ({{gateway.truststore.path}}, {{gateway.truststore.type}}). If a truststore
> is explicitly set, the password for the truststore is looked up, using alias
> name "{{gateway-truststore-password}}", from the alias service.
> ** See
> {{org.apache.knox.gateway.services.security.impl.JettySSLService#buildSslContextFactory}}.
> By making the outgoing connection truststore (#2, from above) configurable,
> it will be possible to use the same truststore for both incoming and outgoing
> connections, which will be convenient when services communicate with each
> other via the Knox Gateway.
> To make sure the truststore configuration is flexible and backwards
> compatible with older versions of Knox, new properties should be introduced
> in the gateway-site.xml file:
> * {{gateway.httpclient.truststore.path}}
> * {{gateway.httpclient.truststore.type}}
> * {{gateway.httpclient.truststore.password.alias}}
> Note: This naming convention goes along with the following properties used to
> configure the Gateway's HTTPClient instance:
> * {{gateway.httpclient.maxConnections}}
> * {{gateway.httpclient.connectionTimeout}}
> * {{gateway.httpclient.socketTimeout}}
> If {{gateway.httpclient.truststore.path}} is not set in the configuration,
> then Gateway's identity keystore will be used (which is the current
> implementation); else, the configured truststore details will be used.
>
> Also, to keep things consistent, the password alias name for the _clientauth_
> truststore should be configurable using the property name:
> * {{gateway.truststore.password.alias}} (default:
> "{{gateway-truststore-password}}")
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
