[jira] [Commented] (ARTEMIS-1157) Do not update ssl client keystore/truststore path on topology update

Tue, 31 Jul 2018 07:40:06 -0700 


    [ 
https://issues.apache.org/jira/browse/ARTEMIS-1157?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16563773#comment-16563773
 ] 

Sinaver Idris commented on ARTEMIS-1157:
----------------------------------------

[~jbertram], sure, I will use the proper mailing list for my question. Thanks!
Although, I think my question is related to current JIRA, since you pointed out 
about using System Properties on server and client sides, as a way to override 
keystore/password configuration and avoid sharing it in topology information, 
which solves the issue partially, but introduces another security issue.
I agree, that for the most use cases it is not an issue unless you really need 
to care about security, which we do :)

> Do not update ssl client keystore/truststore path on topology update
> --------------------------------------------------------------------
>
>                 Key: ARTEMIS-1157
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-1157
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>    Affects Versions: 2.0.0
>            Reporter: Philipp Aeschlimann
>            Priority: Major
>         Attachments: ArtemisMqCrashDemoClient.java, broker.xml
>
>
> We have a 2 node cluster where clients and the refrenced connectors in the 
> cluster-connection do use ssl client auth (all working so far). Now if a 
> failover ocures - live server goes down - the clients try to re-connect with 
> the client keystore path that is defined on the connector in the server.
> We know that it is possible to overwrite this behavoir by using 
> org.apache.activemq.ssl.keyStore system property. But we have multiple 
> keystores and want to use them. Would it be possible, that this settings:
> org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants.KEYSTORE_*
> org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants.TRUSTSTORE_*
> will not be updated from the server? I can not think of a scenario, where it 
> would make sense that the server tells the client where the client has to 
> look for his keystore and truststore settings.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to