[ https://issues.apache.org/jira/browse/GEODE-5338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16617764#comment-16617764 ]

ASF subversion and git services commented on GEODE-5338:
--------------------------------------------------------

Commit 7890652974c3268b098074ca12c74973b2639a6d in geode's branch 
refs/heads/develop from [~sai.boorlaga...@gmail.com]
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=7890652 ]

GEODE-5338: Geode client to support Trust and Keystore rotation (#2244)

A new SSL property 'ssl-use-default-context' is added to let Geode use the
default SSL context. When set to true, Geode uses the default SSL context as
returned by SSLContext.getInstance('Default') or uses the context as set
by using SSLContext.setDefault().

Hostname validation is enabled when using the default context.

> Geode client to support Trust and Keystore rotation
> ---------------------------------------------------
>
>                 Key: GEODE-5338
>                 URL: https://issues.apache.org/jira/browse/GEODE-5338
>             Project: Geode
>          Issue Type: Improvement
>          Components: docs, security
>            Reporter: Pulkit Chandra
>            Assignee: Sai Boorlagadda
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.8.0
>
>          Time Spent: 3h 40m
>  Remaining Estimate: 0h
>
> WHY: Cloud Foundry provides the ability to rotate certs pretty frequently. By 
> default the certs are rotated every day, and this can be changed to rotate every 
> hour, which creates an issue with Java applications. This rotation is 
> essential to provide a strong security stance on client applications.
> WHAT: Today Geode client applications, when establishing a TLS connection to 
> the servers, require a path to the certificate; since these files would be 
> changing, we need a mechanism in Geode which will watch for these changes and 
> use the new certs without causing service disruption.
>  
> Solution options:
> Some options to consider
>  # Cloud Foundry has a lib which watches for changes to these certs (which 
> are in PEM format) and converts them and creates in-memory objects of 
> TrustStore and KeyStore. If we have a mechanism in Geode to pass these 
> objects instead of paths to them, we might have a solution. Also, these 
> objects get updated after rotation, so the Geode code needs to consider that 
> as well.
>  # Geode can develop its own capability to watch for changes on the files and 
> convert them to the right format using OpenSSL, create files and pass them in. 
> Update these files every time someone updates the certs.
>  # Geode starts accepting PEM files and watches them directly for changes.
>  
> Key Outcomes to watch for:
>  1. Provide ability to rotate cert easily without downtime.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
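As an added example (not Geode's own code, and not the Cloud Foundry library mentioned in the issue), here is one way a client application can feed rotating PEM material to Geode through the mechanism the commit describes: build a single SSLContext whose key and trust managers delegate to KeyStore/TrustStore objects rebuilt from the PEM files whenever they change, install it with SSLContext.setDefault(), and start the client with ssl-use-default-context=true. The class name, the file layout (client chain, unencrypted PKCS#8 RSA key, CA bundle), the 30-second polling interval and the locator address in the commented-out ClientCacheFactory call are all assumptions made for illustration.

```java
import java.io.InputStream;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Collection;
import java.util.Properties;
import javax.net.ssl.*;

/** Hypothetical example (not Geode's code): a JVM-default SSLContext that follows rotating PEM files. */
public final class RotatingDefaultSslContext implements X509KeyManager, X509TrustManager {
  private static final char[] PW = "in-memory".toCharArray();  // protects only the in-memory KeyStore
  private final Path certPem, keyPem, caPem;   // assumed locations: client chain, client key, CA bundle
  private volatile X509KeyManager km;           // current key material, swapped atomically on reload
  private volatile X509TrustManager tm;         // current CA bundle
  private volatile long loadedMtime;            // newest file mtime observed before the last reload
  public RotatingDefaultSslContext(Path certPem, Path keyPem, Path caPem) throws Exception {
    this.certPem = certPem; this.keyPem = keyPem; this.caPem = caPem; reload();
  }
  /** Converts the PEM files into in-memory KeyStore/TrustStore objects and swaps in fresh managers. */
  public synchronized void reload() throws Exception {
    long seen = newestMtime();                   // read first: a write during parsing must trigger a re-read
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    Collection<? extends Certificate> chain, cas;
    try (InputStream in = Files.newInputStream(certPem)) { chain = cf.generateCertificates(in); }
    try (InputStream in = Files.newInputStream(caPem)) { cas = cf.generateCertificates(in); }
    // Assumption: an unencrypted PKCS#8 RSA key ("-----BEGIN PRIVATE KEY-----"); PKCS#1 needs conversion.
    String b64 = new String(Files.readAllBytes(keyPem), StandardCharsets.US_ASCII)
        .replaceAll("-----(BEGIN|END) PRIVATE KEY-----", "").replaceAll("\\s", "");
    PrivateKey key = KeyFactory.getInstance("RSA")
        .generatePrivate(new PKCS8EncodedKeySpec(Base64.getDecoder().decode(b64)));
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    ks.load(null, null);
    ks.setKeyEntry("client", key, PW, chain.toArray(new Certificate[0]));
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(ks, PW);
    KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
    ts.load(null, null);
    int i = 0;
    for (Certificate ca : cas) ts.setCertificateEntry("ca" + i++, ca);
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ts);
    km = (X509KeyManager) kmf.getKeyManagers()[0];   // swap only after both stores parsed cleanly
    tm = (X509TrustManager) tmf.getTrustManagers()[0];
    loadedMtime = seen;
  }
  private long newestMtime() throws Exception {
    long t = 0;
    for (Path p : new Path[] {certPem, keyPem, caPem}) t = Math.max(t, Files.getLastModifiedTime(p).toMillis());
    return t;
  }
  /** Polls mtimes; rotated material is used by the next handshake, open connections are left alone. */
  public void watch(long periodMillis) {
    Thread t = new Thread(() -> {
      while (true) {
        try {
          Thread.sleep(periodMillis);
          if (newestMtime() != loadedMtime) reload();
        } catch (InterruptedException e) {
          return;
        } catch (Exception e) {                  // e.g. a half-written PEM: keep the last good material
          System.err.println("PEM reload failed, keeping previous material: " + e);
        }
      }
    }, "pem-rotation-watcher");
    t.setDaemon(true); t.start();
  }
  /** One SSLContext around the delegating managers, installed as the JVM default for Geode to pick up. */
  public SSLContext install() throws Exception {
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(new KeyManager[] {this}, new TrustManager[] {this}, null);
    SSLContext.setDefault(ctx);
    return ctx;
  }
  // X509KeyManager and X509TrustManager: every call goes to whatever material is current right now.
  public String[] getClientAliases(String kt, Principal[] is) { return km.getClientAliases(kt, is); }
  public String chooseClientAlias(String[] kt, Principal[] is, Socket s) { return km.chooseClientAlias(kt, is, s); }
  public String[] getServerAliases(String kt, Principal[] is) { return km.getServerAliases(kt, is); }
  public String chooseServerAlias(String kt, Principal[] is, Socket s) { return km.chooseServerAlias(kt, is, s); }
  public X509Certificate[] getCertificateChain(String a) { return km.getCertificateChain(a); }
  public PrivateKey getPrivateKey(String a) { return km.getPrivateKey(a); }
  public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException { tm.checkClientTrusted(c, t); }
  public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException { tm.checkServerTrusted(c, t); }
  public X509Certificate[] getAcceptedIssuers() { return tm.getAcceptedIssuers(); }
  public static void main(String[] args) throws Exception {
    RotatingDefaultSslContext rotating = new RotatingDefaultSslContext(Paths.get(args[0]), Paths.get(args[1]), Paths.get(args[2]));
    rotating.install();
    rotating.watch(30_000);
    Properties geode = new Properties();
    geode.setProperty("ssl-enabled-components", "all");
    geode.setProperty("ssl-use-default-context", "true");   // the property this commit adds
    // new org.apache.geode.cache.client.ClientCacheFactory(geode).addPoolLocator("locator", 10334).create();
  }
}
```

Two things to check before relying on this. Because the commit turns on hostname validation whenever the default context is used, the server certificates must carry a SAN matching the address the client uses for its locators and servers, or every handshake fails after the switch. And a handshake that straddles a swap can pair the old chain with the new key (the managers are consulted separately); with a rotation window of an hour or a day that costs at most one retried connection, but a writer that replaces the three files non-atomically can also be caught mid-write, which is why a failed reload keeps the previous material instead of clearing it.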