[ 
https://issues.apache.org/jira/browse/IGNITE-28867?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mikhail Petrov updated IGNITE-28867:
------------------------------------
    Description: 
Currently, Ignite node TLS certificates are loaded only once during node 
startup and then used to establish secure connections between `node <--> node`, 
`node <--> thin client`. As a result, updating a certificate requires 
restarting the  Ignite node, causing unnecessary downtime and requiring 
additional administrative effort.

We need to implement hot redeployment of TLS certificates, allowing the Ignite 
node to reload the certificates at runtime without requiring a node restart. 
Existing TLS sessions should remain unaffected, while all new TLS handshakes 
should use the updated credentials.

Basic Steps

1. Introduce a mechanism to trigger certificate reloading (for example, through 
`control.sh`).
2. Create a new `SslContext` instance by invoking `SslContextFactory`.
3. Replace the active `SslContext` used for TLS connection establishment. All 
newly established connections must use the updated certificates, while existing 
connections will continue to operate without interruption.


  was:
Currently, Ignite node TLS certificates are loaded only once during node 
startup and then used to establish secure connections between node <--> node, 
node <--> thin client. As a result, updating a certificate requires restarting 
the  Ignite node, causing unnecessary downtime and requiring additional 
administrative effort.

We need to implement hot redeployment of TLS certificates, allowing the Ignite 
node to reload the certificates at runtime without requiring a node restart. 
Existing TLS sessions should remain unaffected, while all new TLS handshakes 
should use the updated credentials.

Basic Steps

1. Introduce a mechanism to trigger certificate reloading (for example, through 
`control.sh`).
2. Create a new `SslContext` instance by invoking `SslContextFactory`.
3. Replace the active `SslContext` used for TLS connection establishment. All 
newly established connections must use the updated certificates, while existing 
connections will continue to operate without interruption.



> Implement certificate hot redeployment
> --------------------------------------
>
>                 Key: IGNITE-28867
>                 URL: https://issues.apache.org/jira/browse/IGNITE-28867
>             Project: Ignite
>          Issue Type: Task
>            Reporter: Mikhail Petrov
>            Priority: Major
>
> Currently, Ignite node TLS certificates are loaded only once during node 
> startup and then used to establish secure connections between `node <--> 
> node`, `node <--> thin client`. As a result, updating a certificate requires 
> restarting the  Ignite node, causing unnecessary downtime and requiring 
> additional administrative effort.
> We need to implement hot redeployment of TLS certificates, allowing the 
> Ignite node to reload the certificates at runtime without requiring a node 
> restart. Existing TLS sessions should remain unaffected, while all new TLS 
> handshakes should use the updated credentials.
> Basic Steps
> 1. Introduce a mechanism to trigger certificate reloading (for example, 
> through `control.sh`).
> 2. Create a new `SslContext` instance by invoking `SslContextFactory`.
> 3. Replace the active `SslContext` used for TLS connection establishment. All 
> newly established connections must use the updated certificates, while 
> existing connections will continue to operate without interruption.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to