[ 
https://issues.apache.org/jira/browse/IGNITE-28867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18095442#comment-18095442
 ] 

Anton Vinogradov commented on IGNITE-28867:
-------------------------------------------

[Ignite PR Checker|https://ignite-pr-checker.is-a.dev/?pr=13335] verdict for PR 
13335 · RunAll build [9198685|https://ci2.ignite.apache.org/build/9198685] · 
147 suites ran, 0 reused

(!) *3 broken suite(s)* (failed without a reliable run):
- Cache (Failover) 4: execution timeout · non-zero exit code · Number of tests 
17 is 55% less than 38 in build #176
- Platform .NET (Windows) 2: execution timeout · non-zero exit code · 1 failed 
test detected
- Platform .NET (Windows) 3: execution timeout · non-zero exit code

(/) No test blockers otherwise; 14 pre-existing/flaky filtered out.

> Implement TLS certificate hot redeployment via control.sh --ssl reload
> ----------------------------------------------------------------------
>
>                 Key: IGNITE-28867
>                 URL: https://issues.apache.org/jira/browse/IGNITE-28867
>             Project: Ignite
>          Issue Type: Task
>            Reporter: Mikhail Petrov
>            Assignee: Anton Vinogradov
>            Priority: Major
>              Labels: ise
>             Fix For: 2.19
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Currently, Ignite node TLS certificates are loaded only once during node 
> startup and then used to establish secure connections between `node to node`, 
> `node to thin client`. As a result, updating a certificate requires 
> restarting the  Ignite node, causing unnecessary downtime and requiring 
> additional administrative effort.
> We need to implement hot redeployment of TLS certificates, allowing the 
> Ignite node to reload the certificates at runtime without requiring a node 
> restart. Existing TLS sessions should remain unaffected, while all new TLS 
> handshakes should use the updated credentials.
> Basic Steps
> 1. Introduce a mechanism to trigger certificate reloading (for example, 
> through `control.sh`).
> 2. Create a new `SslContext` instance by invoking `SslContextFactory`.
> 3. Replace the active `SslContext` used for TLS connection establishment. All 
> newly established connections must use the updated certificates, while 
> existing connections will continue to operate without interruption.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to