kevdoran commented on a change in pull request #153: NIFIREG-220 New test certs URL: https://github.com/apache/nifi-registry/pull/153#discussion_r242668364
########## File path: nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/README.md ########## 
@@ -12,36 +12,217 @@ See the License for the specific language governing permissions and limitations under the License. --> -# Integration Test Keys +# Test Keys -The integration tests that run a secure NiFi require keystores and truststores for the server and client in order -to establish a two-way TLS connection. +The automated security tests require keys and certificates for TLS connections. +The keys in this directory can be used for that purpose. -The keys/certs for these tests were generated with the tls-toolkit included with NiFi Toolkit v1.4.0. +*** -The steps for generating replacements are: +**NOTICE**: This directory contains keys and certificates for *development and testing* purposes only. - # use NiFi tls-toolkit to generate CA, server key/cert, client key/cert - ./nifi-toolkit-1.4.0/bin/tls-toolkit.sh standalone --certificateAuthorityHostname localhost --hostnames localhost --nifiDnSuffix ", OU=nifi" --keyStorePassword localhostKeystorePassword --trustStorePassword localhostTruststorePassword --clientCertDn "CN=user1, OU=nifi" --clientCertPassword u1Pass --days 3650 --outputDirectory nifireg-integrationtest +**Never use these keystores and truststores in a real-world scenario where actual security is needed.** - # change to tls-toolkit output directory - cd ./nifireg-integrationtest +The CA and private keys (including their protection passwords) have been published on the Internet, so they should never be trusted. 
- # copy server's key/trust stores - mkdir keys - cp localhost/keystore.jks keys/localhost-ks.jks - cp localhost/truststore.jks keys/localhost-ts.jks +*** - # create a Java Key Store (JKS) from the client key - keytool -importkeystore -destkeystore keys/client-ks.jks -deststorepass clientKeystorePassword -destkeypass u1Pass -srckeystore CN=user1_OU=nifi.p12 -srcstorepass u1Pass -srcstoretype PKCS12 +## Directory Contents +### Certificate Authority (CA) -You should now have a directory with the following contents: +| Hostname / DN | File | Description | Format | Password | +| --- | --- | --- | --- | --- | +| - | ca-cert.pem | CA public cert | PEM (unencrypted) | N/A | +| - | ca-key.pem | CA private (signing) key | PEM | password | +| - | ca-ts.jks | CA cert truststore (shared by clients and servers) | JKS | password | +| - | ca-ts.p12 | CA cert truststore (shared by clients and servers) | PKCS12 | password | +| registry, localhost | registry-cert.pem | NiFi Registry server public cert | PEM (unencrypted) | N/A | +| registry, localhost | registry-key.pem | NiFi Registry server private key | PEM | password | +| registry, localhost | registry-ks.jks | NiFi Registry server key/cert keystore | JKS | password | +| registry, localhost | registry-ks.p12 | NiFi Registry server key/cert keystore | PKCS12 | password | +| CN=user1, OU=nifi | user1-cert.pem | client (user="user1") public cert | PEM (unencrypted) | N/A | +| CN=user1, OU=nifi | user1-key.pem | client (user="user1") private key | PEM | password | +| CN=user1, OU=nifi | user1-ks.jks | client (user="user1") key/cert keystore | JKS | password | +| CN=user1, OU=nifi | user1-ks.p12 | client (user="user1") key/cert keystore | PKCS12 | password | - keys/ - +-- client-ks.jks # client keystore: keystorePass=clientKeystorePassword, keyPass=u1Pass - +-- localhost-ks.jks # server keystore: keystorePass=localhostKeystorePassword, keyPass=localhostKeystorePassword - +-- localhost-ts.jks # server/client truststore (contains CA): 
truststorePass=localhostTruststorePassword +## Generating Additional Test Keys/Certs -Copy these files to the test/resources/keys/ directory. +If we need to add a service to our test environment that requires a cert signed by the same CA, here are the steps for generating additional keys for thsi directory that are signed by the same CA key. +Requirements: + +- docker +- keytool (included with Java) +- openssl (included/available on most platforms) + +If you do not have docker, you can alternatively use the nifi-toolkit binary which has a dependency on Java 1.8 and is available for download from http://nifi.apache.org. + +### New Service Keys + +The steps for generating a new *service* key/cert pair are (using `proxy` as the example service): + +``` +# make working directory +rm -rf /tmp/test-keys Review comment: Yeah I was on the fence about that. In the end I was more worried that they would be copying old keys to the final output directory mistakenly. could be convinced either way... ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
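Review bot: In the "Generating Additional Test Keys/Certs" paragraph, "for thsi directory" should read "for this directory". In the same hunk the `### Certificate Authority (CA)` heading sits over a table whose rows also describe the `registry, localhost` server keystores and the `CN=user1, OU=nifi` client keystores, so either retitle that heading to cover all three (for example "Keys and Certificates") or split the table into CA, server and client sections so the heading matches its contents. On the script that follows, `rm -rf /tmp/test-keys` on a fixed path is the line under discussion; creating the working directory with `mktemp -d` would guard against copying stale keys into the final output just as well, without deleting whatever else might already be at `/tmp/test-keys`.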
