[
https://issues.apache.org/jira/browse/HDDS-2731?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Xiaoyu Yao updated HDDS-2731:
-----------------------------
Comment: was deleted
(was: This has been resolved as part of HDDS-2833. )
> Certification Revocation Support for Ozone CA
> ---------------------------------------------
>
> Key: HDDS-2731
> URL: https://issues.apache.org/jira/browse/HDDS-2731
> Project: Hadoop Distributed Data Store
> Issue Type: Improvement
> Reporter: Marton Elek
> Assignee: Abhishek Purohit
> Priority: Major
> Fix For: 1.0.0
>
> Attachments: Certificate Revocation Support for Ozone CA.rtf, Ozone
> SCM CA Key_Certificate Rotation - HDDS-2731.pdf
>
>
> Currently, in Ozone, communication between Ozone Manager, SCM and Data Nodes
> takes place over TLS protocol, which is, through issued security artifacts
> i.e. [X509 certificates|https://en.wikipedia.org/wiki/X.509]. These
> certificates reside at SCM storage. The “known and trusted” data nodes are
> provisioned with corresponding certificates and, for smooth communication in
> the system, these certificates are also stored in the client certificate cache.
> The problem is, once these certificates are invalidated on SCM, whether it's by Admin
> action, Expired Certs or the Cert Rotation Process (future), these certs are not
> removed or invalidated in the Data Node’s Local Cache. This means that tokens
> issued by Ozone Manager (OM) can still be used to access blocks from Data
> Nodes, since the client certificate cache still holds the invalidated
> certificate.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
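The stale-cache problem the issue describes, as an added Go example that is not Ozone code (Ozone itself is Java): a constructed CA stands in for the SCM CA, issues a DataNode certificate, later publishes a CRL revoking it, and a cache-side check rejects the cached entry only because it consults that CRL. The names NewDemoPKI, BuildCRL and CachedCertUsable and the serials are assumptions of this example; it needs Go 1.19 or later for x509.ParseRevocationList.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must aborts on a setup error while building the demo PKI; the cache check itself returns errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewDemoPKI builds a constructed CA (stand-in for the SCM CA) and a DataNode certificate with serial 42; demo artifacts only.
func NewDemoPKI() (ca, leaf *x509.Certificate, caKey *ecdsa.PrivateKey) {
	caKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-scm-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caKey.Public(), caKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "demo-datanode"},
		KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // the DataNode's own key, never leaves the node
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafKey.Public(), caKey))))
	return ca, leaf, caKey
}

// BuildCRL is the CA side: a revocation list signed by the CA that names the revoked serials.
func BuildCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}

// CachedCertUsable is the check a client-side certificate cache should run before trusting an entry:
// the CRL must be signed by the CA and the entry's serial must not be on it. Skipping it is the bug above.
func CachedCertUsable(cached, ca *x509.Certificate, crl *x509.RevocationList) (bool, error) {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, err // untrusted CRL: fail closed rather than fall back to the cached entry
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cached.SerialNumber) == 0 {
			return false, nil // CA revoked this serial; the cached copy must not be honored
		}
	}
	return true, nil
}
```

The validity-period (NotBefore/NotAfter) check that covers the expired-certificate case is left out here for brevity; a real cache runs it alongside the CRL lookup.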