[
https://issues.apache.org/jira/browse/HDDS-2731?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17331531#comment-17331531
]
Marton Elek commented on HDDS-2731:
-----------------------------------
And the concept is explained by [~vivekratnavel] in this video:
https://www.youtube.com/watch?v=FlJ-MCYwkhE&list=PLCaV-jpCBO8VgvgdC2Z1t51TeiW0kHfDC&index=2
> Certificate Revocation Support for Ozone CA
> -------------------------------------------
>
> Key: HDDS-2731
> URL: https://issues.apache.org/jira/browse/HDDS-2731
> Project: Apache Ozone
> Issue Type: Improvement
> Reporter: Marton Elek
> Assignee: Xiaoyu Yao
> Priority: Major
> Attachments: Certificate Revocation Support for Ozone CA.rtf, Ozone
> SCM CA Key_Certificate Rotation - HDDS-2731.pdf, Ozone SCM CA Key_Certificate
> Rotation V2.pdf
>
>
> Currently, in Ozone, communication between Ozone Manager, SCM and Data Nodes
> takes place over the TLS protocol, through issued security artifacts,
> i.e. [X509 certificates|https://en.wikipedia.org/wiki/X.509]. These
> certificates reside in SCM storage. The “known and trusted” data nodes are
> provisioned with corresponding certificates and, for smooth communication in
> the system, these certificates are also stored in the client certificate cache.
> The problem is, once these certificates are invalidated on SCM, whether by an Admin,
> as Expired Certs, or through the Cert Rotation Process (future), these certs are not
> removed or invalidated in the Data Node’s local cache. This means that tokens
> issued by Ozone Manager (OM) can still be used to access blocks from Data
> Nodes, since the client certificate cache still holds the invalidated
> certificate.
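The stale-cache failure described in the issue, as an added simulation that is not Ozone's own code: an HMAC key stands in for the X.509 key pair, and the SCM, OM token signing and Data Node cache classes are constructed stand-ins. The cache that never re-consults SCM keeps accepting a block token signed under a certificate SCM has already revoked; the variant that checks SCM's revocation list on each verification rejects it.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Certificate:
    serial: int
    not_after: int   # constructed: epoch seconds; the HMAC key below stands in for the key pair
    key: bytes

class SCM:
    """Hypothetical stand-in for the SCM CA: issues certificates and keeps the revocation list."""
    def __init__(self):
        self.issued, self.revoked = {}, set()
    def issue(self, not_after):
        serial = len(self.issued) + 1
        key = hashlib.sha256(f"cert-{serial}".encode()).digest()  # constructed key material
        self.issued[serial] = Certificate(serial, not_after, key)
        return self.issued[serial]
    def revoke(self, serial):
        self.revoked.add(serial)

def sign_token(cert, block_id):
    """OM side: a block token bound to the serial of the certificate that signed it."""
    sig = hmac.new(cert.key, f"{cert.serial}:{block_id}".encode(), hashlib.sha256).hexdigest()
    return {"serial": cert.serial, "block": block_id, "sig": sig}

class DataNodeCache:
    """Data Node certificate cache; check_revocation=False reproduces the stale-cache behaviour."""
    def __init__(self, scm, check_revocation):
        self.scm, self.check_revocation, self.cache = scm, check_revocation, {}
    def verify_token(self, token, now):
        # First lookup fetches the cert from SCM; later lookups are served from the local cache only.
        cert = self.cache.setdefault(token["serial"], self.scm.issued[token["serial"]])
        if now > cert.not_after:
            return False  # expired certificate
        if self.check_revocation and cert.serial in self.scm.revoked:
            return False  # revoked on SCM: reject even though the cert is still cached locally
        expected = hmac.new(cert.key, f"{cert.serial}:{token['block']}".encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, token["sig"])

def demo(now=1_000_000):
    scm = SCM()
    om_cert = scm.issue(not_after=now + 3600)
    stale, fixed = DataNodeCache(scm, False), DataNodeCache(scm, True)
    token = sign_token(om_cert, "block-42")
    before = (stale.verify_token(token, now), fixed.verify_token(token, now))
    scm.revoke(om_cert.serial)  # admin revokes the OM certificate on SCM
    after = (stale.verify_token(token, now), fixed.verify_token(token, now))
    return before, after, fixed.verify_token(token, now + 7200)  # third value: cert past not_after
```

`demo()` returns `((True, True), (True, False), False)`: both caches accept the token before revocation, only the revocation-checking cache rejects it afterwards, and an expired certificate is rejected regardless.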
--
This message was sent by Atlassian Jira
(v8.3.4#803005)