[ https://issues.apache.org/jira/browse/HDDS-7486?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sammi Chen updated HDDS-7486:
-----------------------------
Description:
To enable private key and certificate hotswap in OM and DN without a service
restart, we need to replace the private key and certificates used in running
grpc servers/clients.
To build a secure netty or grpc server/client, SslContextBuilder is used to hold
the ssl context. SslContextBuilder currently supports several ways to
configure the key and cert of the service itself, and the trust certs used to
verify the remote peer.
For trust certs, the user can use one of the following ways to configure them,
providing:
a. a trustManager
b. a trustManagerFactory
c. a list of trust certificate objects
For the key and cert of the service itself, the user can provide:
a. a private key file and a cert chain file
b. a private key file input stream and a cert chain file input stream
c. a PrivateKey object and a list of cert objects
d. a keyManager
e. a keyManagerFactory
Of all the ways that SslContextBuilder accepts, only the keyManager and
keyManagerFactory leave room to do a dynamic key and cert refresh at
runtime, and keyManager is easier to achieve that with than keyManagerFactory.
So this task is to implement an Ozone customized
> Support KeyStoreFactory which supports keyManager and trustManager reload
> -------------------------------------------------------------------------
>
> Key: HDDS-7486
> URL: https://issues.apache.org/jira/browse/HDDS-7486
> Project: Apache Ozone
> Issue Type: Sub-task
> Reporter: Sammi Chen
> Assignee: Sammi Chen
> Priority: Major
> Labels: pull-request-available
>
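As an added illustration of the keyManager route the description settles on (hypothetical code, not Ozone's and not part of this issue): an X509ExtendedKeyManager that serves one alias from an AtomicReference, so the private key and chain can be swapped while the server keeps running, plus the SslContextBuilder call that wires it in. The class, method and alias names are assumptions.

```java
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedKeyManager;

// Hypothetical class (not Ozone's): serves a single alias whose key and chain
// are held in an AtomicReference. A reload() is visible to the next handshake;
// connections already established keep the session they negotiated.
public final class ReloadingKeyManager extends X509ExtendedKeyManager {
  private static final String ALIAS = "service";   // assumed alias name
  private static final class Material {
    final PrivateKey key; final X509Certificate[] chain;
    Material(PrivateKey k, X509Certificate[] c) { key = k; chain = c; }
  }
  private final AtomicReference<Material> current = new AtomicReference<>();
  public ReloadingKeyManager(PrivateKey key, X509Certificate[] chain) {
    reload(key, chain);
  }
  /** Atomically replace key and chain; rejects a key that does not match the leaf cert. */
  public void reload(PrivateKey key, X509Certificate[] chain) {
    if (key == null || chain == null || chain.length == 0
        || !chain[0].getPublicKey().getAlgorithm().equals(key.getAlgorithm())) {
      throw new IllegalArgumentException("key does not match the leaf certificate");
    }
    current.set(new Material(key, chain.clone()));   // one publish, no torn reads
  }
  @Override public PrivateKey getPrivateKey(String alias) {
    return ALIAS.equals(alias) ? current.get().key : null;
  }
  @Override public X509Certificate[] getCertificateChain(String alias) {
    return ALIAS.equals(alias) ? current.get().chain.clone() : null;
  }
  @Override public String chooseEngineServerAlias(String kt, Principal[] is, SSLEngine e) { return ALIAS; }
  @Override public String chooseEngineClientAlias(String[] kt, Principal[] is, SSLEngine e) { return ALIAS; }
  @Override public String chooseServerAlias(String kt, Principal[] is, Socket s) { return ALIAS; }
  @Override public String chooseClientAlias(String[] kt, Principal[] is, Socket s) { return ALIAS; }
  @Override public String[] getServerAliases(String kt, Principal[] is) { return new String[] {ALIAS}; }
  @Override public String[] getClientAliases(String kt, Principal[] is) { return new String[] {ALIAS}; }
  /** Server context that consults this manager on each handshake instead of copying key files. */
  public static SslContext serverContext(ReloadingKeyManager km, TrustManager tm) throws SSLException {
    return SslContextBuilder.forServer(km).trustManager(tm).build();
  }
}
```

With the JDK SSL provider the SSLContext calls the key manager during each handshake, so after reload() new connections present the new certificate without rebuilding the SslContext; the trust side can be refreshed the same way with a delegating TrustManager.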
--
This message was sent by Atlassian Jira
(v8.20.10#820010)