[
https://issues.apache.org/jira/browse/HDDS-7486?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
István Fajth updated HDDS-7486:
-------------------------------
Labels: pki pull-request-available (was: pull-request-available)
> Support KeyStoreFactory which supports keyManager and trustManager reload
> -------------------------------------------------------------------------
>
> Key: HDDS-7486
> URL: https://issues.apache.org/jira/browse/HDDS-7486
> Project: Apache Ozone
> Issue Type: Sub-task
> Components: Security
> Reporter: Sammi Chen
> Assignee: Sammi Chen
> Priority: Major
> Labels: pki, pull-request-available
> Fix For: 1.4.0
>
>
> To enable private key and certificate hotswap in OM and DN without a service
> restart, we need to replace the private key and certificates used in running
> grpc servers/clients.
>
> To build a secure netty or grpc server/client, SslContextBuilder is used to
> hold the ssl context. SslContextBuilder currently supports several ways to
> configure the key, cert of service itself and trust certs to verify remote
> peer.
> For trust certs, the user can use one of the following ways to configure them, providing a
> a. trustManager
> b. trustManagerFactory
> c. a list of trust certificates objects
>
> For key and cert of service itself, the user can provide
> a. a private key file, and a cert chain file
> b. a private key file input stream and a cert chain file input stream
> c. a PrivateKey object and a list of certs objects
> d. a keyManager
> e. a keyManagerFactory
>
> Of all the ways that SslContextBuilder accepts, only the keyManager and
> keyManagerFactory have the room to do a dynamic key and cert refresh at
> runtime. keyManager is easier to do that than keyManagerFactory.
> So this task is to implement an Ozone-customized KeyStoreFactory which will
> provide the customized KeyManager and trustManager which are capable of
> reloading and refreshing the key and certs in use at runtime.
>
> For an established tls/ssl connection, usually it will not be impacted when
> the certificate is expired after the connection is established. But the new
> client will fail because the connection from client to server will fail due
> to the expired server certificate.
>
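The keyManager route described in the issue, sketched as an added example (not code from the Ozone project or its pull request): a delegating key manager whose inner instance is replaced atomically on reload. The class name `ReloadableKeyManager` and its `reload` method are hypothetical, and the empty key store in `main` is constructed input so the block runs without key files.

```java
import java.net.Socket;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.*;

// Hypothetical class: an X509ExtendedKeyManager whose delegate can be swapped at runtime.
public final class ReloadableKeyManager extends X509ExtendedKeyManager {
  private final AtomicReference<X509ExtendedKeyManager> current = new AtomicReference<>();

  public ReloadableKeyManager(KeyStore ks, char[] pw) throws GeneralSecurityException { reload(ks, pw); }

  // Build a delegate from the renewed key store first; publish it only if that succeeds,
  // so a bad reload leaves the previous key and cert in service.
  public void reload(KeyStore ks, char[] pw) throws GeneralSecurityException {
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(ks, pw);
    for (KeyManager km : kmf.getKeyManagers()) {
      if (km instanceof X509ExtendedKeyManager) { current.set((X509ExtendedKeyManager) km); return; }
    }
    throw new KeyStoreException("no X509ExtendedKeyManager for this key store");
  }

  // Every call reads the current delegate, so new handshakes pick up the new material.
  @Override public String[] getClientAliases(String type, Principal[] issuers) {
    return current.get().getClientAliases(type, issuers); }
  @Override public String chooseClientAlias(String[] types, Principal[] issuers, Socket s) {
    return current.get().chooseClientAlias(types, issuers, s); }
  @Override public String[] getServerAliases(String type, Principal[] issuers) {
    return current.get().getServerAliases(type, issuers); }
  @Override public String chooseServerAlias(String type, Principal[] issuers, Socket s) {
    return current.get().chooseServerAlias(type, issuers, s); }
  @Override public String chooseEngineClientAlias(String[] types, Principal[] issuers, SSLEngine e) {
    return current.get().chooseEngineClientAlias(types, issuers, e); }
  @Override public String chooseEngineServerAlias(String type, Principal[] issuers, SSLEngine e) {
    return current.get().chooseEngineServerAlias(type, issuers, e); }
  @Override public X509Certificate[] getCertificateChain(String alias) {
    return current.get().getCertificateChain(alias); }
  @Override public PrivateKey getPrivateKey(String alias) {
    return current.get().getPrivateKey(alias); }

  public static void main(String[] args) throws Exception {
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    ks.load(null, null); // constructed input: an empty store stands in for renewed key material
    ReloadableKeyManager km = new ReloadableKeyManager(ks, new char[0]);
    km.reload(ks, new char[0]); // hot swap; callers keep the same km reference
    System.out.println("server alias after reload: " + km.chooseServerAlias("RSA", null, null));
  }
}
```

A handshake that chooses an alias on the old delegate and fetches the key from the new one only works if the alias is the same in both stores, so keep the alias stable across renewals.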