Galsza commented on code in PR #4808:
URL: https://github.com/apache/ozone/pull/4808#discussion_r1221391185
##########
hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/ReloadingX509TrustManager.java:
##########
@@ -138,7 +139,8 @@ X509TrustManager loadTrustManager(CertificateClient
caClient)
X509TrustManager trustManager = null;
KeyStore ks = KeyStore.getInstance(type);
ks.load(null, null);
- ks.setCertificateEntry(rootCACertId, rootCACert);
+ insertCertsToKeystore(caClient.getAllRootCaCerts(), ks);
+ insertCertsToKeystore(caClient.getAllCaCerts(), ks);
Review Comment:
For regular cert clients yes, for SCM client no. In the old functionality
the SCM client returns null for getRootCaCertificate, and after that uses the
sub ca. HA-secure acceptance test immediately fail if we don't have the CA
certs here. I believe the functionality where SCM returns null for getting the
root CA should be changed. This could be addressed in a separate issue.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
