[
https://issues.apache.org/jira/browse/HDDS-9015?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Arpit Agarwal updated HDDS-9015:
--------------------------------
Parent: HDDS-9111 (was: HDDS-7391)
> Block CSR request in SCM for "hdds.x509.rootca.certificate.polling.interval"
> time period
> -----------------------------------------------------------------------------------------
>
> Key: HDDS-9015
> URL: https://issues.apache.org/jira/browse/HDDS-9015
> Project: Apache Ozone
> Issue Type: Sub-task
> Reporter: Sammi Chen
> Assignee: Sammi Chen
> Priority: Major
> Labels: pull-request-available
>
> Once the root CA rotation and sub CA rotation finished, leader SCM will start
> to serve CSR request from other services, like existing OM, DN, Recon, or
> newly added OM, DN and SCM.
> But the problem is every service's certificate is signed without
> coordination, so that there will be some services whose certificates are
> already signed by new Root CA, and some services whose certificates are still
> old certificates and the cert renew not happened yet, then these services
> cannot talk to each other because some already got the new certificate and
> new root CA certificate, but some are not.
> Blocking the CSR for a "hdds.x509.rootca.certificate.polling.interval" period
> of time will guarantee that all services get the root CA certificate during
> this duration, so the above cannot talk to each case can be avoided.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
