[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17489177#comment-17489177 ] Maulin Vasavada commented on CASSANDRA-17031: - documentation combined with a separate ticket [CASSANDRA-16950|https://issues.apache.org/jira/browse/CASSANDRA-16950] > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > Fix For: 4.1 > > Time Spent: 8h 10m > Remaining Estimate: 0h > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.20.1#820001) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17488471#comment-17488471 ] Stefan Miklosovic commented on CASSANDRA-17031: --- https://github.com/apache/cassandra/commit/3655b26adf8d3b94095924920d05cc1a16d0f4c0 > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > Fix For: 4.1 > > Time Spent: 7h 50m > Remaining Estimate: 0h > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.20.1#820001) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17487537#comment-17487537 ] Stefan Miklosovic commented on CASSANDRA-17031: --- Applied few fixes around examples (not compilable on Java 8 and fixed few deprecated targets), going to merge this branch: https://github.com/instaclustr/cassandra/tree/CASSANDRA-17031 > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > Fix For: 4.1 > > Time Spent: 7h 50m > Remaining Estimate: 0h > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.20.1#820001) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17486767#comment-17486767 ] Maulin Vasavada commented on CASSANDRA-17031: - Thanks Stefan. Since I found a unit test failure on your CI which I had to make a fix for, I have cherry-picked your changes on my branch and once you see the recent change on the PR, I can squash the commits on my branch. I've started the Circle CI for validating unit tests on [Java 11 |https://app.circleci.com/pipelines/github/maulin-vasavada/cassandra/80/workflows/2e5de77e-b57a-4415-941e-31981df53048]and [Java 8|https://app.circleci.com/pipelines/github/maulin-vasavada/cassandra/80/workflows/2e3484c6-b418-499e-bf5f-c229786fc7df] to have good confidence before you run your build. > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > Fix For: 4.1 > > Time Spent: 7h 50m > Remaining Estimate: 0h > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17486508#comment-17486508 ] Stefan Miklosovic commented on CASSANDRA-17031: --- https://ci-cassandra.apache.org/job/Cassandra-devbranch/1393/ > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > Fix For: 4.1 > > Time Spent: 7h 10m > Remaining Estimate: 0h > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.20.1#820001) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17486252#comment-17486252 ] Stefan Miklosovic commented on CASSANDRA-17031: --- Yeah that is fine for me. > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > Fix For: 4.1 > > Time Spent: 7h 10m > Remaining Estimate: 0h > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.20.1#820001) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17486171#comment-17486171 ] Maulin Vasavada commented on CASSANDRA-17031: - Hi [~stefan.miklosovic] [~jonmeredith] I am planning to combine the ascii doc for this work with [CASSANDRA-16950|https://issues.apache.org/jira/browse/CASSANDRA-16950] ticket since both will require updating the same documentation file. Please let me know if that sounds good and I'll wait for this to get merged to trunk before raising the documentation PR (However I've the changes ready locally). > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > Fix For: 4.1 > > Time Spent: 7h 10m > Remaining Estimate: 0h > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.20.1#820001) - To
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17483373#comment-17483373 ] Maulin Vasavada commented on CASSANDRA-17031: - Thanks Jon. > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > Fix For: 4.1 > > Time Spent: 6h 20m > Remaining Estimate: 0h > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.20.1#820001) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17483219#comment-17483219 ] Jon Meredith commented on CASSANDRA-17031: -- Added this to the PR yesterday, but should add here too. +1 from me. > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > Fix For: 4.1 > > Time Spent: 6h 20m > Remaining Estimate: 0h > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.20.1#820001) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17457346#comment-17457346 ] Maulin Vasavada commented on CASSANDRA-17031: - FYI I changed the log level from DEBUG to INFO for the certificate details printing. > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > Fix For: 4.1 > > Time Spent: 4h 10m > Remaining Estimate: 0h > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.20.1#820001) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17452094#comment-17452094 ] Maulin Vasavada commented on CASSANDRA-17031: - [~smiklosovic] Your idea of dumping details of the certificate in plain text makes sense. Currently we have [this|https://github.com/apache/cassandra/pull/1316/files#diff-6e9b4d54347a547d5bb5b002cad6afccd25826beb221bb79ebf57c65bc891e11R199] logging that prints certificates Issuer, Subject, Serial number and Expiry -fields in my experience most useful in order to debug any TLS cert issues. I can change the above log to be of 'info' type to make it easily accessible than debug. [~jonmeredith] Do you think it would be helpful going beyond this and dump full certificate details? > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > Fix For: 4.1 > > Time Spent: 4h > Remaining Estimate: 0h > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17451675#comment-17451675 ] Stefan Miklosovic commented on CASSANDRA-17031: --- I do not have a strong opinion about your first point. [~jonmeredith] what do you think? I was thinking about having that in "plain text", what that cert in plain text looks like, I think right now it is pretty much just "a rubbish", would be nice to have a textual representation of that in form of some text dump but if you find my idea silly feel free to ignore it. Thanks for taking care of this ticket, believe or not I was thinking about pinging you these days whats up. I hope we will manage to deliver this in a forseeable future. > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > Fix For: 4.1 > > Time Spent: 4h > Remaining Estimate: 0h > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. >
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17451453#comment-17451453 ] Maulin Vasavada commented on CASSANDRA-17031: - [~jonmeredith] and [~stefan.miklosovic] Can you please take a look at the PR with updated comments and my question in the prior post seeking your opinion? Thanks. > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > Fix For: 4.1 > > Time Spent: 4h > Remaining Estimate: 0h > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.20.1#820001) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17445566#comment-17445566 ] Maulin Vasavada commented on CASSANDRA-17031: - I just addressed most of the comments and marked them resolved. Please check comments still unresolved. Also, I am looking for an input on - Currently we combine private key and the certificate chain for that private key in a single configuration `private_key` (as you might have noticed from the test PEM files/content). We have a separate configuration for `trusted_certificates` which makes sense but would it be better to separate the cert chain as a separate configuration (like `certificate_chain`)? Also, I remember [~stefan.miklosovic] provided a comment to have an example of a private PEM key with more than one certificates in the chain. I think we should have such an example. I'll work on it. > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > Fix For: 4.1 > > Time Spent: 3h > Remaining Estimate: 0h > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17444746#comment-17444746 ] Maulin Vasavada commented on CASSANDRA-17031: - [~jonmeredith] Thanks for your comments on the PR, I'll try to get to it by end of this week. > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > Fix For: 4.1 > > Time Spent: 2h > Remaining Estimate: 0h > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.20.1#820001) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17442018#comment-17442018 ] Maulin Vasavada commented on CASSANDRA-17031: - While fixing IntellIJ issues I ended up recreating local gitrepo from the 'trunk' and now my PR shows 205 files changed :( Will fix it. > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > Fix For: 4.1 > > Time Spent: 1.5h > Remaining Estimate: 0h > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.20.1#820001) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17441375#comment-17441375 ] Maulin Vasavada commented on CASSANDRA-17031: - Thanks [~stefan.miklosovic] and [~jonmeredith]. I think I have fixed the formatting issue for 'good' now. I had trouble with IntelliJ with examples/ssl-factory module building (command line was fine) which also I fixed. I pushed the formatting changes already. Now we can focus on more comments for the changes. I'll start adding my responses. > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > Fix For: 4.1 > > Time Spent: 0.5h > Remaining Estimate: 0h > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.20.1#820001) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17441220#comment-17441220 ] Jon Meredith commented on CASSANDRA-17031: -- Will do - I've had it on my todo list for a while but this is the nudge I needed. > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > Fix For: 4.1 > > Time Spent: 10m > Remaining Estimate: 0h > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.20.1#820001) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17441046#comment-17441046 ] Stefan Miklosovic commented on CASSANDRA-17031: --- [~jonmeredith] would you take a look too? I am looking for the second committer. > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > Time Spent: 10m > Remaining Estimate: 0h > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.20.1#820001) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17439519#comment-17439519 ] Stefan Miklosovic commented on CASSANDRA-17031: --- [~maulin.vasavada] haha right ... now, I tend to forget to submit that review in GH. > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > Time Spent: 10m > Remaining Estimate: 0h > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17439474#comment-17439474 ] Maulin Vasavada commented on CASSANDRA-17031: - [~stefan.miklosovic] I am not able to see any comments on the PR. Am I missing anything? > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17439468#comment-17439468 ] Maulin Vasavada commented on CASSANDRA-17031: - Thanks Stefan. Will look into the PR comments. Wasn't using the ant generate-idea-files before :( Let me check that. On Fri, Nov 5, 2021 at 2:31 AM Stefan Miklosovic (Jira) > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17439125#comment-17439125 ] Stefan Miklosovic commented on CASSANDRA-17031: --- Thanks [~maulin.vasavada] for your work, I put some commentary in PR. I think that a lot of formatting issues might be resolved if you run "ant generate-idea-files" (if you use IDEA), then you should get formatting just right after you import that project. > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17438249#comment-17438249 ] Stefan Miklosovic commented on CASSANDRA-17031: --- I will do it on this Friday. > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17435648#comment-17435648 ] Maulin Vasavada commented on CASSANDRA-17031: - Nope. Not urgent. Hope you get some relaxing time over the weekend before starting another week :) On Thu, Oct 28, 2021 at 12:06 AM Stefan Miklosovic (Jira) > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17435201#comment-17435201 ] Stefan Miklosovic commented on CASSANDRA-17031: --- Sure, I am just busy. Maybe next week. Sorry, try to ping somebody else if it is urgent. > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17435058#comment-17435058 ] Maulin Vasavada commented on CASSANDRA-17031: - [~stefan.miklosovic] please let me know your thoughts on this change and the PR when you get a chance. > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17433084#comment-17433084 ] Maulin Vasavada commented on CASSANDRA-17031: - Thanks [~stefan.miklosovic] > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17433075#comment-17433075 ] Stefan Miklosovic commented on CASSANDRA-17031: --- Hi [~maulin.vasavada] yes I can take a look sometimes next week. Thanks for doing this! > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Unencrypted and Password > Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with > standard algorithms (RSA, DSA and EC) along with the certificate chain for > the private key and PEM based X509 certificates. The work here is going to be > built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17432741#comment-17432741 ] Maulin Vasavada commented on CASSANDRA-17031: - Hi [~jonmeredith] [~Bereng] [~smiklosovic] , can you guys please take a look at this ticket when you get a chance? > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Password Based Encrypted > (PBE) PKCS#8 formatted Private Keys in PEM format with standard algorithms > (RSA, DSA and EC) along with the certificate chain for the private key and > PEM based X509 certificates. The work here is going to be built on top of > [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17430268#comment-17430268 ] Maulin Vasavada commented on CASSANDRA-17031: - Hi all I've added support for DSA and EC based private keys also along with the most common type RSA. Thanks Maulin > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Password Based Encrypted > (PBE) PKCS#8 formatted Private Keys in PEM format with standard algorithms > (RSA, DSA and EC) along with the certificate chain for the private key and > PEM based X509 certificates. The work here is going to be built on top of > [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: }}{{private}} {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17429505#comment-17429505 ] Maulin Vasavada commented on CASSANDRA-17031: - Hi all I added an example of K8s PEM based SslContextFactory also in the [PR# 1267|https://github.com/apache/cassandra/pull/1267/files]. After giving some more thoughts to the Password changes suggestions by Derek, I think it should be a separate ticket. I've some ideas that I want to discuss and it would be ideal to have a separate ticket for it. Thanks Maulin > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Password Based Encrypted > (PBE) PEM Private Keys with standard algorithms along with the certificate > chain for the private key and PEM based certificates. The work here is going > to be built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17428584#comment-17428584 ] Maulin Vasavada commented on CASSANDRA-17031: - [~dchenbecker] I looked at the ticket you provided. Thanks for the contribution and improving the security posture of Apache Cassandra. I am okay to do something similar for the SSL encryption options but have a feeling that it could be a follow-up ticket to keep the scope clearer. We will have to make change for the DefaultSslContextFactory also along with the PEM based ssl factory for reading the password from a file. Based on other's feedback I am open to take up that work as part of this ticket OR another ticket. [~jonmeredith] and others, please provide your thoughts on the same. > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Password Based Encrypted > (PBE) PEM Private Keys with standard algorithms along with the certificate > chain for the private key and PEM based certificates. The work here is going > to be built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17428583#comment-17428583 ] Maulin Vasavada commented on CASSANDRA-17031: - [PR# 1267|https://github.com/apache/cassandra/pull/1267] Raised. [~dchenbecker] let me look at the ticket you provided and will update here with my thoughts. > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Password Based Encrypted > (PBE) PEM Private Keys with standard algorithms along with the certificate > chain for the private key and PEM based certificates. The work here is going > to be built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-17031) Add support for PEM based key material for SSL
[ https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17427989#comment-17427989 ] Derek Chen-Becker commented on CASSANDRA-17031: --- Generally this looks good, but I would call out that I think it would be better if we followed the example in https://issues.apache.org/jira/browse/CASSANDRA-16983 and don't put sensitive material (the private key password) in the config file, but rather in a separate secured file. > Add support for PEM based key material for SSL > -- > > Key: CASSANDRA-17031 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17031 > Project: Cassandra > Issue Type: Improvement > Components: Messaging/Internode >Reporter: Maulin Vasavada >Assignee: Maulin Vasavada >Priority: Normal > > h1. Scope > Currently Cassandra supports standard keystore types for SSL > keys/certificates. The scope of this enhancement is to add support for PEM > based key material (keys/certificate) given that PEM is widely used common > format for the same. We intend to add support for Password Based Encrypted > (PBE) PEM Private Keys with standard algorithms along with the certificate > chain for the private key and PEM based certificates. The work here is going > to be built on top of [CEP-9: Make SSLContext creation > pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable] > for which the code is merged for Apache Cassandra 4.1 release. > We intend to support the key material be configured as direct PEM values > input OR via the file (configured with keystore and truststore configurations > today). We are not going to model PEM as a valid 'store_type' given that > 'store_type' has a [specific > definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA]. > > h1. Approach > Create an implementation for > [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java] > extending > [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java] > implementation to add PEM formatted key/certificates. > h1. Motivation > PEM is a widely used format for encoding Private Keys and X.509 Certificates > and Apache Cassandra's current implementation lacks the support for > specifying the PEM formatted key material for SSL configurations. This means > operators have to re-create the key material to comply to the supported > formats (using key/trust store types - jks, pkcs12 etc) and deal with an > operational task for managing it. This is an operational overhead we can > avoid by supporting the PEM format making Apache Cassandra even more customer > friendly and drive more adoption. > h1. Proposed Changes > # A new implementation for ISslContextFactory - PEMBasedSslContextFactory > with the following supported configuration > {panel:title=New configurations} > {panel} > |{{encryption_options: }} > {{}}{{ssl_context_factory:}} > {{}}{{class_name: > org.apache.cassandra.security.PEMBasedSslContextFactory}} > {{}}{{parameters:}} > {{ }}{{private_key: certificate chain>}} > {{ }}{{private_key_password: {{key }}{{if}} {{it is encrypted>}} > {{ }}{{trusted_certificates: }}| > *NOTE:* We could reuse 'keystore_password' instead of the > 'private_key_password'. However PEM encoded private key is not a 'keystore' > in itself hence it would be inappropriate to piggyback on that other than > avoid duplicating similar fields. > # The PEMBasedSslContextFactory will also support file based key material > (and the corresponding HOT Reloading based on file timestamp updates) for the > PEM format via existing 'keystore' and 'truststore' encryption options. > However in that case the 'truststore_password' configuration won't be used > since generally PEM formatted certificates for truststore don't get encrypted > with a password. > # The PEMBasedSslContextFactory will internally create PKCS12 keystore for > private key and the trusted certificates. However, this doesn't impact the > user of the implementation in anyway and it is mentioned for clarity only. > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org