[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-25 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=203714&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-203714
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 25/Feb/19 15:29
Start Date: 25/Feb/19 15:29
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56
 
 
   
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Issue Time Tracking
---

Worklog Id: (was: 203714)
Time Spent: 12h 10m  (was: 12h)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 12h 10m
>  Remaining Estimate: 0h
>
> h1. Problem
> The location of the keystore housing the Knox Gateway TLS certificate is 
> hardcoded to {{/keystores/gateway.jks}} and the 
> certificate alias is hardcoded to "{{gateway-identity}}". This limits the 
> ability for external management facilities to set up a custom TLS key and 
> certificate for the Knox Gateway, for example a host-wide, CA-signed TLS 
> certificate.
> Knox has configuration hooks for the following (optional) properties
>  * Home Directory - GatewayConfig.getGatewayHomeDir()
>  ** Gateway-site property: GATEWAY_HOME
>  ** System property: GATEWAY_HOME
>  ** Environment variable: GATEWAY_HOME
>  * Data Directory - GatewayConfig.getGatewayDataDir()
>  ** System property: GATEWAY_DATA_HOME
>  ** Environment variable: GATEWAY_DATA_HOME
>  ** Gateway-site property: gateway.data.dir
>  ** Calculated: [Home Directory] + [Path Separator] + “data”
>  * Security Directory - GatewayConfig.getGatewaySecurityDir()
>  ** Gateway-site property: gateway.security.dir
>  ** Calculated: [Data Directory] + [Path Separator] + “security”
> *Note*: the calculation for the home directory is inconsistent with the other 
> directory calculations. This inconsistency may be confusing to users and thus 
> should be fixed to be
>  * System property: GATEWAY_HOME
>  * Environment variable: GATEWAY_HOME
>  * Gateway-site property: gateway.home.dir
> The path to the Knox Gateway TLS keystore is calculated as
> {noformat}
> [Security Directory] + [Path Separator] + “keystores” + [Path Separator] + 
> “gateway.jks”
> {noformat}
> h1. Solution
> To make it easier to use an externally provided TLS key and certificate, the 
> Knox Gateway should allow the TLS keystore file and alias name to be 
> configurable. The following properties should be made available:
>  * TLS Keystore File Path - GatewayConfig.getIdentityKeystorePath()
>  ** Gateway-site property: gateway.tls.keystore.path
>  ** Calculated: [Security Directory] + [Path Separator] + "keystores" + [Path 
> Separator] + "gateway.jks"
>  * TLS Keystore Password Alias (value to be stored in the Knox Gateway 
> credential store) - GatewayConfig.getIdentityKeystorePasswordAlias()
>  ** Gateway-site property: gateway.tls.keystore.password.alias
>  ** Calculated: "gateway-identity-keystore-password"
>  * TLS Keystore Type - GatewayConfig.getIdentityKeystoreType()
>  ** Gateway-site property: gateway.tls.keystore.type
>  ** Calculated: "jks"
>  * TLS Key Alias - GatewayConfig.getIdentityKeyAlias()
>  ** Gateway-site property: gateway.tls.key.alias
>  ** Calculated: "gateway-identity"
>  * TLS Key Passphrase Alias - GatewayConfig.getIdentityKeyPassphraseAlias()
>  ** Gateway-site property: gateway.tls.key.passphrase.alias
>  ** Calculated: "gateway-identity-passphrase"
> Additional methods for GatewayConfig should be added to improve consistency 
> and prepare for potential changes to signing key related configurations
>  * Keystore Directory - GatewayConfig.getKeystoreDir()
>  ** Calculated: [Security Directory] + [Path Separator] + “keystores”
>  * Signing Keystore File Path - GatewayConfig.getSigningKeystorePath()
>  ** Calculated: If gateway.signing.keystore.name is set, [Keystore Directory] 
> + [Path Separator] + [Signing Keystore Name]; else [TLS Keystore File Path]
>  * Signing Keystore File Type - GatewayConfig.getSigningKeystoreType()
>  ** Calculated: If gateway.signing.keyst
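
The lookup order the issue describes (home directory, data directory, security directory, keystore directory, then the gateway.tls.* and gateway.signing.keystore.name properties with their defaults), as an added example written for this page; it is not Knox's own GatewayConfig code. It assumes that each source is consulted in the order the issue lists it (system property, then environment variable, then gateway-site property, then the calculated default), that the home directory uses the proposed consistent order with gateway.home.dir, that the last-resort home directory is the current working directory (the issue does not say what Knox falls back to), and that paths are joined with os.sep. The check_identity_keystore helper and the sample site properties are constructed for the example.

```python
"""Resolve the Knox Gateway TLS (identity) and signing keystore settings.

Added example for the lookup order described in KNOX-1756; not Knox's own
GatewayConfig code.  Assumptions: sources are consulted in the order the
issue lists them (system property, environment variable, gateway-site
property, calculated default); the home directory uses the proposed order
with gateway.home.dir; the last-resort home directory is the current
working directory; paths are joined with os.sep.
"""
import os
from dataclasses import dataclass
from typing import Callable, List, Mapping, Optional, Set

Props = Mapping[str, str]


@dataclass(frozen=True)
class IdentityKeystore:
    path: str
    type: str
    password_alias: str        # credential-store alias holding the keystore password
    key_alias: str             # alias of the TLS key entry inside the keystore
    key_passphrase_alias: str  # credential-store alias holding the key passphrase


def _first(*candidates: Optional[str]) -> str:
    """Return the first non-empty candidate; callers always pass a default last."""
    for c in candidates:
        if c:
            return c
    raise ValueError("no candidate set")


def home_dir(site: Props, sysprops: Props, env: Props) -> str:
    return _first(sysprops.get("GATEWAY_HOME"), env.get("GATEWAY_HOME"),
                  site.get("gateway.home.dir"), os.getcwd())


def data_dir(site: Props, sysprops: Props, env: Props) -> str:
    return _first(sysprops.get("GATEWAY_DATA_HOME"), env.get("GATEWAY_DATA_HOME"),
                  site.get("gateway.data.dir"),
                  os.path.join(home_dir(site, sysprops, env), "data"))


def security_dir(site: Props, sysprops: Props, env: Props) -> str:
    return _first(site.get("gateway.security.dir"),
                  os.path.join(data_dir(site, sysprops, env), "security"))


def keystore_dir(site: Props, sysprops: Props, env: Props) -> str:
    return os.path.join(security_dir(site, sysprops, env), "keystores")


def identity_keystore(site: Props, sysprops: Props, env: Props) -> IdentityKeystore:
    """Apply the gateway.tls.* properties, falling back to the previously hardcoded values."""
    return IdentityKeystore(
        path=_first(site.get("gateway.tls.keystore.path"),
                    os.path.join(keystore_dir(site, sysprops, env), "gateway.jks")),
        type=_first(site.get("gateway.tls.keystore.type"), "jks"),
        password_alias=_first(site.get("gateway.tls.keystore.password.alias"),
                              "gateway-identity-keystore-password"),
        key_alias=_first(site.get("gateway.tls.key.alias"), "gateway-identity"),
        key_passphrase_alias=_first(site.get("gateway.tls.key.passphrase.alias"),
                                    "gateway-identity-passphrase"),
    )


def signing_keystore_path(site: Props, sysprops: Props, env: Props) -> str:
    """A named signing keystore lives in the keystore directory; otherwise the
    signing key is read from the TLS keystore."""
    name = site.get("gateway.signing.keystore.name")
    if name:
        return os.path.join(keystore_dir(site, sysprops, env), name)
    return identity_keystore(site, sysprops, env).path


def check_identity_keystore(ks: IdentityKeystore, credential_aliases: Set[str],
                            exists: Callable[[str], bool] = os.path.isfile) -> List[str]:
    """Report misconfigurations before the gateway tries to open the keystore.

    credential_aliases is the set of aliases present in the Knox credential
    store (passed in so this runs offline).  Assumption for this example: an
    externally provided keystore must have both aliases stored; Knox's own
    behaviour when an alias is absent is not modelled."""
    problems: List[str] = []
    if not exists(ks.path):
        problems.append(f"keystore not found: {ks.path}")
    if ks.type.lower() not in ("jks", "pkcs12"):
        problems.append(f"unsupported keystore type: {ks.type}")
    for alias in (ks.password_alias, ks.key_passphrase_alias):
        if alias not in credential_aliases:
            problems.append(f"credential alias not found: {alias}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a host-wide PKCS12 keystore managed outside Knox.
    site = {"gateway.tls.keystore.path": "/etc/pki/knox/host.p12",
            "gateway.tls.keystore.type": "pkcs12",
            "gateway.tls.key.alias": "host",
            "gateway.signing.keystore.name": "signing.jks"}
    sysprops = {"GATEWAY_HOME": "/opt/knox"}
    ks = identity_keystore(site, sysprops, {})
    print(ks)
    print("signing keystore:", signing_keystore_path(site, sysprops, {}))
    print("problems:", check_identity_keystore(
        ks, {"gateway-identity-keystore-password"}, exists=lambda p: p == ks.path))
```

With no properties set the resolver reproduces the old hardcoded location, which is the "no configuration" case tested in the PR; setting gateway.tls.keystore.path bypasses the whole directory chain, while gateway.signing.keystore.name still resolves relative to the keystore directory, so a relocated data directory moves the signing keystore but not an absolutely configured TLS keystore.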

[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-25 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=203701&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-203701
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 25/Feb/19 14:40
Start Date: 25/Feb/19 14:40
Worklog Time Spent: 10m 
  Work Description: risdenk commented on issue #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#issuecomment-467035200
 
 
   Manual tests all look good as well. Ran the following tests:
   
   * Checked that with no configuration Knox still works
   * Checked that TLS and signed certificate configurations work independently
   * Misconfigured TLS/signed configuration properties on purpose
   * Checked that error messages are reasonable
   * Checked that both self-signed and CA-signed certificates work correctly
   * Ensured that JKS and PKCS12 certificates work
   * Checked that `./bin/knoxcli.sh create-cert` doesn't overwrite the configured 
certificate
 



Issue Time Tracking
---

Worklog Id: (was: 203701)
Time Spent: 12h  (was: 11h 50m)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-25 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=203700&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-203700
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 25/Feb/19 14:39
Start Date: 25/Feb/19 14:39
Worklog Time Spent: 10m 
  Work Description: risdenk commented on issue #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#issuecomment-467035200
 
 
   Manual tests all look good as well. Ran the following tests:
   
   * Checked that with no configuration Knox still works
   * Checked that TLS and signed certificate configurations work independently
   * Misconfigured TLS/signed configuration properties on purpose
   * Checked that error messages are reasonable
   * Checked that both self-signed and CA-signed certificates work correctly
   * Ensured that JKS and PKCS12 certificates work
 



Issue Time Tracking
---

Worklog Id: (was: 203700)
Time Spent: 11h 50m  (was: 11h 40m)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-22 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202942&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202942
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 23/Feb/19 00:09
Start Date: 23/Feb/19 00:09
Worklog Time Spent: 10m 
  Work Description: rlevas commented on issue #56: KNOX-1756 - Knox Gateway 
TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#issuecomment-466591197
 
 
   @risdenk tasks completed with latest push...
   - [x] Fix the logging messages to be consistent - remove remaining 
references to "provided (or persisted) master secret"
   - [x] Address the ./bin/knoxcli.sh create-cert check for selfsigned to check 
if it is the default path
 



Issue Time Tracking
---

Worklog Id: (was: 202942)
Time Spent: 11h 40m  (was: 11.5h)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-22 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202865&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202865
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 22/Feb/19 20:59
Start Date: 22/Feb/19 20:59
Worklog Time Spent: 10m 
  Work Description: rlevas commented on issue #56: KNOX-1756 - Knox Gateway 
TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#issuecomment-466545693
 
 
   > * Create a JIRA to address the `DefaultKeystoreService` check issue
   
   Created https://issues.apache.org/jira/browse/KNOX-1793.
 



Issue Time Tracking
---

Worklog Id: (was: 202865)
Time Spent: 11.5h  (was: 11h 20m)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-22 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202832&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202832
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 22/Feb/19 19:50
Start Date: 22/Feb/19 19:50
Worklog Time Spent: 10m 
  Work Description: rlevas commented on issue #56: KNOX-1756 - Knox Gateway 
TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#issuecomment-466524574
 
 
   > For the `./bin/knoxcli.sh create-cert`, I was using a self signed 
certificate for testing and create-cert overwrites the existing certificate if 
it is self signed. Based on rereading the PR this is expected behavior.
   > 
   > I guess I was expecting to have to force to overwrite the existing 
certificate since it was a certificate that I had created.
   
   Would you like this behavior changed to require `--force` if the entry 
exists in the keystore? However, I think overwriting was the behavior before 
the changes in this patch. 
 



Issue Time Tracking
---

Worklog Id: (was: 202832)
Time Spent: 10h 20m  (was: 10h 10m)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-22 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202849&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202849
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 22/Feb/19 20:10
Start Date: 22/Feb/19 20:10
Worklog Time Spent: 10m 
  Work Description: risdenk commented on issue #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#issuecomment-466530869
 
 
   > I guess we can see if the path is the expected default and maybe also see 
if the cert is self-signed and has the DN of the Gateway-created one. If so, we 
blindly overwrite, else we require a `--force`. This seems like it may fall 
under a different issue, but I can fix it in this patch if desired.
   
   I think it should be fixed here since the check for self-signed was 
introduced in this patch. I worry that someone will have their own self signed 
certificate overridden by mistake if we introduce this patch.
 



Issue Time Tracking
---

Worklog Id: (was: 202849)
Time Spent: 11h 20m  (was: 11h 10m)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-22 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202841&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202841
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 22/Feb/19 19:58
Start Date: 22/Feb/19 19:58
Worklog Time Spent: 10m 
  Work Description: risdenk commented on issue #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#issuecomment-466527221
 
 
   > Would you like this changed in this patch? It seems like maybe it would 
fall under a different issue, but I will fix it here if desired.
   
   @rlevas can you file a separate JIRA to fix this? They are definitely 
related but can be fixed independent of this PR.
   
   There is an easy workaround: define the aliases upfront before configuring 
`gateway-site.xml`. This wouldn't work in a Docker scenario, potentially, but it 
is something that would be possible in a lot of cases.
 



Issue Time Tracking
---

Worklog Id: (was: 202841)
Time Spent: 11h 10m  (was: 11h)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-22 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202840&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202840
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 22/Feb/19 19:57
Start Date: 22/Feb/19 19:57
Worklog Time Spent: 10m 
  Work Description: rlevas commented on issue #56: KNOX-1756 - Knox Gateway 
TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#issuecomment-466526846
 
 
   > I think the existing behavior made sense when it was in 
`data/security/keystores/gateway.jks`. This was a path that was fully owned by 
Knox. Since we are now following the path to the custom keystore, we should be 
more careful about what we overwrite. Not sure how easy it would be to check if 
the identity path is the default vs a configured one?
   
   I guess we can see if the path is the expected default and maybe also see if 
the cert is self-signed and has the DN of the Gateway-created one. If so, we 
blindly overwrite, else we require a `--force`. This seems like it may fall 
under a different issue, but I can fix it in this patch if desired. 
   
   
 



Issue Time Tracking
---

Worklog Id: (was: 202840)
Time Spent: 11h  (was: 10h 50m)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-22 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202837&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202837
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 22/Feb/19 19:55
Start Date: 22/Feb/19 19:55
Worklog Time Spent: 10m 
  Work Description: rlevas commented on issue #56: KNOX-1756 - Knox Gateway 
TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#issuecomment-466526178
 
 
   > The check in `DefaultKeystoreService` should be removed because it doesn't 
belong in the `KeystoreService`. The `KeystoreService` impl should be generic 
to what is stored in the keystore. Currently the signing certificate check 
breaks that design.
   
   Would you like this changed in this patch? It seems like maybe it would 
fall under a different issue, but I will fix it here if desired. 
   
 



Issue Time Tracking
---

Worklog Id: (was: 202837)
Time Spent: 10h 50m  (was: 10h 40m)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-22 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202835&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202835
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 22/Feb/19 19:52
Start Date: 22/Feb/19 19:52
Worklog Time Spent: 10m 
  Work Description: risdenk commented on issue #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#issuecomment-466525115
 
 
   > Would you like this behavior changed to require `--force` if the entry 
exists in the keystore? However I think overwriting was the behavior before the 
changes in this patch.
   
   I think the existing behavior made sense when it was in 
`data/security/keystores/gateway.jks`. This was a path that was fully owned by 
Knox. Since we are now following the path to the custom keystore, we should be 
more careful about what we overwrite. Not sure how easy it would be to check if 
the identity path is the default vs a configured one?
 



Issue Time Tracking
---

Worklog Id: (was: 202835)
Time Spent: 10h 40m  (was: 10.5h)
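The overwrite guard rlevas sketches in the thread (replace silently only when the keystore sits at the default path and the certificate is the gateway's own self-signed one, otherwise require `--force`), together with risdenk's question of how to tell the default path from a configured one, as an added stand-alone example that is not Knox code and not part of the PR. It is written in Go rather than Java so it runs without a keystore on disk; the gateway DN, the security directory and the custom keystore path are constructed placeholders, and the default-path rule follows the `[Security Directory]/keystores/gateway.jks` calculation from the issue description.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"path/filepath"
	"time"
)

// Constructed placeholder for the DN the gateway stamps on its own certificate.
var gatewayCreatedSubject = pkix.Name{
	Country: []string{"US"}, Province: []string{"Test"}, Locality: []string{"Test"},
	Organization: []string{"Hadoop"}, OrganizationalUnit: []string{"Test"},
	CommonName: "knox.example.internal",
}

// DefaultIdentityKeystorePath mirrors the issue: [Security Directory]/keystores/gateway.jks.
func DefaultIdentityKeystorePath(securityDir string) string {
	return filepath.Join(securityDir, "keystores", "gateway.jks")
}

// IsGatewayCreatedCert: self-signed (issuer == subject AND signature verifies under its own key) with the gateway's DN.
func IsGatewayCreatedCert(cert *x509.Certificate, expected pkix.Name) bool {
	if !bytes.Equal(cert.RawIssuer, cert.RawSubject) {
		return false
	}
	if cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) != nil {
		return false
	}
	want, err := asn1.Marshal(expected.ToRDNSequence())
	return err == nil && bytes.Equal(cert.RawSubject, want)
}

// OverwriteDecision is the rule proposed in the thread: only the gateway's own self-signed
// cert at the default keystore path is replaced silently; everything else needs --force.
func OverwriteDecision(keystorePath, securityDir string, existing *x509.Certificate, force bool) (bool, string) {
	switch {
	case force:
		return true, "--force given"
	case filepath.Clean(keystorePath) != DefaultIdentityKeystorePath(securityDir):
		return false, "custom keystore path; refusing to overwrite without --force"
	case !IsGatewayCreatedCert(existing, gatewayCreatedSubject):
		return false, "certificate was not generated by the gateway; refusing without --force"
	default:
		return true, "gateway-generated self-signed certificate at the default path"
	}
}

// makeCert builds a constructed certificate: self-signed when parent is nil, else signed by parent.
func makeCert(subject pkix.Name, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// SampleCerts: gateway-style self-signed, an operator's self-signed with another DN, and a CA-issued cert.
func SampleCerts() (gateway, operator, caSigned *x509.Certificate) {
	gateway, _ = makeCert(gatewayCreatedSubject, false, nil, nil)
	operator, _ = makeCert(pkix.Name{CommonName: "knox.example.internal", Organization: []string{"Ops"}}, false, nil, nil)
	ca, caKey := makeCert(pkix.Name{CommonName: "Example Corp Issuing CA"}, true, nil, nil)
	caSigned, _ = makeCert(pkix.Name{CommonName: "knox.example.internal", Organization: []string{"Example Corp"}}, false, ca, caKey)
	return gateway, operator, caSigned
}

func main() {
	securityDir := "/var/lib/knox/data/security" // constructed
	gateway, operator, caSigned := SampleCerts()
	show := func(path string, cert *x509.Certificate, force bool) {
		ok, why := OverwriteDecision(path, securityDir, cert, force)
		fmt.Printf("%s force=%v -> overwrite=%v (%s)\n", path, force, ok, why)
	}
	show(DefaultIdentityKeystorePath(securityDir), gateway, false)
	show(DefaultIdentityKeystorePath(securityDir), operator, false)
	show("/etc/pki/knox/host.jks", caSigned, false)
	show("/etc/pki/knox/host.jks", caSigned, true)
}
```

Issuer equal to subject is not enough on its own, which is why the signature is also verified under the certificate's own key before the DN is compared; an operator's own self-signed certificate with a different DN (risdenk's case) is then correctly left alone without `--force`.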


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-22 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202834&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202834
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 22/Feb/19 19:51
Start Date: 22/Feb/19 19:51
Worklog Time Spent: 10m 
  Work Description: risdenk commented on issue #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#issuecomment-466525115
 
 
   > Would you like this behavior changed to require `--force` if the entry 
exists in the keystore? However I think overwriting was the behavior before the 
changes in this patch.
   
   I think the existing behavior made sense when it was in 
`data/security/keystores/gateway.jks`. This was a path that was fully owned by 
Knox. Since we are now following the path to the custom keystore, we should be 
more careful about what we overwrite. Not sure how easy it would be to check if 
the identity path is the default vs a configured one?
 



Issue Time Tracking
---

Worklog Id: (was: 202834)
Time Spent: 10.5h  (was: 10h 20m)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-22 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202828&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202828
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 22/Feb/19 19:46
Start Date: 22/Feb/19 19:46
Worklog Time Spent: 10m 
  Work Description: risdenk commented on issue #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#issuecomment-466523443
 
 
   Found an interesting edge case when configuring Knox.
   
   If you configure a custom signing certificate in `gateway-site.xml` and 
then go to create the aliases with `./bin/knoxcli.sh create-alias ...`, you will 
run into the following error:
   
   ```
   2019-02-22 14:25:36,775 ERROR knox.gateway 
(BaseKeystoreService.java:getKeystore(113)) - Failed to load keystore 
[filename=keystore-signing.jks, type=JKS]: java.io.IOException: Keystore was 
tampered with, or password was incorrect
   ```
   
   `DefaultKeystoreService.init(...)` is doing checks to see if the signing 
certificate is setup correctly. This was not added in this PR but breaks the 
ability to add aliases if there is a custom signing certificate not fully 
setup. The check in `DefaultKeystoreService` should be removed because it 
doesn't belong in the `KeystoreService`. The `KeystoreService` impl should be 
generic to what is stored in the keystore. Currently the signing certificate 
check breaks that design.
 



Issue Time Tracking
---

Worklog Id: (was: 202828)
Time Spent: 10h 10m  (was: 10h)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-22 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202795&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202795
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 22/Feb/19 18:59
Start Date: 22/Feb/19 18:59
Worklog Time Spent: 10m 
  Work Description: risdenk commented on issue #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#issuecomment-466508060
 
 
   For the `./bin/knoxcli.sh create-cert`, I was using a self-signed 
certificate for testing and create-cert overwrites the existing certificate if 
it is self-signed. Based on rereading the PR this is expected behavior.
   
   I guess I was expecting to have to force to overwrite the existing 
certificate since it was a certificate that I had created. 
 



Issue Time Tracking
---

Worklog Id: (was: 202795)
Time Spent: 10h  (was: 9h 50m)

>  ** Calculated: :”jks”
>  * TLS Key Alias - GatewayConfig.getIdentityKeyAlias()
>  ** Gateway-site property: gateway.tls.key.alias
>  ** Calculated: “gateway-identity”
>  * TLS Key Passphrase Alias - GatewayConfig.getIdentityKeyPassphraseAlias()
>  ** Gateway-site property: gateway.tls.key.passphrase.alias
>  ** Calculated: "gateway-identity-passphrase"
> Additional methods for GatewayConfig should be added to improve consistency 
> and prepare for potential changes to signing key related configurations
>  * Keystore Directory - GatewayConfig.getKeystoreDir()
>  ** Calculated: [Security Directory] + [Path Separato
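The lookup order and calculated defaults from the issue description above, modelled as an added example in Python (this is not Knox code; `resolve_tls_settings` and `check_identity_keystore` are hypothetical names, and the sample paths are constructed). It applies the consistent ordering the issue proposes for the home directory (system property, then environment variable, then gateway-site property) rather than the current inconsistent one, and adds a pre-flight check that reports a missing keystore as a plain error rather than letting startup fail deep inside keystore loading.

```python
"""Resolve the Knox Gateway TLS keystore settings described in KNOX-1756.

Added example, not Knox code. It models the lookup order the issue
proposes (system property, then environment variable, then gateway-site
property, then the calculated default) so the resulting paths and aliases
can be inspected. Function names are hypothetical.
"""
import os
from typing import Mapping, Optional

# Default values quoted from the issue description.
DEFAULT_KEYSTORE_PASSWORD_ALIAS = "gateway-identity-keystore-password"
DEFAULT_KEYSTORE_TYPE = "jks"
DEFAULT_KEY_ALIAS = "gateway-identity"
DEFAULT_KEY_PASSPHRASE_ALIAS = "gateway-identity-passphrase"


def _first(*candidates: Optional[str]) -> Optional[str]:
    """Return the first candidate that is set and non-empty."""
    for value in candidates:
        if value:
            return value
    return None


def resolve_tls_settings(site: Mapping[str, str],
                         sysprops: Mapping[str, str],
                         env: Mapping[str, str],
                         sep: str = os.sep) -> dict:
    """Apply the issue's lookup order and calculated defaults.

    site     - gateway-site.xml properties
    sysprops - JVM system properties (-D...)
    env      - process environment
    """
    # Home directory, in the consistent order the issue proposes:
    # system property, then environment variable, then gateway-site.
    home = _first(sysprops.get("GATEWAY_HOME"), env.get("GATEWAY_HOME"),
                  site.get("gateway.home.dir"))
    if home is None:
        raise ValueError("GATEWAY_HOME is not set anywhere")

    # Data and security directories: explicit settings win, otherwise the
    # calculated defaults [Home]/data and [Data]/security.
    data_dir = _first(sysprops.get("GATEWAY_DATA_HOME"),
                      env.get("GATEWAY_DATA_HOME"),
                      site.get("gateway.data.dir")) or home + sep + "data"
    security_dir = site.get("gateway.security.dir") or data_dir + sep + "security"
    keystore_dir = security_dir + sep + "keystores"

    return {
        "home_dir": home,
        "data_dir": data_dir,
        "security_dir": security_dir,
        "keystore_dir": keystore_dir,
        # The five gateway.tls.* properties from the issue, each falling
        # back to its calculated default.
        "keystore_path": site.get("gateway.tls.keystore.path")
                         or keystore_dir + sep + "gateway.jks",
        "keystore_password_alias": site.get("gateway.tls.keystore.password.alias")
                                   or DEFAULT_KEYSTORE_PASSWORD_ALIAS,
        "keystore_type": site.get("gateway.tls.keystore.type") or DEFAULT_KEYSTORE_TYPE,
        "key_alias": site.get("gateway.tls.key.alias") or DEFAULT_KEY_ALIAS,
        "key_passphrase_alias": site.get("gateway.tls.key.passphrase.alias")
                                or DEFAULT_KEY_PASSPHRASE_ALIAS,
    }


def check_identity_keystore(settings: Mapping[str, str],
                            exists=os.path.isfile) -> list:
    """Pre-flight check returning a list of human-readable problems.

    `exists` is injectable so the check can run against a constructed
    file system in tests. JKS and PKCS12 are the Java KeyStore types
    accepted here.
    """
    problems = []
    path = settings.get("keystore_path")
    if not path:
        problems.append("TLS keystore path is not configured")
    elif not exists(path):
        problems.append("TLS keystore not found: " + path)
    if settings.get("keystore_type", "").lower() not in ("jks", "pkcs12"):
        problems.append("unsupported keystore type: " + settings["keystore_type"])
    return problems


if __name__ == "__main__":
    # Constructed sample: a host-wide, CA-signed certificate kept outside
    # the Knox data directory under its own alias.
    site = {"gateway.tls.keystore.path": "/etc/pki/host.jks",
            "gateway.tls.key.alias": "host-cert"}
    resolved = resolve_tls_settings(site, {}, {"GATEWAY_HOME": "/opt/knox"}, sep="/")
    for key, value in resolved.items():
        print(f"{key:24} {value}")
    print(check_identity_keystore(resolved, exists=lambda p: False))
```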

[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-22 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202793&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202793
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 22/Feb/19 18:56
Start Date: 22/Feb/19 18:56
Worklog Time Spent: 10m 
  Work Description: risdenk commented on issue #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#issuecomment-466506934
 
 
   @rlevas while testing I noticed the following:
   
   - There are strings like the following still present when there are errors 
loading the certificate: "provided (or persisted) master secret"
   - There is at least one change in the PR about changing this to not 
reference the master secret.
   - `./bin/knoxcli.sh create-cert` seemed to overwrite my existing 
certificate. Checking into this more to see what happened here.
 



Issue Time Tracking
---

Worklog Id: (was: 202793)
Time Spent: 9h 50m  (was: 9h 40m)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-22 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202792&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202792
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 22/Feb/19 18:56
Start Date: 22/Feb/19 18:56
Worklog Time Spent: 10m 
  Work Description: risdenk commented on issue #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#issuecomment-466506934
 
 
   @rlevas while testing I noticed the following:
   
   - There are strings like the following still present when there are errors 
loading the certificate: "provided (or persisted) master secret"
   - `./bin/knoxcli.sh create-cert` seemed to overwrite my existing 
certificate. Checking into this more to see what happened here.
 



Issue Time Tracking
---

Worklog Id: (was: 202792)
Time Spent: 9h 40m  (was: 9.5h)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-22 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202760&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202760
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 22/Feb/19 17:41
Start Date: 22/Feb/19 17:41
Worklog Time Spent: 10m 
  Work Description: risdenk commented on issue #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#issuecomment-466482147
 
 
   All tests passed locally now. Performing some sanity checks to make sure 
this works as designed.
 



Issue Time Tracking
---

Worklog Id: (was: 202760)
Time Spent: 9.5h  (was: 9h 20m)




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202255&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202255
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 21:55
Start Date: 21/Feb/19 21:55
Worklog Time Spent: 10m 
  Work Description: risdenk commented on issue #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#issuecomment-466182690
 
 
   Changes look reasonable but getting test failures with `mvn -T.5C verify 
-Prelease,package`
   
   ```
   [ERROR] Errors:
   [ERROR] 
org.apache.knox.gateway.GatewayDeployFuncTest.testDeployRedeployUndeploy(org.apache.knox.gateway.GatewayDeployFuncTest)
   [ERROR]   Run 1: GatewayDeployFuncTest.setupGateway:110 » NullPointer
   [ERROR]   Run 2: GatewayDeployFuncTest.cleanupGateway:121 NullPointer
   [INFO]
   [ERROR] 
org.apache.knox.gateway.GatewayMultiFuncTest.org.apache.knox.gateway.GatewayMultiFuncTest
   [ERROR]   Run 1: 
GatewayMultiFuncTest.setUpBeforeClass:87->setupGateway:124->startGatewayServer:139
 » NullPointer
   [ERROR]   Run 2: GatewayMultiFuncTest.tearDownAfterClass:94 NullPointer
   [INFO]
   [ERROR] 
org.apache.knox.gateway.GatewaySslFuncTest.org.apache.knox.gateway.GatewaySslFuncTest
   [ERROR]   Run 1: 
GatewaySslFuncTest.setUpBeforeClass:100->setupGateway:141->startGatewayServer:170
 » NullPointer
   [ERROR]   Run 2: GatewaySslFuncTest.tearDownAfterClass:107 NullPointer
   [INFO]
   [INFO]
   [ERROR] Tests run: 62, Failures: 0, Errors: 3, Skipped: 3
   ```
   
   The three tests above I checked in an IDE and they all broke at 
`DefaultKeystoreService` line 172 checking if the configured keystore exists or 
not.
 



Issue Time Tracking
---

Worklog Id: (was: 202255)
Time Spent: 9h 20m  (was: 9h 10m)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202186&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202186
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 19:33
Start Date: 21/Feb/19 19:33
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r259082496
 
 

 ##
 File path: 
gateway-server/src/main/java/org/apache/knox/gateway/util/KnoxCLI.java
 ##
 @@ -652,34 +653,49 @@ public void execute() throws Exception {
  if 
(!ks.isCredentialStoreForClusterAvailable(GATEWAY_CREDENTIAL_STORE_NAME)) {
 //   log.creatingCredentialStoreForGateway();
ks.createCredentialStoreForCluster(GATEWAY_CREDENTIAL_STORE_NAME);
- }
- else {
+ } else {
 //   log.credentialStoreForGatewayFoundNotCreating();
  }
  // LET'S NOT GENERATE A DIFFERENT KEY PASSPHRASE BY DEFAULT ANYMORE
  // IF A DEPLOYMENT WANTS TO CHANGE THE KEY PASSPHRASE TO MAKE IT MORE 
SECURE THEN
  // THEY CAN ADD THE ALIAS EXPLICITLY WITH THE CLI
  //as.generateAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME, 
GATEWAY_IDENTITY_PASSPHRASE);
} catch (KeystoreServiceException e) {
- throw new ServiceLifecycleException("Keystore was not loaded properly 
- the provided (or persisted) master secret may not match the password for the 
keystore.", e);
+ throw new ServiceLifecycleException("Keystore was not loaded properly 
- the stored password may not match the password for the keystore.", e);
}
 
try {
  if (!ks.isKeystoreForGatewayAvailable()) {
 //   log.creatingKeyStoreForGateway();
ks.createKeystoreForGateway();
- }
- else {
+ } else {
 //   log.keyStoreForGatewayFoundNotCreating();
  }
- char[] passphrase = 
as.getPasswordFromAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME, 
GATEWAY_IDENTITY_PASSPHRASE);
- if (passphrase == null) {
-   MasterService ms = services.getService("MasterService");
-   passphrase = ms.getMasterSecret();
+ boolean isSelfSigned;
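Review bot: Dropping the `MasterService` fallback (the removed `if (passphrase == null)` branch that called `ms.getMasterSecret()`) changes startup behaviour for deployments whose credential store has no `gateway-identity-passphrase` alias and that relied on the master secret as the key passphrase; the commit message or upgrade notes should state what those deployments must do now, and the new `ServiceLifecycleException` text ("the stored password may not match the password for the keystore") should name the alias that was looked up so an operator can tell a missing alias from a wrong password. Separately, the four commented-out `log.*` calls are still carried as dead code through the brace reformat; either restore them as real log statements or delete them.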
 
 Review comment:
   fixing
 



Issue Time Tracking
---

Worklog Id: (was: 202186)
Time Spent: 9h 10m  (was: 9h)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202184&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202184
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 19:32
Start Date: 21/Feb/19 19:32
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r259082160
 
 

 ##
 File path: 
gateway-provider-security-pac4j/src/main/java/org/apache/knox/gateway/pac4j/Pac4jMessages.java
 ##
 @@ -47,4 +47,8 @@
   @Message( level = MessageLevel.INFO, text =
   "No private key passphrase alias found. Defaulting to master. Exception 
encountered: {0}")
   void noPrivateKeyPasshraseProvisioned(Exception e);
+
+  @Message( level = MessageLevel.ERROR, text =
+  "No keystore password alias found. Defaulting to master. Exception 
encountered: {0}")
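Review bot: The added `@Message` is declared at `MessageLevel.ERROR` while the sibling `noPrivateKeyPasshraseProvisioned` message for the same "Defaulting to master" fallback is `MessageLevel.INFO`; the two should use one level, and if this PR is moving away from the master-secret fallback (as the `KnoxCLI` change does for the key passphrase), the text "Defaulting to master" should describe what actually happens. The method declaration for the new message is not in the hunk as shown, so also confirm it takes the `Exception e` parameter that the `{0}` placeholder expects.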
 
 Review comment:
   fixing
 



Issue Time Tracking
---

Worklog Id: (was: 202184)
Time Spent: 8h 50m  (was: 8h 40m)






[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202182&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202182
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 19:31
Start Date: 21/Feb/19 19:31
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r259081899
 
 

 ##
 File path: 
gateway-server/src/test/java/org/apache/knox/gateway/websockets/BadUrlTest.java
 ##
 @@ -290,4 +369,28 @@ public void handleTopologyEvent(List 
events) {
   }
 }
   }
+
+  private static void createTestKeystore()
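Review bot: `createTestKeystore()` is introduced as a bare `private static void` with no comment on where the keystore is written, which alias and password it uses, or when it is removed; add a short comment with those details, write the file under the test's temporary directory and delete it in the class teardown so a stale keystore cannot leak into the next run, and declare the checked exceptions that keystore creation throws rather than swallowing them.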
 
 Review comment:
   fixing
 



Issue Time Tracking
---

Worklog Id: (was: 202182)
Time Spent: 8.5h  (was: 8h 20m)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 8.5h
>  Remaining Estimate: 0h
>
> h1. Problem
> The location of the keystore housing the Knox Gateway TLS certificate is 
> hardcoded to {{/keystores/gateway.jks}} and the 
> certificate alias is hardcoded to “{{gateway-identity}}”. This limits the 
> ability for external management facilities to setup a custom TLS key and 
> certificate for the Knox Gateway. For example, a host-wide, CA-signed, TLS 
> certificate.
> Knox has configuration hooks for the following (optional) properties
>  * Home Directory
>  ** Gateway-site property: GATEWAY_HOME
>  ** System property: GATEWAY_HOME
>  ** Environment variable: GATEWAY_HOME
>  * Data Directory
>  ** System property: GATEWAY_DATA_HOME
>  ** Environment variable: GATEWAY_DATA_HOME
>  ** Gateway-site property: gateway.data.dir
>  ** Calculated: [Home Directory] + [Path Separator] + “data”
>  * Security Directory
>  ** Gateway-site property: gateway.security.dir
>  ** Calculated: [Data Directory] + [Path Separator] + “security”
> *Note*: the calculation for the home directory is inconsistent with the other 
> directory calculations. This inconsistency may be confusing to users and thus 
> should be fixed to be
>  * System property: GATEWAY_HOME
>  * Environment variable: GATEWAY_HOME
>  * Gateway-site property: gateway.home.dir
> The path to the Knox Gateway TLS keystore is calculated as
> {noformat}
> [Security Directory] + [Path Separator] + “keystores” + [Path Separator] + 
> “gateway.jks”
> {noformat}
> h1. Solution
> To make it easier to use an externally provided TLS key and certificate, the 
> Knox Gateway should allow the TLS keystore file and alias name to be 
> configurable. The following properties should be made available:
>  * TLS Keystore File Path
>  ** Gateway-site property: gateway.tls.keystore.path
>  ** Calculated: [Security Directory] + [Path Separator] + "keystores" + [Path Separator] + "gateway.jks"
>  * TLS Keystore Password Alias (value to be stored in the Knox Gateway 
> credential store)
>  ** Gateway-site property: gateway.tls.keystore.password.alias
>  ** Calculated: "gateway-identity-keystore-password"
>  * TLS Keystore Type
>  ** Gateway-site property: gateway.tls.keystore.type
>  ** Calculated: “jks”
>  * TLS Key Alias
>  ** Gateway-site property: gateway.tls.key.alias
>  ** Calculated: “gateway-identity”
>  * TLS Key Passphrase Alias (value to be stored in the Knox Gateway 
> credential store)
>  ** Gateway-site property: gateway.tls.key.passphrase.alias
>  ** Calculated: "gateway-identity-passphrase"
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
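The directory and keystore-path resolution the issue describes, written out as a stand-alone Java class (an added illustration, not Knox's GatewayConfigImpl; the class name TlsKeystoreSettings, the injected property lookups, the sample home `/opt/knox`, the path `/etc/pki/tls/private/host.p12` and the alias `host-cert` are constructed for the example), plus a start-up check that the configured alias really holds a private key. The keystore password itself is looked up in the credential store under the password alias, which is outside this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Map;
import java.util.function.Function;

/**
 * Resolves the Knox Gateway TLS keystore settings the way KNOX-1756 describes them.
 * Hypothetical stand-alone illustration, not Knox's GatewayConfigImpl.
 */
public final class TlsKeystoreSettings {
    // Defaults as listed under "Solution" in the issue description.
    static final String DEFAULT_KEYSTORE_NAME = "gateway.jks";
    static final String DEFAULT_KEYSTORE_TYPE = "jks";
    static final String DEFAULT_KEY_ALIAS = "gateway-identity";
    static final String DEFAULT_KEYSTORE_PASSWORD_ALIAS = "gateway-identity-keystore-password";
    static final String DEFAULT_KEY_PASSPHRASE_ALIAS = "gateway-identity-passphrase";

    final Path keystorePath;
    final String keystoreType;
    final String keystorePasswordAlias; // alias of the keystore password in the credential store
    final String keyAlias;
    final String keyPassphraseAlias;    // alias of the key passphrase in the credential store

    private TlsKeystoreSettings(Path keystorePath, String keystoreType, String keystorePasswordAlias,
                                String keyAlias, String keyPassphraseAlias) {
        this.keystorePath = keystorePath;
        this.keystoreType = keystoreType;
        this.keystorePasswordAlias = keystorePasswordAlias;
        this.keyAlias = keyAlias;
        this.keyPassphraseAlias = keyPassphraseAlias;
    }

    /**
     * @param site    gateway-site properties
     * @param sysProp System.getProperty lookup, injected so the resolution can be exercised offline
     * @param env     System.getenv lookup, injected for the same reason
     */
    static TlsKeystoreSettings resolve(Map<String, String> site, Function<String, String> sysProp,
                                       Function<String, String> env) {
        // Home directory, in the order the issue proposes: system property, environment, gateway-site.
        String home = firstNonBlank(sysProp.apply("GATEWAY_HOME"), env.apply("GATEWAY_HOME"),
                site.get("gateway.home.dir"));
        if (home == null) throw new IllegalStateException("GATEWAY_HOME is not set");
        // Data directory: system property, environment, gateway-site, else [Home] + separator + "data".
        String data = firstNonBlank(sysProp.apply("GATEWAY_DATA_HOME"), env.apply("GATEWAY_DATA_HOME"),
                site.get("gateway.data.dir"));
        Path dataDir = data != null ? Paths.get(data) : Paths.get(home, "data");
        // Security directory: gateway-site, else [Data] + separator + "security".
        String sec = site.get("gateway.security.dir");
        Path securityDir = sec != null ? Paths.get(sec) : dataDir.resolve("security");
        // Keystore: gateway.tls.keystore.path, else [Security] + "keystores" + "gateway.jks";
        // Path.resolve supplies the platform separator, so nothing here hard-codes "/".
        String configured = site.get("gateway.tls.keystore.path");
        Path keystore = configured != null ? Paths.get(configured)
                : securityDir.resolve("keystores").resolve(DEFAULT_KEYSTORE_NAME);
        return new TlsKeystoreSettings(keystore.toAbsolutePath(),
                site.getOrDefault("gateway.tls.keystore.type", DEFAULT_KEYSTORE_TYPE),
                site.getOrDefault("gateway.tls.keystore.password.alias", DEFAULT_KEYSTORE_PASSWORD_ALIAS),
                site.getOrDefault("gateway.tls.key.alias", DEFAULT_KEY_ALIAS),
                site.getOrDefault("gateway.tls.key.passphrase.alias", DEFAULT_KEY_PASSPHRASE_ALIAS));
    }

    /**
     * Start-up check for an externally managed keystore: it must exist, load with the password
     * fetched under keystorePasswordAlias, and hold a private-key entry under keyAlias.
     * Failing here gives a precise message instead of an opaque TLS handshake failure later.
     */
    void verify(char[] keystorePassword) throws IOException, GeneralSecurityException {
        if (!Files.isRegularFile(keystorePath)) throw new IOException("TLS keystore not found: " + keystorePath);
        KeyStore ks = KeyStore.getInstance(keystoreType);
        try (InputStream in = Files.newInputStream(keystorePath)) { ks.load(in, keystorePassword); }
        if (!ks.isKeyEntry(keyAlias)) throw new GeneralSecurityException(
                "no private-key entry under alias '" + keyAlias + "' in " + keystorePath);
    }

    private static String firstNonBlank(String... values) {
        for (String v : values) {
            if (v != null && !v.trim().isEmpty()) return v;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample: only GATEWAY_HOME is set, so everything else falls back to its default.
        Function<String, String> sysProp = k -> "GATEWAY_HOME".equals(k) ? "/opt/knox" : null;
        Function<String, String> env = k -> null;
        TlsKeystoreSettings d = resolve(Map.of(), sysProp, env);
        System.out.println(d.keystorePath + " " + d.keystoreType + " " + d.keyAlias);
        // Constructed sample: a host-wide, CA-signed certificate kept in a PKCS12 file managed outside Knox.
        Map<String, String> site = Map.of("gateway.tls.keystore.path", "/etc/pki/tls/private/host.p12",
                "gateway.tls.keystore.type", "PKCS12", "gateway.tls.key.alias", "host-cert");
        TlsKeystoreSettings c = resolve(site, sysProp, env);
        System.out.println(c.keystorePath + " " + c.keystoreType + " " + c.keyAlias);
    }
}
```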


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202185&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202185
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 19:32
Start Date: 21/Feb/19 19:32
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r259082194
 
 

 ##
 File path: 
gateway-server/src/test/java/org/apache/knox/gateway/websockets/WebsocketMultipleConnectionTest.java
 ##
 @@ -352,4 +430,28 @@ public void onOpen(Session session, EndpointConfig 
config) {
   session.addMessageHandler(this);
 }
   }
+
+  private static void createTestKeystore()
+  throws NoSuchAlgorithmException, CertificateException, 
KeyStoreException, IOException {
 
 Review comment:
   fixing
 



Issue Time Tracking
---

Worklog Id: (was: 202185)
Time Spent: 9h  (was: 8h 50m)



[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202177&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202177
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 19:30
Start Date: 21/Feb/19 19:30
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r259081684
 
 

 ##
 File path: 
gateway-test/src/test/java/org/apache/knox/gateway/AmbariServiceDefinitionTest.java
 ##
 @@ -352,4 +366,28 @@ public void contextPathInViewsResponse() throws Exception 
{
 LOG_EXIT();
   }
 
+  private static void createTestKeystore()
 
 Review comment:
   I will copy the `X509CertificateUtil` into the project to make things 
simple. 
 



Issue Time Tracking
---

Worklog Id: (was: 202177)
Time Spent: 7h 40m  (was: 7.5h)



[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202183&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202183
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 19:31
Start Date: 21/Feb/19 19:31
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r259082098
 
 

 ##
 File path: 
gateway-server/src/test/java/org/apache/knox/gateway/config/impl/GatewayConfigImplTest.java
 ##
 @@ -292,5 +295,55 @@ public void testGetReadOnlyOverrideTopologyNames() {
 assertTrue(names.contains("default"));
   }
 
+  // KNOX-1756
+  @Test
+  public void testCustomIdentityKeystoreOptions() {
+GatewayConfigImpl config = new GatewayConfigImpl();
+
+// Validate default options (backwards compatibility)
+assertEquals("gateway-identity", config.getIdentityKeyAlias());
+assertEquals("gateway-identity-passphrase", 
config.getIdentityKeyPassphraseAlias());
+assertEquals("gateway-identity", config.getSigningKeyAlias());
+assertEquals("gateway-identity-passphrase", 
config.getSigningKeyPassphraseAlias());
+assertNull(config.getSigningKeystoreName());
+
+// Validate default options (new)
+assertEquals(GatewayConfig.DEFAULT_IDENTITY_KEYSTORE_PASSWORD_ALIAS, 
config.getIdentityKeystorePasswordAlias());
+assertEquals(GatewayConfig.DEFAULT_IDENTITY_KEYSTORE_TYPE, 
config.getIdentityKeystoreType());
+assertEquals(Paths.get(config.getGatewayKeystoreDir(), 
"gateway.jks").toAbsolutePath().toString(),
+config.getIdentityKeystorePath());
+
+// By default the signing keystore name will not be set, so the values 
will be taken from the identity's configs
+assertEquals(config.getIdentityKeystorePath(), 
config.getSigningKeystorePath());
+assertEquals(config.getIdentityKeystorePasswordAlias(), 
config.getSigningKeystorePasswordAlias());
+assertEquals(config.getIdentityKeystoreType(), 
config.getSigningKeystoreType());
+assertEquals(config.getIdentityKeyAlias(), config.getSigningKeyAlias());
+assertEquals(config.getIdentityKeyPassphraseAlias(), 
config.getSigningKeyPassphraseAlias());
+
+// Validate changed options
+config.set("gateway.tls.key.alias", "custom_key_alias");
+config.set("gateway.tls.key.passphrase.alias", 
"custom_key_passphrase_alias");
+config.set("gateway.tls.keystore.path", 
"/custom/keystore/path/keystore.p12");
+config.set("gateway.tls.keystore.type", "PKCS12");
+config.set("gateway.tls.keystore.password.alias", 
"custom_keystore_password_alias");
+
+config.set("gateway.signing.key.alias", "custom_key_alias");
+config.set("gateway.signing.key.passphrase.alias", 
"custom_key_passphrase_alias");
+config.set("gateway.signing.keystore.name", "custom_keystore_name");
+config.set("gateway.signing.keystore.type", "PKCS12");
+config.set("gateway.signing.keystore.password.alias", 
"custom_keystore_password_alias");
+
+assertEquals("custom_key_alias", config.getIdentityKeyAlias());
+assertEquals("custom_key_passphrase_alias", 
config.getIdentityKeyPassphraseAlias());
+assertEquals("/custom/keystore/path/keystore.p12", 
config.getIdentityKeystorePath());
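Review bot: the "Validate changed options" block gives the `gateway.signing.*` properties exactly the values already given to the `gateway.tls.*` properties (`custom_key_alias`, `custom_key_passphrase_alias`, `PKCS12`, `custom_keystore_password_alias`), so no assertion on a signing getter can distinguish a correct signing lookup from the identity fall-back that the earlier block verifies. Use distinct values for the signing properties (for example `custom_signing_key_alias`) so both code paths are pinned down. Also, the default-path assertion hard-codes `"gateway.jks"`; using the `DEFAULT_GATEWAY_KEYSTORE_NAME` constant that GatewayTestConfig already references keeps the test and the default in step.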
 
 Review comment:
   fixing
 



Issue Time Tracking
---

Worklog Id: (was: 202183)
Time Spent: 8h 40m  (was: 8.5h)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202180&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202180
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 19:31
Start Date: 21/Feb/19 19:31
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r259081835
 
 

 ##
 File path: 
gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
 ##
 @@ -376,9 +406,29 @@ public String getSigningKeystoreName() {
 return null;
   }
 
+  @Override
+  public String getSigningKeystorePath() {
+return getGatewayKeystoreDir() + "/" + DEFAULT_GATEWAY_KEYSTORE_NAME;
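Review bot: `getGatewayKeystoreDir() + "/" + DEFAULT_GATEWAY_KEYSTORE_NAME` hard-codes the separator and recomputes the default path instead of following the `[Security Directory] + [Path Separator] + ...` rule in the issue; GatewayConfigImplTest in this PR expects the default to equal `Paths.get(config.getGatewayKeystoreDir(), "gateway.jks").toAbsolutePath().toString()`. Since `getSigningKeystoreName()` returns null right above, `return getIdentityKeystorePath();` is the simpler and documented behaviour (signing values fall back to the identity keystore), with the path built via `Paths.get(...)` in that one place.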
 
 Review comment:
   fixing
 



Issue Time Tracking
---

Worklog Id: (was: 202180)
Time Spent: 8h 10m  (was: 8h)



[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202179&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202179
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 19:31
Start Date: 21/Feb/19 19:31
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r259081810
 
 

 ##
 File path: 
gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestDriver.java
 ##
 @@ -261,6 +273,39 @@ public String getLdapUrl() {
 return "ldap://localhost:"; + 
ldapTransport.getAcceptor().getLocalAddress().getPort();
   }
 
+  public void setupTestKeystore(GatewayConfig config, char[] password)
+  throws NoSuchAlgorithmException, CertificateException, 
KeyStoreException, IOException {
+
+String alias = config.getIdentityKeyAlias();
+
+// Ensure parent directory exists...
+Path keystoreFile = Paths.get(config.getIdentityKeystorePath());
+Files.createDirectories(keystoreFile.getParent());
+
+KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
+kpg.initialize(2048);
+KeyPair keyPair = kpg.generateKeyPair();
+
+Certificate cert = 
X509CertificateUtil.generateCertificate("CN=localhost,OU=Test,O=Hadoop,L=Test,ST=Test,C=US",
 keyPair, 365, "SHA1withRSA");
+
+KeyStore keyStore = KeyStore.getInstance(config.getIdentityKeystoreType());
+keyStore.load(null, password);
+keyStore.setCertificateEntry(alias, cert);
+keyStore.setKeyEntry(alias, keyPair.getPrivate(), password, new 
java.security.cert.Certificate[]{cert});
+try (OutputStream out = Files.newOutputStream(keystoreFile)) {
+  keyStore.store(out, password);
+}
+  }
+
+  public void cleanupTestKeystore(GatewayConfig config) {
+try {
+  
Files.delete(Paths.get(config.getIdentityKeystorePath()).toAbsolutePath());
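Review bot: `X509CertificateUtil.generateCertificate(..., 365, "SHA1withRSA")` signs the test certificate with SHA-1; SHA-1 signatures are being removed from JDK and TLS policy (`jdk.certpath.disabledAlgorithms` already restricts them), so tests that perform real handshakes against this keystore can start failing on a JDK update, and `"SHA256withRSA"` costs nothing. Also, `keyStore.setCertificateEntry(alias, cert)` immediately followed by `keyStore.setKeyEntry(alias, ...)` under the same alias is redundant, since the key entry replaces the trusted-certificate entry; drop the first call. Finally, `cleanupTestKeystore` deletes whatever file `config.getIdentityKeystorePath()` points at; tracking the path `setupTestKeystore` actually wrote and deleting only that would guard against a config that points at a real keystore.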
 
 Review comment:
   Fixing
 



Issue Time Tracking
---

Worklog Id: (was: 202179)
Time Spent: 8h  (was: 7h 50m)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202181&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202181
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 19:31
Start Date: 21/Feb/19 19:31
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r259081861
 
 

 ##
 File path: 
gateway-server/src/test/java/org/apache/knox/gateway/websockets/WebsocketEchoTest.java
 ##
 @@ -369,4 +447,28 @@ public void handleTopologyEvent(List 
events) {
   }
 }
   }
+
+  private static void createTestKeystore()
 
 Review comment:
   fixing
 



Issue Time Tracking
---

Worklog Id: (was: 202181)
Time Spent: 8h 20m  (was: 8h 10m)



[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202178&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202178
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 19:31
Start Date: 21/Feb/19 19:31
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r259081759
 
 

 ##
 File path: 
gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
 ##
 @@ -135,6 +140,31 @@ public long getGatewayIdleTimeout() {
 return 0L;
   }
 
+  @Override
+  public String getIdentityKeystorePath() {
+return getGatewayKeystoreDir() + "/" + DEFAULT_GATEWAY_KEYSTORE_NAME;
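Review bot: `getGatewayKeystoreDir() + "/" + DEFAULT_GATEWAY_KEYSTORE_NAME` hard-codes "/" as the separator, whereas the issue defines the default as `[Security Directory] + [Path Separator] + "keystores" + [Path Separator] + "gateway.jks"` and GatewayConfigImplTest in this PR asserts the default against `Paths.get(config.getGatewayKeystoreDir(), "gateway.jks").toAbsolutePath().toString()`. `return Paths.get(getGatewayKeystoreDir(), DEFAULT_GATEWAY_KEYSTORE_NAME).toAbsolutePath().toString();` keeps the test config consistent with the real implementation on every platform.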
 
 Review comment:
   fixing.
 



Issue Time Tracking
---

Worklog Id: (was: 202178)
Time Spent: 7h 50m  (was: 7h 40m)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 7h 50m
>  Remaining Estimate: 0h
>
> h1. Problem
> The location of the keystore housing the Knox Gateway TLS certificate is 
> hardcoded to {{/keystores/gateway.jks}} and the 
> certificate alias is hardcoded to “{{gateway-identity}}”. This limits the 
> ability for external management facilities to setup a custom TLS key and 
> certificate for the Knox Gateway. For example, a host-wide, CA-signed, TLS 
> certificate.
> Knox has configuration hooks for the following (optional) properties
>  * Home Directory
>  ** Gateway-site property: GATEWAY_HOME
>  ** System property: GATEWAY_HOME
>  ** Environment variable: GATEWAY_HOME
>  * Data Directory
>  ** System property: GATEWAY_DATA_HOME
>  ** Environment variable: GATEWAY_DATA_HOME
>  ** Gateway-site property: gateway.data.dir
>  ** Calculated: [Home Directory] + [Path Separator] + “data”
>  * Security Directory
>  ** Gateway-site property: gateway.security.dir
>  ** Calculated: [Data Directory] + [Path Separator] + “security”
> *Note*: the calculation for the home directory is inconsistent with the other 
> directory calculations. This inconsistency may be confusing to users and thus 
> should be fixed to be
>  * System property: GATEWAY_HOME
>  * Environment variable: GATEWAY_HOME
>  * Gateway-site property: gateway.home.dir
> The path to the Knox Gateway TLS keystore is calculated as
> {noformat}
> [Security Directory] + [Path Separator] + “keystores” + [Path Separator] + 
> “gateway.jks”
> {noformat}
> h1. Solution
> To make it easier to use an externally provided TLS key and certificate, the 
> Knox Gateway should allow the TLS keystore file and alias name to be 
> configurable. The following properties should be made available:
>  * TLS Keystore File Path
>  ** Gateway-site property: gateway.tls.keystore.path
>  ** Calculated: [Security Directory] + [Path Separator] + "keystores" + [Path 
> Separator] + "gateway.jks"
>  * TLS Keystore Password Alias (value to be stored in the Knox Gateway 
> credential store)
>  ** Gateway-site property: gateway.tls.keystore.password.alias
>  ** Calculated: "gateway-identity-keystore-password"
>  * TLS Keystore Type
>  ** Gateway-site property: gateway.tls.keystore.type
>  ** Calculated: “jks”
>  * TLS Key Alias
>  ** Gateway-site property: gateway.tls.key.alias
>  ** Calculated: “gateway-identity”
>  * TLS Key Passphrase Alias (value to be stored in the Knox Gateway 
> credential store)
>  ** Gateway-site property: gateway.tls.key.passphrase.alias
>  ** Calculated: "gateway-identity-passphrase"
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
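The resolution order the quoted description lays out, as an added example that is not Knox's own code: a small Java resolver that walks system property, environment variable, gateway-site property and the calculated fall-back for the home, data, security and keystore directories, then applies the proposed gateway.tls.* properties with their defaults. The property names are the issue's; the class name, method names and the injected lookups for system properties and the environment are assumptions of this example, and it uses the home-directory order the issue proposes (system property, environment variable, gateway.home.dir) rather than the current one.

```java
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

/**
 * Added example (not Knox code): resolves the directory and TLS keystore
 * settings described in KNOX-1756. Property names follow the issue; the
 * class, method names and injected lookups are this example's own.
 */
public class TlsKeystoreConfigExample {

    /** Stand-in for gateway-site.xml: a plain key/value map (constructed). */
    private final Map<String, String> gatewaySite;
    /** System properties and environment, injected so the example runs offline. */
    private final Function<String, String> systemProps;
    private final Function<String, String> env;

    public TlsKeystoreConfigExample(Map<String, String> gatewaySite,
                                    Function<String, String> systemProps,
                                    Function<String, String> env) {
        this.gatewaySite = gatewaySite;
        this.systemProps = systemProps;
        this.env = env;
    }

    /** First candidate that is set and non-blank, else null. */
    private static String firstSet(String... candidates) {
        for (String c : candidates) {
            if (c != null && !c.trim().isEmpty()) {
                return c;
            }
        }
        return null;
    }

    /** gateway-site value if set, otherwise the given default. */
    private String siteOrDefault(String key, String dflt) {
        String v = firstSet(gatewaySite.get(key));
        return v != null ? v : dflt;
    }

    /** Home: system property, environment variable, then gateway.home.dir (proposed order). */
    public String getGatewayHomeDir() {
        String v = firstSet(systemProps.apply("GATEWAY_HOME"), env.apply("GATEWAY_HOME"),
                            gatewaySite.get("gateway.home.dir"));
        if (v == null) {
            throw new IllegalStateException("GATEWAY_HOME is not set");
        }
        return v;
    }

    /** Data: GATEWAY_DATA_HOME (system property, env var), gateway.data.dir, else [home]/data. */
    public String getGatewayDataDir() {
        String v = firstSet(systemProps.apply("GATEWAY_DATA_HOME"), env.apply("GATEWAY_DATA_HOME"),
                            gatewaySite.get("gateway.data.dir"));
        return v != null ? v : Paths.get(getGatewayHomeDir(), "data").toString();
    }

    /** Security: gateway.security.dir, else [data]/security. */
    public String getGatewaySecurityDir() {
        return siteOrDefault("gateway.security.dir",
                             Paths.get(getGatewayDataDir(), "security").toString());
    }

    /** [security]/keystores, built with the platform separator rather than a literal "/". */
    public String getGatewayKeystoreDir() {
        return Paths.get(getGatewaySecurityDir(), "keystores").toString();
    }

    /** gateway.tls.keystore.path, else [keystores]/gateway.jks. */
    public String getIdentityKeystorePath() {
        return siteOrDefault("gateway.tls.keystore.path",
                             Paths.get(getGatewayKeystoreDir(), "gateway.jks").toString());
    }

    public String getIdentityKeystoreType() {
        return siteOrDefault("gateway.tls.keystore.type", "jks");
    }

    /** Alias under which the credential store holds the keystore password (never the password itself). */
    public String getIdentityKeystorePasswordAlias() {
        return siteOrDefault("gateway.tls.keystore.password.alias", "gateway-identity-keystore-password");
    }

    public String getIdentityKeyAlias() {
        return siteOrDefault("gateway.tls.key.alias", "gateway-identity");
    }

    public String getIdentityKeyPassphraseAlias() {
        return siteOrDefault("gateway.tls.key.passphrase.alias", "gateway-identity-passphrase");
    }

    public static void main(String[] args) {
        // Constructed sample: only GATEWAY_HOME is set, through the fake environment.
        Map<String, String> fakeEnv = new HashMap<>();
        fakeEnv.put("GATEWAY_HOME", Paths.get(System.getProperty("java.io.tmpdir"), "knox").toString());
        Map<String, String> site = new HashMap<>();

        TlsKeystoreConfigExample defaults = new TlsKeystoreConfigExample(site, k -> null, fakeEnv::get);
        System.out.println("default keystore: " + defaults.getIdentityKeystorePath()
                + " type=" + defaults.getIdentityKeystoreType()
                + " alias=" + defaults.getIdentityKeyAlias());

        // Externally managed, CA-signed host certificate in a PKCS12 file (constructed path).
        site.put("gateway.tls.keystore.path", Paths.get(System.getProperty("java.io.tmpdir"), "host.p12").toString());
        site.put("gateway.tls.keystore.type", "PKCS12");
        site.put("gateway.tls.key.alias", "host-cert");
        site.put("gateway.tls.keystore.password.alias", "host-keystore-password");

        TlsKeystoreConfigExample custom = new TlsKeystoreConfigExample(site, k -> null, fakeEnv::get);
        System.out.println("custom keystore:  " + custom.getIdentityKeystorePath()
                + " type=" + custom.getIdentityKeystoreType()
                + " alias=" + custom.getIdentityKeyAlias()
                + " password-alias=" + custom.getIdentityKeystorePasswordAlias());
    }
}
```

Only alias names are resolved here: the keystore password and key passphrase themselves stay in the Knox credential store, so gateway-site.xml never carries a secret, only the alias the gateway looks it up under. Building every path with Paths.get instead of concatenating "/" is what keeps the computed default consistent with how the PR's test builds its expected value from getGatewayKeystoreDir().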


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202142&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202142
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 18:28
Start Date: 21/Feb/19 18:28
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r259057287
 
 

 ##
 File path: 
gateway-test/src/test/java/org/apache/knox/gateway/AmbariServiceDefinitionTest.java
 ##
 @@ -352,4 +366,28 @@ public void contextPathInViewsResponse() throws Exception 
{
 LOG_EXIT();
   }
 
+  private static void createTestKeystore()
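Review bot: only the signature `private static void createTestKeystore()` is visible, but adding a per-test-class keystore generator duplicates the one already in `GatewayTestDriver`. Since these tests exist to exercise the new `gateway.tls.keystore.path` and `gateway.tls.keystore.type` options, a single shared helper in `gateway-test-utils` that takes the keystore path, type and key alias as parameters would let every integration test cover both the default `gateway.jks` layout and a custom PKCS12 path without copying this block; moving `X509CertificateUtil` alongside it, as discussed in the thread, avoids the `gateway-spi` dependency cycle.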
 
 Review comment:
   Adding gateway-spi as a dependency of gateway-test-utils creates a cycle...
   ```
   [ERROR] The projects in the reactor contain a cyclic reference: Edge between 
'Vertex{label='org.apache.knox:gateway-spi:1.3.0-SNAPSHOT'}' and 
'Vertex{label='org.apache.knox:gateway-i18n:1.3.0-SNAPSHOT'}' introduces to 
cycle in the graph org.apache.knox:gateway-i18n:1.3.0-SNAPSHOT --> 
org.apache.knox:gateway-test-utils:1.3.0-SNAPSHOT --> 
org.apache.knox:gateway-spi:1.3.0-SNAPSHOT --> 
org.apache.knox:gateway-i18n:1.3.0-SNAPSHOT -> [Help 1]
   ```
 



Issue Time Tracking
---

Worklog Id: (was: 202142)
Time Spent: 7.5h  (was: 7h 20m)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 7.5h
>  Remaining Estimate: 0h
>




[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202053&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202053
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 16:32
Start Date: 21/Feb/19 16:32
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r259009955
 
 

 ##
 File path: 
gateway-test/src/test/java/org/apache/knox/gateway/AmbariServiceDefinitionTest.java
 ##
 @@ -352,4 +366,28 @@ public void contextPathInViewsResponse() throws Exception 
{
 LOG_EXIT();
   }
 
+  private static void createTestKeystore()
 
 Review comment:
   Actually - `X509CertificateUtil` is in `gateway-spi` so shouldn't be too bad 
to move to `TestUtils`. This should avoid needing an additional dependency in 
most cases. Much easier to add a test dependency on `gateway-test-utils` than 
on `gateway-test-release-utils`.
 



Issue Time Tracking
---

Worklog Id: (was: 202053)
Time Spent: 7h 20m  (was: 7h 10m)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 7h 20m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202047&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202047
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 16:29
Start Date: 21/Feb/19 16:29
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r259008362
 
 

 ##
 File path: 
gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
 ##
 @@ -91,6 +91,11 @@ public String getGatewaySecurityDir() {
 return gatewayHomeDir + "/security";
   }
 
+  @Override
+  public String getGatewayKeystoreDir() {
+return getGatewaySecurityDir() + "/keystores";
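Review bot: `getGatewaySecurityDir() + "/keystores"` hardcodes the path separator, as does the unchanged `gatewayHomeDir + "/security"` directly above it, while the new test in `GatewayConfigImplTest` builds the expected default with `Paths.get(config.getGatewayKeystoreDir(), "gateway.jks")`; on a platform with a different separator the two halves disagree. Suggest `return Paths.get(getGatewaySecurityDir(), "keystores").toString();` here, and the same treatment for the other methods in this file if they are fixed in this PR rather than a follow-up, as the discussion weighs.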
 
 Review comment:
   I am happy to fix them all now. 
 



Issue Time Tracking
---

Worklog Id: (was: 202047)
Time Spent: 7h 10m  (was: 7h)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 7h 10m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202035&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202035
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 16:18
Start Date: 21/Feb/19 16:18
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r259002788
 
 

 ##
 File path: 
gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
 ##
 @@ -91,6 +91,11 @@ public String getGatewaySecurityDir() {
 return gatewayHomeDir + "/security";
   }
 
+  @Override
+  public String getGatewayKeystoreDir() {
+return getGatewaySecurityDir() + "/keystores";
 
 Review comment:
   Ew - didn't realize that there were other examples that are hardcoded with 
`/`. I think either we fix them all in this file or don't fix it with this PR 
and do it in a followup.
 



Issue Time Tracking
---

Worklog Id: (was: 202035)
Time Spent: 6h 20m  (was: 6h 10m)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 6h 20m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202046&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202046
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 16:26
Start Date: 21/Feb/19 16:26
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r258870233
 
 

 ##
 File path: 
gateway-server/src/test/java/org/apache/knox/gateway/config/impl/GatewayConfigImplTest.java
 ##
 @@ -292,5 +295,55 @@ public void testGetReadOnlyOverrideTopologyNames() {
 assertTrue(names.contains("default"));
   }
 
+  // KNOX-1756
+  @Test
+  public void testCustomIdentityKeystoreOptions() {
+GatewayConfigImpl config = new GatewayConfigImpl();
+
+// Validate default options (backwards compatibility)
+assertEquals("gateway-identity", config.getIdentityKeyAlias());
+assertEquals("gateway-identity-passphrase", 
config.getIdentityKeyPassphraseAlias());
+assertEquals("gateway-identity", config.getSigningKeyAlias());
+assertEquals("gateway-identity-passphrase", 
config.getSigningKeyPassphraseAlias());
+assertNull(config.getSigningKeystoreName());
+
+// Validate default options (new)
+assertEquals(GatewayConfig.DEFAULT_IDENTITY_KEYSTORE_PASSWORD_ALIAS, 
config.getIdentityKeystorePasswordAlias());
+assertEquals(GatewayConfig.DEFAULT_IDENTITY_KEYSTORE_TYPE, 
config.getIdentityKeystoreType());
+assertEquals(Paths.get(config.getGatewayKeystoreDir(), 
"gateway.jks").toAbsolutePath().toString(),
+config.getIdentityKeystorePath());
+
+// By default the signing keystore name will not be set, so the values 
will be taken from the identity's configs
+assertEquals(config.getIdentityKeystorePath(), 
config.getSigningKeystorePath());
+assertEquals(config.getIdentityKeystorePasswordAlias(), 
config.getSigningKeystorePasswordAlias());
+assertEquals(config.getIdentityKeystoreType(), 
config.getSigningKeystoreType());
+assertEquals(config.getIdentityKeyAlias(), config.getSigningKeyAlias());
+assertEquals(config.getIdentityKeyPassphraseAlias(), 
config.getSigningKeyPassphraseAlias());
+
+// Validate changed options
+config.set("gateway.tls.key.alias", "custom_key_alias");
+config.set("gateway.tls.key.passphrase.alias", 
"custom_key_passphrase_alias");
+config.set("gateway.tls.keystore.path", 
"/custom/keystore/path/keystore.p12");
+config.set("gateway.tls.keystore.type", "PKCS12");
+config.set("gateway.tls.keystore.password.alias", 
"custom_keystore_password_alias");
+
+config.set("gateway.signing.key.alias", "custom_key_alias");
+config.set("gateway.signing.key.passphrase.alias", 
"custom_key_passphrase_alias");
+config.set("gateway.signing.keystore.name", "custom_keystore_name");
+config.set("gateway.signing.keystore.type", "PKCS12");
+config.set("gateway.signing.keystore.password.alias", 
"custom_keystore_password_alias");
+
+assertEquals("custom_key_alias", config.getIdentityKeyAlias());
+assertEquals("custom_key_passphrase_alias", 
config.getIdentityKeyPassphraseAlias());
+assertEquals("/custom/keystore/path/keystore.p12", 
config.getIdentityKeystorePath());
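Review bot: the identity and signing overrides are set to identical values (`custom_key_alias`, `custom_key_passphrase_alias`, `PKCS12`, `custom_keystore_password_alias`), so a getter that reads the wrong family of properties would still pass; give the `gateway.signing.*` settings distinct values so each getter is pinned to its own key. The custom path `/custom/keystore/path/keystore.p12` is also written with a literal `/` while the default-path assertion above goes through `Paths.get(...).toAbsolutePath()`; build the expected custom value with `Paths.get` as well so the test holds on every platform.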
 
 Review comment:
   Maybe change to be OS non specific separator?
 



Issue Time Tracking
---

Worklog Id: (was: 202046)
Time Spent: 7h  (was: 6h 50m)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 7h
>  Remaining Estimate: 0h
>

[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202044&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202044
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 16:25
Start Date: 21/Feb/19 16:25
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r259006709
 
 

 ##
 File path: 
gateway-provider-security-pac4j/src/main/java/org/apache/knox/gateway/pac4j/Pac4jMessages.java
 ##
 @@ -47,4 +47,8 @@
   @Message( level = MessageLevel.INFO, text =
   "No private key passphrase alias found. Defaulting to master. Exception 
encountered: {0}")
   void noPrivateKeyPasshraseProvisioned(Exception e);
+
+  @Message( level = MessageLevel.ERROR, text =
+  "No keystore password alias found. Defaulting to master. Exception 
encountered: {0}")
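Review bot: the new message is declared at `MessageLevel.ERROR` while the analogous existing one directly above it (`noPrivateKeyPasshraseProvisioned`) reports the same fall-back-to-master situation at `MessageLevel.INFO`; pick one level for both. A missing alias that silently falls back to the master secret is a configuration condition operators need to notice, so a warning level for both is more defensible than ERROR (which suggests the gateway failed) or INFO (which is easily filtered out). The typo in the existing method name (`Passhrase`) is a context line, but since this block is being touched it could be corrected in the same change.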
 
 Review comment:
   Yea probably. 
 



Issue Time Tracking
---

Worklog Id: (was: 202044)
Time Spent: 6h 50m  (was: 6h 40m)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 6h 50m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202041&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202041
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 16:23
Start Date: 21/Feb/19 16:23
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r259005493
 
 

 ##
 File path: 
gateway-provider-security-pac4j/src/main/java/org/apache/knox/gateway/pac4j/Pac4jMessages.java
 ##
 @@ -47,4 +47,8 @@
   @Message( level = MessageLevel.INFO, text =
   "No private key passphrase alias found. Defaulting to master. Exception 
encountered: {0}")
   void noPrivateKeyPasshraseProvisioned(Exception e);
+
+  @Message( level = MessageLevel.ERROR, text =
+  "No keystore password alias found. Defaulting to master. Exception 
encountered: {0}")
 
 Review comment:
   The message in the line above reads
   ```
   No private key passphrase alias found. Defaulting to master. Exception 
encountered: {0}
   ```
   
   Should I change both?
 



Issue Time Tracking
---

Worklog Id: (was: 202041)
Time Spent: 6h 40m  (was: 6.5h)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 6h 40m
>  Remaining Estimate: 0h
>
> h1. Problem
> The location of the keystore housing the Knox Gateway TLS certificate is 
> hardcoded to {{/keystores/gateway.jks}} and the 
> certificate alias is hardcoded to “{{gateway-identity}}”. This limits the 
> ability for external management facilities to setup a custom TLS key and 
> certificate for the Knox Gateway. For example, a host-wide, CA-signed, TLS 
> certificate.
> Knox has configuration hooks for the following (optional) properties
>  * Home Directory
>  ** Gateway-site property: GATEWAY_HOME
>  ** System property: GATEWAY_HOME
>  ** Environment variable: GATEWAY_HOME
>  * Data Directory
>  ** System property: GATEWAY_DATA_HOME
>  ** Environment variable: GATEWAY_DATA_HOME
>  ** Gateway-site property: gateway.data.dir
>  ** Calculated: [Home Directory] + [Path Separator] + “data”
>  * Security Directory
>  ** Gateway-site property: gateway.security.dir
>  ** Calculated: [Data Directory] + [Path Separator] + “security”
> *Note*: the calculation for the home directory is inconsistent with the other 
> directory calculations. This inconsistency may be confusing to users and thus 
> should be fixed to be
>  * System property: GATEWAY_HOME
>  * Environment variable: GATEWAY_HOME
>  * Gateway-site property: gateway.home.dir
> The path to the Knox Gateway TLS keystore is calculated as
> {noformat}
> [Security Directory] + [Path Separator] + “keystores” + [Path Separator] + 
> “gateway.jks”
> {noformat}
> h1. Solution
> To make it easier to use an externally provided TLS key and certificate, the 
> Knox Gateway should allow the TLS keystore file and alias name to be 
> configurable. The following properties should be made available:
>  * TLS Keystore File Path
>  ** Gateway-site property: gateway.tls.keystore.path
>  ** Calculated: [Security Directory] + [Path Separator] + "keystores"  +[Path 
> Separator]+  "gateway.jks"
>  * TLS Keystore Password Alias (value to be stored in the Knox Gateway 
> credential store)
>  ** Gateway-site property: gateway.tls.keystore.password.alias
>  ** Calculated: "gateway-identity-keystore-password"
>  * TLS Keystore Type
>  ** Gateway-site property: gateway.tls.keystore.type
>  ** Calculated: “jks”
>  * TLS Key Alias
>  ** Gateway-site property: gateway.tls.key.alias
>  ** Calculated: “gateway-identity”
>  * TLS Key Passphrase Alias (value to be stored in the Knox Gateway 
> credential store)
>  ** Gateway-site property: gateway.tls.key.passphrase.alias
>  ** Calculated: "gateway-identity-passphrase"
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
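As an added illustration of the lookup order described in the issue above (this is example code, not code from Knox or from the pull request), the following Python models how the effective keystore path, key alias and password sources would be resolved under the proposed properties. It assumes the consistent home-directory order the note asks for (system property, then environment variable, then gateway-site property), uses a plain dict in place of the Knox credential store, and takes the property names and defaults from the issue text; the password fallback order (key passphrase alias, then keystore password alias, then master secret) follows the `RemoteAliasService` change discussed later in this thread.

```python
"""Resolve the effective Knox Gateway TLS keystore settings.

Added example, not Knox code.  It models the lookup order described in
KNOX-1756: JVM system property, then environment variable, then
gateway-site property, then a calculated default, and reports which
credential-store alias (or the master secret) will supply each password.
The credential store is a plain dict standing in for Knox's
__gateway-credentials.jceks.
"""
import os
from typing import Mapping, Optional

# Defaults proposed in KNOX-1756 for the new gateway-site properties.
DEFAULT_KEYSTORE_PASSWORD_ALIAS = "gateway-identity-keystore-password"
DEFAULT_KEYSTORE_TYPE = "jks"
DEFAULT_KEY_ALIAS = "gateway-identity"
DEFAULT_KEY_PASSPHRASE_ALIAS = "gateway-identity-passphrase"


def _first(*candidates: Optional[str]) -> Optional[str]:
    """Return the first candidate that is set and non-empty, else None."""
    for value in candidates:
        if value:
            return value
    return None


def resolve_tls_settings(site: Mapping[str, str],
                         sysprops: Mapping[str, str],
                         env: Mapping[str, str],
                         sep: str = os.sep) -> dict:
    """Compute the effective directories and TLS keystore settings.

    site     -- gateway-site.xml properties as a dict
    sysprops -- JVM -D system properties
    env      -- process environment
    The directory precedence is the consistent order the issue asks for.
    """
    home = _first(sysprops.get("GATEWAY_HOME"), env.get("GATEWAY_HOME"),
                  site.get("gateway.home.dir"))
    if home is None:
        raise ValueError("GATEWAY_HOME is not set by any source")
    data = _first(sysprops.get("GATEWAY_DATA_HOME"), env.get("GATEWAY_DATA_HOME"),
                  site.get("gateway.data.dir")) or sep.join([home, "data"])
    security = site.get("gateway.security.dir") or sep.join([data, "security"])
    # Calculated default: [Security Directory]/keystores/gateway.jks
    keystore_path = site.get("gateway.tls.keystore.path") or sep.join(
        [security, "keystores", "gateway.jks"])
    return {
        "home_dir": home,
        "data_dir": data,
        "security_dir": security,
        "keystore_path": keystore_path,
        "keystore_type": site.get("gateway.tls.keystore.type", DEFAULT_KEYSTORE_TYPE),
        "keystore_password_alias": site.get("gateway.tls.keystore.password.alias",
                                            DEFAULT_KEYSTORE_PASSWORD_ALIAS),
        "key_alias": site.get("gateway.tls.key.alias", DEFAULT_KEY_ALIAS),
        "key_passphrase_alias": site.get("gateway.tls.key.passphrase.alias",
                                         DEFAULT_KEY_PASSPHRASE_ALIAS),
    }


def effective_secret_sources(settings: dict,
                             credential_store: Mapping[str, str]) -> dict:
    """Report where the keystore password and key passphrase will come from.

    Fallback order: key passphrase alias -> keystore password alias ->
    master secret.  Only the *source* is returned, never the secret, so the
    result is safe to log when diagnosing a misconfigured alias.
    """
    ks_alias = settings["keystore_password_alias"]
    key_alias = settings["key_passphrase_alias"]
    ks_source = f"alias:{ks_alias}" if ks_alias in credential_store else "master-secret"
    # A missing key passphrase alias silently degrades to the keystore password.
    key_source = f"alias:{key_alias}" if key_alias in credential_store else ks_source
    return {"keystore_password": ks_source, "key_passphrase": key_source}


if __name__ == "__main__":
    # Constructed sample: an operator points Knox at a host-wide PKCS12 file
    # and stores only the keystore password in the credential store.
    site = {"gateway.tls.keystore.path": "/etc/pki/knox/host.p12",
            "gateway.tls.keystore.type": "pkcs12",
            "gateway.tls.key.alias": "host-cert"}
    settings = resolve_tls_settings(site, {}, {"GATEWAY_HOME": "/opt/knox"}, sep="/")
    store = {"gateway-identity-keystore-password": "<redacted>"}
    for k, v in settings.items():
        print(f"{k:25s} {v}")
    print(effective_secret_sources(settings, store))
```

The second function is the check an operator wants before restarting the gateway: if it reports `master-secret` for a keystore that was generated outside Knox, the configured alias was not created (or was misspelled) and the TLS listener will fail to open the key.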


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202040&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202040
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 16:21
Start Date: 21/Feb/19 16:21
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r259004714
 
 

 ##
 File path: 
gateway-test/src/test/java/org/apache/knox/gateway/AmbariServiceDefinitionTest.java
 ##
 @@ -352,4 +366,28 @@ public void contextPathInViewsResponse() throws Exception 
{
 LOG_EXIT();
   }
 
+  private static void createTestKeystore()
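Review bot: only the signature of `createTestKeystore()` is visible here, but adding a private static keystore-generation helper to `AmbariServiceDefinitionTest` duplicates logic that already exists in `GatewayTestDriver`; either move that helper (together with the `X509CertificateUtil` dependency it needs from `gateway-server`) into the shared `gateway-test-utils` module, or have this test reuse the driver, so the keystore layout the tests create stays in step with the path and alias defaults this change makes configurable.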
 
 Review comment:
   H - Not sure if it is possible to move the create test keystore method 
from `GatewayTestDriver` to `gateway-test-utils` module `TestUtils`? It looks 
like it relies on stuff in `gateway-server` like `X509CertificateUtil`. 
   
   Just seems really ugly to have this block of code copied around.
 



Issue Time Tracking
---

Worklog Id: (was: 202040)
Time Spent: 6.5h  (was: 6h 20m)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 6.5h
>  Remaining Estimate: 0h
>





[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202029&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202029
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 16:15
Start Date: 21/Feb/19 16:15
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r259001147
 
 

 ##
 File path: 
gateway-test/src/test/java/org/apache/knox/gateway/AmbariServiceDefinitionTest.java
 ##
 @@ -352,4 +366,28 @@ public void contextPathInViewsResponse() throws Exception 
{
 LOG_EXIT();
   }
 
+  private static void createTestKeystore()
 
 Review comment:
   It is... I had an issue with that too, but I was not sure if introducing the 
GatewayTestDriver was appropriate. If we think it is ok, then I am all for the 
code reuse. 
   
 



Issue Time Tracking
---

Worklog Id: (was: 202029)
Time Spent: 6h 10m  (was: 6h)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 6h 10m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202028&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202028
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 16:14
Start Date: 21/Feb/19 16:14
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r259001147
 
 

 ##
 File path: 
gateway-test/src/test/java/org/apache/knox/gateway/AmbariServiceDefinitionTest.java
 ##
 @@ -352,4 +366,28 @@ public void contextPathInViewsResponse() throws Exception 
{
 LOG_EXIT();
   }
 
+  private static void createTestKeystore()
 
 Review comment:
   It is... I had an issue with that too, but I was not sure if introducing the 
GatewayDriver was appropriate. If we think it is ok, then I am all for the 
code reuse. 
   
 



Issue Time Tracking
---

Worklog Id: (was: 202028)
Time Spent: 6h  (was: 5h 50m)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 6h
>  Remaining Estimate: 0h
>





[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202026&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202026
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 16:13
Start Date: 21/Feb/19 16:13
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r259000579
 
 

 ##
 File path: 
gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
 ##
 @@ -91,6 +91,11 @@ public String getGatewaySecurityDir() {
 return gatewayHomeDir + "/security";
   }
 
+  @Override
+  public String getGatewayKeystoreDir() {
+return getGatewaySecurityDir() + "/keystores";
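Review bot: `getGatewayKeystoreDir()` builds the path with a literal "/" (as `getGatewaySecurityDir()` just above it does), so on Windows the test config resolves a different string than a separator-aware gateway implementation would, and tests comparing the two paths will not exercise the same logic; suggest `Paths.get(getGatewaySecurityDir(), "keystores").toString()` (or `File.separator`), and convert the other concatenations in this file the same way so the test config and the gateway agree on the path.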
 
 Review comment:
   Should I convert all of the path concatenations in the file?
 



Issue Time Tracking
---

Worklog Id: (was: 202026)
Time Spent: 5h 50m  (was: 5h 40m)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 5h 50m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202023&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202023
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 16:12
Start Date: 21/Feb/19 16:12
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r25994
 
 

 ##
 File path: 
gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
 ##
 @@ -91,6 +91,11 @@ public String getGatewaySecurityDir() {
 return gatewayHomeDir + "/security";
   }
 
+  @Override
+  public String getGatewayKeystoreDir() {
+return getGatewaySecurityDir() + "/keystores";
 
 Review comment:
   I thought about that since I did it in other places, but it goes against the 
general style of the file... so I didn't do it that way. I will fix it though. 
 



Issue Time Tracking
---

Worklog Id: (was: 202023)
Time Spent: 5h 40m  (was: 5.5h)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 5h 40m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202015&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202015
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 15:57
Start Date: 21/Feb/19 15:57
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r258992614
 
 

 ##
 File path: 
gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/RemoteAliasService.java
 ##
 @@ -379,8 +378,44 @@ public void generateAliasForCluster(final String 
clusterName,
 
   @Override
   public char[] getGatewayIdentityPassphrase() throws AliasServiceException {
-char[] passphrase = getPasswordFromAliasForGateway(
-GATEWAY_IDENTITY_PASSPHRASE);
+char[] passphrase = 
getPasswordFromAliasForGateway(config.getIdentityKeyPassphraseAlias());
+if (passphrase == null) {
+  // Fall back to the keystore password if a key-specific password was not 
explicitly set.
+  passphrase = getGatewayIdentityKeystorePassword();
+}
+if (passphrase == null) {
+  // Use the master password if not password was found
+  passphrase = ms.getMasterSecret();
+}
+return passphrase;
+  }
+
+  @Override
+  public char[] getGatewayIdentityKeystorePassword() throws 
AliasServiceException {
+char[] passphrase = 
getPasswordFromAliasForGateway(config.getIdentityKeystorePasswordAlias());
+if (passphrase == null) {
+  passphrase = ms.getMasterSecret();
+}
+return passphrase;
+  }
+
+  @Override
+  public char[] getSigningKeyPassphrase() throws AliasServiceException {
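Review bot: both `getGatewayIdentityPassphrase()` and `getGatewayIdentityKeystorePassword()` hand back the array from `ms.getMasterSecret()` directly when no alias is found; if the master service returns its internal buffer, any caller that wipes the passphrase after use will zero the master secret for the whole process, so return a copy (`passphrase.clone()`) on that fallback. The silent fallback chain also hides misconfiguration: a typo in `gateway.tls.key.passphrase.alias` quietly degrades to the keystore password and then to the master secret, so log at debug level (the alias name, never the value) which source was used. Minor: the comment "Use the master password if not password was found" should read "if no password was found".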
 
 Review comment:
   I thought of this, but the fallback call `getSigningKeystorePassword` vs 
`getSigningKeystorePassword` would cause the need to provide some implemented 
interface. I think that may be more work than the duplicated code. However, 
`getSigningKeystorePassword` and `getGatewayIdentityKeystorePassword` may all fall 
into this category for code reuse. 
 



Issue Time Tracking
---

Worklog Id: (was: 202015)
Time Spent: 5.5h  (was: 5h 20m)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 5.5h
>  Remaining Estimate: 0h
>

[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=202000&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-202000
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 15:50
Start Date: 21/Feb/19 15:50
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r258989316
 
 

 ##
 File path: 
gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java
 ##
 @@ -450,6 +481,22 @@ private void removeFromCache(String clusterName, String 
alias) {
 
   @Override
   public String getKeystorePath() {
-return keyStoreDir + GATEWAY_KEYSTORE;
+return config.getIdentityKeystorePath();
+  }
+
+  private char[] getIdentityKeystorePassword() throws KeystoreServiceException 
{
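Review bot: `getKeystorePath()` now returns `config.getIdentityKeystorePath()` unchanged, and with `gateway.tls.keystore.path` that value may point anywhere on the host; the service should fail fast at startup with a message naming the configured path when the file is missing or unreadable, rather than surfacing a generic keystore exception later, and a relative value should be resolved against a documented base directory (or rejected) so the effective path does not depend on the JVM's working directory.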
 
 Review comment:
   Agreed... will change.
 



Issue Time Tracking
---

Worklog Id: (was: 202000)
Time Spent: 5h 20m  (was: 5h 10m)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 5h 20m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=201998&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-201998
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 15:47
Start Date: 21/Feb/19 15:47
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r258987530
 
 

 ##
 File path: 
gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java
 ##
 @@ -300,6 +310,27 @@ public Key getKeyForGateway(String alias, char[] 
passphrase) throws KeystoreServ
 }
   }
 
+  @Override
+  public Key getKeyForGateway(char[] passphrase) throws 
KeystoreServiceException {
+return getKeyForGateway(config.getIdentityKeyAlias(), passphrase);
+  }
+
+  @Override
+  public Certificate getCertificateForGateway() throws 
KeystoreServiceException, KeyStoreException {
+Certificate cert = null;
+readLock.lock();
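Review bot: `readLock.lock();` is the last visible line of `getCertificateForGateway()` and the hunk ends before the release; please confirm the rest of the body is `try { ... } finally { readLock.unlock(); }` so that a `KeyStoreException` thrown during the lookup cannot leave the read lock held. Also, since the new `getKeyForGateway(char[] passphrase)` resolves the alias via `config.getIdentityKeyAlias()`, `getCertificateForGateway()` should use the same configured alias rather than a literal "gateway-identity", otherwise a custom `gateway.tls.key.alias` would work for the key but not for the certificate.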
 
 Review comment:
   Agree.. nice catch. Fixing. 
 



Issue Time Tracking
---

Worklog Id: (was: 201998)
Time Spent: 5h 10m  (was: 5h)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 5h 10m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=201992&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-201992
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 15:44
Start Date: 21/Feb/19 15:44
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r258986214
 
 

 ##
 File path: 
gateway-provider-security-pac4j/src/main/java/org/apache/knox/gateway/pac4j/filter/Pac4jDispatcherFilter.java
 ##
 @@ -201,15 +211,11 @@ private void addDefaultConfig(String 
clientNameParameter, Map pr
   catch(AliasServiceException ase) {
 log.noPrivateKeyPasshraseProvisioned(ase);
   }
-  if (gip != null) {
-properties.put(PropertiesConfigFactory.SAML_PRIVATE_KEY_PASSWORD,
-new String(gip));
-  }
-  else {
+  if (gip == null) {
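Review bot: the `catch(AliasServiceException ase)` branch logs through `noPrivateKeyPasshraseProvisioned` (note the misspelling `Passhrase`) and then drops into the same `if (gip == null)` fallback as the unprovisioned case, so a mistyped `gateway.tls.key.passphrase.alias` is indistinguishable in the logs from an alias that was never created. Include the alias name that was looked up in that log message, and fix the method name spelling, so an operator can tell the two apart before the gateway silently falls back to the master secret.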
 
 Review comment:
   That would be outside the scope of this patch. But I would have loved to do 
it. 
 



Issue Time Tracking
---

Worklog Id: (was: 201992)
Time Spent: 4h 50m  (was: 4h 40m)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 4h 50m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=201993&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-201993
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 15:44
Start Date: 21/Feb/19 15:44
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r258986451
 
 

 ##
 File path: 
gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultAliasService.java
 ##
 @@ -39,14 +39,20 @@
 public class DefaultAliasService implements AliasService {
   private static final GatewayMessages LOG = MessagesFactory.get( 
GatewayMessages.class );
 
-  private static final String GATEWAY_IDENTITY_PASSPHRASE = 
"gateway-identity-passphrase";
+  protected static char[] chars = { 'a', 'b', 'c', 'd', 'e', 'f', 'g',
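Review bot: the `protected static char[] chars = { 'a', 'b', ...` added where the `GATEWAY_IDENTITY_PASSPHRASE` constant was removed is unrelated to this change and reads like merge residue; drop it from the patch. If it is genuinely needed, a non-final `protected static` array is shared mutable state that any subclass can rewrite, so it should at least be `private static final`. Removing the constant also means every former caller must now obtain the alias from configuration, so please check that nothing still hard-codes "gateway-identity-passphrase".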
 
 Review comment:
   I will look into that. Must be a merging issue. Thanks. 
 



Issue Time Tracking
---

Worklog Id: (was: 201993)
Time Spent: 5h  (was: 4h 50m)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 5h
>  Remaining Estimate: 0h
>





[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=201991&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-201991
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 15:43
Start Date: 21/Feb/19 15:43
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r258985959
 
 

 ##
 File path: 
gateway-provider-security-pac4j/src/main/java/org/apache/knox/gateway/pac4j/filter/Pac4jDispatcherFilter.java
 ##
 @@ -190,8 +190,18 @@ private void addDefaultConfig(String clientNameParameter, 
Map pr
   properties.put(PropertiesConfigFactory.SAML_KEYSTORE_PATH,
   keystoreService.getKeystorePath());
 
-  properties.put(PropertiesConfigFactory.SAML_KEYSTORE_PASSWORD,
-  new String(masterService.getMasterSecret()));
+  // check for provisioned alias for keystore password
+  char[] giksp = null;
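Review bot: this block hands pac4j only `SAML_KEYSTORE_PATH` (from `keystoreService.getKeystorePath()`) and a password, while the keystore type is now configurable; if `gateway.tls.keystore.type` is PKCS12, as the test in this PR configures, please confirm the SAML client can still open the identity keystore, or document that the SAML provider assumes a JKS identity keystore. The removed `new String(masterService.getMasterSecret())` shows the secret ends up as an immutable `String` in the properties map; the new `giksp` `char[]` will take the same route, so a short comment that the char array cannot be scrubbed after this point would save the next reader a false sense of safety.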
 
 Review comment:
   It is possible, but I was trying to keep with the style of the file (and 
method impl) where `gip` (Gateway Identity Password) was already used.  In an 
effort to not add more lines to the patch, I left `giksp` and `gip` rather than 
changing both to `gatewayIdentityKeystorePassword` and 
`gatewayIdentityPassword` or `identityKeystorePassword` and `identityPassword`, 
or whatnot. 
 



Issue Time Tracking
---

Worklog Id: (was: 201991)
Time Spent: 4h 40m  (was: 4.5h)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 4h 40m
>  Remaining Estimate: 0h
>

[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=201869&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-201869
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 10:46
Start Date: 21/Feb/19 10:46
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r258870233
 
 

 ##
 File path: 
gateway-server/src/test/java/org/apache/knox/gateway/config/impl/GatewayConfigImplTest.java
 ##
 @@ -292,5 +295,55 @@ public void testGetReadOnlyOverrideTopologyNames() {
 assertTrue(names.contains("default"));
   }
 
+  // KNOX-1756
+  @Test
+  public void testCustomIdentityKeystoreOptions() {
+GatewayConfigImpl config = new GatewayConfigImpl();
+
+// Validate default options (backwards compatibility)
+assertEquals("gateway-identity", config.getIdentityKeyAlias());
+assertEquals("gateway-identity-passphrase", 
config.getIdentityKeyPassphraseAlias());
+assertEquals("gateway-identity", config.getSigningKeyAlias());
+assertEquals("gateway-identity-passphrase", 
config.getSigningKeyPassphraseAlias());
+assertNull(config.getSigningKeystoreName());
+
+// Validate default options (new)
+assertEquals(GatewayConfig.DEFAULT_IDENTITY_KEYSTORE_PASSWORD_ALIAS, 
config.getIdentityKeystorePasswordAlias());
+assertEquals(GatewayConfig.DEFAULT_IDENTITY_KEYSTORE_TYPE, 
config.getIdentityKeystoreType());
+assertEquals(Paths.get(config.getGatewayKeystoreDir(), 
"gateway.jks").toAbsolutePath().toString(),
+config.getIdentityKeystorePath());
+
+// By default the signing keystore name will not be set, so the values 
will be taken from the identity's configs
+assertEquals(config.getIdentityKeystorePath(), 
config.getSigningKeystorePath());
+assertEquals(config.getIdentityKeystorePasswordAlias(), 
config.getSigningKeystorePasswordAlias());
+assertEquals(config.getIdentityKeystoreType(), 
config.getSigningKeystoreType());
+assertEquals(config.getIdentityKeyAlias(), config.getSigningKeyAlias());
+assertEquals(config.getIdentityKeyPassphraseAlias(), 
config.getSigningKeyPassphraseAlias());
+
+// Validate changed options
+config.set("gateway.tls.key.alias", "custom_key_alias");
+config.set("gateway.tls.key.passphrase.alias", 
"custom_key_passphrase_alias");
+config.set("gateway.tls.keystore.path", 
"/custom/keystore/path/keystore.p12");
+config.set("gateway.tls.keystore.type", "PKCS12");
+config.set("gateway.tls.keystore.password.alias", 
"custom_keystore_password_alias");
+
+config.set("gateway.signing.key.alias", "custom_key_alias");
+config.set("gateway.signing.key.passphrase.alias", 
"custom_key_passphrase_alias");
+config.set("gateway.signing.keystore.name", "custom_keystore_name");
+config.set("gateway.signing.keystore.type", "PKCS12");
+config.set("gateway.signing.keystore.password.alias", 
"custom_keystore_password_alias");
+
+assertEquals("custom_key_alias", config.getIdentityKeyAlias());
+assertEquals("custom_key_passphrase_alias", 
config.getIdentityKeyPassphraseAlias());
+assertEquals("/custom/keystore/path/keystore.p12", 
config.getIdentityKeystorePath());
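Review bot: the custom-path assertion `assertEquals("/custom/keystore/path/keystore.p12", config.getIdentityKeystorePath())` hard-codes a POSIX separator, while the default-path assertion above builds its expected value with `Paths.get(...).toAbsolutePath()`; construct the expected custom path the same way so the test is not Windows-specific. The hunk also sets all five `gateway.signing.*` overrides but ends before any assertion on them; make sure the remainder asserts that the signing getters stop mirroring the identity values once `gateway.signing.keystore.name` is set, otherwise only the fallback branch checked earlier in this test is covered.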
 
 Review comment:
   Might to be OS non specific separator?
 



Issue Time Tracking
---

Worklog Id: (was: 201869)
Time Spent: 4h 10m  (was: 4h)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 4h 10m
>  Remaining Estimate: 0h
>

[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=201865&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-201865
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 10:46
Start Date: 21/Feb/19 10:46
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r258869166
 
 

 ##
 File path: 
gateway-server/src/test/java/org/apache/knox/gateway/websockets/WebsocketEchoTest.java
 ##
 @@ -369,4 +447,28 @@ public void handleTopologyEvent(List 
events) {
   }
 }
   }
+
+  private static void createTestKeystore()
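Review bot: `createTestKeystore()` is a `private static` helper added to this test class, and the question below suggests the same logic already exists in the gateway test driver; move it to a shared test utility rather than keeping two copies that will drift. Whatever it writes should go under a per-test temporary directory that is deleted afterwards, so parallel test runs neither share nor clobber the same keystore file.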
 
 Review comment:
   Duplicated in gatewaytestdriver?
 



Issue Time Tracking
---

Worklog Id: (was: 201865)
Time Spent: 3h 40m  (was: 3.5h)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 3h 40m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=201868&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-201868
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 10:46
Start Date: 21/Feb/19 10:46
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r258870537
 
 

 ##
 File path: 
gateway-provider-security-pac4j/src/main/java/org/apache/knox/gateway/pac4j/Pac4jMessages.java
 ##
 @@ -47,4 +47,8 @@
   @Message( level = MessageLevel.INFO, text =
   "No private key passphrase alias found. Defaulting to master. Exception 
encountered: {0}")
   void noPrivateKeyPasshraseProvisioned(Exception e);
+
+  @Message( level = MessageLevel.ERROR, text =
+  "No keystore password alias found. Defaulting to master. Exception 
encountered: {0}")
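Review bot: the new message is declared at `MessageLevel.ERROR` while the adjacent message for the equivalent condition, `noPrivateKeyPasshraseProvisioned`, is at `INFO`; both describe an alias missing from the credential store followed by a fallback to the master secret, so they should share one level, and WARN fits a configuration gap that does not stop the gateway better than either. Say "Defaulting to master secret" in both texts, and include the alias that was looked up alongside the `{0}` exception so the operator knows which entry to provision. The `Passhrase` misspelling in the existing method name is worth fixing while this file is open.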
 
 Review comment:
   Defaulting to master secret
 



Issue Time Tracking
---

Worklog Id: (was: 201868)
Time Spent: 4h  (was: 3h 50m)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 4h
>  Remaining Estimate: 0h
>





[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=201864&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-201864
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 10:46
Start Date: 21/Feb/19 10:46
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r258867473
 
 

 ##
 File path: 
gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
 ##
 @@ -135,6 +140,31 @@ public long getGatewayIdleTimeout() {
 return 0L;
   }
 
+  @Override
+  public String getIdentityKeystorePath() {
+return getGatewayKeystoreDir() + "/" + DEFAULT_GATEWAY_KEYSTORE_NAME;
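Review bot: `getIdentityKeystorePath` joins the directory and file name with a literal "/"; use `Paths.get(getGatewayKeystoreDir(), DEFAULT_GATEWAY_KEYSTORE_NAME).toString()` so the test config resolves the path the same way on every OS. It also returns a fixed value, so no test can point the gateway at a non-default keystore location, which is exactly the behaviour KNOX-1756 introduces; a settable field with this expression as its default would let a test cover the configured case.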
 
 Review comment:
   Use Paths.get or non os specific separator
 



Issue Time Tracking
---

Worklog Id: (was: 201864)
Time Spent: 3.5h  (was: 3h 20m)



[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=201870&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-201870
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 10:46
Start Date: 21/Feb/19 10:46
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r258869558
 
 

 ##
 File path: 
gateway-server/src/test/java/org/apache/knox/gateway/websockets/BadUrlTest.java
 ##
 @@ -290,4 +369,28 @@ public void handleTopologyEvent(List 
events) {
   }
 }
   }
+
+  private static void createTestKeystore()
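Review bot: `createTestKeystore` in BadUrlTest re-implements keystore setup that this same PR adds to GatewayTestDriver as `setupTestKeystore` (key generation, certificate, keystore write); each test class keeping its own copy means key size, signature algorithm and alias handling can drift between them. Have the test call the driver helper, with its `cleanupTestKeystore` counterpart from an `@AfterClass`, instead of carrying a private copy.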
 
 Review comment:
   Duplicated in gatewaytestdriver?
 



Issue Time Tracking
---

Worklog Id: (was: 201870)
Time Spent: 4h 20m  (was: 4h 10m)



[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=201871&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-201871
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 10:46
Start Date: 21/Feb/19 10:46
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r258867842
 
 

 ##
 File path: 
gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestDriver.java
 ##
 @@ -261,6 +273,39 @@ public String getLdapUrl() {
 return "ldap://localhost:"; + 
ldapTransport.getAcceptor().getLocalAddress().getPort();
   }
 
+  public void setupTestKeystore(GatewayConfig config, char[] password)
+  throws NoSuchAlgorithmException, CertificateException, 
KeyStoreException, IOException {
+
+String alias = config.getIdentityKeyAlias();
+
+// Ensure parent directory exists...
+Path keystoreFile = Paths.get(config.getIdentityKeystorePath());
+Files.createDirectories(keystoreFile.getParent());
+
+KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
+kpg.initialize(2048);
+KeyPair keyPair = kpg.generateKeyPair();
+
+Certificate cert = 
X509CertificateUtil.generateCertificate("CN=localhost,OU=Test,O=Hadoop,L=Test,ST=Test,C=US",
 keyPair, 365, "SHA1withRSA");
+
+KeyStore keyStore = KeyStore.getInstance(config.getIdentityKeystoreType());
+keyStore.load(null, password);
+keyStore.setCertificateEntry(alias, cert);
+keyStore.setKeyEntry(alias, keyPair.getPrivate(), password, new 
java.security.cert.Certificate[]{cert});
+try (OutputStream out = Files.newOutputStream(keystoreFile)) {
+  keyStore.store(out, password);
+}
+  }
+
+  public void cleanupTestKeystore(GatewayConfig config) {
+try {
+  
Files.delete(Paths.get(config.getIdentityKeystorePath()).toAbsolutePath());
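Review bot: `keyStore.setCertificateEntry(alias, cert)` followed by `keyStore.setKeyEntry(alias, ...)` under the same alias is redundant; `setKeyEntry` replaces whatever entry the alias already holds, so only the key entry survives and the first call should go. Two further points in `setupTestKeystore`: the certificate is signed with "SHA1withRSA", and SHA-1 signatures are being disabled by JDK security properties and rejected by some TLS clients, so use "SHA256withRSA" even for a test certificate; and the same `password` array is used for both the keystore and the key entry, so the tests never exercise the case KNOX-1756 explicitly adds, a key passphrase that differs from the keystore password. In `cleanupTestKeystore`, `Files.deleteIfExists` avoids the exception when the file was never created.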
 
 Review comment:
   Fileutils delete quietly maybe?
 



Issue Time Tracking
---

Worklog Id: (was: 201871)
Time Spent: 4.5h  (was: 4h 20m)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=201866&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-201866
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 10:46
Start Date: 21/Feb/19 10:46
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r258868119
 
 

 ##
 File path: 
gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
 ##
 @@ -376,9 +406,29 @@ public String getSigningKeystoreName() {
 return null;
   }
 
+  @Override
+  public String getSigningKeystorePath() {
+return getGatewayKeystoreDir() + "/" + DEFAULT_GATEWAY_KEYSTORE_NAME;
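Review bot: same literal "/" as in `getIdentityKeystorePath`; build the path with `Paths.get(...)`. Beyond that, `getSigningKeystorePath` returns the identity keystore file (`DEFAULT_GATEWAY_KEYSTORE_NAME`) while `getSigningKeystoreName` just above still returns null, so the two signing-keystore accessors disagree about whether a separate signing keystore is configured; either derive the path from the name or state in a comment that the signing key lives in the identity keystore by default.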
 
 Review comment:
   Use Paths.get or non os specific separator
 



Issue Time Tracking
---

Worklog Id: (was: 201866)
Time Spent: 3h 50m  (was: 3h 40m)



[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=201863&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-201863
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 10:46
Start Date: 21/Feb/19 10:46
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r258866920
 
 

 ##
 File path: 
gateway-test/src/test/java/org/apache/knox/gateway/AmbariServiceDefinitionTest.java
 ##
 @@ -352,4 +366,28 @@ public void contextPathInViewsResponse() throws Exception 
{
 LOG_EXIT();
   }
 
+  private static void createTestKeystore()
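Review bot: this is another test class in the PR adding a private `createTestKeystore`; keep the single copy in GatewayTestDriver and call it from here, so a later change (for example to the signature algorithm or key size) is made once. If each test needs its own keystore location, pass the `GatewayConfig` to the shared helper, which already takes `getIdentityKeystorePath()` and `getIdentityKeyAlias()` from it.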
 
 Review comment:
   Duplicated in gatewaytestdriver?
 



Issue Time Tracking
---

Worklog Id: (was: 201863)



[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=201862&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-201862
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 10:46
Start Date: 21/Feb/19 10:46
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r258866040
 
 

 ##
 File path: 
gateway-test-release-utils/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
 ##
 @@ -91,6 +91,11 @@ public String getGatewaySecurityDir() {
 return gatewayHomeDir + "/security";
   }
 
+  @Override
+  public String getGatewayKeystoreDir() {
+return getGatewaySecurityDir() + "/keystores";
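Review bot: `getGatewaySecurityDir() + "/keystores"` hard-codes the separator; use `Paths.get(getGatewaySecurityDir(), "keystores").toString()`. Note also the unchanged context line `return gatewayHomeDir + "/security";`: the test config derives the security directory from the home directory, while the issue states it is calculated as [Data Directory] + "security", so the tests run with a directory layout the gateway itself would not compute.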
 
 Review comment:
   Use Paths.get or non os specific separator
 



Issue Time Tracking
---

Worklog Id: (was: 201862)
Time Spent: 3h 20m  (was: 3h 10m)



[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=201867&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-201867
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 10:46
Start Date: 21/Feb/19 10:46
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r258872388
 
 

 ##
 File path: 
gateway-server/src/test/java/org/apache/knox/gateway/websockets/WebsocketMultipleConnectionTest.java
 ##
 @@ -352,4 +430,28 @@ public void onOpen(Session session, EndpointConfig 
config) {
   session.addMessageHandler(this);
 }
   }
+
+  private static void createTestKeystore()
+  throws NoSuchAlgorithmException, CertificateException, 
KeyStoreException, IOException {
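Review bot: the signature `createTestKeystore() throws NoSuchAlgorithmException, CertificateException, KeyStoreException, IOException` is identical to `GatewayTestDriver.setupTestKeystore`, which confirms this is a copy of the same routine; replace the body with a call to the driver helper. A static helper that takes no arguments also has to hard-code the keystore path and alias, so it cannot follow a `GatewayConfig` whose `getIdentityKeystorePath()` a test overrides.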
 
 Review comment:
   Duplicated in gatewaytestdriver?
 



Issue Time Tracking
---

Worklog Id: (was: 201867)
Time Spent: 4h  (was: 3h 50m)



[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=201803&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-201803
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 08:29
Start Date: 21/Feb/19 08:29
Worklog Time Spent: 10m 
  Work Description: smolnar82 commented on pull request #56: KNOX-1756 - 
Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r258820461
 
 

 ##
 File path: 
gateway-server/src/main/java/org/apache/knox/gateway/util/KnoxCLI.java
 ##
 @@ -652,34 +653,49 @@ public void execute() throws Exception {
  if 
(!ks.isCredentialStoreForClusterAvailable(GATEWAY_CREDENTIAL_STORE_NAME)) {
 //   log.creatingCredentialStoreForGateway();
ks.createCredentialStoreForCluster(GATEWAY_CREDENTIAL_STORE_NAME);
- }
- else {
+ } else {
 //   log.credentialStoreForGatewayFoundNotCreating();
  }
  // LET'S NOT GENERATE A DIFFERENT KEY PASSPHRASE BY DEFAULT ANYMORE
  // IF A DEPLOYMENT WANTS TO CHANGE THE KEY PASSPHRASE TO MAKE IT MORE 
SECURE THEN
  // THEY CAN ADD THE ALIAS EXPLICITLY WITH THE CLI
  //as.generateAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME, 
GATEWAY_IDENTITY_PASSPHRASE);
} catch (KeystoreServiceException e) {
- throw new ServiceLifecycleException("Keystore was not loaded properly 
- the provided (or persisted) master secret may not match the password for the 
keystore.", e);
+ throw new ServiceLifecycleException("Keystore was not loaded properly 
- the stored password may not match the password for the keystore.", e);
}
 
try {
  if (!ks.isKeystoreForGatewayAvailable()) {
 //   log.creatingKeyStoreForGateway();
ks.createKeystoreForGateway();
- }
- else {
+ } else {
 //   log.keyStoreForGatewayFoundNotCreating();
  }
- char[] passphrase = 
as.getPasswordFromAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME, 
GATEWAY_IDENTITY_PASSPHRASE);
- if (passphrase == null) {
-   MasterService ms = services.getService("MasterService");
-   passphrase = ms.getMasterSecret();
+ boolean isSelfSigned;
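Review bot: the removed block was the only fallback for a missing identity passphrase (`if (passphrase == null) { ... passphrase = ms.getMasterSecret(); }`) and its replacement is not visible in this hunk; the comment kept just above ("THEY CAN ADD THE ALIAS EXPLICITLY WITH THE CLI") implies existing deployments have no such alias, so the new code must still fall back to the master secret or an upgraded gateway cannot open its own key. `boolean isSelfSigned;` is declared uninitialised well before its use; declare it where it is first assigned. Lastly, the `- }` / `- else {` / `+ } else {` brace reflow and the reworded exception message mix formatting with behaviour changes in one hunk, which makes the functional diff harder to review.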
 
 Review comment:
   Moving this declaration where you initiate the variable?
 



Issue Time Tracking
---

Worklog Id: (was: 201803)
Time Spent: 3h  (was: 2h 50m)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 3h
>  Remaining Estimate: 0h
>
> h1. Problem
> The location of the keystore housing the Knox Gateway TLS certificate is 
> hardcoded to {{/keystores/gateway.jks}} and the 
> certificate alias is hardcoded to “{{gateway-identity}}”. This limits the 
> ability for external management facilities to setup a custom TLS key and 
> certificate for the Knox Gateway. For example, a host-wide, CA-signed, TLS 
> certificate.
> Knox has configuration hooks for the following (optional) properties
>  * Home Directory
>  ** Gateway-site property: GATEWAY_HOME
>  ** System property: GATEWAY_HOME
>  ** Environment variable: GATEWAY_HOME
>  * Data Directory
>  ** System property: GATEWAY_DATA_HOME
>  ** Environment variable: GATEWAY_DATA_HOME
>  ** Gateway-site property: gateway.data.dir
>  ** Calculated: [Home Directory] + [Path Separator] + “data”
>  * Security Directory
>  ** Gateway-site property: gateway.security.dir
>  ** Calculated: [Data Directory] + [Path Separator] + “security”
> *Note*: the calculation for the home directory is inconsistent with the other 
> directory calculations. This inconsistency may be confusing to users and thus 
> should be fixed to be
>  * System property: GATEWAY_HOME
>  * Environment variable: GATEWAY_HOME
>  * Gateway-site property: gateway.home.dir
> The path to the Knox Gateway TLS keystore is calculated as
> {noformat}
> [Security Directory] + [Path Separator] + “keystores” + [Path Separator] + 
> “gateway.jks”
> {noformat}
> h1. Solution
> To make it easier

[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=201800&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-201800
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 08:29
Start Date: 21/Feb/19 08:29
Worklog Time Spent: 10m 
  Work Description: smolnar82 commented on pull request #56: KNOX-1756 - 
Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r258807746
 
 

 ##
 File path: 
gateway-provider-security-pac4j/src/main/java/org/apache/knox/gateway/pac4j/filter/Pac4jDispatcherFilter.java
 ##
 @@ -190,8 +190,18 @@ private void addDefaultConfig(String clientNameParameter, 
Map pr
   properties.put(PropertiesConfigFactory.SAML_KEYSTORE_PATH,
   keystoreService.getKeystorePath());
 
-  properties.put(PropertiesConfigFactory.SAML_KEYSTORE_PASSWORD,
-  new String(masterService.getMasterSecret()));
+  // check for provisioned alias for keystore password
+  char[] giksp = null;
 
 Review comment:
   Is it possible that we use an easier to understand variable name here (i.e. 
`gatewayIdentityKeystorePassword`)?
 



Issue Time Tracking
---

Worklog Id: (was: 201800)
Time Spent: 2h 40m  (was: 2.5h)

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=201799&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-201799
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 08:29
Start Date: 21/Feb/19 08:29
Worklog Time Spent: 10m 
  Work Description: smolnar82 commented on pull request #56: KNOX-1756 - 
Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r258811357
 
 

 ##
 File path: 
gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultAliasService.java
 ##
 @@ -39,14 +39,20 @@
 public class DefaultAliasService implements AliasService {
   private static final GatewayMessages LOG = MessagesFactory.get( 
GatewayMessages.class );
 
-  private static final String GATEWAY_IDENTITY_PASSPHRASE = 
"gateway-identity-passphrase";
+  protected static char[] chars = { 'a', 'b', 'c', 'd', 'e', 'f', 'g',
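
Review bot: `protected static char[] chars = { 'a', ...` is non-final, mutable shared state that any subclass or same-package class can overwrite, which matters for an array that feeds password generation; if it is kept at all rather than dropped in favour of `org.apache.knox.gateway.util.PasswordUtils`, declare it `private static final`. Removing the `GATEWAY_IDENTITY_PASSPHRASE` constant here is only safe if every former user now reads the alias name from `config.getIdentityKeyPassphraseAlias()`, as RemoteAliasService does elsewhere in this PR.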
 
 Review comment:
   This was moved to `org.apache.knox.gateway.util.PasswordUtils` a couple 
of days ago and is no longer used within this class.
 



Issue Time Tracking
---

Worklog Id: (was: 201799)
Time Spent: 2.5h  (was: 2h 20m)



[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=201804&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-201804
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 08:29
Start Date: 21/Feb/19 08:29
Worklog Time Spent: 10m 
  Work Description: smolnar82 commented on pull request #56: KNOX-1756 - 
Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r258819798
 
 

 ##
 File path: 
gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/RemoteAliasService.java
 ##
 @@ -379,8 +378,44 @@ public void generateAliasForCluster(final String 
clusterName,
 
   @Override
   public char[] getGatewayIdentityPassphrase() throws AliasServiceException {
-char[] passphrase = getPasswordFromAliasForGateway(
-GATEWAY_IDENTITY_PASSPHRASE);
+char[] passphrase = 
getPasswordFromAliasForGateway(config.getIdentityKeyPassphraseAlias());
+if (passphrase == null) {
+  // Fall back to the keystore password if a key-specific password was not 
explicitly set.
+  passphrase = getGatewayIdentityKeystorePassword();
+}
+if (passphrase == null) {
+  // Use the master password if not password was found
+  passphrase = ms.getMasterSecret();
+}
+return passphrase;
+  }
+
+  @Override
+  public char[] getGatewayIdentityKeystorePassword() throws 
AliasServiceException {
+char[] passphrase = 
getPasswordFromAliasForGateway(config.getIdentityKeystorePasswordAlias());
+if (passphrase == null) {
+  passphrase = ms.getMasterSecret();
+}
+return passphrase;
+  }
+
+  @Override
+  public char[] getSigningKeyPassphrase() throws AliasServiceException {
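
Review bot: the second `if (passphrase == null)` in `getGatewayIdentityPassphrase` is unreachable in practice: `getGatewayIdentityKeystorePassword()` already returns `ms.getMasterSecret()` when the keystore-password alias is unset, so the branch only fires if the master secret itself is null. Either drop the redundant check or let the keystore-password lookup return null and keep a single master-secret fallback in the caller; the comment "Use the master password if not password was found" should read "if no password was found". The Javadoc should also state that a key passphrase silently inherits the keystore password and then the master secret, because that precedence decides which credential a deployer must provision.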
 
 Review comment:
   This is almost the same as `getGatewayIdentityPassphrase` except for the 
passphrase alias; consider creating a private method and invoke it using the 
proper parameters.
 



Issue Time Tracking
---

Worklog Id: (was: 201804)
Time Spent: 3h 10m  (was: 3h)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=201801&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-201801
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 08:29
Start Date: 21/Feb/19 08:29
Worklog Time Spent: 10m 
  Work Description: smolnar82 commented on pull request #56: KNOX-1756 - 
Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r258818070
 
 

 ##
 File path: 
gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java
 ##
 @@ -450,6 +481,22 @@ private void removeFromCache(String clusterName, String 
alias) {
 
   @Override
   public String getKeystorePath() {
-return keyStoreDir + GATEWAY_KEYSTORE;
+return config.getIdentityKeystorePath();
+  }
+
+  private char[] getIdentityKeystorePassword() throws KeystoreServiceException 
{
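
Review bot: `getKeystorePath()` switches from `keyStoreDir + GATEWAY_KEYSTORE` to `config.getIdentityKeystorePath()`, and the pac4j filter hunk in this thread feeds that same value into `SAML_KEYSTORE_PATH`; document on the method (and in the `gateway.tls.keystore.path` property description) that pointing the gateway at an external keystore also changes the keystore the SAML provider opens, and that the file should be readable only by the gateway user. The method also now returns the configured value without the `keyStoreDir` prefix, so a relative path in gateway-site would resolve against the process working directory; either resolve it against the security directory or document that the value must be absolute.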
 
 Review comment:
   `getIdentityKeystorePassword` and `getSigningKeystorePassword` have the same 
implementation except for the password alias they are fetching the credential 
for. What if you create a new private method `getKeystorePassword(String 
passwordAlias)` and you invoke this one with the proper params 
(`config.getIdentityKeystorePasswordAlias()` or 
`config.getSigningKeystorePasswordAlias()`)?
 



Issue Time Tracking
---

Worklog Id: (was: 201801)
Time Spent: 2h 50m  (was: 2h 40m)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=201798&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-201798
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 08:29
Start Date: 21/Feb/19 08:29
Worklog Time Spent: 10m 
  Work Description: smolnar82 commented on pull request #56: KNOX-1756 - 
Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r258808047
 
 

 ##
 File path: 
gateway-provider-security-pac4j/src/main/java/org/apache/knox/gateway/pac4j/filter/Pac4jDispatcherFilter.java
 ##
 @@ -201,15 +211,11 @@ private void addDefaultConfig(String 
clientNameParameter, Map pr
   catch(AliasServiceException ase) {
 log.noPrivateKeyPasshraseProvisioned(ase);
   }
-  if (gip != null) {
-properties.put(PropertiesConfigFactory.SAML_PRIVATE_KEY_PASSWORD,
-new String(gip));
-  }
-  else {
+  if (gip == null) {
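
Review bot: inverting `if (gip != null) {...} else {` into `if (gip == null) {` removes the only visible `properties.put(PropertiesConfigFactory.SAML_PRIVATE_KEY_PASSWORD, new String(gip))`; confirm that the put now follows the block unconditionally, after the null branch has filled `gip` from its fallback, otherwise a provisioned private-key passphrase is never handed to pac4j. The preceding `catch(AliasServiceException ase)` only logs and continues, so an alias-service failure and "no passphrase provisioned" look identical downstream; logging the alias name that was looked up in that catch would make the fallback diagnosable.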
 
 Review comment:
   Renaming to `gatewayIdentityPassword` or `samlPrivateKeyPassword`?
 



Issue Time Tracking
---

Worklog Id: (was: 201798)
Time Spent: 2.5h  (was: 2h 20m)



[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-21 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=201802&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-201802
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 08:29
Start Date: 21/Feb/19 08:29
Worklog Time Spent: 10m 
  Work Description: smolnar82 commented on pull request #56: KNOX-1756 - 
Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56#discussion_r258814865
 
 

 ##
 File path: 
gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java
 ##
 @@ -300,6 +310,27 @@ public Key getKeyForGateway(String alias, char[] 
passphrase) throws KeystoreServ
 }
   }
 
+  @Override
+  public Key getKeyForGateway(char[] passphrase) throws 
KeystoreServiceException {
+return getKeyForGateway(config.getIdentityKeyAlias(), passphrase);
+  }
+
+  @Override
+  public Certificate getCertificateForGateway() throws 
KeystoreServiceException, KeyStoreException {
+Certificate cert = null;
+readLock.lock();
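
Review bot: `readLock.lock()` at the end of the hunk needs its matching `unlock()` in a `finally`, since `getCertificateForGateway()` declares `KeyStoreException` and an exception on the lookup path would otherwise leave the read lock held; and because `getKeystoreForGateway` takes the same read lock (see the comment below), the nested acquisition only works if the lock is reentrant, which deserves a one-line comment or, simpler, dropping the outer lock. A Javadoc line on `getKeyForGateway(char[] passphrase)` saying it resolves the alias from `config.getIdentityKeyAlias()` would make the alias source obvious to callers.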
 
 Review comment:
   Just a minor note: `getKeystoreForGateway` already applies read lock; do we 
need to lock here? I mean the only critical step here is to fetch the `ks` 
instance which is already guarded by the `readLock`.
 



Issue Time Tracking
---

Worklog Id: (was: 201802)
Time Spent: 2h 50m  (was: 2h 40m)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-20 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=201697&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-201697
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 21/Feb/19 00:11
Start Date: 21/Feb/19 00:11
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #56: KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/56
 
 
   ## What changes were proposed in this pull request?
   
   **Problem**
   The location of the keystore housing the Knox Gateway TLS certificate is 
hardcoded to /keystores/gateway.jks and the 
certificate alias is hardcoded to “gateway-identity”. This limits the ability 
for external management facilities to setup a custom TLS key and certificate 
for the Knox Gateway. For example, a host-wide, CA-signed, TLS certificate.
   
   Knox has configuration hooks for the following (optional) properties
   
   - Home Directory
  - Gateway-site property: GATEWAY_HOME
  - System property: GATEWAY_HOME
  - Environment variable: GATEWAY_HOME
   - Data Directory
  - System property: GATEWAY_DATA_HOME
  - Environment variable: GATEWAY_DATA_HOME
  - Gateway-site property: gateway.data.dir
  - Calculated: [Home Directory] + [Path Separator] + “data”
   - Security Directory
  - Gateway-site property: gateway.security.dir
  - Calculated: [Data Directory] + [Path Separator] + “security”
   
   The path to the Knox Gateway TLS keystore is calculated as
   ```
   [Security Directory] + [Path Separator] + “keystores” + [Path Separator] + 
“gateway.jks”
   ```
   
   **Solution**
   To make it easier to use an externally provided TLS key and certificate, the 
Knox Gateway should allow the TLS keystore file and alias name to be 
configurable. The following properties should be made available:
   
   - TLS Keystore File Path
  - Gateway-site property: gateway.tls.keystore.path
  - Calculated: [Security Directory] + [Path Separator] + "keystores" + [Path Separator] + "gateway.jks"
   - TLS Keystore Password Alias (value to be stored in the Knox Gateway 
credential store)
  - Gateway-site property: gateway.tls.keystore.password.alias
  - Calculated: "gateway-identity-keystore-password"
   - TLS Keystore Type
  - Gateway-site property: gateway.tls.keystore.type
  - Calculated: “jks”
   - TLS Key Alias
  - Gateway-site property: gateway.tls.key.alias
  - Calculated: “gateway-identity”
   - TLS Key Passphrase Alias (value to be stored in the Knox Gateway 
credential store)
  - Gateway-site property: gateway.tls.key.passphrase.alias
  - Calculated: "gateway-identity-passphrase"
   
   ## How was this patch tested?
   
   Updated unit tests
   
   Manually tested using
   - default keystore for identity and signing
   - custom keystore for identity, default keystore for signing (falls to 
custom keystore for identity)
   - custom keystore for identity, custom keystore for signing 
   
   Please review [Knox Contributing 
Process](https://cwiki.apache.org/confluence/display/KNOX/Contribution+Process#ContributionProcess-GithubWorkflow)
 before opening a pull request.
   
 



Issue Time Tracking
---

Worklog Id: (was: 201697)
Time Spent: 2h 20m  (was: 2h 10m)

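The resolution order the PR body describes, worked as an added example (not Knox code). It assumes the sources listed for each directory are in precedence order (system property, then environment variable, then gateway-site property, then the calculated default), which the issue's note on the home directory implies, and uses `os.path.join` in place of the `[Path Separator]` concatenation:

```python
"""Resolve the Knox Gateway TLS identity settings listed in the PR body.

Added example, not Knox code. Assumption: the sources for each directory are
listed in precedence order (system property, then environment variable, then
gateway-site property, then the calculated default), which the issue's note on
the home directory implies. os.path.join stands in for "[Path Separator]".
"""
import os
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class TlsIdentity:
    # Only aliases appear in gateway-site; the keystore password and key
    # passphrase themselves are looked up under these aliases in the
    # Knox credential store, never stored in configuration.
    keystore_path: str
    keystore_type: str
    keystore_password_alias: str
    key_alias: str
    key_passphrase_alias: str


def _first_set(*candidates: Optional[str]) -> Optional[str]:
    """First candidate that is present and not blank; blank counts as unset."""
    for value in candidates:
        if value is not None and value.strip():
            return value.strip()
    return None


def resolve_home_dir(site: Mapping[str, str], sys_props: Mapping[str, str],
                     env: Mapping[str, str]) -> str:
    """Home Directory: GATEWAY_HOME from system property, environment or
    gateway-site. There is no calculated fallback for it."""
    home = _first_set(sys_props.get("GATEWAY_HOME"), env.get("GATEWAY_HOME"),
                      site.get("GATEWAY_HOME"))
    if home is None:
        raise ValueError("GATEWAY_HOME is not set as a system property, "
                         "environment variable or gateway-site property")
    return home


def resolve_data_dir(site: Mapping[str, str], sys_props: Mapping[str, str],
                     env: Mapping[str, str]) -> str:
    """Data Directory: GATEWAY_DATA_HOME, gateway.data.dir, else [Home]/data."""
    configured = _first_set(sys_props.get("GATEWAY_DATA_HOME"),
                            env.get("GATEWAY_DATA_HOME"),
                            site.get("gateway.data.dir"))
    if configured is not None:
        return configured
    return os.path.join(resolve_home_dir(site, sys_props, env), "data")


def resolve_security_dir(site: Mapping[str, str], sys_props: Mapping[str, str],
                         env: Mapping[str, str]) -> str:
    """Security Directory: gateway.security.dir, else [Data Directory]/security."""
    configured = _first_set(site.get("gateway.security.dir"))
    if configured is not None:
        return configured
    return os.path.join(resolve_data_dir(site, sys_props, env), "security")


def resolve_tls_identity(site: Mapping[str, str],
                         sys_props: Optional[Mapping[str, str]] = None,
                         env: Optional[Mapping[str, str]] = None) -> TlsIdentity:
    """Apply the five gateway.tls.* properties with the defaults from the PR body."""
    sys_props = sys_props or {}
    env = env or {}
    keystore_path = _first_set(site.get("gateway.tls.keystore.path"))
    if keystore_path is None:
        # Default keeps the historical location, so an unchanged gateway-site
        # still finds [Security Directory]/keystores/gateway.jks.
        keystore_path = os.path.join(resolve_security_dir(site, sys_props, env),
                                     "keystores", "gateway.jks")
    return TlsIdentity(
        keystore_path=keystore_path,
        keystore_type=_first_set(site.get("gateway.tls.keystore.type")) or "jks",
        keystore_password_alias=_first_set(site.get("gateway.tls.keystore.password.alias"))
        or "gateway-identity-keystore-password",
        key_alias=_first_set(site.get("gateway.tls.key.alias")) or "gateway-identity",
        key_passphrase_alias=_first_set(site.get("gateway.tls.key.passphrase.alias"))
        or "gateway-identity-passphrase",
    )


if __name__ == "__main__":
    # Constructed sample: a host-wide CA-signed PKCS12 keystore supplied by the
    # OS, with the credential-store aliases left at their defaults.
    site_xml = {"gateway.tls.keystore.path": "/etc/pki/knox/host.p12",
                "gateway.tls.keystore.type": "pkcs12",
                "gateway.tls.key.alias": "host-cert"}
    print(resolve_tls_identity(site_xml, sys_props={"GATEWAY_HOME": "/opt/knox"}))
```

A blank `gateway.tls.keystore.path` is treated as unset so the default location is used rather than an empty file name.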

[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-19 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200853&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200853
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 19/Feb/19 20:04
Start Date: 19/Feb/19 20:04
Worklog Time Spent: 10m 
  Work Description: rlevas commented on issue #54: [WIP] KNOX-1756 - Knox 
Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#issuecomment-465288878
 
 
   Abandoning this change due to popular demand. 
   
 



Issue Time Tracking
---

Worklog Id: (was: 200853)
Time Spent: 2h  (was: 1h 50m)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 2h
>  Remaining Estimate: 0h
>
> h1. Problem
> The location of the keystore housing the Knox Gateway TLS certificate is 
> hardcoded to {{/keystores/gateway.jks}} and the 
> certificate alias is hardcoded to “{{gateway-identity}}”. This limits the 
> ability for external management facilities to set up a custom TLS key and 
> certificate for the Knox Gateway. For example, a host-wide, CA-signed, TLS 
> certificate.
> Knox has configuration hooks for the following (optional) properties
>  * Home Directory
>  ** Gateway-site property: GATEWAY_HOME
>  ** System property: GATEWAY_HOME
>  ** Environment variable: GATEWAY_HOME
>  * Data Directory
>  ** System property: GATEWAY_DATA_HOME
>  ** Environment variable: GATEWAY_DATA_HOME
>  ** Gateway-site property: gateway.data.dir
>  ** Calculated: [Home Directory] + [Path Separator] + “data”
>  * Security Directory
>  ** Gateway-site property: gateway.security.dir
>  ** Calculated: [Data Directory] + [Path Separator] + “security”
> *Note*: the calculation for the home directory is inconsistent with the other 
> directory calculations. This inconsistency may be confusing to users and thus 
> should be fixed to be
>  * System property: GATEWAY_HOME
>  * Environment variable: GATEWAY_HOME
>  * Gateway-site property: gateway.home.dir
> The path to the Knox Gateway TLS keystore is calculated as
> {noformat}
> [Security Directory] + [Path Separator] + “keystores” + [Path Separator] + 
> “gateway.jks”
> {noformat}
> h1. Solution
> To make it easier to use an externally provided TLS key and certificate, the 
> Knox Gateway should allow the TLS keystore file and alias name to be 
> configurable. The following properties should be made available:
>  * TLS Keystore File Path
>  ** Gateway-site property: gateway.tls.keystore.path
>  ** Calculated: [Security Directory] + [Path Separator] + "keystores" + [Path Separator] + "gateway.jks"
>  * TLS Keystore Password Alias (value to be stored in the Knox Gateway 
> credential store)
>  ** Gateway-site property: gateway.tls.keystore.password.alias
>  ** Calculated: "gateway-identity-keystore-password"
>  * TLS Keystore Type
>  ** Gateway-site property: gateway.tls.keystore.type
>  ** Calculated: ”jks”
>  * TLS Key Alias
>  ** Gateway-site property: gateway.tls.key.alias
>  ** Calculated: “gateway-identity”
>  * TLS Key Passphrase Alias (value to be stored in the Knox Gateway 
> credential store)
>  ** Gateway-site property: gateway.tls.key.passphrase.alias
>  ** Calculated: "gateway-identity-passphrase"
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-19 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200854&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200854
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 19/Feb/19 20:04
Start Date: 19/Feb/19 20:04
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #54: [WIP] KNOX-1756 - 
Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54
 
 
   
 



Issue Time Tracking
---

Worklog Id: (was: 200854)
Time Spent: 2h 10m  (was: 2h)






[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-19 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200735&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200735
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 19/Feb/19 16:11
Start Date: 19/Feb/19 16:11
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 
- Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258111920
 
 

 ##
 File path: 
gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreServiceTest.java
 ##
 @@ -0,0 +1,384 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.services.security.impl;
+
+import static 
org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEYSTORE_PASSWORD_ALIAS;
+import static 
org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEYSTORE_PATH;
+import static 
org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEYSTORE_TYPE;
+import static org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEY_ALIAS;
+import static 
org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEY_PASSPHRASE_ALIAS;
+import static 
org.apache.knox.gateway.config.GatewayConfig.SIGNING_KEYSTORE_NAME;
+import static org.apache.knox.gateway.config.GatewayConfig.SIGNING_KEY_ALIAS;
+import static org.easymock.EasyMock.eq;
+import static org.easymock.EasyMock.expect;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Paths;
+import java.security.Key;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Collections;
+import java.util.Locale;
+
+import org.apache.knox.gateway.config.GatewayConfig;
+import org.apache.knox.gateway.config.impl.GatewayConfigImpl;
+import org.apache.knox.gateway.services.ServiceLifecycleException;
+import org.apache.knox.gateway.services.security.KeystoreService;
+import org.apache.knox.gateway.services.security.KeystoreServiceException;
+import org.apache.knox.gateway.services.security.MasterService;
+import org.easymock.EasyMockSupport;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+
+public class DefaultKeystoreServiceTest extends EasyMockSupport {
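Review bot: if `extends EasyMockSupport` is dropped from `public class DefaultKeystoreServiceTest extends EasyMockSupport` as suggested, the `import org.easymock.EasyMockSupport;` line becomes an unused import and should go with it; the statically imported `eq` and `expect` are unaffected, but any `createMock`/`replayAll`/`verifyAll` calls in the body would then need to become `EasyMock.createMock` plus explicit `replay`/`verify` on each mock.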
 
 Review comment:
   Don't need to extend `EasyMockSupport`
 



Issue Time Tracking
---

Worklog Id: (was: 200735)
Time Spent: 1h 50m  (was: 1h 40m)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-19 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200730&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200730
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 
- Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258100423
 
 

 ##
 File path: 
gateway-spi/src/test/java/org/apache/knox/gateway/services/security/impl/BaseKeystoreServiceTest.java
 ##
 @@ -0,0 +1,240 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.services.security.impl;
+
+import static org.easymock.EasyMock.expect;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotSame;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import org.apache.knox.gateway.config.GatewayConfig;
+import org.apache.knox.gateway.services.security.KeystoreServiceException;
+import org.apache.knox.gateway.services.security.MasterService;
+import org.easymock.EasyMockSupport;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.util.Locale;
+
+public class BaseKeystoreServiceTest extends EasyMockSupport {
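Review bot: import ordering is inconsistent with `DefaultKeystoreServiceTest` in the same PR: here the `org.*` block precedes the `java.*` block, there the `java.*` block comes first; pick one order for both new test files. The same `extends EasyMockSupport` remark applies to `public class BaseKeystoreServiceTest extends EasyMockSupport`. Since this test imports `KeyPairGenerator`, `KeyStore` and `Files` alongside the `TemporaryFolder` rule, any keystore it generates should be written under that rule's folder so nothing lands in the gateway-spi module tree.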
 
 Review comment:
   Looks like this would be useful outside of this PR
 



Issue Time Tracking
---

Worklog Id: (was: 200730)
Time Spent: 1.5h  (was: 1h 20m)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-19 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200716&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200716
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 
- Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258100235
 
 

 ##
 File path: 
gateway-spi/src/test/java/org/apache/knox/gateway/services/security/impl/X509CertificateUtilTest.java
 ##
 @@ -0,0 +1,162 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.services.security.impl;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+
+import org.junit.BeforeClass;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.X509Certificate;
+import java.util.Calendar;
+import java.util.Locale;
+import java.util.TimeZone;
+
+public class X509CertificateUtilTest {
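Review bot: `CertificateExpiredException`, `CertificateNotYetValidException`, `Calendar` and `TimeZone` are imported, so the validity-window tests should derive their dates from fixed values (and a fixed `TimeZone`) rather than the current time, otherwise a `checkValidity` assertion can pass or fail depending on when the suite runs. `java.io.InputStream` and `java.io.BufferedReader` are both imported; if only one is used, drop the other.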
 
 Review comment:
   Looks like this would be useful outside of this PR
 



Issue Time Tracking
---

Worklog Id: (was: 200716)
Time Spent: 20m  (was: 10m)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-19 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200728&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200728
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 
- Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258104823
 
 

 ##
 File path: 
gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
 ##
 @@ -643,14 +648,58 @@ public long getGatewayDeploymentsBackupAgeLimit() {
 return d;
   }
 
+  @Override
+  public String getIdentityKeystorePath() {
+String keystorePath = get(IDENTITY_KEYSTORE_PATH);
+if(StringUtils.isEmpty(keystorePath)) {
+  keystorePath = getGatewayKeystoreDir() + File.separatorChar + 
"gateway.jks";
 
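Review bot: the default at `keystorePath = getGatewayKeystoreDir() + File.separatorChar + "gateway.jks";` is built by string concatenation; the reviewer's `Paths.get(getGatewayKeystoreDir(), "gateway.jks").toString()` avoids a doubled separator when the keystore directory already ends with one and normalises the result the same way the other path getters do. `StringUtils.isEmpty(keystorePath)` also accepts a whitespace-only `IDENTITY_KEYSTORE_PATH` value as a real path; `StringUtils.isBlank` would fall through to the default instead.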
 Review comment:
   `Paths.get`
 



Issue Time Tracking
---

Worklog Id: (was: 200728)






[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-19 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200724&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200724
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 
- Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258095744
 
 

 ##
 File path: 
gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java
 ##
 @@ -307,22 +283,15 @@ public Key getSigningKey(String alias, char[] 
passphrase) throws KeystoreService
 
   @Override
   public Key getSigningKey(String keystoreName, String alias, char[] 
passphrase) throws KeystoreServiceException {
-Key key = null;
 readLock.lock();
 try {
-  KeyStore ks = getSigningKeystore(keystoreName);
-  if (passphrase == null) {
-passphrase = masterService.getMasterSecret();
-LOG.assumingKeyPassphraseIsMaster();
-  }
-  if (ks != null) {
-try {
-  key = ks.getKey(alias, passphrase);
-} catch (UnrecoverableKeyException | NoSuchAlgorithmException | 
KeyStoreException e) {
-  LOG.failedToGetKeyForGateway( alias, e );
-}
+  try {
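Review bot: the removed lines substituted `masterService.getMasterSecret()` when `passphrase == null` and logged `assumingKeyPassphraseIsMaster()`; nothing in the visible replacement restores that fallback, so either it moved into the new inner block or callers that relied on a null passphrase now reach `ks.getKey` with null, and the `LOG.failedToGetKeyForGateway( alias, e )` reporting disappears with it. The new `try {` opened directly inside the `readLock.lock()` try is what the reviewer is asking about: one try with the lock released in `finally` and a single catch for `UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException` is enough unless the inner block needs a different handler.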
 
 Review comment:
   Do we need nested try blocks here?
 



Issue Time Tracking
---

Worklog Id: (was: 200724)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-19 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200726&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200726
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 
- Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258102739
 
 

 ##
 File path: 
gateway-spi/src/main/java/org/apache/knox/gateway/services/security/impl/BaseKeystoreService.java
 ##
 @@ -39,28 +39,26 @@
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
 
-public class BaseKeystoreService {
+abstract class BaseKeystoreService {
   private static GatewaySpiMessages LOG = MessagesFactory.get( 
GatewaySpiMessages.class );
 
-  protected MasterService masterService;
-  protected String keyStoreDir;
+  private MasterService masterService;
 
-  private static KeyStore loadKeyStore(final File keyStoreFile, final char[] 
masterPassword, String storeType)
+  private static KeyStore loadKeyStore(final File keyStoreFile, final char[] 
storePassword, String storeType)
   throws CertificateException, IOException, KeyStoreException, 
NoSuchAlgorithmException {
final KeyStore  keyStore = KeyStore.getInstance(storeType);
if ( keyStoreFile.exists() ) {
try (InputStream input = 
Files.newInputStream(keyStoreFile.toPath())) {
-   keyStore.load( input, masterPassword );
+   keyStore.load( input, storePassword );
}
} else {
-   keyStore.load( null, masterPassword );
+   keyStore.load( null, storePassword );
}
 
return keyStore;
   }
 
-  private static OutputStream createKeyStoreFile(String fileName ) throws 
IOException {
-File file = new File( fileName );
+  private static OutputStream createKeyStoreFile(File file) throws IOException 
{
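Review bot: `loadKeyStore` still calls `keyStore.load(null, storePassword)` when `keyStoreFile` does not exist, which hands back an empty in-memory store instead of failing. For the credential store that is the intended create-on-demand path, but for an operator-supplied TLS identity keystore (the path this issue makes configurable) a mistyped path would then surface much later as a missing certificate alias rather than as a clear "keystore not found" error, so let the identity-keystore caller decide whether a missing file is an error. Two smaller points: `private static GatewaySpiMessages LOG` is mutable static state and can be `final`; and `createKeyStoreFile(File file)` returning a bare `OutputStream` invites unclosed streams, so returning `Files.newOutputStream(file.toPath())` (or taking a `Path`, as the comment below suggests) and consuming it in a try-with-resources at the call site would be the idiomatic shape.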
 
 Review comment:
   Since we are changing the method signature anyway, can we go with `Path` 
instead of `File`? 
   
   `Path` is preferred to `File`. 
https://docs.oracle.com/javase/tutorial/essential/io/legacy.html
 



Issue Time Tracking
---

Worklog Id: (was: 200726)
Time Spent: 1h 10m  (was: 1h)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-19 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200731&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200731
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 
- Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258109073
 
 

 ##
 File path: 
gateway-server/src/test/java/org/apache/knox/gateway/util/KnoxCLITest.java
 ##
 @@ -54,12 +55,14 @@
 
 /**
  * @author larry
- *
  */
 public class KnoxCLITest {
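Review bot: the only change in this hunk is dropping the blank ` *` line from the `@author larry` javadoc, a whitespace-only edit in a test class that the keystore/alias work does not otherwise need to touch; unrelated cleanups like this belong in their own commit so the PR diff stays focused and `git blame` on KnoxCLITest does not point at KNOX-1756 for a comment tweak.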
 
 Review comment:
   These changes don't look tied to the PR itself. Would be good to separate.
 



Issue Time Tracking
---

Worklog Id: (was: 200731)
Time Spent: 1h 40m  (was: 1.5h)




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-19 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200725&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200725
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 
- Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258100857
 
 

 ##
 File path: 
gateway-spi/src/test/java/org/apache/knox/gateway/services/security/impl/X509CertificateUtilTest.java
 ##
 @@ -0,0 +1,162 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.services.security.impl;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+
+import org.junit.BeforeClass;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.X509Certificate;
+import java.util.Calendar;
+import java.util.Locale;
+import java.util.TimeZone;
+
+public class X509CertificateUtilTest {
+  @Rule
+  public TemporaryFolder testFolder = new TemporaryFolder();
+
+  static X509Certificate certificate;
+
+  @BeforeClass
+  public static void createCertificate() throws NoSuchAlgorithmException {
+KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
+keyPairGenerator.initialize(2048);
+KeyPair keyPair = keyPairGenerator.generateKeyPair();
+String dn = "cn=test,ou=hadoop";
+
+certificate = X509CertificateUtil.generateCertificate(dn, keyPair, 365, 
"SHA1withRSA");
+  }
+
+  @Test
+  public void testGenerateCertificate() throws Exception {
+String expectedDn = "CN=test, OU=hadoop";
+
+assertEquals(expectedDn, certificate.getIssuerDN().getName());
+assertEquals(expectedDn, certificate.getSubjectDN().getName());
+assertEquals("SHA1withRSA", certificate.getSigAlgName());
+
+certificate.checkValidity();
+  }
+
+  @Test(expected = CertificateNotYetValidException.class)
+  public void testGenerateCertificateValidityPeriodBefore() throws Exception {
+Calendar calendar = Calendar.getInstance(TimeZone.getDefault(), 
Locale.ROOT);
+calendar.add(Calendar.DAY_OF_YEAR, -1);
+certificate.checkValidity(calendar.getTime());
+  }
+
+  @Test(expected = CertificateExpiredException.class)
+  public void testGenerateCertificateValidityPeriodAfter() throws Exception {
+Calendar calendar = Calendar.getInstance(TimeZone.getDefault(), 
Locale.ROOT);
+calendar.add(Calendar.DAY_OF_YEAR, 365);
+certificate.checkValidity(calendar.getTime());
+  }
+
+  @Test
+  public void testWriteCertificateToFile() throws Exception {
+File file = testFolder.newFile();
+assertTrue(file.delete());
+
+assertFalse(file.exists());
+X509CertificateUtil.writeCertificateToFile(certificate, file);
+assertTrue(file.exists());
+
+BufferedReader fileReader = Files.newBufferedReader(file.toPath(), 
StandardCharsets.UTF_8);
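Review bot: `BufferedReader fileReader = Files.newBufferedReader(file.toPath(), StandardCharsets.UTF_8);` is opened outside a try-with-resources, so any failed assertion after it leaks the handle and, on Windows, can make the `TemporaryFolder` cleanup fail; write it as `try (BufferedReader fileReader = Files.newBufferedReader(file.toPath(), StandardCharsets.UTF_8)) { ... }`. Separately, the fixture signs with `"SHA1withRSA"` and `testGenerateCertificate` pins that name: since certificates produced by `X509CertificateUtil.generateCertificate` are what Knox presents as its TLS identity, the test (and the production default, if this is it) should use `SHA256withRSA`, as modern browsers and TLS stacks reject SHA-1 certificate signatures. The two validity tests also rely on `generateCertificate` setting notBefore to roughly "now" and notAfter to now plus 365 days with no back-dating; if that ever changes, `calendar.add(Calendar.DAY_OF_YEAR, -1)` stops producing `CertificateNotYetValidException`, so a comment stating that assumption would help the next maintainer.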
 
 Review comment:
   Make sure this gets closed
 



Issue Tim

[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-19 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200733&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200733
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 
- Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258103226
 
 

 ##
 File path: 
gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java
 ##
 @@ -159,21 +159,36 @@ private void logAndValidateCertificate() throws 
ServiceLifecycleException {
   throw new ServiceLifecycleException("Gateway SSL Certificate is not 
yet valid. Server will not start.", e);
 }
   } else {
-throw new ServiceLifecycleException("Public certificate for the 
gateway cannot be found with the alias gateway-identity. Plase check the 
identity certificate alias.");
+throw new ServiceLifecycleException("Public certificate for the 
gateway cannot be found. Please check the identity certificate alias.");
   }
 } else {
   throw new ServiceLifecycleException("Public certificate for the gateway 
is not of the expected type of X509Certificate. Something is wrong with the 
gateway keystore.");
 }
   }
 
   @Override
-  public Object buildSslContextFactory(String keystoreFileName ) throws 
KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException {
+  public Object buildSslContextFactory(GatewayConfig gatewayConfig) throws 
KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException {
+char[] master = ms.getMasterSecret();
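Review bot: `char[] master = ms.getMasterSecret();` is now the first statement of `buildSslContextFactory(GatewayConfig gatewayConfig)`, so the master secret is materialised for the whole method even on paths that never use it; fetch it at the point of use (the comment below suggests line 188) and, now that the issue introduces `gateway.tls.keystore.password.alias` and `gateway.tls.key.passphrase.alias`, confirm the master secret is only the fallback when no credential-store alias is configured rather than the keystore password unconditionally. On the message change above, dropping the hard-coded `gateway-identity` from "Public certificate for the gateway cannot be found" is right once the alias is configurable, but the message should then include the alias actually looked up (the configured `gateway.tls.key.alias` value); otherwise an operator who mistypes the alias gets no hint which name Knox tried.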
 
 Review comment:
   move this to line 188?
 



Issue Time Tracking
---

Worklog Id: (was: 200733)
Time Spent: 1h 40m  (was: 1.5h)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-19 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200718&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200718
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 
- Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258098677
 
 

 ##
 File path: 
gateway-spi/src/test/java/org/apache/knox/gateway/services/security/impl/BaseKeystoreServiceTest.java
 ##
 @@ -0,0 +1,240 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.services.security.impl;
+
+import static org.easymock.EasyMock.expect;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotSame;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import org.apache.knox.gateway.config.GatewayConfig;
+import org.apache.knox.gateway.services.security.KeystoreServiceException;
+import org.apache.knox.gateway.services.security.MasterService;
+import org.easymock.EasyMockSupport;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.util.Locale;
+
+public class BaseKeystoreServiceTest extends EasyMockSupport {
+
+  @Rule
+  public TemporaryFolder testFolder = new TemporaryFolder();
+
+  @Test(expected = KeystoreServiceException.class)
+  public void testCreateKeystoreWithBadType() throws IOException, 
KeystoreServiceException {
+BaseKeystoreService baseKeystoreService = 
createMockBuilder(BaseKeystoreService.class).createMock();
+baseKeystoreService.createKeystore(testFolder.newFile(), "INVALID_TYPE", 
"password".toCharArray());
+  }
+
+  @Test(expected = IllegalArgumentException.class)
+  public void testCreateKeystoreWithNullPassword() throws IOException, 
KeystoreServiceException {
+BaseKeystoreService baseKeystoreService = 
createMockBuilder(BaseKeystoreService.class).createMock();
+baseKeystoreService.createKeystore(testFolder.newFile(), "JKS", null);
+  }
+
+  @Test
+  public void testCreateGetAndCheckKeystore() throws IOException, 
KeystoreServiceException, KeyStoreException {
+BaseKeystoreService baseKeystoreService = 
createMockBuilder(BaseKeystoreService.class).createMock();
+
+// Test the popular keystore types...
+for (String keystoreType : new String[]{"jks", "jceks", "pkcs12"}) {
+  testCreateGetAndCheckKeystore(baseKeystoreService, keystoreType);
+}
+  }
+
+  @Test
+  public void testCreateGetAndRemoveCredential() throws Exception {
+BaseKeystoreService baseKeystoreService = 
createMockBuilder(BaseKeystoreService.class).createMock();
+
+// This appears to only work for JCEKS keystores.
+testCreateGetAndRemoveCredential(baseKeystoreService, "jceks");
+  }
+
+  @Test
+  public void testWriteCertificateToFile() throws IOException, 
NoSuchAlgorithmException, CertificateEncodingException {
+BaseKeystoreService baseKeystoreService = 
createMockBuilder(BaseKeystoreService.class).createMock();
+
+File file = testFolder.newFile();
+Certificate outCertificate = createCertificate();
+baseKeystoreService.writeCertificateToFile(outCertificate, file);
+
+assertTrue(file.exists());
+
+BufferedReader fileReader = Files.newBufferedReader(file.toPath(), 
StandardCharsets.UTF_8);
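Review bot: as in X509CertificateUtilTest, `BufferedReader fileReader = Files.newBufferedReader(file.toPath(), StandardCharsets.UTF_8);` at the end of `testWriteCertificateToFile` is not in a try-with-resources and should be. The comment `// This appears to only work for JCEKS keystores.` in `testCreateGetAndRemoveCredential` records a real constraint rather than an aside: standard JKS cannot hold secret-key entries, so the credential store must stay a type that supports them (JCEKS here) even when `gateway.tls.keystore.type` is set to `jks` for the identity keystore; a negative test that runs `testCreateGetAndRemoveCredential(baseKeystoreService, "jks")` and asserts the expected failure would document that the two stores are configured independently. Also, `testCreateKeystoreWithNullPassword` expects `IllegalArgumentException` while `testCreateKeystoreWithBadType` expects `KeystoreServiceException`; both are caller errors, so one exception type, or a comment on why they differ, would make `createKeystore` easier to use correctly.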
 
 Review comment:
   use try-

[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-19 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200721&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200721
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 
- Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258100577
 
 

 ##
 File path: 
gateway-spi/src/test/java/org/apache/knox/gateway/services/security/impl/BaseKeystoreServiceTest.java
 ##
 @@ -0,0 +1,240 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.services.security.impl;
+
+import static org.easymock.EasyMock.expect;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotSame;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import org.apache.knox.gateway.config.GatewayConfig;
+import org.apache.knox.gateway.services.security.KeystoreServiceException;
+import org.apache.knox.gateway.services.security.MasterService;
+import org.easymock.EasyMockSupport;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.util.Locale;
+
+public class BaseKeystoreServiceTest extends EasyMockSupport {
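Review bot: this hunk repeats the head of the file shown in the previous hunk; the point here is `extends EasyMockSupport`. All the mocking the visible tests need is `createMockBuilder(BaseKeystoreService.class).createMock()`, which is a static method on `org.easymock.EasyMock` and can be statically imported next to the existing `import static org.easymock.EasyMock.expect;`, so the superclass and its replayAll/verifyAll bookkeeping are not needed. Since `BaseKeystoreService` is now a package-private abstract class in the same package as this test, a small concrete subclass declared inside the test would exercise the real code with no partial mocks at all, which also removes the risk of EasyMock silently stubbing an abstract method the test meant to call.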
 
 Review comment:
   don't need to extend `EasyMockSupport`
 



Issue Time Tracking
---

Worklog Id: (was: 200721)
Time Spent: 40m  (was: 0.5h)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-19 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200717&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200717
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 
- Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258097302
 
 

 ##
 File path: 
gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java
 ##
 @@ -260,16 +247,13 @@ public boolean 
isCredentialStoreForClusterAvailable(String clusterName) throws K
 
   @Override
   public boolean isKeystoreForGatewayAvailable() throws 
KeystoreServiceException {
-boolean rc;
-final File  keyStoreFile = new File( keyStoreDir + GATEWAY_KEYSTORE  );
 readLock.lock();
 try {
   try {
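Review bot: `isKeystoreForGatewayAvailable()` still nests a `try {` directly inside the `readLock.lock(); try {` block after `boolean rc` and the hard-coded `new File( keyStoreDir + GATEWAY_KEYSTORE )` are removed; collapse it to a single try whose finally releases `readLock` and return straight from the body. Removing the `keyStoreDir + GATEWAY_KEYSTORE` concatenation is the core of this issue, so whatever now supplies the keystore location (the `gateway.tls.keystore.path` property the issue proposes, with the calculated security-directory path as fallback) should be resolved once at service initialisation and reused, so the availability check and the later keystore load cannot disagree about which file they examine.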
 
 Review comment:
   Don't need nested try/catch block
 



Issue Time Tracking
---

Worklog Id: (was: 200717)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> h1. Problem
> The location of the keystore housing the Knox Gateway TLS certificate is 
> hardcoded to {{/keystores/gateway.jks}} and the 
> certificate alias is hardcoded to “{{gateway-identity}}”. This limits the 
> ability for external management facilities to set up a custom TLS key and 
> certificate for the Knox Gateway. For example, a host-wide, CA-signed, TLS 
> certificate.
> Knox has configuration hooks for the following (optional) properties
>  * Home Directory
>  ** Gateway-site property: GATEWAY_HOME
>  ** System property: GATEWAY_HOME
>  ** Environment variable: GATEWAY_HOME
>  * Data Directory
>  ** System property: GATEWAY_DATA_HOME
>  ** Environment variable: GATEWAY_DATA_HOME
>  ** Gateway-site property: gateway.data.dir
>  ** Calculated: [Home Directory] + [Path Separator] + “data”
>  * Security Directory
>  ** Gateway-site property: gateway.security.dir
>  ** Calculated: [Data Directory] + [Path Separator] + “security”
> *Note*: the calculation for the home directory is inconsistent with the other 
> directory calculations. This inconsistency may be confusing to users and thus 
> should be fixed to be
>  * System property: GATEWAY_HOME
>  * Environment variable: GATEWAY_HOME
>  * Gateway-site property: gateway.home.dir
> The path to the Knox Gateway TLS keystore is calculated as
> {noformat}
> [Security Directory] + [Path Separator] + “keystores” + [Path Separator] + 
> “gateway.jks”
> {noformat}
> h1. Solution
> To make it easier to use an externally provided TLS key and certificate, the 
> Knox Gateway should allow the TLS keystore file and alias name to be 
> configurable. The following properties should be made available:
>  * TLS Keystore File Path
>  ** Gateway-site property: gateway.tls.keystore.path
>  ** Calculated: [Security Directory] + [Path Separator] + "keystores" + [Path 
> Separator] + "gateway.jks"
>  * TLS Keystore Password Alias (value to be stored in the Knox Gateway 
> credential store)
>  ** Gateway-site property: gateway.tls.keystore.password.alias
>  ** Calculated: "gateway-identity-keystore-password"
>  * TLS Keystore Type
>  ** Gateway-site property: gateway.tls.keystore.type
>  ** Calculated: "jks"
>  * TLS Key Alias
>  ** Gateway-site property: gateway.tls.key.alias
>  ** Calculated: "gateway-identity"
>  * TLS Key Passphrase Alias (value to be stored in the Knox Gateway 
> credential store)
>  ** Gateway-site property: gateway.tls.key.passphrase.alias
>  ** Calculated: "gateway-identity-passphrase"
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
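Resolving the proposed properties in the order the issue description lists (system property, environment variable, gateway-site property, calculated default) and then checking the result before the gateway would bind its TLS listener, as an added example written for this page rather than taken from the Knox pull request. The class `TlsKeystoreSettings`, its methods, and the `/opt/knox`, `host-identity` and `changeit` sample values are assumptions of this example; the property names and defaults are the ones quoted in the description above.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

// Added example, not Knox code. Resolves the TLS keystore settings from KNOX-1756
// with the issue's lookup order and defaults, then checks at start-up that the
// keystore really holds a private key under the configured alias.
public final class TlsKeystoreSettings {
  // Property names and defaults as listed in the issue description.
  static final String KEYSTORE_PATH_PROP = "gateway.tls.keystore.path";
  static final String KEYSTORE_TYPE_PROP = "gateway.tls.keystore.type";
  static final String KEY_ALIAS_PROP = "gateway.tls.key.alias";
  static final String DEFAULT_KEYSTORE_TYPE = "jks";
  static final String DEFAULT_KEY_ALIAS = "gateway-identity";

  final Path keystorePath;
  final String keystoreType, keyAlias;

  private TlsKeystoreSettings(Path path, String type, String alias) {
    keystorePath = path; keystoreType = type; keyAlias = alias;
  }

  // First non-blank candidate wins; this is the layered lookup the issue describes.
  static String firstNonBlank(String... candidates) {
    for (String c : candidates) {
      if (c != null && !c.trim().isEmpty()) return c;
    }
    return null;
  }

  // site = gateway-site properties, env = environment, sys = system properties.
  // Home/data directories: system property, env var, gateway-site, calculated.
  // TLS settings: gateway-site, then the calculated default.
  static TlsKeystoreSettings resolve(Map<String, String> site, Map<String, String> env,
                                     Map<String, String> sys) {
    String home = firstNonBlank(sys.get("GATEWAY_HOME"), env.get("GATEWAY_HOME"),
        site.get("gateway.home.dir"));
    if (home == null) throw new IllegalStateException("GATEWAY_HOME is not set");
    String data = firstNonBlank(sys.get("GATEWAY_DATA_HOME"), env.get("GATEWAY_DATA_HOME"),
        site.get("gateway.data.dir"), Paths.get(home, "data").toString());
    String security = firstNonBlank(site.get("gateway.security.dir"),
        Paths.get(data, "security").toString());
    String keystore = firstNonBlank(site.get(KEYSTORE_PATH_PROP),
        Paths.get(security, "keystores", "gateway.jks").toString());
    return new TlsKeystoreSettings(Paths.get(keystore),
        firstNonBlank(site.get(KEYSTORE_TYPE_PROP), DEFAULT_KEYSTORE_TYPE),
        firstNonBlank(site.get(KEY_ALIAS_PROP), DEFAULT_KEY_ALIAS));
  }

  // Start-up check: file exists, opens with the password, and has a private-key
  // entry under the alias. Failing here beats a listener with the wrong identity.
  void verify(char[] keystorePassword) throws IOException, GeneralSecurityException {
    if (!Files.isRegularFile(keystorePath)) {
      throw new IOException("TLS keystore not found: " + keystorePath);
    }
    KeyStore ks = KeyStore.getInstance(keystoreType); // type names are case-insensitive
    try (InputStream in = Files.newInputStream(keystorePath)) {
      ks.load(in, keystorePassword);                  // wrong password -> IOException
    }
    if (!ks.isKeyEntry(keyAlias)) {
      throw new GeneralSecurityException("no private key entry '" + keyAlias + "' in " + keystorePath);
    }
  }

  public static void main(String[] args) throws Exception {
    Map<String, String> env = Collections.singletonMap("GATEWAY_HOME", "/opt/knox"); // constructed
    Map<String, String> none = Collections.emptyMap();

    // Empty gateway-site: everything falls back to the calculated defaults.
    TlsKeystoreSettings d = resolve(none, env, none);
    System.out.println(d.keystorePath + " " + d.keystoreType + " " + d.keyAlias);

    // Externally managed host certificate in a PKCS12 file (constructed values),
    // written here as an empty keystore so verify() can run offline.
    Path tmp = Files.createTempFile("knox-example", ".p12");
    char[] pw = "changeit".toCharArray();
    KeyStore empty = KeyStore.getInstance("PKCS12");
    empty.load(null, null);
    try (OutputStream out = Files.newOutputStream(tmp)) { empty.store(out, pw); }
    Map<String, String> site = new HashMap<>();
    site.put(KEYSTORE_PATH_PROP, tmp.toString());
    site.put(KEYSTORE_TYPE_PROP, "PKCS12");
    site.put(KEY_ALIAS_PROP, "host-identity");
    TlsKeystoreSettings ext = resolve(site, env, none);
    System.out.println(ext.keystorePath + " " + ext.keystoreType + " " + ext.keyAlias);
    try {
      ext.verify(pw);                     // no key under "host-identity": rejected
    } catch (GeneralSecurityException e) {
      System.out.println("start-up check failed as intended: " + e.getMessage());
    } finally {
      Files.deleteIfExists(tmp);
    }
  }
}
```

`verify` is the check an operator most wants when switching Knox to an externally managed keystore: a wrong keystore password surfaces as the `IOException` from `load`, and a wrong alias as the missing key entry, both before any TLS handshake is attempted rather than as a failed connection later.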


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-19 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200719&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200719
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 
- Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258099372
 
 

 ##
 File path: 
gateway-spi/src/test/java/org/apache/knox/gateway/services/security/impl/X509CertificateUtilTest.java
 ##
 @@ -0,0 +1,162 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.services.security.impl;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+
+import org.junit.BeforeClass;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.X509Certificate;
+import java.util.Calendar;
+import java.util.Locale;
+import java.util.TimeZone;
+
+public class X509CertificateUtilTest {
+  @Rule
+  public TemporaryFolder testFolder = new TemporaryFolder();
+
+  static X509Certificate certificate;
+
+  @BeforeClass
+  public static void createCertificate() throws NoSuchAlgorithmException {
+KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
+keyPairGenerator.initialize(2048);
+KeyPair keyPair = keyPairGenerator.generateKeyPair();
+String dn = "cn=test,ou=hadoop";
+
+certificate = X509CertificateUtil.generateCertificate(dn, keyPair, 365, 
"SHA1withRSA");
+  }
+
+  @Test
+  public void testGenerateCertificate() throws Exception {
+String expectedDn = "CN=test, OU=hadoop";
+
+assertEquals(expectedDn, certificate.getIssuerDN().getName());
+assertEquals(expectedDn, certificate.getSubjectDN().getName());
+assertEquals("SHA1withRSA", certificate.getSigAlgName());
+
+certificate.checkValidity();
+  }
+
+  @Test(expected = CertificateNotYetValidException.class)
+  public void testGenerateCertificateValidityPeriodBefore() throws Exception {
+Calendar calendar = Calendar.getInstance(TimeZone.getDefault(), 
Locale.ROOT);
+calendar.add(Calendar.DAY_OF_YEAR, -1);
+certificate.checkValidity(calendar.getTime());
+  }
+
+  @Test(expected = CertificateExpiredException.class)
+  public void testGenerateCertificateValidityPeriodAfter() throws Exception {
+Calendar calendar = Calendar.getInstance(TimeZone.getDefault(), 
Locale.ROOT);
+calendar.add(Calendar.DAY_OF_YEAR, 365);
+certificate.checkValidity(calendar.getTime());
+  }
+
+  @Test
+  public void testWriteCertificateToFile() throws Exception {
+File file = testFolder.newFile();
+assertTrue(file.delete());
+
+assertFalse(file.exists());
+X509CertificateUtil.writeCertificateToFile(certificate, file);
+assertTrue(file.exists());
+
+BufferedReader fileReader = Files.newBufferedReader(file.toPath(), 
StandardCharsets.UTF_8);
+
+String line = fileReader.readLine();
+String lastLine = null;
+
+assertEquals("-BEGIN CERTIFICATE-", line);
+while (line != null) {
+  lastLine = line;
+  line = fileReader.readLine();
+}
+
+assertEquals("-END CERTIFICATE-", lastLine);
+  }
+
+  @Test
+  public void testWriteCertificateToJks() throws Exception {
+testWri
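Review bot: `createCertificate()` signs the test certificate with `"SHA1withRSA"` and `testGenerateCertificate()` asserts that exact name; SHA-1 signatures are deprecated and rejected by current TLS stacks, so the main test should use `SHA256withRSA` to make sure `X509CertificateUtil.generateCertificate` is exercised with an algorithm a real deployment would use (a SHA-1 case can stay as an explicit legacy test if the utility must keep accepting it). In `testWriteCertificateToFile()` the PEM markers are asserted as `-BEGIN CERTIFICATE-` and `-END CERTIFICATE-`; if that is not a rendering artifact of the mail, the assertion will not match the standard five-dash `-----BEGIN CERTIFICATE-----` header and the test will fail against a correct writer. Also, `getIssuerDN()` and `getSubjectDN()` are denigrated; `getIssuerX500Principal().getName()` gives a stable RFC 2253 form (note the `expectedDn` string would then need the RFC 2253 spelling).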

[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-19 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200723&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200723
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 
- Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258104585
 
 

 ##
 File path: 
gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
 ##
 @@ -426,6 +426,11 @@ public String getGatewaySecurityDir() {
 return get(SECURITY_DIR, getGatewayDataDir() + File.separator + 
DEFAULT_SECURITY_DIR);
   }
 
+  @Override
+  public String getGatewayKeystoreDir() {
+return new File(getGatewaySecurityDir(), "keystores").getAbsolutePath();
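Review bot: `new File(getGatewaySecurityDir(), "keystores").getAbsolutePath()` repeats the literal `"keystores"` that the default for `gateway.tls.keystore.path` also needs; keep it in one constant next to `DEFAULT_SECURITY_DIR` (a name such as `DEFAULT_KEYSTORE_DIR`, suggested here, not in the hunk) and build the path with `Paths.get(getGatewaySecurityDir(), DEFAULT_KEYSTORE_DIR).toAbsolutePath().toString()` so the keystore directory and the default keystore path cannot drift apart. Unlike `getGatewaySecurityDir()` just above, which consults `SECURITY_DIR` from gateway-site first, this method has no override; that is acceptable only if the keystore directory is intentionally derived rather than configurable on its own.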
 
 Review comment:
   Can use `Paths.get` here
 



Issue Time Tracking
---

Worklog Id: (was: 200723)
Time Spent: 50m  (was: 40m)



[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-19 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200727&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200727
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 
- Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258101064
 
 

 ##
 File path: 
gateway-test/src/test/java/org/apache/knox/gateway/SimpleDescriptorHandlerFuncTest.java
 ##
 @@ -50,6 +51,9 @@
 import static org.junit.Assert.fail;
 
 public class SimpleDescriptorHandlerFuncTest {
+  @Rule
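Review bot: adding a JUnit `@Rule` to `SimpleDescriptorHandlerFuncTest` has nothing to do with making the TLS keystore configurable, and the hunk header (`-50,6 +51,9`) shows an import was added above it as well; split this test-harness change into its own PR so the TLS change stays reviewable on its own. The annotated field is not shown here; for JUnit 4 to apply it, it must be a `public`, non-static field.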
 
 Review comment:
   Useful but change should be outside of this PR
 



Issue Time Tracking
---

Worklog Id: (was: 200727)
Time Spent: 1h 20m  (was: 1h 10m)



[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-19 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200732&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200732
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 
- Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258104177
 
 

 ##
 File path: 
gateway-provider-security-pac4j/src/main/java/org/apache/knox/gateway/pac4j/Pac4jMessages.java
 ##
 @@ -47,4 +47,8 @@
   @Message( level = MessageLevel.INFO, text =
   "No private key passphrase alias found. Defaulting to master. Exception 
encountered: {0}")
   void noPrivateKeyPasshraseProvisioned(Exception e);
+
+  @Message( level = MessageLevel.ERROR, text =
+  "No keystore password alias found. Defaulting to master. Exception 
encountered: {0}")
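Review bot: the new message is declared at `MessageLevel.ERROR` while the parallel `noPrivateKeyPasshraseProvisioned` message three lines up uses `MessageLevel.INFO` for the same situation (alias not found, falling back). Pick one level for both; since the fallback means the master secret silently becomes the keystore password, a level an operator will notice is the safer choice for both. The text should also read "Defaulting to master secret" rather than "Defaulting to master" so the log line names what is actually used. While here, the existing method name `noPrivateKeyPasshraseProvisioned` is misspelled (`Passhrase`).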
 
 Review comment:
   master secret
 



Issue Time Tracking
---

Worklog Id: (was: 200732)
Time Spent: 1h 40m  (was: 1.5h)



[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-19 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200729&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200729
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 
- Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258108015
 
 

 ##
 File path: 
gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreServiceTest.java
 ##
 @@ -0,0 +1,384 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.services.security.impl;
+
+import static 
org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEYSTORE_PASSWORD_ALIAS;
+import static 
org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEYSTORE_PATH;
+import static 
org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEYSTORE_TYPE;
+import static org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEY_ALIAS;
+import static 
org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEY_PASSPHRASE_ALIAS;
+import static 
org.apache.knox.gateway.config.GatewayConfig.SIGNING_KEYSTORE_NAME;
+import static org.apache.knox.gateway.config.GatewayConfig.SIGNING_KEY_ALIAS;
+import static org.easymock.EasyMock.eq;
+import static org.easymock.EasyMock.expect;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Paths;
+import java.security.Key;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Collections;
+import java.util.Locale;
+
+import org.apache.knox.gateway.config.GatewayConfig;
+import org.apache.knox.gateway.config.impl.GatewayConfigImpl;
+import org.apache.knox.gateway.services.ServiceLifecycleException;
+import org.apache.knox.gateway.services.security.KeystoreService;
+import org.apache.knox.gateway.services.security.KeystoreServiceException;
+import org.apache.knox.gateway.services.security.MasterService;
+import org.easymock.EasyMockSupport;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+
+public class DefaultKeystoreServiceTest extends EasyMockSupport {
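Review bot: the test statically imports the new `GatewayConfig` constants (`IDENTITY_KEYSTORE_PATH`, `IDENTITY_KEYSTORE_TYPE`, `IDENTITY_KEYSTORE_PASSWORD_ALIAS`, `IDENTITY_KEY_ALIAS`, `IDENTITY_KEY_PASSPHRASE_ALIAS`), but in the portion shown nothing pins their values to the property names the issue documents (`gateway.tls.keystore.path`, `gateway.tls.keystore.type`, `gateway.tls.keystore.password.alias`, `gateway.tls.key.alias`, `gateway.tls.key.passphrase.alias`) or to the documented defaults (`gateway-identity`, `gateway-identity-keystore-password`, `gateway-identity-passphrase`, `jks`). Add one test that asserts those literal strings: a renamed constant value would otherwise break every deployment's gateway-site without any test noticing. The file also imports the real `GatewayConfigImpl` alongside `EasyMockSupport`; where a case only needs property values, a mocked `GatewayConfig` keeps the test independent of `GATEWAY_HOME` on the build host.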
 
 Review comment:
   Looks like this would be useful outside of the PR
 



Issue Time Tracking
---

Worklog Id: (was: 200729)
Time Spent: 1.5h  (was: 1h 20m)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-19 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200720&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200720
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 
- Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258097404
 
 

 ##
 File path: 
gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java
 ##
 @@ -278,22 +262,14 @@ public boolean isKeystoreForGatewayAvailable() throws 
KeystoreServiceException {
 
   @Override
   public Key getKeyForGateway(String alias, char[] passphrase) throws 
KeystoreServiceException {
-Key key = null;
 readLock.lock();
 try {
-  KeyStore ks = getKeystoreForGateway();
-  if (passphrase == null) {
-passphrase = masterService.getMasterSecret();
-LOG.assumingKeyPassphraseIsMaster();
-  }
-  if (ks != null) {
-try {
-  key = ks.getKey(alias, passphrase);
-} catch (UnrecoverableKeyException | NoSuchAlgorithmException | 
KeyStoreException e) {
-  LOG.failedToGetKeyForGateway( alias, e );
-}
+  try {
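Review bot: this hunk deletes the `passphrase == null` fallback to `masterService.getMasterSecret()` together with the `LOG.assumingKeyPassphraseIsMaster()` notice and the `catch` that reported `failedToGetKeyForGateway( alias, e )`, and the replacement body is not visible here. Confirm that callers passing `null` still get the master-secret default (or that every caller was updated), and that `UnrecoverableKeyException`, `NoSuchAlgorithmException` and `KeyStoreException` are still logged with the alias, because a wrong key passphrase is exactly the misconfiguration an operator needs to see when pointing Knox at an external keystore. The `try {` left directly under the outer `try {` is redundant; one `try` with that catch and `finally { readLock.unlock(); }` is enough.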
 
 Review comment:
   nested try/catch block not needed
 



Issue Time Tracking
---

Worklog Id: (was: 200720)


[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-19 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200722&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200722
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m 
  Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 
- Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258101889
 
 

 ##
 File path: 
gateway-spi/src/main/java/org/apache/knox/gateway/services/security/impl/CMFKeystoreService.java
 ##
 @@ -41,26 +41,24 @@
   private static final String TEST_CERT_DN = 
"CN=hadoop,OU=Test,O=Hadoop,L=Test,ST=Test,C=US";
   private static final String CREDENTIALS_SUFFIX = "-credentials.jceks";
 
-  private String serviceName;
+  private final String serviceName;
+  private final File keyStoreDir;
 
   public CMFKeystoreService(String keystoreDir, String serviceName)
   throws ServiceLifecycleException {
 this.serviceName = serviceName;
-this.keyStoreDir = keystoreDir + File.separator;
-File ksd = new File(this.keyStoreDir);
-if (!ksd.exists() && !ksd.mkdirs()) {
+this.keyStoreDir = new File(keystoreDir);
+if (!this.keyStoreDir.exists() && !this.keyStoreDir.mkdirs()) {
   throw new ServiceLifecycleException("Cannot create the keystore 
directory");
 }
   }
 
   public void createKeystore() throws KeystoreServiceException {
-String filename = keyStoreDir + serviceName + ".jks";
-createKeystore(filename, "JKS");
+createKeystore(new File(keyStoreDir, serviceName + ".jks"), "JKS", 
getMasterSecret());
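Review bot: `createKeystore(new File(keyStoreDir, serviceName + ".jks"), "JKS", getMasterSecret())` hard-codes both the `.jks` suffix and the `"JKS"` type while this PR makes the keystore type configurable elsewhere (`gateway.tls.keystore.type`, default `jks`); derive both from one constant or from the configured type so a deployment that switches to PKCS12 does not end up with a JKS file under a `.jks` name it did not ask for. Separately, the constructor still creates the directory that will hold private keys with `mkdirs()` and default permissions; now that `keyStoreDir` is a `File`, `Files.createDirectories` with owner-only permissions on POSIX hosts would keep the keystore unreadable by other local users from the moment it is written.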
 
 Review comment:
   you have keystore type defined elsewhere. Use it here instead of "JKS"?
 



Issue Time Tracking
---

Worklog Id: (was: 200722)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> h1. Problem
> The location of the keystore housing the Knox Gateway TLS certificate is 
> hardcoded to {{/keystores/gateway.jks}} and the 
> certificate alias is hardcoded to “{{gateway-identity}}”. This limits the 
> ability for external management facilities to set up a custom TLS key and 
> certificate for the Knox Gateway. For example, a host-wide, CA-signed, TLS 
> certificate.
> Knox has configuration hooks for the following (optional) properties
>  * Home Directory
>  ** Gateway-site property: GATEWAY_HOME
>  ** System property: GATEWAY_HOME
>  ** Environment variable: GATEWAY_HOME
>  * Data Directory
>  ** System property: GATEWAY_DATA_HOME
>  ** Environment variable: GATEWAY_DATA_HOME
>  ** Gateway-site property: gateway.data.dir
>  ** Calculated: [Home Directory] + [Path Separator] + “data”
>  * Security Directory
>  ** Gateway-site property: gateway.security.dir
>  ** Calculated: [Data Directory] + [Path Separator] + “security”
> *Note*: the calculation for the home directory is inconsistent with the other 
> directory calculations. This inconsistency may be confusing to users and thus 
> should be fixed to be
>  * System property: GATEWAY_HOME
>  * Environment variable: GATEWAY_HOME
>  * Gateway-site property: gateway.home.dir
> The path to the Knox Gateway TLS keystore is calculated as
> {noformat}
> [Security Directory] + [Path Separator] + “keystores” + [Path Separator] + 
> “gateway.jks”
> {noformat}
> h1. Solution
> To make it easier to use an externally provided TLS key and certificate, the 
> Knox Gateway should allow the TLS keystore file and alias name to be 
> configurable. The following properties should be made available:
>  * TLS Keystore File Path
>  ** Gateway-site property: gateway.tls.keystore.path
>  ** Calculated: [Security Directory] + [Path Separator] + "keystores" + [Path 
> Separator] + "gateway.jks"
>  * TLS Keystore Password Alias (value to be stored in the Knox Gateway 
> credential store)
>  ** Gateway-site property: gateway.tls.keystore.password.alias
>  ** Calculated: "gateway-identity-keystore-password"
>  * TLS Keystore Type
>  ** Gateway-sit

[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable

2019-02-15 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=199453&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-199453
 ]

ASF GitHub Bot logged work on KNOX-1756:


Author: ASF GitHub Bot
Created on: 15/Feb/19 21:49
Start Date: 15/Feb/19 21:49
Worklog Time Spent: 10m 
  Work Description: rlevas commented on pull request #54: [WIP] KNOX-1756 - 
Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54
 
 
   (It is very **important** that you created an Apache Knox JIRA for this 
change and that the PR title/commit message includes the Apache Knox JIRA ID!)
   
   ## What changes were proposed in this pull request?
   
   (Please fill in changes proposed in this fix)
   
   ## How was this patch tested?
   
   (Please explain how this patch was tested. For instance: running automated 
unit/integration tests, manual tests. Please write down your test steps as 
detailed as possible)
   (If this patch involves UI changes, please attach a screen-shot; otherwise, 
remove this)
   
   Please review [Knox Contributing 
Process](https://cwiki.apache.org/confluence/display/KNOX/Contribution+Process#ContributionProcess-GithubWorkflow)
 before opening a pull request.
   
 



Issue Time Tracking
---

Worklog Id: (was: 199453)
Time Spent: 10m
Remaining Estimate: 0h

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.3.0
>Reporter: Robert Levas
>Assignee: Robert Levas
>Priority: Major
>  Labels: keystore, ssl
> Fix For: 1.3.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> h1. Problem
> The location of the keystore housing the Knox Gateway TLS certificate is 
> hardcoded to {{/keystores/gateway.jks}} and the 
> certificate alias is hardcoded to “{{gateway-identity}}”. This limits the 
> ability for external management facilities to set up a custom TLS key and 
> certificate for the Knox Gateway. For example, a host-wide, CA-signed, TLS 
> certificate.
> Knox has configuration hooks for the following (optional) properties
>  * Home Directory
>  ** Gateway-site property: GATEWAY_HOME
>  ** System property: GATEWAY_HOME
>  ** Environment variable: GATEWAY_HOME
>  * Data Directory
>  ** System property: GATEWAY_DATA_HOME
>  ** Environment variable: GATEWAY_DATA_HOME
>  ** Gateway-site property: gateway.security.dir
>  ** Calculated: [Home Directory] + [Path Separator] + “data”
>  * Security Directory
>  ** Gateway-site property: gateway.security.dir
>  ** Calculated: [Data Directory] + [Path Separator] + “security”
> *Note*: the calculation for the home directory is inconsistent with the other 
> directory calculations. This inconsistency may be confusing to users and thus 
> should be fixed to be
>  * System property: GATEWAY_HOME
>  * Environment variable: GATEWAY_HOME
>  * Gateway-site property: gateway.home.dir
> The path to the Knox Gateway TLS keystore is calculated as
> {noformat}
> [Security Directory] + [Path Separator] + “keystores” + 
> [Path Separator] + “gateway.jks”
> {noformat}
> h1. Solution
> To make it easier to use an externally provided TLS key and certificate, the 
> Knox Gateway should allow the TLS keystore file and alias name to be 
> configurable. The following properties should be made available:
>  * TLS Keystore File Path
>  ** Gateway-site property: gateway.tls.keystore.path
>  ** Calculated: [Security Directory] + [Path Separator] + "keystores" + [Path 
> Separator] + "gateway.jks"
>  * TLS Keystore Password Alias (value to be stored in the Knox Gateway 
> credential store)
>  ** Gateway-site property: gateway.tls.keystore.password.alias
>  ** Calculated: "gateway-identity-keystore-password"
>  * TLS Keystore Type
>  ** Gateway-site property: gateway.tls.keystore.type
>  ** Calculated: “jks”
>  * TLS Key Alias
>  ** Gateway-site property: gateway.tls.key.alias
>  ** Calculated: “gateway-identity”
>  * TLS Key Passphrase Alias (value to be stored in the Knox Gateway 
> credential store)
>  ** Gateway-site property: gateway.tls.key.passphrase.alias
>  ** Calculated: "gateway-identity-passphrase"
>  
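The lookup order the issue description spells out (system property, then environment variable, then gateway-site property, then the calculated default, ending in the TLS keystore path and aliases) is easy to get subtly wrong, so here it is as a small self-contained class. This is an added example written for this thread, not Knox's GatewayConfig and not code from PR #54: the class name TlsKeystoreConfigResolver, its methods, and the sample paths in main() are assumptions or constructed values, and gateway-site, system properties and the environment are passed in as plain collections so it runs offline.

```java
import java.io.File;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

/**
 * Resolves the directory chain and TLS keystore settings described in KNOX-1756.
 * Hypothetical class for illustration; it is not Knox's GatewayConfig.
 */
public final class TlsKeystoreConfigResolver {
    private final Map<String, String> gatewaySite; // gateway-site.xml properties
    private final Properties systemProps;          // stand-in for System.getProperties()
    private final Map<String, String> env;         // stand-in for System.getenv()

    public TlsKeystoreConfigResolver(Map<String, String> gatewaySite,
                                     Properties systemProps, Map<String, String> env) {
        this.gatewaySite = gatewaySite;
        this.systemProps = systemProps;
        this.env = env;
    }

    /** First non-blank candidate wins; null when none is set. */
    private static String firstNonBlank(String... candidates) {
        for (String c : candidates) {
            if (c != null && !c.trim().isEmpty()) {
                return c.trim();
            }
        }
        return null;
    }

    /** Home directory: system property, environment variable, then gateway.home.dir
     *  (the consistent order the issue asks for). */
    public String homeDir() {
        String home = firstNonBlank(systemProps.getProperty("GATEWAY_HOME"),
                                    env.get("GATEWAY_HOME"),
                                    gatewaySite.get("gateway.home.dir"));
        if (home == null) {
            throw new IllegalStateException("GATEWAY_HOME is not configured");
        }
        return home;
    }

    /** Data directory: GATEWAY_DATA_HOME (system property, then env), gateway.data.dir, else [home]/data. */
    public String dataDir() {
        String dir = firstNonBlank(systemProps.getProperty("GATEWAY_DATA_HOME"),
                                   env.get("GATEWAY_DATA_HOME"),
                                   gatewaySite.get("gateway.data.dir"));
        return dir != null ? dir : homeDir() + File.separator + "data";
    }

    /** Security directory: gateway.security.dir, else [data]/security. */
    public String securityDir() {
        String dir = firstNonBlank(gatewaySite.get("gateway.security.dir"));
        return dir != null ? dir : dataDir() + File.separator + "security";
    }

    /** TLS keystore: gateway.tls.keystore.path, else [security]/keystores/gateway.jks. */
    public File tlsKeystorePath() {
        String configured = firstNonBlank(gatewaySite.get("gateway.tls.keystore.path"));
        if (configured != null) {
            return new File(configured);
        }
        return new File(new File(securityDir(), "keystores"), "gateway.jks");
    }

    public String tlsKeystoreType() {
        return orDefault("gateway.tls.keystore.type", "jks");
    }

    public String tlsKeystorePasswordAlias() {
        return orDefault("gateway.tls.keystore.password.alias", "gateway-identity-keystore-password");
    }

    public String tlsKeyAlias() {
        return orDefault("gateway.tls.key.alias", "gateway-identity");
    }

    public String tlsKeyPassphraseAlias() {
        return orDefault("gateway.tls.key.passphrase.alias", "gateway-identity-passphrase");
    }

    /** Gateway-site value if present, otherwise the calculated default from the issue. */
    private String orDefault(String property, String defaultValue) {
        String v = firstNonBlank(gatewaySite.get(property));
        return v != null ? v : defaultValue;
    }

    public static void main(String[] args) {
        // Constructed sample: an operator points Knox at a host-wide, CA-signed PKCS12 keystore.
        Map<String, String> site = new HashMap<>();
        site.put("gateway.tls.keystore.path", "/etc/pki/host/host-keystore.p12"); // constructed path
        site.put("gateway.tls.keystore.type", "pkcs12");
        site.put("gateway.tls.key.alias", "host-cert");
        Properties sys = new Properties();
        Map<String, String> env = Collections.singletonMap("GATEWAY_HOME", "/opt/knox");

        TlsKeystoreConfigResolver custom = new TlsKeystoreConfigResolver(site, sys, env);
        System.out.println("keystore: " + custom.tlsKeystorePath() + " (" + custom.tlsKeystoreType() + ")");
        System.out.println("key alias: " + custom.tlsKeyAlias()
            + ", passphrase alias: " + custom.tlsKeyPassphraseAlias());

        // Same environment with nothing overridden falls back to the layout the issue describes.
        TlsKeystoreConfigResolver defaults = new TlsKeystoreConfigResolver(new HashMap<>(), sys, env);
        System.out.println("default keystore: " + defaults.tlsKeystorePath()
            + " (" + defaults.tlsKeystoreType() + ", alias " + defaults.tlsKeyAlias() + ")");
    }
}
```

With an empty gateway-site the resolver reproduces the issue's calculated path, [GATEWAY_HOME]/data/security/keystores/gateway.jks, and the hard-coded alias and type; with the three overrides set it yields the external keystore instead. The value returned by tlsKeystoreType() is what should reach KeyStore.getInstance, rather than a literal "JKS", which is the point the review comment on CMFKeystoreService raises.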



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)