Posted to dev@brooklyn.apache.org by nakomis <gi...@git.apache.org> on 2014/12/12 11:42:06 UTC

[GitHub] incubator-brooklyn pull request: Adds instructions to enable HTTPS

GitHub user nakomis opened a pull request:

    https://github.com/apache/incubator-brooklyn/pull/385

    Adds instructions to enable HTTPS

    

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/nakomis/incubator-brooklyn docs/enable-https

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-brooklyn/pull/385.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #385
    
----
commit 6948018daca98bd24c43a7d0d94dea0f735be27b
Author: Martin Harris <gi...@nakomis.com>
Date:   2014-12-12T10:39:27Z

    Adds instructions to enable HTTPS

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-brooklyn pull request: Adds instructions to enable HTTPS

Posted by richardcloudsoft <gi...@git.apache.org>.
Github user richardcloudsoft commented on a diff in the pull request:

    https://github.com/apache/incubator-brooklyn/pull/385#discussion_r21737819
  
    --- Diff: docs/use/guide/management/index.md ---
    @@ -207,7 +207,23 @@ If not using the web console, you can specify
     During dev/test you can specify `brooklyn.webconsole.security.provider=brooklyn.rest.security.provider.AnyoneSecurityProvider`
     to allow logins with no credentials. 
     
    - 
    +To enable https, you will need a server certificate in a java keystore. To create a self-signed certificate, you can use the
    +following command:
    +
    +`keytool -genkey -keyalg RSA -alias brooklyn -keystore /tmp/https/server.key -storepass mypassword -validity 360 -keysize 2048`
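
Review bot: the added `keytool` command hard-codes `-storepass mypassword` and `-keystore /tmp/https/server.key`, so a reader who pastes it gets the sample password on the command line and a private key in a shared temporary directory that may not exist. Suggest dropping `-storepass` so that keytool prompts for the password, replacing the path with a placeholder the reader must fill in, and noting that without `-dname` keytool asks interactively for the name fields, where the server's host name belongs in the first one.
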
    --- End diff --
    
    `keytool error: java.io.FileNotFoundException: /tmp/https/server.key (No such file or directory)`
    
    ...because I don't have a folder called `/tmp/https`. It's probably also a bad idea to suggest to people that they do anything in /tmp.
    
    I'd suggest stating in big letters that they need to substitute the directory name - e.g.
    `keytool -genkey -keyalg RSA -alias brooklyn -keystore `[**FOLDER**]`/server.key -storepass mypassword -validity 360 -keysize 2048`
    ...
    `brooklyn.webconsole.security.keystore.url=`[**FOLDER**]`/server.key`
    
    This clearly makes it the user's responsibility to choose where they want to store their key file.



[GitHub] incubator-brooklyn pull request: Adds instructions to enable HTTPS

Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:

    https://github.com/apache/incubator-brooklyn/pull/385



[GitHub] incubator-brooklyn pull request: Adds instructions to enable HTTPS

Posted by nakomis <gi...@git.apache.org>.
Github user nakomis commented on the pull request:

    https://github.com/apache/incubator-brooklyn/pull/385#issuecomment-66761144
  
    PR comments addressed



[GitHub] incubator-brooklyn pull request: Adds instructions to enable HTTPS

Posted by richardcloudsoft <gi...@git.apache.org>.
Github user richardcloudsoft commented on the pull request:

    https://github.com/apache/incubator-brooklyn/pull/385#issuecomment-66762038
  
    Perfect. I will merge.



[GitHub] incubator-brooklyn pull request: Adds instructions to enable HTTPS

Posted by richardcloudsoft <gi...@git.apache.org>.
Github user richardcloudsoft commented on the pull request:

    https://github.com/apache/incubator-brooklyn/pull/385#issuecomment-66759233
  
    I've tried out these instructions and they worked well. There's a couple of points which I think are worth making.
    
    1. The command given is creating a keystore with the name "mypassword". The user should be told that they should pick their own password. The same password needs to be used both in the `keytool` command and in brooklyn.properties.
    2. The command is creating a self-signed certificate (fail 1) without a CN field identifying the website server name (fail 2). While this is OK to get an encrypted session, web browsers *will* complain about this. We should inform about this in the instructions; IMO it is acceptable to leave the process of using keytool to insert a *valid* certificate as an exercise for the user (we don't need to describe the whole CSR flow with keytool examples etc.)
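
Added example (not part of the pull request or of any comment in this thread): a shell wrapper that applies the review points raised in the two comments above, checking the keystore directory before calling `keytool`, letting `keytool` prompt for the password, and putting the server name in the CN. The function names and return codes are illustrative assumptions; the certificate is still self-signed, so browsers will still warn about it.

```shell
#!/bin/sh
# Added example: function names and return codes are illustrative only.

# Check the directory that will hold the keystore.
# Returns 0 if usable, 1 if the directory does not exist (keytool would fail
# with FileNotFoundException), 2 if it is world-writable (as /tmp is),
# 3 if a server.key is already present and would be reused.
check_keystore_dir() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ -z "$(find "$dir" -maxdepth 0 -perm -0002)" ] || return 2
    [ ! -e "$dir/server.key" ] || return 3
    return 0
}

# Create a self-signed RSA key pair for host $2 in directory $1.
make_keystore() {
    dir=$1
    host=$2
    check_keystore_dir "$dir" || {
        echo "unusable keystore directory: $dir (code $?)" >&2
        return 1
    }
    # No -storepass: keytool prompts for it, so the password stays out of
    # shell history and the process list. Use the same password afterwards
    # in brooklyn.properties.
    # -dname sets the CN to the server name instead of leaving it unset.
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 360 \
        -alias brooklyn -dname "CN=$host" \
        -keystore "$dir/server.key" || return 1
    # The keystore contains the private key: owner read/write only.
    chmod 600 "$dir/server.key"
}

# Usage: sh make-keystore.sh <existing-private-directory> <server-host-name>
if [ $# -eq 2 ]; then
    make_keystore "$1" "$2"
fi
```
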

