You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ignite.apache.org by "Alexey Kuznetsov (JIRA)" <ji...@apache.org> on 2019/01/16 11:00:04 UTC

[jira] [Commented] (IGNITE-9845) Web Console: Add support of two way ssl authentication in Web Console agent

    [ https://issues.apache.org/jira/browse/IGNITE-9845?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16743863#comment-16743863 ] 

Alexey Kuznetsov commented on IGNITE-9845:
------------------------------------------

Merged to master.

> Web Console: Add support of two way ssl authentication in Web Console agent
> ---------------------------------------------------------------------------
>
>                 Key: IGNITE-9845
>                 URL: https://issues.apache.org/jira/browse/IGNITE-9845
>             Project: Ignite
>          Issue Type: Improvement
>          Components: wizards
>    Affects Versions: 2.6
>            Reporter: Andrey Novikov
>            Assignee: Alexey Kuznetsov
>            Priority: Major
>             Fix For: 2.8
>
>         Attachments: Selection_274.png, generate.bat, generate.sh, jetty-with-ssl.xml, ssl.pdf
>
>
> RestExecutor should not be shared between different users requests in case of two way ssl authentication:
>  * For each token with ssl we need create separated RestExecutor and set up socketFactory and trustManager.
>  * RestExecutor should be removed if token expired.
> Add program arguments for passing client certificate, client password, trust store, trust store password for ignite node connection and web console backend. 
> Example on okhttp: [https://github.com/square/okhttp/blob/cd872fd83824512c128dcd80c04d445c8a2fc8eb/okhttp-tests/src/test/java/okhttp3/internal/tls/ClientAuthTest.java]
> Upgrade socket-io from 1.x to 2.x.
> Add support for SSL cipher suites
> Add tests.
> ---------------------------
> *How to do local testing:*
> On Windows
>  # Download Open SSL:  Download Open SSL for Windows from [https://wiki.openssl.org/index.php/Binaries]
>  # Unpack it.
> On Linux - it is usually built-in.
> Generate keys with provided script (see attached generate.bat, it could be easily adapted for Linux).
>  
> Add to etc/hosts: 
>     127.0.0.1 localhost console.test.local
>  ----------------------------
> After that configure SSL for:
>  # Web Console back-end.
>  # Web Agent.
>  # Cluster.
> *Configure Web Console back-end settings:*
>   "ssl": true,
>    "key": "some_path/server.key",
>    "cert": "some_path/server.crt",
>    "ca": "some_path/ca.crt",
>    "keyPassphrase": "p123456",
> *Configure Web Agent parameters (see parameters descriptions):*
> -t your_token
> -s [https://console.test.local:3000|https://console.test.local:3000/] -n [https://console.test.local:11443|https://console.test.local:11443/]
>  -nks client.jks -nkp p123456
>  -nts ca.jks -ntp p123456
>  -sks client.jks -skp p123456
>  -sts ca.jks -stp p123456
>  *Configure cluster JETTY config (see FULL config attached):*
> <New id="httpsCfg" class="org.eclipse.jetty.server.HttpConfiguration">
>    <Set name="secureScheme">https</Set>
>    <Set name="securePort"><SystemProperty name="IGNITE_JETTY_PORT" default="11443"/></Set>
>    <Set name="sendServerVersion">true</Set>
>    <Set name="sendDateHeader">true</Set>
>    <Call name="addCustomizer">  <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg></Call>
>  </New>
> <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
>    <Set name="keyStorePath">some_path/server.jks</Set>
>    <Set name="keyStorePassword">p123456</Set>
>    <Set name="trustStorePath">some_path/ca.jks</Set>
>    <Set name="trustStorePassword">p123456</Set>
>    <Set name="needClientAuth">true</Set>
>  </New>
> *How to start secure web console in direct install edition in Ubuntu:*
>  # Download ignite web console direct install for linux ZIP archive .
>  # Unpack downloaded archive to goal folder.
>  # Generate SSL certificates.
>  # Copy generated certificates to folder with unpacked web console direct install.
>  # Open terminal and navigate to folder with unpacked web console direct install.
>  # Run web console with the next command:
> {code:java}
>  ignite-web-console-linux --server:port 11443 --server:ssl true --server:requestCert true --server:key "server.key" --server:cert "server.crt" --server:ca "ca.crt" --server:passphrase "p123456"{code}
>       7. Import client.p12 certificate into your browser. See attached screenstot in Chrome browser.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)