You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ignite.apache.org by "Alexey Kuznetsov (JIRA)" <ji...@apache.org> on 2019/01/16 11:00:04 UTC
[jira] [Commented] (IGNITE-9845) Web Console: Add support of two
way ssl authentication in Web Console agent
[ https://issues.apache.org/jira/browse/IGNITE-9845?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16743863#comment-16743863 ]
Alexey Kuznetsov commented on IGNITE-9845:
------------------------------------------
Merged to master.
> Web Console: Add support of two way ssl authentication in Web Console agent
> ---------------------------------------------------------------------------
>
> Key: IGNITE-9845
> URL: https://issues.apache.org/jira/browse/IGNITE-9845
> Project: Ignite
> Issue Type: Improvement
> Components: wizards
> Affects Versions: 2.6
> Reporter: Andrey Novikov
> Assignee: Alexey Kuznetsov
> Priority: Major
> Fix For: 2.8
>
> Attachments: Selection_274.png, generate.bat, generate.sh, jetty-with-ssl.xml, ssl.pdf
>
>
> RestExecutor should not be shared between different users requests in case of two way ssl authentication:
> * For each token with ssl we need create separated RestExecutor and set up socketFactory and trustManager.
> * RestExecutor should be removed if token expired.
> Add program arguments for passing client certificate, client password, trust store, trust store password for ignite node connection and web console backend.
> Example on okhttp: [https://github.com/square/okhttp/blob/cd872fd83824512c128dcd80c04d445c8a2fc8eb/okhttp-tests/src/test/java/okhttp3/internal/tls/ClientAuthTest.java]
> Upgrade socket-io from 1.x to 2.x.
> Add support for SSL cipher suites
> Add tests.
> ---------------------------
> *How to do local testing:*
> On Windows
> # Download Open SSL: Download Open SSL for Windows from [https://wiki.openssl.org/index.php/Binaries]
> # Unpack it.
> On Linux - it is usually built-in.
> Generate keys with provided script (see attached generate.bat, it could be easily adapted for Linux).
>
> Add to etc/hosts:
> 127.0.0.1 localhost console.test.local
> ----------------------------
> After that configure SSL for:
> # Web Console back-end.
> # Web Agent.
> # Cluster.
> *Configure Web Console back-end settings:*
> "ssl": true,
> "key": "some_path/server.key",
> "cert": "some_path/server.crt",
> "ca": "some_path/ca.crt",
> "keyPassphrase": "p123456",
> *Configure Web Agent parameters (see parameters descriptions):*
> -t your_token
> -s [https://console.test.local:3000|https://console.test.local:3000/] -n [https://console.test.local:11443|https://console.test.local:11443/]
> -nks client.jks -nkp p123456
> -nts ca.jks -ntp p123456
> -sks client.jks -skp p123456
> -sts ca.jks -stp p123456
> *Configure cluster JETTY config (see FULL config attached):*
> <New id="httpsCfg" class="org.eclipse.jetty.server.HttpConfiguration">
> <Set name="secureScheme">https</Set>
> <Set name="securePort"><SystemProperty name="IGNITE_JETTY_PORT" default="11443"/></Set>
> <Set name="sendServerVersion">true</Set>
> <Set name="sendDateHeader">true</Set>
> <Call name="addCustomizer"> <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg></Call>
> </New>
> <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
> <Set name="keyStorePath">some_path/server.jks</Set>
> <Set name="keyStorePassword">p123456</Set>
> <Set name="trustStorePath">some_path/ca.jks</Set>
> <Set name="trustStorePassword">p123456</Set>
> <Set name="needClientAuth">true</Set>
> </New>
> *How to start secure web console in direct install edition in Ubuntu:*
> # Download ignite web console direct install for linux ZIP archive .
> # Unpack downloaded archive to goal folder.
> # Generate SSL certificates.
> # Copy generated certificates to folder with unpacked web console direct install.
> # Open terminal and navigate to folder with unpacked web console direct install.
> # Run web console with the next command:
> {code:java}
> ignite-web-console-linux --server:port 11443 --server:ssl true --server:requestCert true --server:key "server.key" --server:cert "server.crt" --server:ca "ca.crt" --server:passphrase "p123456"{code}
> 7. Import client.p12 certificate into your browser. See attached screenstot in Chrome browser.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)