Posted to dev@knox.apache.org by "Larry McCay (JIRA)" <ji...@apache.org> on 2016/09/07 20:58:20 UTC

[jira] [Commented] (KNOX-733) Add support for custom truststore to Knox shell client

    [ https://issues.apache.org/jira/browse/KNOX-733?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15471780#comment-15471780 ] 

Larry McCay commented on KNOX-733:
----------------------------------

The following can be used to export the public cert for the gateway to a JKS in the GATEWAY_HOME/data/security/keystores directory with a file name of gateway-client-trust.jks. The default password is "changeit" to align with the JVM default.

{code}
bin/knoxcli.sh export-cert --type JKS
Certificate gateway-identity has been successfully exported to: /Users/larry/Projects/incubator-knox/install/knox-0.10.0-SNAPSHOT/bin/../data/security/keystores/gateway-client-trust.jks
{code}

The admin may then distribute the truststore out of band to clients that need it.

Clients have a couple of options to use with the truststore:

1. put it in their home directory and it will be automatically found
2. put it somewhere else and set the KNOX_CLIENT_TRUSTSTORE_DIR environment variable and it will be found
3. you may also rename the keystore if that makes sense for multiple gateway instances or something. You just need to set the KNOX_CLIENT_TRUSTSTORE_FILENAME environment variable. If you change the password then you can set the KNOX_CLIENT_TRUSTSTORE_PASS to provide the new one to use.
4. you can also set the JSSE system properties for the truststore (javax.net.ssl.trustStore) and password (javax.net.ssl.trustStorePassword)

The following can be used to export the cert in PEM format:

{code}
bin/knoxcli.sh export-cert --type PEM
Certificate gateway-identity has been successfully exported to: /Users/larry/Projects/incubator-knox/install/knox-0.10.0-SNAPSHOT/bin/../data/security/keystores/gateway-identity.pem
{code}

The admin can then distribute the PEM formatted export to clients out of band.

The clients may then import the PEM encoded cert into cacerts or another truststore. When using cacerts, it will be automatically found as long as it is in JAVA_HOME/lib/security/cacerts. Otherwise, use the previously described environment variables or system properties to point to the proper truststore.

[~snowch] - can you verify whether this set of enhancements will meet your requirements?
I don't have the "find the truststore in the jar" requirement covered here but we can follow up with another JIRA if that is really necessary.


> Add support for custom truststore to Knox shell client
> ------------------------------------------------------
>
>                 Key: KNOX-733
>                 URL: https://issues.apache.org/jira/browse/KNOX-733
>             Project: Apache Knox
>          Issue Type: Bug
>            Reporter: chris snow
>            Assignee: Larry McCay
>             Fix For: 0.10.0
>
>         Attachments: KNOX-733-001.patch
>
>
> The Knox shell client does not verify the certificate of the server.  
> One option would be to provide another method where developers can provide their own client, e.g.
> public static Hadoop login( String url, String username, String password, HttpClient client ) throws URISyntaxException { }
> https://github.com/apache/knox/blob/master/gateway-shell/src/main/java/org/apache/hadoop/gateway/shell/Hadoop.java#L60
> I can provide a patch if you are happy with this approach.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
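As an added illustration, not code from Knox or from the comment's author, here is a Java client-side helper that applies the lookup rules listed in the comment (JSSE system properties, KNOX_CLIENT_TRUSTSTORE_DIR/FILENAME/PASS, the home directory, then cacerts) and builds an SSLContext that actually validates the gateway certificate. The class name KnoxClientTrust and the precedence order among those sources are assumptions; the comment lists the options without ordering them.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Added example (not Knox code): resolves the client truststore per the lookup rules in the comment. */
public final class KnoxClientTrust {
  // Defaults named in the comment: the exported file name and the JVM-default password.
  static final String DEFAULT_FILENAME = "gateway-client-trust.jks";
  static final String DEFAULT_PASSWORD = "changeit";
  /** Returns the truststore path, or null if no candidate exists. The precedence order is an assumption. */
  static Path resolve() {
    // JSSE system property first, when the user set it explicitly.
    String jsse = System.getProperty("javax.net.ssl.trustStore");
    if (jsse != null && Files.isRegularFile(Paths.get(jsse))) return Paths.get(jsse);
    // KNOX_CLIENT_TRUSTSTORE_DIR (default: home directory) + KNOX_CLIENT_TRUSTSTORE_FILENAME.
    String dir = env("KNOX_CLIENT_TRUSTSTORE_DIR", System.getProperty("user.home"));
    Path p = Paths.get(dir, env("KNOX_CLIENT_TRUSTSTORE_FILENAME", DEFAULT_FILENAME));
    if (Files.isRegularFile(p)) return p;
    // Last resort: the JVM's cacerts, where a PEM import via keytool would land.
    Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    return Files.isRegularFile(cacerts) ? cacerts : null;
  }

  /** Builds an SSLContext that validates the gateway's chain against the resolved truststore only. */
  static SSLContext sslContext() throws Exception {
    Path path = resolve();
    if (path == null) throw new IllegalStateException("no client truststore found");
    String prop = System.getProperty("javax.net.ssl.trustStorePassword");
    char[] pw = (prop != null ? prop : env("KNOX_CLIENT_TRUSTSTORE_PASS", DEFAULT_PASSWORD)).toCharArray();
    KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
    try (InputStream in = Files.newInputStream(path)) { ts.load(in, pw); }
    // A truststore with no trusted-cert entries would fail every handshake with an opaque error.
    boolean hasTrusted = false;
    for (String alias : Collections.list(ts.aliases())) hasTrusted |= ts.isCertificateEntry(alias);
    if (!hasTrusted) throw new IllegalStateException("no trusted certificates in " + path);
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ts); // default PKIX trust manager: real chain validation, never a trust-all manager
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, tmf.getTrustManagers(), null);
    return ctx;
  }

  private static String env(String n, String d) { String v = System.getenv(n); return (v == null || v.isEmpty()) ? d : v; }
}
```

Passing the returned SSLContext to the HTTP client means a gateway whose certificate is not in the chosen truststore fails the handshake instead of being silently accepted, which is the gap the issue describes.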