Posted to notifications@logging.apache.org by "Yi (Jira)" <ji...@apache.org> on 2021/01/07 08:33:00 UTC

[jira] [Comment Edited] (LOG4J2-2988) SocketAppender is not able to reload key and certs

    [ https://issues.apache.org/jira/browse/LOG4J2-2988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17260312#comment-17260312 ] 

Yi edited comment on LOG4J2-2988 at 1/7/21, 8:32 AM:
-----------------------------------------------------

Thank you guys for the quick reply.

Basically we are able to replace the same file with the renewed keys and certificates periodically.

For us, a relatively simple solution would be to let Log4j2 watch the file specified by the location param in KeyStore and TrustStore, and reload the SslConfiguration once the file is updated.

And probably it is not an optimal solution to ask Log4j2 to actively tear down the current connection and re-establish a new one once the keys and certs are renewed. Instead, maybe it is better to do it in a passive way, to rely on the inner class Reconnector within TcpSocketManager to re-establish a connection with the renewed keys and certs when the server side tears down the connection.

Of course this solution does not solve the whole problem, but it makes it possible to use the new keys and certs with the least change in Log4j.


was (Author: winniegy):
Basically we are able to replace the same file with the renewed keys and certificates periodically.

For us, a relatively simple solution would be to let Log4j2 watch the file specified by the location param in KeyStore and TrustStore, and reload the SslConfiguration once the file is updated.

And probably it is not an optimal solution to ask Log4j2 to actively tear down the current connection and re-establish a new one once the keys and certs are renewed. Instead, maybe it is better to do it in a passive way, to rely on the inner class Reconnector within TcpSocketManager to re-establish a connection with the renewed keys and certs when the server side tears down the connection.

Of course this solution does not solve the whole problem, but it makes it possible to use the new keys and certs with the least change in Log4j.

> SocketAppender is not able to reload key and certs
> --------------------------------------------------
>
>                 Key: LOG4J2-2988
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-2988
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: Appenders
>    Affects Versions: 2.13.3
>         Environment: java version, 11.0.9+11
> Log4j2 2.13.3
>            Reporter: Yi
>            Priority: Major
>
> Hi,
> We try to use log4j2 with SocketAppender and SSL configuration to stream our logs to a dedicated server side. We use mTLS to establish a TLS connection between Log4j2 and the log server. In other words, there are a client key pair and certificate. In our environment, our client certificate is short-lived and the client key and certificate are automatically renewed periodically. The client credentials are provided within a jks file.
> However, we discovered a problem: Log4j2 is not able to reload the key and certificate once they are renewed, either by updating the current jks file or by switching to another jks file.
> We have tried to set monitor-interval in the Configuration part, periodically modify the log4j2 configuration file (e.g., update the keystore file path, update the appender name, etc.), and even invoke reconfiguration in our code, but unfortunately the key and certificate are not reloaded correctly.
> We understand that Log4j2 SslSocketManager and its parent TcpSocketManager basically keep a long-lived connection with the server and do not start a new connection if the current one works fine. We observe the problem that once the server tears down the connection, Log4j2 is not able to re-establish a connection due to the outdated client certificate.
>  
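The reload-on-change approach proposed in the comment above (re-read the keystore and truststore when the file on disk changes, and let the reconnect path pick up the fresh material) can be sketched outside Log4j with plain JSSE. The following is an added example written for this thread; it is not Log4j's code and not the fix the project eventually shipped. The class name, constructor parameters and the `socketFactory()` method are hypothetical, and the keystore and truststore paths are whatever the caller passes in. A reconnect routine, in the role the comment assigns to `Reconnector`, would call `socketFactory()` every time it opens a new socket instead of caching one factory for the life of the manager.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical helper (not part of Log4j): rebuilds an SSLContext from a JKS
 * keystore and truststore whenever either file's last-modified time changes,
 * so that each newly opened connection presents the renewed client certificate.
 */
public final class ReloadingSslContextSupplier {
    private final Path keyStorePath;
    private final char[] keyStorePassword;
    private final Path trustStorePath;
    private final char[] trustStorePassword;

    // Modification times observed when the current context was built.
    private FileTime seenKeyStoreMtime;
    private FileTime seenTrustStoreMtime;
    private SSLContext current;

    public ReloadingSslContextSupplier(Path keyStorePath, char[] keyStorePassword,
                                       Path trustStorePath, char[] trustStorePassword) {
        this.keyStorePath = keyStorePath;
        this.keyStorePassword = keyStorePassword;
        this.trustStorePath = trustStorePath;
        this.trustStorePassword = trustStorePassword;
    }

    /**
     * Returns a socket factory backed by the key material currently on disk.
     * Call this on every (re)connect rather than caching the result.
     */
    public synchronized SSLSocketFactory socketFactory()
            throws IOException, GeneralSecurityException {
        FileTime ksMtime = Files.getLastModifiedTime(keyStorePath);
        FileTime tsMtime = Files.getLastModifiedTime(trustStorePath);
        boolean changed = current == null
                || !ksMtime.equals(seenKeyStoreMtime)
                || !tsMtime.equals(seenTrustStoreMtime);
        if (changed) {
            try {
                current = build();
                seenKeyStoreMtime = ksMtime;
                seenTrustStoreMtime = tsMtime;
            } catch (IOException | GeneralSecurityException e) {
                // A file caught mid-rewrite fails to load; keep serving the last
                // good context if we have one, and retry on the next connect.
                if (current == null) {
                    throw e;
                }
            }
        }
        return current.getSocketFactory();
    }

    private SSLContext build() throws IOException, GeneralSecurityException {
        KeyStore ks = loadJks(keyStorePath, keyStorePassword);
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyStorePassword);

        KeyStore ts = loadJks(trustStorePath, trustStorePassword);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        // TLSv1.3 is available on the Java 11 runtime named in the ticket.
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    private static KeyStore loadJks(Path path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore store = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path.toFile())) {
            store.load(in, password);
        }
        return store;
    }
}
```

Two points matter in practice. First, this only helps if the connection is actually re-opened: as the comment notes, an existing TLS session keeps the certificate it was established with, so the renewed material is used when the server drops the connection and the client reconnects. Second, a modification-time check can observe a keystore that the renewal job is still writing; the example keeps the last good context on a load failure, and the renewal job should write to a temporary file and rename it into place so the watcher never sees a half-written store.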



--
This message was sent by Atlassian Jira
(v8.3.4#803005)