Posted to notifications@james.apache.org by GitBox <gi...@apache.org> on 2021/11/16 14:26:52 UTC

[GitHub] [james-project] ottoka opened a new pull request #751: JAMES-3673 : Separate trust store for S3

ottoka opened a new pull request #751:
URL: https://github.com/apache/james-project/pull/751


   Since James supports S3 blob storage access via HTTPS, it should be possible to configure a specific trust store for validating the S3 server certificate. This lets users "pin" this certificate, and better separate the trust realms of infrastructure and public services (SMTP, IMAP etc.).
   
   This can be achieved in blob.properties with the usual set of configuration options for such cases, such as:
   
   ```
   objectstorage.s3.truststore.path=/conf/s3trust.p12
   objectstorage.s3.truststore.type=PKCS12
   objectstorage.s3.truststore.secret=yoursecret
   objectstorage.s3.truststore.algorithm=SunX509
   ```
   T-Shirt size M.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@james.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@james.apache.org
For additional commands, e-mail: notifications-help@james.apache.org
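
How the four properties in the pull request description map onto the JDK trust-store APIs, as an added example (not code from the pull request or from James). The class name, the fallback defaults and the empty-store check are assumptions of this example.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Collections;
import java.util.Properties;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added illustration, not James code (Java 11+): blob.properties keys -> JSSE objects.
public class S3TrustStoreExample {
    static final String PREFIX = "objectstorage.s3.truststore.";

    // Returns null when no path is configured, so the caller keeps the JVM default trust store.
    static TrustManagerFactory fromProperties(Properties p) throws Exception {
        String path = p.getProperty(PREFIX + "path");
        if (path == null) return null;
        // The defaults below are assumptions of this example, not documented James defaults.
        String type = p.getProperty(PREFIX + "type", KeyStore.getDefaultType());
        String algorithm = p.getProperty(PREFIX + "algorithm", TrustManagerFactory.getDefaultAlgorithm());
        String secret = p.getProperty(PREFIX + "secret", "");
        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(Path.of(path))) {
            store.load(in, secret.toCharArray());
        }
        // Fail closed at startup: a store without trusted-certificate entries validates nothing.
        boolean hasAnchor = false;
        for (String alias : Collections.list(store.aliases())) {
            hasAnchor |= store.isCertificateEntry(alias);
        }
        if (!hasAnchor) {
            throw new IllegalStateException("no trusted certificate entries in " + path);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
        tmf.init(store);
        return tmf;
    }
    public static void main(String[] args) throws Exception {
        Properties p = new Properties();
        try (InputStream in = Files.newInputStream(Path.of(args[0]))) { // path to blob.properties
            p.load(in);
        }
        TrustManagerFactory tmf = fromProperties(p);
        if (tmf == null) { System.out.println("no S3 trust store configured"); return; }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // trusts only what the configured store holds
        System.out.println("S3 TLS context built from " + p.getProperty(PREFIX + "path"));
    }
}
```

A TLS context built this way accepts only chains that lead to a certificate in the configured file, which is what makes the "pinning" described above effective.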


[GitHub] [james-project] Arsnael commented on a change in pull request #751: JAMES-3673 : Separate trust store for S3

Posted by GitBox <gi...@apache.org>.
Arsnael commented on a change in pull request #751:
URL: https://github.com/apache/james-project/pull/751#discussion_r751882135



##########
File path: src/site/xdoc/server/config-blobstore.xml
##########
@@ -167,6 +167,18 @@ generate salt with : openssl rand -hex 16
 
                         <dt><strong>objectstorage.s3.http.concurrency</strong></dt>
                         <dd>Allow setting the number of concurrent HTTP requests allowed by the Netty driver.</dd>
+
+                        <dt><strong>objectstorage.s3.truststore.path</strong></dt>
+                        <dd><i>optional:</i> Verify the S3 server certificate against this trust store file.</dd>
+
+                        <dt><strong>objectstorage.s3.truststore.type</strong></dt>
+                        <dd><i>optional:</i> Sepecify the type of the trust store, e.g. JKS, PKCS12</dd>
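
Review bot: the `objectstorage.s3.truststore.path` entry says only that the certificate is verified "against this trust store file"; it should also state what is trusted when the property is left unset, and whether the configured file replaces the default trust anchors or is added to them, because that decides whether setting it actually narrows the set of S3 certificates that are accepted. One extra sentence in this `<dd>` covering both cases would be enough.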

Review comment:
       ```suggestion
                           <dd><i>optional:</i> Specify the type of the trust store, e.g. JKS, PKCS12</dd>
   ```

##########
File path: server/apps/distributed-app/docs/modules/ROOT/pages/configure/blobstore.adoc
##########
@@ -127,6 +127,18 @@ Maximum size of stored objects expressed in bytes.
 
 | objectstorage.s3.http.concurrency
 | Allow setting the number of concurrent HTTP requests allowed by the Netty driver.
+
+| objectstorage.s3.truststore.path
+| optional: Verify the S3 server certificate against this trust store file.
+
+| objectstorage.s3.truststore.type
+| optional: Sepecify the type of the trust store, e.g. JKS, PKCS12
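
Review bot: the `objectstorage.s3.truststore.type` row lists JKS and PKCS12 as examples but names no default, so a reader who sets only the path cannot tell which format the file is expected to be in. State the default in this row, and keep the wording identical to the matching entry in config-blobstore.xml so the two pages do not drift apart.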

Review comment:
       ```suggestion
   | optional: Specify the type of the trust store, e.g. JKS, PKCS12
   ```






[GitHub] [james-project] chibenwa merged pull request #751: JAMES-3673 : Separate trust store for S3

Posted by GitBox <gi...@apache.org>.
chibenwa merged pull request #751:
URL: https://github.com/apache/james-project/pull/751


   

