Posted to issues@ozone.apache.org by "István Fajth (Jira)" <ji...@apache.org> on 2023/05/10 13:24:00 UTC

[jira] [Updated] (HDDS-7486) Support KeyStoreFactory which supports keyManager and trustManager reload

     [ https://issues.apache.org/jira/browse/HDDS-7486?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

István Fajth updated HDDS-7486:
-------------------------------
        Parent: HDDS-7332
    Issue Type: Sub-task  (was: Improvement)

> Support KeyStoreFactory which supports keyManager and trustManager reload
> -------------------------------------------------------------------------
>
>                 Key: HDDS-7486
>                 URL: https://issues.apache.org/jira/browse/HDDS-7486
>             Project: Apache Ozone
>          Issue Type: Sub-task
>          Components: Security
>            Reporter: Sammi Chen
>            Assignee: Sammi Chen
>            Priority: Major
>              Labels: pki, pull-request-available
>             Fix For: 1.4.0
>
>
> To enable private key and certificate hotswap in OM and DN without a service restart, we need to replace the private key and certificates used in running grpc servers/clients. 
>  
> To build a secure netty or grpc server/client, SslContextBuilder is used to hold the SSL context. SslContextBuilder currently supports several ways to configure the key and cert of the service itself and the trust certs used to verify the remote peer.
> For trust certs, the user can configure one of the following by providing:
> a. trustManager
> b. trustManagerFactory
> c. a list of trust certificates objects
>  
> For the key and cert of the service itself, the user can provide:
> a. a private key file, and a cert chain file
> b. a private key file input stream and a cert chain file input stream
> c. a PrivateKey object and a list of certs objects
> d. a keyManager
> e. a keyManagerFactory
>  
> Of all the ways that SslContextBuilder accepts, only the keyManager and keyManagerFactory leave room for a dynamic key and cert refresh at runtime. This is easier to do with a keyManager than with a keyManagerFactory.
> So this task is to implement an Ozone-customized KeyStoreFactory which will provide a customized KeyManager and trustManager capable of reloading and refreshing the key and certs in use at runtime.
>  
> An established TLS/SSL connection usually will not be impacted when the certificate expires after the connection is established. But new clients will fail, because the connection from client to server will fail due to the expired server certificate.
>  



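The description above says the keyManager / trustManager route is the one that leaves room for a runtime refresh. The following is an added illustration of that idea, written for this page; it is not Ozone's KeyStoreFactory and not code from the ticket. It uses only the JDK: each manager wraps an AtomicReference to a delegate built by the standard KeyManagerFactory / TrustManagerFactory, and reload() rebuilds the delegate from a PKCS12 file and swaps it. The file paths, passwords and the PKCS12 format are assumptions for the example; Ozone stores its key and certificates differently.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;

/**
 * Hot-swappable key and trust managers (added example, not Ozone's implementation).
 * The JDK provider calls chooseEngineServerAlias / getPrivateKey / getCertificateChain on
 * every handshake, so swapping the delegate takes effect for the next handshake without
 * rebuilding the SslContext. Already-established connections are untouched, matching the
 * behaviour the ticket describes.
 */
public final class ReloadingTlsMaterial {

    /** Loads a PKCS12 store from disk (format assumed for the example). */
    static KeyStore loadPkcs12(Path path, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static final class ReloadingKeyManager extends X509ExtendedKeyManager {
        private final AtomicReference<X509ExtendedKeyManager> delegate = new AtomicReference<>();

        public ReloadingKeyManager(Path keyStore, char[] password) throws IOException, GeneralSecurityException {
            reload(keyStore, password);
        }

        /** Parses the new material completely before the swap, so a bad file never leaves the server without a key. */
        public void reload(Path keyStore, char[] password) throws IOException, GeneralSecurityException {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadPkcs12(keyStore, password), password);
            for (KeyManager km : kmf.getKeyManagers()) {
                if (km instanceof X509ExtendedKeyManager) {
                    delegate.set((X509ExtendedKeyManager) km);
                    return;
                }
            }
            throw new GeneralSecurityException("keystore yielded no X509ExtendedKeyManager");
        }

        private X509ExtendedKeyManager d() { return delegate.get(); }

        @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return d().getClientAliases(keyType, issuers); }
        @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return d().chooseClientAlias(keyType, issuers, socket); }
        @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return d().getServerAliases(keyType, issuers); }
        @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return d().chooseServerAlias(keyType, issuers, socket); }
        @Override public X509Certificate[] getCertificateChain(String alias) { return d().getCertificateChain(alias); }
        @Override public PrivateKey getPrivateKey(String alias) { return d().getPrivateKey(alias); }
        // Netty and gRPC drive an SSLEngine, so the engine variants are the ones that matter;
        // the base class returns null for them, which would silently disable the key.
        @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) { return d().chooseEngineClientAlias(keyType, issuers, engine); }
        @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) { return d().chooseEngineServerAlias(keyType, issuers, engine); }
    }

    public static final class ReloadingTrustManager extends X509ExtendedTrustManager {
        private final AtomicReference<X509ExtendedTrustManager> delegate = new AtomicReference<>();

        public ReloadingTrustManager(Path trustStore, char[] password) throws IOException, GeneralSecurityException {
            reload(trustStore, password);
        }

        /** Same swap pattern for trust anchors: a newly added CA is honoured by the next handshake. */
        public void reload(Path trustStore, char[] password) throws IOException, GeneralSecurityException {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(loadPkcs12(trustStore, password));
            for (TrustManager tm : tmf.getTrustManagers()) {
                if (tm instanceof X509ExtendedTrustManager) {
                    delegate.set((X509ExtendedTrustManager) tm);
                    return;
                }
            }
            throw new GeneralSecurityException("truststore yielded no X509ExtendedTrustManager");
        }

        private X509ExtendedTrustManager d() { return delegate.get(); }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { d().checkClientTrusted(chain, authType); }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { d().checkServerTrusted(chain, authType); }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException { d().checkClientTrusted(chain, authType, socket); }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException { d().checkServerTrusted(chain, authType, socket); }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException { d().checkClientTrusted(chain, authType, engine); }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException { d().checkServerTrusted(chain, authType, engine); }
        @Override public X509Certificate[] getAcceptedIssuers() { return d().getAcceptedIssuers(); }
    }
}
```

Usage is the keyManager / trustManager branch the ticket singles out: one instance of each is created at startup and handed to netty's SslContextBuilder (SslContextBuilder.forServer(keyManager).trustManager(trustManager), run through GrpcSslContexts.configure for gRPC); a renewal then calls reload() on both and never touches the builder or the running server. Two checks a practitioner would add: with netty's OpenSSL provider, confirm the key manager is still consulted per handshake rather than having its material copied once at context creation (the JDK provider always re-asks), and keep reload() failing loudly on a truncated or mis-passworded file so the previous, still-valid material stays in place.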