This is an automated email from the ASF dual-hosted git repository.

nkruber pushed a commit to branch release-1.7
in repository https://gitbox.apache.org/repos/asf/flink.git


The following commit(s) were added to refs/heads/release-1.7 by this push:
     new 272fafe  [FLINK-12871][docs] fix separate keypass not compatible with 
PKCS12 stores
272fafe is described below

commit 272fafe66830a99e99dffdc42ea27c00a6cc8a5e
Author: Nico Kruber <n...@ververica.com>
AuthorDate: Mon Jun 17 15:43:29 2019 +0200

    [FLINK-12871][docs] fix separate keypass not compatible with PKCS12 stores
---
 docs/ops/security-ssl.md | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/docs/ops/security-ssl.md b/docs/ops/security-ssl.md
index 77099eb..515e1f2 100644
--- a/docs/ops/security-ssl.md
+++ b/docs/ops/security-ssl.md
@@ -170,7 +170,7 @@ For the externally facing REST endpoint, the common name or 
subject alternative
 Execute the following keytool commands to create a key pair in a keystore:
 
 {% highlight bash %}
-keytool -genkeypair -alias flink.internal -keystore internal.keystore -dname 
"CN=flink.internal" -storepass internal_store_password -keypass 
internal_key_password -keyalg RSA -keysize 4096
+keytool -genkeypair -alias flink.internal -keystore internal.keystore -dname 
"CN=flink.internal" -storepass internal_store_password -keyalg RSA -keysize 
4096 -storetype PKCS12
 {% endhighlight %}
 
 The single key/certificate in the keystore is used the same way by the server 
and client endpoints (mutual authentication).
@@ -182,7 +182,7 @@ security.ssl.internal.keystore: 
/path/to/flink/conf/internal.keystore
 security.ssl.internal.truststore: /path/to/flink/conf/internal.keystore
 security.ssl.internal.keystore-password: internal_store_password
 security.ssl.internal.truststore-password: internal_store_password
-security.ssl.internal.key-password: internal_key_password
+security.ssl.internal.key-password: internal_store_password
 {% endhighlight %}
 
 **REST Endpoint**
@@ -198,7 +198,7 @@ This example shows how to create a simple keystore / 
truststore pair. The trusts
 be shared with other applications. In this example, *myhost.company.org / 
ip:10.0.2.15* is the node (or service) for the Flink master.
 
 {% highlight bash %}
-keytool -genkeypair -alias flink.rest -keystore rest.keystore -dname 
"CN=myhost.company.org" -ext "SAN=dns:myhost.company.org,ip:10.0.2.15" 
-storepass rest_keystore_password -keypass rest_key_password -keyalg RSA 
-keysize 4096 -storetype PKCS12
+keytool -genkeypair -alias flink.rest -keystore rest.keystore -dname 
"CN=myhost.company.org" -ext "SAN=dns:myhost.company.org,ip:10.0.2.15" 
-storepass rest_keystore_password -keyalg RSA -keysize 4096 -storetype PKCS12
 
 keytool -exportcert -keystore rest.keystore -alias flink.rest -storepass 
rest_keystore_password -file flink.cer
 
@@ -211,7 +211,7 @@ security.ssl.rest.keystore: 
/path/to/flink/conf/rest.keystore
 security.ssl.rest.truststore: /path/to/flink/conf/rest.truststore
 security.ssl.rest.keystore-password: rest_keystore_password
 security.ssl.rest.truststore-password: rest_truststore_password
-security.ssl.rest.key-password: rest_key_password
+security.ssl.rest.key-password: rest_keystore_password
 {% endhighlight %}
 
 **REST Endpoint (with a self signed CA)**
@@ -219,7 +219,7 @@ security.ssl.rest.key-password: rest_key_password
 Execute the following keytool commands to create a truststore with a self 
signed CA.
 
 {% highlight bash %}
-keytool -genkeypair -alias ca -keystore ca.keystore -dname "CN=Sample CA" 
-storepass ca_keystore_password -keypass ca_key_password -keyalg RSA -keysize 
4096 -ext "bc=ca:true" -storetype PKCS12
+keytool -genkeypair -alias ca -keystore ca.keystore -dname "CN=Sample CA" 
-storepass ca_keystore_password -keyalg RSA -keysize 4096 -ext "bc=ca:true" 
-storetype PKCS12
 
 keytool -exportcert -keystore ca.keystore -alias ca -storepass 
ca_keystore_password -file ca.cer
 
@@ -230,15 +230,15 @@ Now create a keystore for the REST endpoint with a 
certificate signed by the abo
 Let *flink.company.org / ip:10.0.2.15* be the hostname of the Flink master 
(JobManager).
 
 {% highlight bash %}
-keytool -genkeypair -alias flink.rest -keystore rest.signed.keystore -dname 
"CN=flink.company.org" -ext "SAN=dns:flink.company.org" -storepass 
rest_keystore_password -keypass rest_key_password -keyalg RSA -keysize 4096 
-storetype PKCS12
+keytool -genkeypair -alias flink.rest -keystore rest.signed.keystore -dname 
"CN=flink.company.org" -ext "SAN=dns:flink.company.org" -storepass 
rest_keystore_password -keyalg RSA -keysize 4096 -storetype PKCS12
 
-keytool -certreq -alias flink.rest -keystore rest.signed.keystore -storepass 
rest_keystore_password -keypass rest_key_password -file rest.csr
+keytool -certreq -alias flink.rest -keystore rest.signed.keystore -storepass 
rest_keystore_password -file rest.csr
 
-keytool -gencert -alias ca -keystore ca.keystore -storepass 
ca_keystore_password -keypass ca_key_password -ext 
"SAN=dns:flink.company.org,ip:10.0.2.15" -infile rest.csr -outfile rest.cer
+keytool -gencert -alias ca -keystore ca.keystore -storepass 
ca_keystore_password -ext "SAN=dns:flink.company.org,ip:10.0.2.15" -infile 
rest.csr -outfile rest.cer
 
 keytool -importcert -keystore rest.signed.keystore -storepass 
rest_keystore_password -file ca.cer -alias ca -noprompt
 
-keytool -importcert -keystore rest.signed.keystore -storepass 
rest_keystore_password -keypass rest_key_password -file rest.cer -alias 
flink.rest -noprompt
+keytool -importcert -keystore rest.signed.keystore -storepass 
rest_keystore_password -file rest.cer -alias flink.rest -noprompt
 {% endhighlight %}
 
 Now add the following configuration to your `flink-conf.yaml`:
@@ -248,7 +248,7 @@ security.ssl.rest.enabled: true
 security.ssl.rest.keystore: /path/to/flink/conf/rest.signed.keystore
 security.ssl.rest.truststore: /path/to/flink/conf/ca.truststore
 security.ssl.rest.keystore-password: rest_keystore_password
-security.ssl.rest.key-password: rest_key_password
+security.ssl.rest.key-password: rest_keystore_password
 security.ssl.rest.truststore-password: ca_truststore_password
 {% endhighlight %}
 
