Author: jmaron
Date: Tue Dec 2 21:03:51 2014
New Revision: 1643005

URL: http://svn.apache.org/r1643005
Log: updated ssl implementation docs
Modified:
    incubator/slider/site/trunk/content/design/ssl_implementation.md
    incubator/slider/site/trunk/content/images/agent_am_two_way_ssl.png

Modified: incubator/slider/site/trunk/content/design/ssl_implementation.md
URL: http://svn.apache.org/viewvc/incubator/slider/site/trunk/content/design/ssl_implementation.md?rev=1643005&r1=1643004&r2=1643005&view=diff
==============================================================================
--- incubator/slider/site/trunk/content/design/ssl_implementation.md (original)
+++ incubator/slider/site/trunk/content/design/ssl_implementation.md Tue Dec 2 21:03:51 2014
@@ -14,8 +14,10 @@ As the Slider application master starts Figure 1 - Server Certificate and Keystore/Trustore Generation -###Agent HTTPS Server -Once the artifacts necessary for supporting SSL transport are available, the agent-facing HTTP server instance is created and started. This instance creates two SSL connectors. The first connector is always configured for one-way SSL and supports server liveness checks from the agents, the retrieval of the server certificate, and the creation of signed agent certificates (the latter two tasks are required for the two-way SSL support). The second connector provides the port over which agent registration and heart beats are transmitted. It is configured for one-way SSL by default but can be explicitly configured for two-way SSL (hence the need for a certificate exchange mechanism as detailed above). Figure 2 illustrates this startup sequence. +In addition, if two-way SSL is enabled (more on that later), the Slider application master will leverage the certificate manager to create client certificates for every container launched as part of the application. These certificates, along with the AM's certificate, will subsequently be seeded to the given container's host machine via Yarn's resource localization facilities. + +###Agent-facing HTTPS Server +Once the artifacts necessary for supporting SSL transport are available, the agent-facing HTTP server instance is created and started. This instance creates two SSL connectors. The first connector is always configured for one-way SSL and supports server liveness checks from the agents. The second connector provides the port over which agent registration and heart beats are transmitted. It is configured for one-way SSL by default but can be explicitly configured for two-way SSL (hence the need for a certificate seeding mechanism as detailed above). Figure 2 illustrates this startup sequence. ![Agent HTTPS server](../images/server_ssl_startup.png) 
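Review bot: the added paragraph says the per-container client certificates and the AM certificate are "seeded to the given container's host machine via Yarn's resource localization facilities" but does not say what visibility those localized resources get or how the key store password reaches the agent; since the key store has to carry the container's private key, it should be localized with APPLICATION (or at least PRIVATE) visibility rather than PUBLIC, and the doc should state that, together with where on the host the agent finds the stores. Two smaller points in the same hunk: the removed sentence documented that the one-way connector also served "the retrieval of the server certificate, and the creation of signed agent certificates", and the new text drops both, so confirm that those endpoints are really gone from the one-way port rather than merely undocumented (a certificate-signing endpoint reachable over one-way SSL is worth a sentence either way); and write "YARN" rather than "Yarn", with a space after "###" in "###Agent-facing HTTPS Server" to match the "### Two-way SSL" heading below.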
@@ -43,14 +45,7 @@ See Figure 3 for an illustration of this Figure 3 - Agent to AM One-way SSL Communication ### Two-way SSL -The setup for two-way SSL is more involves since both parties must have each others certificates available to establish the trust required for this authentication mechanism. Therefore, in between the liveness check and registration performed in the one-way SSL mode, the agent and application master perform some additional steps to setup their certificate stores: - -1. The agent downloads the application master's certificate using the one-way SSL port -2. The agent generates a key -3. The agent uploads the key and requests a signed certificate from the application master -4. The application master signs the key, creates a certificate, and returns it in the response to the client. It also store the certificate in its keystore/truststore. - -After this exchange of information, the two parties are configured for communication over the configured two-way SSL port. See Figure 4 for an illustration of this exchange. +The setup for two-way SSL is more involved since both parties must have each other's certificates available to establish the trust required for this authentication mechanism. Therefore, the Application Master seeds both the AM's certificate (trust store) and the client's certificate (key store) to the host machine as the container is being instantiated. Therefore, the two parties are configured for communication over the configured two-way SSL port. See Figure 4 for an illustration of this setup. ![Two-way SSL](../images/agent_am_two_way_ssl.png) Modified: incubator/slider/site/trunk/content/images/agent_am_two_way_ssl.png URL: http://svn.apache.org/viewvc/incubator/slider/site/trunk/content/images/agent_am_two_way_ssl.png?rev=1643005&r1=1643004&r2=1643005&view=diff ============================================================================== Binary files - no diff available.
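Review bot: the replacement paragraph removes the numbered exchange without saying what the agent now does, and its two consecutive "Therefore" sentences do not follow from each other; the second should read along the lines of "Once the container starts, the agent loads the seeded key store and trust store and connects to the configured two-way SSL port." The parenthetical "the client's certificate (key store)" understates what is seeded: for two-way SSL the container's key store must also hold the private key the AM generated for it, and the old step 4 ("It also store the certificate in its keystore/truststore") was the only place explaining how the AM came to trust the agent's certificate, which the new text no longer covers. State whether the AM accepts the seeded client certificates because it signed them with its own certificate or because each one is added to its trust store. Figure 4 is replaced as a binary and cannot be reviewed here; make sure the new image no longer shows the download/upload exchange that this hunk deletes from the text.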