Author: jmaron
Date: Tue Dec 2 21:03:51 2014
New Revision: 1643005
URL: http://svn.apache.org/r1643005
Log:
updated ssl implementation docs
Modified:
incubator/slider/site/trunk/content/design/ssl_implementation.md
incubator/slider/site/trunk/content/images/agent_am_two_way_ssl.png
Modified: incubator/slider/site/trunk/content/design/ssl_implementation.md
URL:
http://svn.apache.org/viewvc/incubator/slider/site/trunk/content/design/ssl_implementation.md?rev=1643005&r1=1643004&r2=1643005&view=diff
==============================================================================
--- incubator/slider/site/trunk/content/design/ssl_implementation.md (original)
+++ incubator/slider/site/trunk/content/design/ssl_implementation.md Tue Dec 2
21:03:51 2014
@@ -14,8 +14,10 @@ As the Slider application master starts
Figure 1 - Server Certificate and Keystore/Trustore Generation
-###Agent HTTPS Server
-Once the artifacts necessary for supporting SSL transport are available, the
agent-facing HTTP server instance is created and started. This instance
creates two SSL connectors. The first connector is always configured for
one-way SSL and supports server liveness checks from the agents, the retrieval
of the server certificate, and the creation of signed agent certificates (the
latter two tasks are required for the two-way SSL support). The second
connector provides the port over which agent registration and heart beats are
transmitted. It is configured for one-way SSL by default but can be explicitly
configured for two-way SSL (hence the need for a certificate exchange mechanism
as detailed above). Figure 2 illustrates this startup sequence.
+In addition, if two-way SSL is enabled (more on that later), the Slider
application master will leverage the certificate manager to create client
certificates for every container launched as part of the application. These
certificates, along with the AM's certificate, will subsequently be seeded to
the given container's host machine via Yarn's resource localization facilities.
+
+###Agent-facing HTTPS Server
+Once the artifacts necessary for supporting SSL transport are available, the
agent-facing HTTP server instance is created and started. This instance
creates two SSL connectors. The first connector is always configured for
one-way SSL and supports server liveness checks from the agents. The second
connector provides the port over which agent registration and heart beats are
transmitted. It is configured for one-way SSL by default but can be explicitly
configured for two-way SSL (hence the need for a certificate seeding mechanism
as detailed above). Figure 2 illustrates this startup sequence.

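Review bot: the added paragraph beginning "In addition, if two-way SSL is enabled" says the per-container client certificates and the AM's certificate are "seeded to the given container's host machine via Yarn's resource localization facilities" but does not say what the seeded artifact contains or who can read it on the node. A client certificate only enables two-way SSL together with its private key, so the localized keystore necessarily carries key material; the doc should state that, and state the visibility/permissions the localized files get (application-scoped rather than public, readable only by the container's user). Suggest something like "The keystore, which holds the container's private key and signed certificate, and the truststore holding the AM's certificate are localized as application-private resources". Also spell it "YARN", and in the rewritten "Agent-facing HTTPS Server" paragraph "heart beats" should be "heartbeats".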
@@ -43,14 +45,7 @@ See Figure 3 for an illustration of this
Figure 3 - Agent to AM One-way SSL Communication
### Two-way SSL
-The setup for two-way SSL is more involves since both parties must have each
others certificates available to establish the trust required for this
authentication mechanism. Therefore, in between the liveness check and
registration performed in the one-way SSL mode, the agent and application
master perform some additional steps to setup their certificate stores:
-
-1. The agent downloads the application master's certificate using the one-way
SSL port
-2. The agent generates a key
-3. The agent uploads the key and requests a signed certificate from the
application master
-4. The application master signs the key, creates a certificate, and returns
it in the response to the client. It also store the certificate in its
keystore/truststore.
-
-After this exchange of information, the two parties are configured for
communication over the configured two-way SSL port. See Figure 4 for an
illustration of this exchange.
+The setup for two-way SSL is more involved since both parties must have each
other's certificates available to establish the trust required for this
authentication mechanism. Therefore, the Application Master seeds both the
AM's certificate (trust store) and the client's certificate (key store) to the
host machine as the container is being instantiated. Therefore, the two
parties are configured for communication over the configured two-way SSL port.
See Figure 4 for an illustration of this setup.

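Review bot: in the replacement paragraph, "the client's certificate (key store)" understates what has to be seeded: for the container to authenticate itself over two-way SSL the key store must hold its private key as well as the signed certificate, whereas the trust store only needs the AM's certificate; suggest "the container's private key and signed certificate (key store)". The two consecutive sentences opening with "Therefore" also read as if the second were a consequence of the first; "With both stores in place, the two parties are configured for communication over the configured two-way SSL port." is clearer. Finally, "Application Master" should match the lower-case "application master" used in the rest of the section.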
Modified: incubator/slider/site/trunk/content/images/agent_am_two_way_ssl.png
URL:
http://svn.apache.org/viewvc/incubator/slider/site/trunk/content/images/agent_am_two_way_ssl.png?rev=1643005&r1=1643004&r2=1643005&view=diff
==============================================================================
Binary files - no diff available.