[
https://issues.apache.org/jira/browse/KNOX-1756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16761790#comment-16761790
]
Robert Levas edited comment on KNOX-1756 at 2/6/19 2:47 PM:
------------------------------------------------------------
[~lmccay]... I believe that this is accurate:
{quote}Currently, the TLS keystore password is stored in the Knox gateway's
credential store. A proper solution will need to allow a custom keystore
password to be stored there rather than in a plaintext configuration file.
{quote}
See
[https://github.com/apache/knox/blob/master/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultAliasService.java#L67]:
{code:java}
public char[] getGatewayIdentityPassphrase() throws AliasServiceException {
    char[] passphrase = getPasswordFromAliasForGateway(GATEWAY_IDENTITY_PASSPHRASE);
    if (passphrase == null) {
        passphrase = masterService.getMasterSecret();
    }
    return passphrase;
}
{code}
Following {{getPasswordFromAliasForGateway}} takes you to
{{DefaultKeystoreService.getCredentialForCluster()}}
([https://github.com/apache/knox/blob/master/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java#L365]),
where {{clusterName}} is "__gateway" and {{alias}} is
"gateway-identity-passphrase".
However, if a password is not found in the credential store, the master
password is then used.
> Knox Gateway TLS Keystore and Alias Should be Configurable
> ----------------------------------------------------------
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 1.3.0
> Reporter: Robert Levas
> Assignee: Robert Levas
> Priority: Major
> Labels: keystore, ssl
> Fix For: 1.3.0
>
>
> h1. Problem
> The location of the keystore housing the Knox Gateway TLS certificate is
> hardcoded to {{<calculated from configs>/keystores/gateway.jks}} and the
> certificate alias is hardcoded to “{{gateway-identity}}”. This limits the
> ability for external management facilities to setup a TLS key and certificate
> for the Knox Gateway. For example, a host-wide, CA-signed, TLS certificate.
> Knox has configuration hooks for the following (optional) properties
> * Home Directory
> ** Gateway-site property: GATEWAY_HOME
> ** System property: GATEWAY_HOME
> ** Environment variable: GATEWAY_HOME
> * Data Directory
> ** System property: GATEWAY_DATA_HOME
> ** Environment variable: GATEWAY_DATA_HOME
> ** Gateway-site property: gateway.security.dir
> ** Calculated: [Home Directory] + [Path Separator] + “data”
> * Security Directory
> ** Gateway-site property: gateway.security.dir
> ** Calculated: [Data Directory] + [Path Separator] + “security”
> *Note*: the calculation for the home directory is inconsistent with the other
> directory calculations. This inconsistency may be confusing to users and thus
> should be fixed to be
> * System property: GATEWAY_HOME
> * Environment variable: GATEWAY_HOME
> * Gateway-site property: gateway.home.dir
> The path to the Knox Gateway TLS keystore is calculated as
> {noformat}
> [Security Directory] + [Path Separator] + “keystores” +
> [Path Separator] + “gateway.jks”
> {noformat}
> h1. Solution
> To make it easier to use an externally provided TLS key and certificate, the
> Knox Gateway should allow the TLS keystore file and alias name to be
> configurable. The following properties should be made available:
> * TLS Keystore File Path
> ** Gateway-site property: gateway.tls.keystore.file
> ** Calculated: [Keystore Directory] + [Path Separator] + [TLS Keystore File
> Name]
> * TLS Keystore Password Alias
> ** Gateway-site property: gateway.tls.keystore.password.alias
> ** Calculated: “gateway-identity-passphrase”
> * TLS Keystore Type
> ** Gateway-site property: gateway.tls.keystore.type
> ** Calculated: “jks”
> * TLS Key Alias
> ** Gateway-site property: gateway.tls.key.alias
> ** Calculated: “gateway-identity”
> Currently, the TLS keystore password is stored in the Knox gateway's
> credential store. A proper solution will need to allow a custom keystore
> password to be stored there rather than in a plaintext configuration file.
>
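An added example, not code from the Knox project or from anyone on this thread: a small stand-alone Java check that resolves the keystore settings the issue proposes (the property names gateway.tls.keystore.file, gateway.tls.keystore.password.alias, gateway.tls.keystore.type and gateway.tls.key.alias are the issue's proposals, not necessarily what shipped), reads the keystore password from the credential store the way getGatewayIdentityPassphrase() does, including the fall-back to the master secret that the comment above points out, and confirms the keystore opens and holds a private key under the configured alias. Assumed, and marked ASSUMED in the code: the credential-store layout (a JCEKS file named __gateway-credentials.jceks under the keystores directory, unlocked with the master secret, each alias held as a SecretKeyEntry whose encoded bytes are the credential), that gateway-site is supplied as a flat key=value properties file rather than Knox's XML form, that the data directory is resolved without a gateway-site property, and that the private key is protected with the keystore password.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Properties;

/**
 * Illustrative check for the TLS keystore settings proposed in KNOX-1756.
 * Not Knox code; every name marked ASSUMED is a stand-in, not a Knox API.
 */
public class TlsKeystoreCheck {

    /** Stand-in for AliasService.getPasswordFromAliasForGateway(): null when the alias is absent. */
    public interface AliasLookup {
        char[] lookup(String alias) throws IOException, GeneralSecurityException;
    }

    /** Lookup order from the issue: system property, environment variable, gateway-site, computed default. */
    static String resolve(Properties site, String sysProp, String envVar, String siteProp, String fallback) {
        String v = sysProp == null ? null : System.getProperty(sysProp);
        if (v == null && envVar != null) v = System.getenv(envVar);
        if (v == null && siteProp != null) v = site.getProperty(siteProp);
        return v != null ? v : fallback;
    }

    /** [Home]/data unless GATEWAY_DATA_HOME is set; then gateway.security.dir or [Data]/security. */
    static Path securityDir(Properties site) {
        String home = resolve(site, "GATEWAY_HOME", "GATEWAY_HOME", "GATEWAY_HOME", ".");
        // ASSUMED: no gateway-site property is consulted for the data directory.
        String data = resolve(site, "GATEWAY_DATA_HOME", "GATEWAY_DATA_HOME", null,
                Paths.get(home, "data").toString());
        return Paths.get(resolve(site, null, null, "gateway.security.dir",
                Paths.get(data, "security").toString()));
    }

    /** gateway.tls.keystore.file if set, else [Security Directory]/keystores/gateway.jks as the issue describes. */
    static Path keystorePath(Properties site) {
        Path dflt = securityDir(site).resolve("keystores").resolve("gateway.jks");
        return Paths.get(site.getProperty("gateway.tls.keystore.file", dflt.toString()));
    }

    /**
     * ASSUMED credential-store layout: a JCEKS keystore unlocked with the master secret,
     * each alias held as a SecretKeyEntry whose encoded bytes are the credential text.
     */
    static AliasLookup jceksCredentialStore(Path file, char[] masterSecret) {
        return alias -> {
            KeyStore cs = KeyStore.getInstance("JCEKS");
            try (FileInputStream in = new FileInputStream(file.toFile())) {
                cs.load(in, masterSecret);
            }
            KeyStore.Entry e = cs.getEntry(alias, new KeyStore.PasswordProtection(masterSecret));
            if (!(e instanceof KeyStore.SecretKeyEntry)) return null;   // alias not present
            byte[] raw = ((KeyStore.SecretKeyEntry) e).getSecretKey().getEncoded();
            return new String(raw, StandardCharsets.UTF_8).toCharArray();
        };
    }

    /**
     * Opens the configured keystore with the password held under the configured alias and
     * verifies the configured key alias is a private-key entry. Mirrors the comment above:
     * a missing alias silently falls back to the master secret, which this method reports.
     */
    static KeyStore.PrivateKeyEntry checkIdentity(Properties site, AliasLookup aliases, char[] masterSecret)
            throws IOException, GeneralSecurityException {
        String pwAlias = site.getProperty("gateway.tls.keystore.password.alias", "gateway-identity-passphrase");
        String type = site.getProperty("gateway.tls.keystore.type", "jks");
        String keyAlias = site.getProperty("gateway.tls.key.alias", "gateway-identity");
        Path path = keystorePath(site);

        char[] pw = aliases.lookup(pwAlias);
        if (pw == null) {
            System.err.println("WARN: alias '" + pwAlias + "' not in credential store; using master secret");
            pw = masterSecret;
        }
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, pw);   // a wrong password surfaces here as an IOException
        }
        if (!ks.entryInstanceOf(keyAlias, KeyStore.PrivateKeyEntry.class)) {
            throw new GeneralSecurityException("no private-key entry '" + keyAlias + "' in " + path);
        }
        // ASSUMED: the private key is protected with the keystore password.
        return (KeyStore.PrivateKeyEntry) ks.getEntry(keyAlias, new KeyStore.PasswordProtection(pw));
    }

    public static void main(String[] args) throws Exception {
        // Usage: java TlsKeystoreCheck <gateway-site as key=value file> <master secret>
        // ASSUMED: gateway-site is given as a flat properties file, not Knox's XML form.
        Properties site = new Properties();
        try (FileInputStream in = new FileInputStream(args[0])) {
            site.load(in);
        }
        char[] master = args[1].toCharArray();
        // ASSUMED file name and location of the gateway credential store.
        Path credStore = securityDir(site).resolve("keystores").resolve("__gateway-credentials.jceks");
        KeyStore.PrivateKeyEntry id = checkIdentity(site, jceksCredentialStore(credStore, master), master);
        X509Certificate cert = (X509Certificate) id.getCertificate();
        System.out.println("OK: " + keystorePath(site) + " serves " + cert.getSubjectX500Principal());
    }
}
```

The WARN line is the operational signal worth watching: it means the password alias is absent and the gateway is unlocking its TLS keystore with the master secret, exactly the fall-back the comment describes. A wrong keystore password shows up as the IOException thrown by KeyStore.load, and a keystore that opens but has no private-key entry under the configured alias fails the entryInstanceOf check rather than failing later at the TLS listener.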
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)