Robert Levas created KNOX-1812:
----------------------------------
Summary: The Knox Gateway truststore should be configurable
Key: KNOX-1812
URL: https://issues.apache.org/jira/browse/KNOX-1812
Project: Apache Knox
Issue Type: Improvement
Components: Server
Affects Versions: 1.3.0
Reporter: Robert Levas
Assignee: Robert Levas
Fix For: 1.3.0
The Knox Gateway truststore should be configurable
Knox relies on a trust store for various purposes
# The *KnoxCLI* (via a KnoxSession) uses a truststore to trust the connection
to the Knox Gateway server
** The truststore is determined by the Java system properties
({{javax.net.ssl.trustStore}}, {{javax.net.ssl.trustStorePassword}}) or the
JVM's cacerts file
# The *Knox Gateway* server uses a truststore to trust the connections going
out to the services (if connecting via TLS/SSL)
** The truststore is set to be the same keystore as the Gateway's identitiy
keystore.
** See
{{org.apache.knox.gateway.dispatch.DefaultHttpClientFactory#createHttpClient}}.
# The *Knox Gateway* server uses a truststore to trust the user/client
connecting to it when clientauth is enabled
** The truststore is set to be the same keystore as the Gateway's identity
keystore unless one is explicitly specified in the gateway-site.xml file
({{gateway.truststore.path}}, {{gateway.truststore.type}}). If a truststore is
explicitly set, the password for the truststore is looked up, using alias name
"{{gateway-truststore-password}}", from the alias service.
** See
{{org.apache.knox.gateway.services.security.impl.JettySSLService#buildSslContextFactory}}.
By making the outgoing connection truststore (#2, from above) configurable, it
will be possible to use the same truststore for both incoming and outgoing
connections, which will be convenient when services communicate with each other
via the Knox Gateway.
To make sure the truststore configuration is flexible and backwards compatible
with older versions of Knox, new properties should be introduced in the
gateway-site.xml file:
* {{gateway.httpclient.truststore.path}}
* {{gateway.httpclient.truststore.type}}
* {{gateway.httpclient.truststore.password.alias}}
Note: This naming convention goes along with the following properties used to
configure the Gateway's HTTPClient instance:
* {{gateway.httpclient.maxConnections}}
* {{gateway.httpclient.connectionTimeout}}
* {{gateway.httpclient.socketTimeout}}
If {{gateway.httpclient.truststore.path}} is not set in the configuration, then
Gateway's identity keystore will be used (which is the current implementation);
else, the configured truststore details will be used.
Also, to keep things consistent, the password alias name for the _clientauth_
truststore should be configurable using the property name:
* {{gateway.truststore.password.alias}} (default:
"{{gateway-truststore-password}}")
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
