[
https://issues.apache.org/jira/browse/KNOX-188?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kevin Minder updated KNOX-188:
------------------------------
Description: URLs with encrypted query strings, which contain sensitive
cluster internal info, fail to be decrypted by the gateway after a cluster
topology is redeployed in the gateway instance. Upon redeployment the password
for encryptQueryString is being regenerated even though the credential store
already exists for a given topology file (cluster). This must be changed to
only generate if the alias doesn't already exist inside the credential store.
This only affects Knox HA cluster deployments. The effect will be that gateway
instances will not be able to decrypt URLs generated by other gateway instances
after fail-over if the passwords are not kept in sync after each topology
deployment. The workaround is to manually synchronize the content of the
{GATEWAY_HOME}/conf/security folder after topology deployment changes. (was:
URLs with encrypted query strings which contain sensitive cluster internal info
fail to be decrypted by the gateway after a cluster topology is redeployed in
the gateway instance.
Upon redeployment the password for encryptQueryString is being regenerated even
though the credential store already exists for a given topology file (cluster).
This must be changed to only generate if the alias doesn't already exist inside
the credential store. By not retaining previous values Knox cluster deployments
(HA) which require the passwords to be in sync across gateway instances will
not be and will create decryption problems across load balancing and failover.)
> encryptQueryString Password is Recreated when Topology is Changed.
> ------------------------------------------------------------------
>
> Key: KNOX-188
> URL: https://issues.apache.org/jira/browse/KNOX-188
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Reporter: Maksim Kononenko
> Assignee: Larry McCay
> Fix For: 0.4.0
>
>
> URLs with encrypted query strings, which contain sensitive cluster internal
> info, fail to be decrypted by the gateway after a cluster topology is
> redeployed in the gateway instance. Upon redeployment the password for
> encryptQueryString is being regenerated even though the credential store
> already exists for a given topology file (cluster). This must be changed to
> only generate if the alias doesn't already exist inside the credential store.
> This only affects Knox HA cluster deployments. The effect will be that
> gateway instances will not be able to decrypt URLs generated by other gateway
> instances after fail-over if the passwords are not kept in sync after each
> topology deployment. The workaround is to manually synchronize the content
> of the {GATEWAY_HOME}/conf/security folder after topology deployment changes.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
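The failure mode the issue describes, and the "generate only if the alias is absent" fix it asks for, as an added example that is not part of the issue or of the Knox code base. It uses a constructed in-memory credential store and a toy stream cipher (SHA-256 in counter mode plus an HMAC tag) in place of Knox's real query-string encryption; the `CredentialStore`, `provision_alias_*` and `simulate_ha_pair` names are assumptions for illustration. It models two HA gateway instances whose `conf/security` content was synced once, then redeploys the topology on one of them and checks whether the peer can still decrypt the URLs it generates.

```python
import base64
import hashlib
import hmac
import os


class CredentialStore:
    """Minimal in-memory stand-in for Knox's per-topology credential store
    (constructed for this example): it only maps alias names to secrets."""

    def __init__(self):
        self._aliases = {}

    def has_alias(self, alias):
        return alias in self._aliases

    def get(self, alias):
        return self._aliases[alias]

    def put(self, alias, secret):
        self._aliases[alias] = secret

    def copy(self):
        # Models an operator syncing conf/security from one gateway to another.
        clone = CredentialStore()
        clone._aliases = dict(self._aliases)
        return clone


ALIAS = "encryptQueryString"


def provision_alias_buggy(store, alias=ALIAS):
    """Regenerates the secret on every topology deployment (the reported bug)."""
    store.put(alias, os.urandom(32))
    return store.get(alias)


def provision_alias_fixed(store, alias=ALIAS):
    """Generates the secret only when the alias is absent, so redeploying the
    same topology keeps the existing value (the change the issue asks for)."""
    if not store.has_alias(alias):
        store.put(alias, os.urandom(32))
    return store.get(alias)


def _keystream(key, nonce, length):
    # SHA-256 in counter mode: a toy stream cipher standing in for Knox's
    # real query-string encryption, enough to show the key-mismatch effect.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_query_string(key, query):
    """Returns a URL-safe token: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    data = query.encode()
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + body + tag).decode()


def decrypt_query_string(key, token):
    """Returns the plaintext query string, or None when the key does not match
    (tag check fails), which is what a peer gateway sees after KNOX-188."""
    raw = base64.urlsafe_b64decode(token.encode())
    nonce, body, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode()


def simulate_ha_pair(provision):
    """Two gateways start from a synced credential store, then gateway A
    redeploys its topology. Returns (peer_could_decrypt_before, _after)."""
    query = "host=internal-namenode.example&port=8020"  # constructed sample
    gateway_a = CredentialStore()
    provision(gateway_a)                  # first topology deployment on A
    gateway_b = gateway_a.copy()          # operator syncs conf/security to B

    token = encrypt_query_string(gateway_a.get(ALIAS), query)
    before = decrypt_query_string(gateway_b.get(ALIAS), token) == query

    provision(gateway_a)                  # topology redeployed on A only
    token = encrypt_query_string(gateway_a.get(ALIAS), query)
    after = decrypt_query_string(gateway_b.get(ALIAS), token) == query
    return before, after


if __name__ == "__main__":
    print("buggy provisioning:", simulate_ha_pair(provision_alias_buggy))  # (True, False)
    print("fixed provisioning:", simulate_ha_pair(provision_alias_fixed))  # (True, True)
```

With the buggy provisioning the peer's decrypt returns `None` as soon as the other instance redeploys, which is the post-failover symptom in the description; with the idempotent provisioning both instances keep the alias value they were synced with, so the manual `conf/security` sync only has to happen when the alias is genuinely created.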