[ https://issues.apache.org/jira/browse/DISPATCH-1903?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17258920#comment-17258920 ]

Ted Ross commented on DISPATCH-1903:
------------------------------------

+1 [~chug]

I would add one more policy value that simply enables the feature, probably 
defaulted to "disabled".

These policy attributes should be held per-vhost.  I think the common use case 
will use a default vhost for a "localhost" listener that enables this feature.  
That will allow a same-system or same-pod controller to make runtime updates to 
ssl-profiles while preventing any remote access to the feature.

This is planned as a write-only feature (as [~chug] mentioned).  There will be 
no read-back access to the temporary files.

It should also be noted that this feature cannot be used to overwrite 
pre-configured ssl-profile certificate files.

> Remote upload of certificate files for new TLS configurations
> -------------------------------------------------------------
>
>                 Key: DISPATCH-1903
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-1903
>             Project: Qpid Dispatch
>          Issue Type: New Feature
>          Components: Container
>            Reporter: Ted Ross
>            Assignee: Ted Ross
>            Priority: Major
>             Fix For: 1.15.0
>
>
> Currently, when using the management protocol to create new SSL-profiles, 
> those profiles must access certificate files that are already placed in the 
> file system.  In other words, in order to create an SSL-profile on a running 
> router, files must first be placed on the file system in a location 
> accessible by the router.  This may be problematic in cases where the router 
> is remote from the managing agent, or when containerization limits access to 
> the router's underlying file system.
> This new feature allows a managing agent to remotely inject files into a 
> running router to be stored in temporary file storage.  These files are 
> usable in sslProfile management entities (by specifying the files without an 
> absolute path).  The temporary files are removed from the file system on 
> router shutdown.


