[ 
https://issues.apache.org/jira/browse/SLIDER-580?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14188963#comment-14188963
 ] 

Jonathan Maron commented on SLIDER-580:
---------------------------------------

Currently the server and client certs will be localized, per container, if 
2-way SSL is enabled for agent-AM communication.  You therefore would have to 
enable "ssl.server.client.auth" (set it to true) which would then localize the 
certificates.  However, to leverage them from another app would probably 
require some enhancements:

1)  The agent Python process doesn't actually use a truststore, but rather 
downloads a self-signed cert from the AM.  The generation of a truststore used 
by a Java process would be required.
2)  The server keystore is generated for the AM and protected by a password, 
but that password is only available to the AM.  We would have to consider 
leveraging a credential provider to allow access to the password if the server 
keystore access is required.

Though SLIDER-263 was put in place to migrate to the credential provider, given 
the fact that password persistence wasn't actually required by the AM the 
decision was made to abandon that effort for now in favor of simply not 
persisting the password (as it currently is to an AM private directory).

I think we'd have to consider exactly the use case for app certificate 
generation, walk through the likely deployment scenarios and app usages, and 
file a JIRA to track that enhancement for the next release.

> Install SSL certs
> -----------------
>
>                 Key: SLIDER-580
>                 URL: https://issues.apache.org/jira/browse/SLIDER-580
>             Project: Slider
>          Issue Type: Improvement
>            Reporter: Billie Rinaldi
>            Assignee: Jonathan Maron
>
> In addition to keytabs, it would be useful to be able to install SSL certs 
> for localization.  We could simply add jks files as a type of file understood 
> by install-keytab.  Although this does lead to the question of whether we'd 
> want to support installing arbitrary resources.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
