[
https://issues.apache.org/jira/browse/GEODE-5338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16617630#comment-16617630
]
ASF subversion and git services commented on GEODE-5338:
--------------------------------------------------------
Commit d3cbbfc884b84e18b92afb9c1568529cf7741e6a in geode's branch
refs/heads/feature/GEODE-5338 from Sai Boorlagadda
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=d3cbbfc ]
Merge branch 'develop' into feature/GEODE-5338
> Geode client to support Trust and Keystore rotation
> ---------------------------------------------------
>
> Key: GEODE-5338
> URL: https://issues.apache.org/jira/browse/GEODE-5338
> Project: Geode
> Issue Type: Improvement
> Components: docs, security
> Reporter: Pulkit Chandra
> Assignee: Sai Boorlagadda
> Priority: Major
> Labels: pull-request-available
> Fix For: 1.8.0
>
> Time Spent: 3.5h
> Remaining Estimate: 0h
>
> WHY: Cloud Foundry provides the ability to rotate certs pretty frequently. By
> default the certs are rotated every day and this can be changed to rotate every
> hour, which creates an issue with Java applications. This rotation is
> essential to provide a strong security stance on client applications.
> WHAT: Today Geode client applications, when establishing a TLS connection to
> the servers, require a path to the certificate. Since these files would be
> changing, we need a mechanism in Geode which will watch for these changes and
> use the new certs without causing service disruption.
>
> Solution options:
> Some options to consider
> # Cloud Foundry has a lib which watches for changes to these certs (which
> are in PEM format) and converts them and creates in-memory objects of
> TrustStore and KeyStore. If we have a mechanism in Geode to pass these
> objects instead of paths to them, we might have a solution. Also, these
> objects get updated after rotation so the Geode code needs to consider that
> as well.
> # Geode can develop its own capability to watch for changes to the files and
> convert them to the right format using OpenSSL, create files and pass them in.
> Update these files every time someone updates the certs.
> # Geode starts accepting PEM files and watches them directly for changes.
>
> Key Outcomes to watch for:
> 1. Provide ability to rotate cert easily without downtime.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
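The first solution option in the quoted description (PEM certs converted into in-memory TrustStore objects that are refreshed after each rotation) is illustrated below with an added Java example; it is not Geode's or Cloud Foundry's code. The class name, the CA bundle path and the assumption that the bundle holds only CERTIFICATE blocks (no private key) are all hypothetical; a KeyManager for the client's own rotated key would follow the same mtime-check pattern and is not shown.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical trust manager: re-reads a PEM CA bundle into an in-memory KeyStore
 *  whenever the file's mtime changes, so rotated CAs apply without a client restart. */
public final class ReloadingTrustManager implements X509TrustManager {
  private final Path caBundlePem;      // assumed example location, e.g. /etc/app/certs/ca.pem
  private long loadedMtime = -1L;
  private volatile X509TrustManager delegate;
  public ReloadingTrustManager(Path caBundlePem) throws Exception {
    this.caBundlePem = caBundlePem;
    reload();                          // fail fast if the initial bundle is unreadable
  }
  static KeyStore pemToTrustStore(Path pem) throws Exception {   // PEM -> store that never touches disk
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    ks.load(null, null);               // empty in-memory store
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    try (InputStream in = Files.newInputStream(pem)) {
      // the X.509 factory parses concatenated "-----BEGIN CERTIFICATE-----" blocks
      for (Certificate c : cf.generateCertificates(in)) ks.setCertificateEntry("ca-" + ks.size(), c);
    }
    return ks;
  }
  private synchronized void reload() throws Exception {         // rebuild only when the file changed
    long mtime = Files.getLastModifiedTime(caBundlePem).toMillis();
    if (delegate != null && mtime == loadedMtime) return;
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(pemToTrustStore(caBundlePem));
    for (TrustManager tm : tmf.getTrustManagers()) {
      if (tm instanceof X509TrustManager) { delegate = (X509TrustManager) tm; loadedMtime = mtime; return; }
    }
    throw new IllegalStateException("no X509TrustManager from " + tmf.getAlgorithm());
  }
  private X509TrustManager current() {
    try { reload(); } catch (Exception e) { /* half-written or unreadable bundle: keep last good store */ }
    return delegate;
  }
  @Override public void checkClientTrusted(X509Certificate[] chain, String auth) throws CertificateException { current().checkClientTrusted(chain, auth); }
  @Override public void checkServerTrusted(X509Certificate[] chain, String auth) throws CertificateException { current().checkServerTrusted(chain, auth); }
  @Override public X509Certificate[] getAcceptedIssuers() { return current().getAcceptedIssuers(); }
}
```

Wrap the instance in an SSLContext via SSLContext.init(keyManagers, new TrustManager[]{reloading}, null); handshakes that start after a rotation validate against the new bundle, while a bundle that fails to parse mid-write leaves the previous trust anchors in service.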