[ 
https://issues.apache.org/jira/browse/GEODE-5338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alexander Murmann updated GEODE-5338:
-------------------------------------
    Fix Version/s:     (was: 1.8.0)
                   1.9.0

> Geode client to support Trust and Keystore rotation
> ---------------------------------------------------
>
>                 Key: GEODE-5338
>                 URL: https://issues.apache.org/jira/browse/GEODE-5338
>             Project: Geode
>          Issue Type: Improvement
>          Components: docs, security
>            Reporter: Pulkit Chandra
>            Assignee: Sai Boorlagadda
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.9.0
>
>          Time Spent: 4h 20m
>  Remaining Estimate: 0h
>
> WHY: Cloud Foundry provides the ability to rotate certs pretty frequently. By
> default the certs are rotated every day, and this can be changed to rotate every
> hour, which creates an issue with Java applications. This rotation is
> essential to provide a strong security stance on client applications.
> WHAT: Today Geode client applications, when establishing a TLS connection to
> the servers, require a path to the certificate. Since these files would be
> changing, we need a mechanism in Geode which will watch for these changes and
> use the new certs without causing service disruption.
>  
> Solution options:
> Some options to consider
>  # Cloud Foundry has a lib which watches for changes to these certs (which
> are in PEM format) and converts them and creates in-memory objects of
> TrustStore and KeyStore. If we have a mechanism in Geode to pass these
> objects instead of a path to them, we might have a solution. Also, these
> objects get updated after rotation, so the Geode code needs to consider that
> as well.
>  # Geode can develop its own capability to watch for changes on the files and
> convert them to the right format using OpenSSL, create files and pass them in.
> Update these files every time someone updates the certs.
>  # Geode starts accepting PEM files and watches them directly for changes.
>  
> Key Outcomes to watch for:
>  1. Provide ability to rotate cert easily without downtime.
>  
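The first solution option in the report (build in-memory TrustStore objects from the rotated PEM files and hand those to the client instead of a path) can be illustrated with a plain JSSE trust manager that re-reads the CA bundle whenever the file's modification time changes. The code below is an added example written for this page; it is not Geode's code and does not use any Geode API. The PEM path is an assumed placeholder, and the reload is triggered lazily on the next handshake rather than by a filesystem watcher, so no background thread is needed.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * X509TrustManager that follows a rotated PEM CA bundle without a restart.
 * The trust store lives only in memory; the delegate is swapped atomically
 * when the file on disk changes. A failed reload keeps the last good bundle.
 */
public final class ReloadingTrustManager implements X509TrustManager {
    private final Path pemPath;               // assumed path, e.g. /etc/cf-instance-credentials/ca.pem
    private volatile FileTime loadedAt;       // mtime of the bundle currently in use
    private volatile X509TrustManager delegate;

    public ReloadingTrustManager(Path pemPath) throws Exception {
        this.pemPath = pemPath;
        reload();                             // fail fast: the first load must succeed
    }

    /** Cheap stat() before every trust decision; reload only on a changed mtime. */
    private void reloadIfChanged() {
        try {
            FileTime now = Files.getLastModifiedTime(pemPath);
            if (!now.equals(loadedAt)) {
                reload();
            }
        } catch (Exception e) {
            // Keep serving the previous bundle; surface this through logging/metrics in real code.
        }
    }

    private synchronized void reload() throws Exception {
        FileTime mtime = Files.getLastModifiedTime(pemPath);
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);          // empty in-memory store, nothing written to disk
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pemPath)) {
            int i = 0;
            // generateCertificates() accepts a PEM bundle with several CERTIFICATE blocks.
            for (Certificate c : cf.generateCertificates(in)) {
                trustStore.setCertificateEntry("ca-" + (i++), c);
            }
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                delegate = (X509TrustManager) tm;   // publish new delegate, then record its mtime
                loadedAt = mtime;
                return;
            }
        }
        throw new IllegalStateException("no X509TrustManager available from " + tmf.getAlgorithm());
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        reloadIfChanged();
        delegate.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        reloadIfChanged();
        delegate.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        reloadIfChanged();
        return delegate.getAcceptedIssuers();
    }

    /** Builds an SSLContext whose server-trust decisions track the rotated CA bundle. */
    public static SSLContext contextFor(Path caPem) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new ReloadingTrustManager(caPem) }, null);
        return ctx;
    }
}
```

The client-certificate side follows the same pattern with an X509ExtendedKeyManager that rebuilds an in-memory KeyStore from the rotated certificate and private-key PEM files and swaps its delegate. Two points matter for a rotation that must not cause disruption: existing connections keep the session they negotiated, so only new handshakes pick up the new material, and the old CA should stay in the bundle for an overlap window so that peers still presenting the previous chain continue to validate.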



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)