[ https://issues.apache.org/jira/browse/IGNITE-9845?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alexey Kuznetsov reassigned IGNITE-9845: ---------------------------------------- Assignee: Andrey Novikov (was: Alexey Kuznetsov) [~anovikov], I fixed review notes. Please review one more time. > Web Console: Add support of two way ssl authentication in Web Console agent > --------------------------------------------------------------------------- > > Key: IGNITE-9845 > URL: https://issues.apache.org/jira/browse/IGNITE-9845 > Project: Ignite > Issue Type: Improvement > Components: wizards > Affects Versions: 2.6 > Reporter: Andrey Novikov > Assignee: Andrey Novikov > Priority: Major > Fix For: 2.8 > > Attachments: generate.bat > > > RestExecutor should not be shared between different users requests in case of > two way ssl authentication: > * For each token with ssl we need create separated RestExecutor and set up > socketFactory and trustManager. > * RestExecutor should be removed if token expired. > Add program arguments for passing client certificate, client password, trust > store, trust store password for ignite node connection and web console > backend. > Example on okhttp: > [https://github.com/square/okhttp/blob/cd872fd83824512c128dcd80c04d445c8a2fc8eb/okhttp-tests/src/test/java/okhttp3/internal/tls/ClientAuthTest.java] > Upgrade socket-io from 1.x to 2.x. > Add support for SSL cipher suites > Add tests. > --------------------------- > *How to do local testing:* > On Windows > # Download Open SSL: Download Open SSL for Windows from > [https://wiki.openssl.org/index.php/Binaries] > # Unpack it. > On Linux - it is usually built-in. > Generate keys with provided script (see attached generate.bat, it could be > easily adapted for Linux). > > Add to etc/hosts: > 127.0.0.1 localhost console.test.local > ---------------------------- > After that configure SSL for: > # Web Console back-end. > # Web Agent. > # Cluster. > *Configure Web Console back-end settings:* > "ssl": true, > "key": "some_path/server.key", > "cert": "some_path/server.crt", > "ca": "some_path/ca.crt", > "keyPassphrase": "p123456", > *Configure Web Agent parameters (see parameters descriptions):* > -t your_token > -s [https://console.test.local:3000|https://console.test.local:3000/] -n > [https://console.test.local:11443|https://console.test.local:11443/] > -nks client.jks -nkp p123456 > -nts ca.jks -ntp p123456 > -sks client.jks -skp p123456 > -sts ca.jks -stp p123456 > *Configure cluster JETTY config:* > <New id="httpsCfg" class="org.eclipse.jetty.server.HttpConfiguration"> > <Set name="secureScheme">https</Set> > <Set name="securePort"><SystemProperty name="IGNITE_JETTY_PORT" > default="11443"/></Set> > <Set name="sendServerVersion">true</Set> > <Set name="sendDateHeader">true</Set> > <Call name="addCustomizer"> <Arg><New > class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg></Call> > </New> > <New id="sslContextFactory" > class="org.eclipse.jetty.util.ssl.SslContextFactory"> > <Set name="keyStorePath">some_path/server.jks</Set> > <Set name="keyStorePassword">p123456</Set> > <Set name="trustStorePath">some_path/ca.jks</Set> > <Set name="trustStorePassword">p123456</Set> > <Set name="needClientAuth">true</Set> > </New> > -- This message was sent by Atlassian JIRA (v7.6.3#76005)