[ https://issues.apache.org/jira/browse/IGNITE-9845?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vasiliy Sisko updated IGNITE-9845:
----------------------------------
    Description: 
RestExecutor should not be shared between different users' requests in case of 
two-way SSL authentication:
 * For each token with SSL we need to create a separate RestExecutor and set up 
its socketFactory and trustManager.
 * The RestExecutor should be removed once its token has expired.

Add program arguments for passing the client certificate, client password, trust 
store and trust store password for the Ignite node connection and the Web Console back-end. 

Example on okhttp: 
[https://github.com/square/okhttp/blob/cd872fd83824512c128dcd80c04d445c8a2fc8eb/okhttp-tests/src/test/java/okhttp3/internal/tls/ClientAuthTest.java]
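Added example (not code from the Ignite project or from the linked okhttp test): a hypothetical registry that gives every agent token its own OkHttpClient built from that token's key store and trust store, and drops the client once the token's TTL has passed. The class, method and field names are assumptions; the JKS store format and the client.jks / ca.jks roles follow the agent parameters described below.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.*;
import okhttp3.OkHttpClient;

/** Hypothetical registry: one OkHttpClient (the agent's RestExecutor) per token. */
public final class PerTokenRestExecutors {
    private final Map<String, OkHttpClient> clients = new ConcurrentHashMap<>();
    private final Map<String, Long> expiresAtMs = new ConcurrentHashMap<>();
    private final long ttlMs;
    public PerTokenRestExecutors(long ttlMs) { this.ttlMs = ttlMs; }

    /** Returns the client bound to this token, building it from the token's own stores. */
    public OkHttpClient forToken(String token, String keyStorePath, char[] keyStorePwd,
                                 String trustStorePath, char[] trustStorePwd) throws Exception {
        evictExpired();
        OkHttpClient c = clients.get(token);
        if (c == null) {
            c = newMutualTlsClient(keyStorePath, keyStorePwd, trustStorePath, trustStorePwd);
            clients.put(token, c);
            expiresAtMs.put(token, System.currentTimeMillis() + ttlMs);
        }
        return c;
    }

    /** Drops clients whose token has expired, so an expired identity is never reused. */
    public void evictExpired() {
        long now = System.currentTimeMillis();
        for (Map.Entry<String, Long> e : expiresAtMs.entrySet())
            if (e.getValue() <= now) { clients.remove(e.getKey()); expiresAtMs.remove(e.getKey()); }
    }

    private static OkHttpClient newMutualTlsClient(String ksPath, char[] ksPwd,
                                                   String tsPath, char[] tsPwd) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(ksPath, ksPwd), ksPwd);   // client.jks: this token's client cert and key
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(tsPath, tsPwd));          // ca.jks: trust only this CA, not the JVM defaults
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { tm }, null);
        // okhttp requires the trust manager next to the factory; hostname verification stays enabled.
        return new OkHttpClient.Builder().sslSocketFactory(ctx.getSocketFactory(), tm).build();
    }

    private static KeyStore loadJks(String path, char[] pwd) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pwd); }
        return ks;
    }
}
```

Because each token gets its own trust manager and key manager, one user's client certificate can never be presented on another user's connection, and the node is validated against the per-token CA rather than the JVM's default trust store.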

Upgrade socket-io from 1.x to 2.x.

Add support for SSL cipher suites.

Add tests.

---------------------------

*How to do local testing:*

On Windows:
 # Download OpenSSL for Windows from 
[https://wiki.openssl.org/index.php/Binaries]
 # Unpack it.

On Linux OpenSSL is usually already installed.

Generate keys with the provided script (see the attached generate.bat; it can 
easily be adapted for Linux).

Add to etc/hosts: 

    127.0.0.1 localhost console.test.local

 ----------------------------

After that, configure SSL for:
 # Web Console back-end.
 # Web Agent.
 # Cluster.

*Configure Web Console back-end settings:*

{code}
"ssl": true,
"key": "some_path/server.key",
"cert": "some_path/server.crt",
"ca": "some_path/ca.crt",
"keyPassphrase": "p123456",
{code}

*Configure Web Agent parameters (see the parameter descriptions):*

{code}
-t your_token
-s https://console.test.local:3000 -n https://console.test.local:11443
-nks client.jks -nkp p123456
-nts ca.jks -ntp p123456
-sks client.jks -skp p123456
-sts ca.jks -stp p123456
{code}

*Configure cluster JETTY config:*

{code:xml}
<New id="httpsCfg" class="org.eclipse.jetty.server.HttpConfiguration">
   <Set name="secureScheme">https</Set>
   <Set name="securePort"><SystemProperty name="IGNITE_JETTY_PORT" default="11443"/></Set>
   <Set name="sendServerVersion">true</Set>
   <Set name="sendDateHeader">true</Set>
   <Call name="addCustomizer"><Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg></Call>
</New>

<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
   <Set name="keyStorePath">some_path/server.jks</Set>
   <Set name="keyStorePassword">p123456</Set>
   <Set name="trustStorePath">some_path/ca.jks</Set>
   <Set name="trustStorePassword">p123456</Set>
   <Set name="needClientAuth">true</Set>
</New>
{code}

*How to start secure web console in direct install edition in Ubuntu:*
 # Download the Ignite Web Console direct install ZIP archive for Linux.
 # Unpack the downloaded archive to the target folder.
 # Generate SSL certificates.
 # Copy the generated certificates to the folder with the unpacked Web Console direct install.
 # Open a terminal and navigate to the folder with the unpacked Web Console direct install.
 # Run the Web Console with the following command:

{code:bash}
ignite-web-console-linux --server:port 11443 --server:ssl true --server:requestCert true \
  --server:key "server.key" --server:cert "server.crt" --server:ca "ca.crt" --server:passphrase "p123456"
{code}
 7. Import the client.p12 certificate into your browser (see the attached 
screenshot from the Chrome browser).

 

  was:
RestExecutor should not be shared between different users' requests in case of 
two-way SSL authentication:
 * For each token with SSL we need to create a separate RestExecutor and set up 
its socketFactory and trustManager.
 * The RestExecutor should be removed once its token has expired.

Add program arguments for passing the client certificate, client password, trust 
store and trust store password for the Ignite node connection and the Web Console back-end. 

Example on okhttp: 
[https://github.com/square/okhttp/blob/cd872fd83824512c128dcd80c04d445c8a2fc8eb/okhttp-tests/src/test/java/okhttp3/internal/tls/ClientAuthTest.java]

Upgrade socket-io from 1.x to 2.x.

Add support for SSL cipher suites.

Add tests.

---------------------------

*How to do local testing:*

On Windows:
 # Download OpenSSL for Windows from 
[https://wiki.openssl.org/index.php/Binaries]
 # Unpack it.

On Linux OpenSSL is usually already installed.

Generate keys with the provided script (see the attached generate.bat; it can 
easily be adapted for Linux).

Add to etc/hosts: 

    127.0.0.1 localhost console.test.local

 ----------------------------

After that, configure SSL for:
 # Web Console back-end.
 # Web Agent.
 # Cluster.

*Configure Web Console back-end settings:*

{code}
"ssl": true,
"key": "some_path/server.key",
"cert": "some_path/server.crt",
"ca": "some_path/ca.crt",
"keyPassphrase": "p123456",
{code}

*Configure Web Agent parameters (see the parameter descriptions):*

{code}
-t your_token
-s https://console.test.local:3000 -n https://console.test.local:11443
-nks client.jks -nkp p123456
-nts ca.jks -ntp p123456
-sks client.jks -skp p123456
-sts ca.jks -stp p123456
{code}

*Configure cluster JETTY config:*

{code:xml}
<New id="httpsCfg" class="org.eclipse.jetty.server.HttpConfiguration">
   <Set name="secureScheme">https</Set>
   <Set name="securePort"><SystemProperty name="IGNITE_JETTY_PORT" default="11443"/></Set>
   <Set name="sendServerVersion">true</Set>
   <Set name="sendDateHeader">true</Set>
   <Call name="addCustomizer"><Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg></Call>
</New>

<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
   <Set name="keyStorePath">some_path/server.jks</Set>
   <Set name="keyStorePassword">p123456</Set>
   <Set name="trustStorePath">some_path/ca.jks</Set>
   <Set name="trustStorePassword">p123456</Set>
   <Set name="needClientAuth">true</Set>
</New>
{code}

*How to start secure web console in direct install edition in Ubuntu:*
 # Download the Ignite Web Console direct install ZIP archive for Linux.
 # Unpack the downloaded archive to the target folder.
 # Generate SSL certificates.
 # Copy the generated certificates to the folder with the unpacked Web Console direct install.
 # Open a terminal and navigate to the folder with the unpacked Web Console direct install.
 # Run the Web Console with the following command:

{code:java}
 {code}


> Web Console: Add support of two way ssl authentication in Web Console agent
> ---------------------------------------------------------------------------
>
>                 Key: IGNITE-9845
>                 URL: https://issues.apache.org/jira/browse/IGNITE-9845
>             Project: Ignite
>          Issue Type: Improvement
>          Components: wizards
>    Affects Versions: 2.6
>            Reporter: Andrey Novikov
>            Assignee: Ilya Murchenko
>            Priority: Major
>             Fix For: 2.8
>
>         Attachments: Selection_274.png, generate.bat
>
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
