[ https://issues.apache.org/jira/browse/IGNITE-9845?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16729478#comment-16729478 ]
ASF GitHub Bot commented on IGNITE-9845:
----------------------------------------

Github user akuznetsov-gridgain closed the pull request at:

    https://github.com/apache/ignite/pull/5022

> Web Console: Add support of two way ssl authentication in Web Console agent
> ---------------------------------------------------------------------------
>
>                 Key: IGNITE-9845
>                 URL: https://issues.apache.org/jira/browse/IGNITE-9845
>             Project: Ignite
>          Issue Type: Improvement
>          Components: wizards
>    Affects Versions: 2.6
>            Reporter: Andrey Novikov
>            Assignee: Pavel Konstantinov
>            Priority: Major
>             Fix For: 2.8
>
>         Attachments: Selection_274.png
>
>
> RestExecutor should not be shared between different users' requests in case of two way ssl authentication:
> * For each token with ssl we need to create a separate RestExecutor and set up socketFactory and trustManager.
> * RestExecutor should be removed if the token has expired.
> Add program arguments for passing client certificate, client password, trust store, trust store password for ignite node connection and web console backend.
> Example on okhttp:
> [https://github.com/square/okhttp/blob/cd872fd83824512c128dcd80c04d445c8a2fc8eb/okhttp-tests/src/test/java/okhttp3/internal/tls/ClientAuthTest.java]
> Upgrade socket-io from 1.x to 2.x.
> Add support for SSL cipher suites
> Add tests.
> ---------------------------
> *How to do local testing:*
> On Windows
> # Download OpenSSL: Download OpenSSL for Windows from [https://wiki.openssl.org/index.php/Binaries]
> # Unpack it.
> On Linux - it is usually built-in.
> Generate keys with provided script (see attached generate.bat, it could be easily adapted for Linux).
>
> Add to etc/hosts:
> 127.0.0.1 localhost console.test.local
> ----------------------------
> After that configure SSL for:
> # Web Console back-end.
> # Web Agent.
> # Cluster.
> *Configure Web Console back-end settings:*
> "ssl": true,
> "key": "some_path/server.key",
> "cert": "some_path/server.crt",
> "ca": "some_path/ca.crt",
> "keyPassphrase": "p123456",
> *Configure Web Agent parameters (see parameters descriptions):*
> -t your_token
> -s [https://console.test.local:3000|https://console.test.local:3000/] -n [https://console.test.local:11443|https://console.test.local:11443/]
> -nks client.jks -nkp p123456
> -nts ca.jks -ntp p123456
> -sks client.jks -skp p123456
> -sts ca.jks -stp p123456
> *Configure cluster JETTY config:*
> <New id="httpsCfg" class="org.eclipse.jetty.server.HttpConfiguration">
>   <Set name="secureScheme">https</Set>
>   <Set name="securePort"><SystemProperty name="IGNITE_JETTY_PORT" default="11443"/></Set>
>   <Set name="sendServerVersion">true</Set>
>   <Set name="sendDateHeader">true</Set>
>   <Call name="addCustomizer"> <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg></Call>
> </New>
> <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
>   <Set name="keyStorePath">some_path/server.jks</Set>
>   <Set name="keyStorePassword">p123456</Set>
>   <Set name="trustStorePath">some_path/ca.jks</Set>
>   <Set name="trustStorePassword">p123456</Set>
>   <Set name="needClientAuth">true</Set>
> </New>
> *How to start secure web console in direct install edition in Ubuntu:*
> # Download ignite web console direct install for linux ZIP archive.
> # Unpack downloaded archive to goal folder.
> # Generate SSL certificates.
> # Copy generated certificates to folder with unpacked web console direct install.
> # Open terminal and navigate to folder with unpacked web console direct install.
> # Run web console with the next command:
> {code:java}
> ignite-web-console-linux --server:port 11443 --server:ssl true --server:requestCert true --server:key "server.key" --server:cert "server.crt" --server:ca "ca.crt" --server:passphrase "p123456"{code}
> 7. Import client.p12 certificate into your browser. See attached screenshot in Chrome browser.
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
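
The issue points to an attached generate.bat for key generation, which is not reproduced in this message. The Linux sketch below is an added example, not that attachment and not Ignite project code: it produces the file names the configuration above expects (server.key, server.crt, ca.crt, client.p12, and the .jks stores), while the function name, subject names, key size and validity period are assumptions.

```shell
#!/usr/bin/env bash
# Added example: test-only CA, server and client certificates for the two-way
# SSL setup in the issue. File names, console.test.local and the password
# p123456 come from the issue; everything else here is an assumption.
set -e

gen_mtls_certs() {
  local dir="$1" pass="${2:-p123456}" host="console.test.local" role cn
  mkdir -p "$dir"
  (
    cd "$dir"
    # Self-signed throwaway CA (CA:TRUE comes from the default openssl.cnf).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
      -subj "/CN=Web Console Test CA" -keyout ca.key -out ca.crt
    # Server cert carries SANs for the names in etc/hosts and the -s/-n URLs.
    printf 'subjectAltName=DNS:%s,DNS:localhost,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' \
      "$host" > server.ext
    printf 'extendedKeyUsage=clientAuth\n' > client.ext
    for role in server client; do
      case "$role" in server) cn="$host" ;; *) cn="$role" ;; esac
      # Private key is encrypted with the passphrase ("keyPassphrase" above).
      openssl req -newkey rsa:2048 -passout "pass:$pass" -sha256 \
        -subj "/CN=$cn" -keyout "$role.key" -out "$role.csr"
      openssl x509 -req -in "$role.csr" -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 365 -sha256 -extfile "$role.ext" -out "$role.crt"
      # PKCS#12 bundle; client.p12 is the file imported into the browser.
      openssl pkcs12 -export -inkey "$role.key" -passin "pass:$pass" \
        -in "$role.crt" -certfile ca.crt -name "$role" \
        -passout "pass:$pass" -out "$role.p12"
    done
    # JKS stores for the agent (-nks/-nts/-sks/-sts) and Jetty; needs a JDK.
    if command -v keytool >/dev/null 2>&1; then
      rm -f ca.jks server.jks client.jks
      keytool -importcert -noprompt -alias ca -file ca.crt \
        -keystore ca.jks -storetype JKS -storepass "$pass"
      for role in server client; do
        keytool -importkeystore -noprompt -srckeystore "$role.p12" \
          -srcstoretype PKCS12 -srcstorepass "$pass" \
          -destkeystore "$role.jks" -deststoretype JKS -deststorepass "$pass"
      done
    else
      echo "keytool not found: skipped ca.jks, server.jks, client.jks" >&2
    fi
  )
}

# Runs only when a target directory is given, e.g.: ./gen-certs.sh ./certs
if [ -n "${1:-}" ]; then gen_mtls_certs "$1"; fi
```

Passing passphrases as command-line arguments exposes them in the process list, so this form suits only throwaway local test keys such as these.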