PakhomovAlexander commented on code in PR #1725:
URL: https://github.com/apache/ignite-3/pull/1725#discussion_r1120590528
##########
docs/_docs/ssl-tls.adoc:
##########
@@ -0,0 +1,193 @@
+= SSL/TLS
+
+This page explains how to configure SSL/TLS encryption between the cluster
nodes (server and client) and the clients that connect to your cluster.
+
+== Considerations
+
+All internal connections in the cluster context, as well as cluster's user
interaction interfaces, are SSL-enabled. The communication categories are as
follows:
+
+* Between the user and the cluster (node): REST
+* Between the user and the platform clients:
+
+** CLI
+** Client
+
+* Between nodes: Network (Messaging, Scalecube)
+
+All SSL configurations activities are performed at the node level.
+
+Due to Micronaut limitations, Apache Ignite does nopt support direct paths to
SSL certificates. Instead, it utilizes PKCS12 and JKS keystore.
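Review bot: Typo in the last line of the hunk: "does nopt support" should be "does not support", and "keystore" should be plural ("PKCS12 and JKS keystores") since two formats are named. Two lines up, "All SSL configurations activities are performed at the node level" reads better as "All SSL configuration is performed at the node level".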
Review Comment:
Micronaut is an internal implementation of the REST component. I don't think
we should highlight this fact in the user documentation. The Network part is
not dependent on Micronaut but still utilizes PKCS12 and JKS keystores.
##########
docs/_docs/ssl-tls.adoc:
##########
@@ -0,0 +1,193 @@
+= SSL/TLS
+
+This page explains how to configure SSL/TLS encryption between the cluster
nodes (server and client) and the clients that connect to your cluster.
+
+== Considerations
+
+All internal connections in the cluster context, as well as cluster's user
interaction interfaces, are SSL-enabled. The communication categories are as
follows:
+
+* Between the user and the cluster (node): REST
+* Between the user and the platform clients:
+
+** CLI
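Review bot: The bullet "Between the user and the platform clients:" names the clients themselves instead of the two endpoints of a connection, so it does not parallel "Between the user and the cluster (node): REST" above it. Each item should state which two parties talk and over which interface, e.g. "Between client applications and the cluster: client connector", with the CLI listed under the REST item if it talks to the node over REST.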
Review Comment:
I am not sure that CLI could be named as a platform client. It is a separate
application that communicates with the cluster through REST.
##########
docs/_docs/ssl-tls.adoc:
##########
@@ -0,0 +1,193 @@
+= SSL/TLS
+
+This page explains how to configure SSL/TLS encryption between the cluster
nodes (server and client) and the clients that connect to your cluster.
+
+== Considerations
+
+All internal connections in the cluster context, as well as cluster's user
interaction interfaces, are SSL-enabled. The communication categories are as
follows:
+
+* Between the user and the cluster (node): REST
+* Between the user and the platform clients:
+
+** CLI
+** Client
+
+* Between nodes: Network (Messaging, Scalecube)
+
+All SSL configurations activities are performed at the node level.
+
+Due to Micronaut limitations, Apache Ignite does nopt support direct paths to
SSL certificates. Instead, it utilizes PKCS12 and JKS keystore.
+//Need a link to Micronaut in general; if possible, to the limitation in
particular
+
+== REST
+
+The standard implementation of SSL support for REST involves configuring a
secure connection on a separate port. Apache Ignite also supports the DUAL
protocol feature.
+//Need a link to a description of the DUAL protocol.
+
+To configure SSL in Micronaut, all the necessary properties must be defined in
the Micronaut notation. Map the Apache Ignite 3.x REST security configuration
to the Micronaut one:
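Review bot: "Map the Apache Ignite 3.x REST security configuration to the Micronaut one" asks the reader to perform a mapping that happens inside the node and is never shown; the user only edits the node configuration. Suggest replacing the paragraph with a single sentence such as "Configure REST SSL in the REST section of the node configuration:" and letting the configuration block that follows speak for itself.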
Review Comment:
I would like to ask you not to speak about Micronaut. We configure the REST
interface/component but not Micronaut.
##########
docs/_docs/ssl-tls.adoc:
##########
@@ -0,0 +1,193 @@
+= SSL/TLS
+
+This page explains how to configure SSL/TLS encryption between the cluster
nodes (server and client) and the clients that connect to your cluster.
+
+== Considerations
+
+All internal connections in the cluster context, as well as cluster's user
interaction interfaces, are SSL-enabled. The communication categories are as
follows:
+
+* Between the user and the cluster (node): REST
+* Between the user and the platform clients:
+
+** CLI
+** Client
+
+* Between nodes: Network (Messaging, Scalecube)
+
+All SSL configurations activities are performed at the node level.
+
+Due to Micronaut limitations, Apache Ignite does nopt support direct paths to
SSL certificates. Instead, it utilizes PKCS12 and JKS keystore.
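Review bot: "All internal connections in the cluster context, as well as cluster's user interaction interfaces, are SSL-enabled" states that encryption is already on, while the first paragraph says the page explains how to configure it; suggest "support SSL/TLS" or "can be SSL-enabled" so that readers do not assume traffic is encrypted by default. Minor: "cluster's user interaction interfaces" needs an article ("the cluster's").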
Review Comment:
```suggestion
Due to Micronaut limitations, Apache Ignite does not support direct paths to
SSL certificates. Instead, it utilizes PKCS12 and JKS keystore.
```
##########
docs/_docs/ssl-tls.adoc:
##########
@@ -0,0 +1,193 @@
+= SSL/TLS
+
+This page explains how to configure SSL/TLS encryption between the cluster
nodes (server and client) and the clients that connect to your cluster.
+
+== Considerations
+
+All internal connections in the cluster context, as well as cluster's user
interaction interfaces, are SSL-enabled. The communication categories are as
follows:
+
+* Between the user and the cluster (node): REST
+* Between the user and the platform clients:
+
+** CLI
+** Client
+
+* Between nodes: Network (Messaging, Scalecube)
+
+All SSL configurations activities are performed at the node level.
+
+Due to Micronaut limitations, Apache Ignite does nopt support direct paths to
SSL certificates. Instead, it utilizes PKCS12 and JKS keystore.
+//Need a link to Micronaut in general; if possible, to the limitation in
particular
+
+== REST
+
+The standard implementation of SSL support for REST involves configuring a
secure connection on a separate port. Apache Ignite also supports the DUAL
protocol feature.
+//Need a link to a description of the DUAL protocol.
+
+To configure SSL in Micronaut, all the necessary properties must be defined in
the Micronaut notation. Map the Apache Ignite 3.x REST security configuration
to the Micronaut one:
+
+[source,json]
+----
+"rest": {
+ "dualProtocol": false,
+ "httpToHttpsRedirection": false,
+ "ssl": {
+ "enabled": false,
+ "port": 10400,
+ "portRange": 100,
+ "keyStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ }
+ }
+}
+----
+
+== Clients and JDBC
+
+Apache Ignite 3.x Client implementation is based on the Netty framework, which
supports configuration for security connections via SSLContextBuilder.
+
+=== Client-side Configuration
+
+[source,java]
+----
+SslContextBuilder sslBuilder = SslContextBuilder
+ .forClient()
+ .keyManager(getKeyManagerFactory())
+ .trustManager(getTrustManagerFactory());
+}
+----
+
+=== Server-side Configuration
+
+[source,java]
+----
+SslContextBuilder builder = SslContextBuilder.forServer(certChainInput,
keyInput)
+ .ciphers(getCiphers(), getCiphersFilter())
+ .sessionTimeout(serverSslConfig.getSessionTimeout())
+ .sslProvider(sslProvider);
+.trustManager(trustedCerts.toArray(new X509Certificate[0]))
+ .clientAuth(serverSslConfig.getClientAuth());
+----
+
+View the
link:https://github.com/devsunny/netty-ssl-example/blob/master/src/main/java/com/asksunny/ssl/SecureSocketSslContextFactory.java[Netty
SSL configuration].
+
+Introduce the client configuration on the Apache Ignite 3.x server side and
map it to Netty Security Context:
+
+[source,json]
+----
+"clientConnector": {
+ "ssl": {
+ "enabled": false,
+ "clientAuth": "none",
+ "keyStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ },
+ "trustStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ }
+ }
+}
+----
+
+If you have enabled SSL for `clientConnector`, set the corresponding
properties in
link:https://github.com/apache/ignite-3/blob/be6c8b290894dbd6f88eaaa2a2aafc3eff300855/modules/jdbc/src/main/java/org/apache/ignite/internal/jdbc/ConnectionProperties.java[ConnectionProperties].
+
+== Platform Clients
+
+=== .NET
+
+Add the `IgniteClientConfiguration.SslStreamFactory` property of type
`ISslStreamFactory`.
+
+Provide a
link:https://github.com/apache/ignite/blob/66f43a4bee163aadb3ad731f6eb9a6dfde9faa73/modules/platforms/dotnet/Apache.Ignite.Core/Client/SslStreamFactory.cs[predefined
implementation].
+
+Use the base class library `SslStream`.
+
+Basic usage without client authorization:
+
+[source,csharp]
+----
+var cfg = new IgniteClientConfiguration { SslStreamFactory = new() }
+----
+
+=== C++
+
+TBD
+//Do we need to include this section and say that we expect the C++ client SSL
to be done soon? Or just remove this section for now?
+
+== CLI Configuration
+
+The CLI, uses OkHTTP to communicate with Apache Ignite 3.x. To enable SSL,
create `SSLSocketFactory` and pass it to the `OkHttpClient` builder:
+
+[source,java]
+----
+X509TrustManager trustManager;
+SSLSocketFactory sslSocketFactory;
+try {
+ trustManager =
trustManagerForCertificates(trustedCertificatesInputStream());
+ SSLContext sslContext = SSLContext.getInstance("TLS");
+ sslContext.init(null, new TrustManager[] { trustManager }, null);
+ sslSocketFactory = sslContext.getSocketFactory();
+}
+catch (GeneralSecurityException e) {
+ throw new RuntimeException(e);
+}
+
+client = new OkHttpClient.Builder()
+ .sslSocketFactory(sslSocketFactory, trustManager)
+ .build();
+----
+
+You can enable SSL on the CLI side using the `cli config set` command:
+
+[source,shell]
+----
+cli.trust-store.type=
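Review bot: The Java samples in this hunk do not compile: the client-side block ends with a stray `}` after `.trustManager(getTrustManagerFactory());`, and in the server-side block `.sslProvider(sslProvider);` terminates the statement, so the following `.trustManager(trustedCerts.toArray(new X509Certificate[0]))` and `.clientAuth(...)` lines are dangling; drop the `}` and move the `;` to the end of the chain. The .NET line `var cfg = new IgniteClientConfiguration { SslStreamFactory = new() }` is missing its semicolon. Also, since the `keyStore` and `trustStore` `password` values are stored in plain text in the node configuration, the page should state that the configuration file must be readable only by the account the node runs under.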
Review Comment:
This is not the whole command that the user would execute. Could you please
type here commands like:
```bash
cli config set cli.trust-store.type=<type>
cli config set cli.trust-store.path=<path>
cli config set cli.trust-store.password=<password>
```
##########
docs/_docs/ssl-tls.adoc:
##########
@@ -0,0 +1,193 @@
+= SSL/TLS
+
+This page explains how to configure SSL/TLS encryption between the cluster
nodes (server and client) and the clients that connect to your cluster.
+
+== Considerations
+
+All internal connections in the cluster context, as well as cluster's user
interaction interfaces, are SSL-enabled. The communication categories are as
follows:
+
+* Between the user and the cluster (node): REST
+* Between the user and the platform clients:
+
+** CLI
+** Client
+
+* Between nodes: Network (Messaging, Scalecube)
+
+All SSL configurations activities are performed at the node level.
+
+Due to Micronaut limitations, Apache Ignite does nopt support direct paths to
SSL certificates. Instead, it utilizes PKCS12 and JKS keystore.
+//Need a link to Micronaut in general; if possible, to the limitation in
particular
+
+== REST
+
+The standard implementation of SSL support for REST involves configuring a
secure connection on a separate port. Apache Ignite also supports the DUAL
protocol feature.
+//Need a link to a description of the DUAL protocol.
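Review bot: `//Need a link to a description of the DUAL protocol.` and `//Need a link to Micronaut in general; if possible, to the limitation in particular` are author TODO comments; AsciiDoc `//` lines are not rendered, but they should be resolved or removed before merge. For the DUAL protocol sentence itself: if it means the node listens for plain HTTP and HTTPS on different ports, say so, and say explicitly that the plaintext port remains reachable, because that is what an operator needs to know before enabling it.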
Review Comment:
I think there is no standard specification for dual protocol. I would say it
will be enough to explain that dual protocol means both HTTP and HTTPS are
supported on different ports.
##########
docs/_docs/ssl-tls.adoc:
##########
@@ -0,0 +1,193 @@
+= SSL/TLS
+
+This page explains how to configure SSL/TLS encryption between the cluster
nodes (server and client) and the clients that connect to your cluster.
+
+== Considerations
+
+All internal connections in the cluster context, as well as cluster's user
interaction interfaces, are SSL-enabled. The communication categories are as
follows:
+
+* Between the user and the cluster (node): REST
+* Between the user and the platform clients:
+
+** CLI
+** Client
+
+* Between nodes: Network (Messaging, Scalecube)
+
+All SSL configurations activities are performed at the node level.
+
+Due to Micronaut limitations, Apache Ignite does nopt support direct paths to
SSL certificates. Instead, it utilizes PKCS12 and JKS keystore.
+//Need a link to Micronaut in general; if possible, to the limitation in
particular
+
+== REST
+
+The standard implementation of SSL support for REST involves configuring a
secure connection on a separate port. Apache Ignite also supports the DUAL
protocol feature.
+//Need a link to a description of the DUAL protocol.
+
+To configure SSL in Micronaut, all the necessary properties must be defined in
the Micronaut notation. Map the Apache Ignite 3.x REST security configuration
to the Micronaut one:
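Review bot: "Between nodes: Network (Messaging, Scalecube)" exposes an internal library name in user documentation, the same concern as with Micronaut elsewhere on the page; suggest "Between nodes: network (messaging)". In the same spirit, "Due to Micronaut limitations" should become a plain statement that certificates and keys are supplied through PKCS12 or JKS keystores rather than as direct certificate file paths, without naming the framework.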
Review Comment:
There is no "Micronaut notation", we use HOCON everywhere.
##########
docs/_docs/ssl-tls.adoc:
##########
@@ -0,0 +1,193 @@
+= SSL/TLS
+
+This page explains how to configure SSL/TLS encryption between the cluster
nodes (server and client) and the clients that connect to your cluster.
+
+== Considerations
+
+All internal connections in the cluster context, as well as cluster's user
interaction interfaces, are SSL-enabled. The communication categories are as
follows:
+
+* Between the user and the cluster (node): REST
+* Between the user and the platform clients:
+
+** CLI
+** Client
+
+* Between nodes: Network (Messaging, Scalecube)
+
+All SSL configurations activities are performed at the node level.
+
+Due to Micronaut limitations, Apache Ignite does nopt support direct paths to
SSL certificates. Instead, it utilizes PKCS12 and JKS keystore.
+//Need a link to Micronaut in general; if possible, to the limitation in
particular
+
+== REST
+
+The standard implementation of SSL support for REST involves configuring a
secure connection on a separate port. Apache Ignite also supports the DUAL
protocol feature.
+//Need a link to a description of the DUAL protocol.
+
+To configure SSL in Micronaut, all the necessary properties must be defined in
the Micronaut notation. Map the Apache Ignite 3.x REST security configuration
to the Micronaut one:
+
+[source,json]
+----
+"rest": {
+ "dualProtocol": false,
+ "httpToHttpsRedirection": false,
+ "ssl": {
+ "enabled": false,
+ "port": 10400,
+ "portRange": 100,
+ "keyStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ }
+ }
+}
+----
+
+== Clients and JDBC
+
+Apache Ignite 3.x Client implementation is based on the Netty framework, which
supports configuration for security connections via SSLContextBuilder.
+
+=== Client-side Configuration
+
+[source,java]
+----
+SslContextBuilder sslBuilder = SslContextBuilder
+ .forClient()
+ .keyManager(getKeyManagerFactory())
+ .trustManager(getTrustManagerFactory());
+}
+----
+
+=== Server-side Configuration
+
+[source,java]
+----
+SslContextBuilder builder = SslContextBuilder.forServer(certChainInput,
keyInput)
+ .ciphers(getCiphers(), getCiphersFilter())
+ .sessionTimeout(serverSslConfig.getSessionTimeout())
+ .sslProvider(sslProvider);
+.trustManager(trustedCerts.toArray(new X509Certificate[0]))
+ .clientAuth(serverSslConfig.getClientAuth());
+----
+
+View the
link:https://github.com/devsunny/netty-ssl-example/blob/master/src/main/java/com/asksunny/ssl/SecureSocketSslContextFactory.java[Netty
SSL configuration].
+
+Introduce the client configuration on the Apache Ignite 3.x server side and
map it to Netty Security Context:
+
+[source,json]
+----
+"clientConnector": {
+ "ssl": {
+ "enabled": false,
+ "clientAuth": "none",
+ "keyStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ },
+ "trustStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ }
+ }
+}
+----
+
+If you have enabled SSL for `clientConnector`, set the corresponding
properties in
link:https://github.com/apache/ignite-3/blob/be6c8b290894dbd6f88eaaa2a2aafc3eff300855/modules/jdbc/src/main/java/org/apache/ignite/internal/jdbc/ConnectionProperties.java[ConnectionProperties].
+
+== Platform Clients
+
+=== .NET
+
+Add the `IgniteClientConfiguration.SslStreamFactory` property of type
`ISslStreamFactory`.
+
+Provide a
link:https://github.com/apache/ignite/blob/66f43a4bee163aadb3ad731f6eb9a6dfde9faa73/modules/platforms/dotnet/Apache.Ignite.Core/Client/SslStreamFactory.cs[predefined
implementation].
+
+Use the base class library `SslStream`.
+
+Basic usage without client authorization:
+
+[source,csharp]
+----
+var cfg = new IgniteClientConfiguration { SslStreamFactory = new() }
+----
+
+=== C++
+
+TBD
+//Do we need to include this section and say that we expect the C++ client SSL
to be done soon? Or just remove this section for now?
+
+== CLI Configuration
+
+The CLI, uses OkHTTP to communicate with Apache Ignite 3.x. To enable SSL,
create `SSLSocketFactory` and pass it to the `OkHttpClient` builder:
+
+[source,java]
+----
+X509TrustManager trustManager;
+SSLSocketFactory sslSocketFactory;
+try {
+ trustManager =
trustManagerForCertificates(trustedCertificatesInputStream());
+ SSLContext sslContext = SSLContext.getInstance("TLS");
+ sslContext.init(null, new TrustManager[] { trustManager }, null);
+ sslSocketFactory = sslContext.getSocketFactory();
+}
+catch (GeneralSecurityException e) {
+ throw new RuntimeException(e);
+}
+
+client = new OkHttpClient.Builder()
+ .sslSocketFactory(sslSocketFactory, trustManager)
+ .build();
+----
+
+You can enable SSL on the CLI side using the `cli config set` command:
+
+[source,shell]
+----
+cli.trust-store.type=
+cli.trust-store.path=
+cli.trust-store.password=
+----
+
+Store the CLI security configuration in a separate file with permission
settings that protect it from unauthorized read/write operations. This
configuration file must match profiles from the common configuration file.
+
+== Network
+
+The node network is based on the Netty framework. The configuration is the
same as described for the Apache Ignite Client part except for the part that
addresses the Apache Ignite 3.x configuration:
+
+//What is "node network"?
+
+[source,json]
+----
+"network": {
+ "ssl": {
+ "enabled": false,
+ "clientAuth": "none",
+ "keyStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ },
+ "trustStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ }
+ }
+}
+----
+
+== SSL Client Authentication (mTLS Support)
+
+All connection types you utilize must support the client authentication
feature. Configute it separately for each connection on the server side.
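Review bot: The mTLS section says "All connection types you utilize must support the client authentication feature", but the `clientAuth` value shown in both the `clientConnector` and `network` blocks defaults to `"none"`, so client authentication is optional; reword to say it is optional, list the accepted `clientAuth` values (only `"none"` appears here), and say whether it applies to REST, whose `rest.ssl` block has no `clientAuth` key at all. Typo: "Configute" should be "Configure". The `//What is "node network"?` line is an unresolved question; the Network paragraph should say that it means node-to-node messaging (the "Between nodes" category under Considerations) before merge.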
Review Comment:
Actually, now it is possible to set up the TLS without the client
authentication feature. It is optional.
##########
docs/_docs/ssl-tls.adoc:
##########
@@ -0,0 +1,193 @@
+= SSL/TLS
+
+This page explains how to configure SSL/TLS encryption between the cluster
nodes (server and client) and the clients that connect to your cluster.
+
+== Considerations
+
+All internal connections in the cluster context, as well as cluster's user
interaction interfaces, are SSL-enabled. The communication categories are as
follows:
+
+* Between the user and the cluster (node): REST
+* Between the user and the platform clients:
+
+** CLI
+** Client
+
+* Between nodes: Network (Messaging, Scalecube)
+
+All SSL configurations activities are performed at the node level.
+
+Due to Micronaut limitations, Apache Ignite does nopt support direct paths to
SSL certificates. Instead, it utilizes PKCS12 and JKS keystore.
+//Need a link to Micronaut in general; if possible, to the limitation in
particular
+
+== REST
+
+The standard implementation of SSL support for REST involves configuring a
secure connection on a separate port. Apache Ignite also supports the DUAL
protocol feature.
+//Need a link to a description of the DUAL protocol.
+
+To configure SSL in Micronaut, all the necessary properties must be defined in
the Micronaut notation. Map the Apache Ignite 3.x REST security configuration
to the Micronaut one:
+
+[source,json]
+----
+"rest": {
+ "dualProtocol": false,
+ "httpToHttpsRedirection": false,
+ "ssl": {
+ "enabled": false,
+ "port": 10400,
+ "portRange": 100,
+ "keyStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ }
+ }
+}
+----
+
+== Clients and JDBC
+
+Apache Ignite 3.x Client implementation is based on the Netty framework, which
supports configuration for security connections via SSLContextBuilder.
+
+=== Client-side Configuration
+
+[source,java]
+----
+SslContextBuilder sslBuilder = SslContextBuilder
+ .forClient()
+ .keyManager(getKeyManagerFactory())
+ .trustManager(getTrustManagerFactory());
+}
+----
+
+=== Server-side Configuration
+
+[source,java]
+----
+SslContextBuilder builder = SslContextBuilder.forServer(certChainInput,
keyInput)
+ .ciphers(getCiphers(), getCiphersFilter())
+ .sessionTimeout(serverSslConfig.getSessionTimeout())
+ .sslProvider(sslProvider);
+.trustManager(trustedCerts.toArray(new X509Certificate[0]))
+ .clientAuth(serverSslConfig.getClientAuth());
+----
+
+View the
link:https://github.com/devsunny/netty-ssl-example/blob/master/src/main/java/com/asksunny/ssl/SecureSocketSslContextFactory.java[Netty
SSL configuration].
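Review bot: The server-side snippet uses `certChainInput`, `keyInput`, `serverSslConfig`, `trustedCerts`, `sslProvider`, `getCiphers()` and `getCiphersFilter()` without defining any of them, and the client-side one likewise relies on undefined `getKeyManagerFactory()` and `getTrustManagerFactory()`, so neither can be copied and run; either make them self-contained or replace them with the HOCON configuration the user actually edits. The link under "View the" points to a third-party personal repository (devsunny/netty-ssl-example) rather than to Ignite or Netty documentation; if a reference is needed, link Netty's own `SslContextBuilder` documentation.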
Review Comment:
I am not sure that this brings any piece of information for users. As well
as code examples. It is just internal implementation.