As pointed out by Kevin, the KnoxShell can download the cert today by just
going to https://KNOX_HOSTNAME:KNOX_PORT. The only thing we need to
implement within the scope of this JIRA is to add a new KnoxShell
command to make it happen.
Larry's recommendation about creating a new landing page that
I think it is mostly a client-side replacement for what KnoxCLI export-cert
does, which doesn't require SSH to the gateway machine.
Think about KnoxShell users and that they may only have line of sight of the
gateway endpoints but not access to the machine.
Yes, one could do the same with openssl
What is the use case for this?
If a user just wants to download the TLS certificate, couldn't they execute
the following on the command line?
openssl s_client -connect knoxhost:knoxport -showcerts < /dev/null | openssl x509 -outform PEM > knox_gateway.pem
Then the user can import the PEM
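As an added illustration of the client-side approach discussed in this thread (Kevin's openssl one-liner above, and the idea of pulling the public certificate from the existing HTTPS endpoint without trusting the connection), the following Go program does the same thing programmatically. It is not Knox code and not from any participant in the thread. It adds the check a user should make before importing the PEM: comparing the certificate's SHA-256 fingerprint with a value obtained out of band from the gateway administrator. The loopback TLS server, its throwaway self-signed certificate and the name knox-gateway.example are constructed stand-ins for a gateway so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// downloadCert connects to addr with certificate verification disabled, which is
// unavoidable because the certificate is exactly what is not trusted yet, and
// returns the leaf certificate the server presented, PEM-encoded. Only the
// handshake happens on this connection; no request is sent. The certificate is
// handed back only if its SHA-256 fingerprint matches one obtained out of band.
func downloadCert(addr, expectedFingerprint string) ([]byte, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	certs := conn.ConnectionState().PeerCertificates
	conn.Close()
	if len(certs) == 0 {
		return nil, fmt.Errorf("%s presented no certificate", addr)
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certs[0].Raw})
	fp, err := fingerprint(certPEM)
	if err != nil {
		return nil, err
	}
	if !strings.EqualFold(fp, expectedFingerprint) {
		return nil, fmt.Errorf("fingerprint mismatch: got %s, expected %s", fp, expectedFingerprint)
	}
	return certPEM, nil
}

// fingerprint returns the SHA-256 fingerprint of a PEM certificate in the
// AA:BB:... form that `openssl x509 -fingerprint -sha256` prints.
func fingerprint(certPEM []byte) (string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("input is not a PEM certificate")
	}
	sum := sha256.Sum256(block.Bytes)
	parts := make([]string, len(sum))
	for i, b := range sum {
		parts[i] = fmt.Sprintf("%02X", b)
	}
	return strings.Join(parts, ":"), nil
}

// startLocalTLSServer stands in for the Knox gateway so the example runs offline:
// it serves TLS on a loopback port with a constructed self-signed certificate
// (not a real Knox certificate) and returns address, served DER and a stop func.
func startLocalTLSServer() (string, []byte, func(), error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "knox-gateway.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", nil, nil, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, nil, err
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.(*tls.Conn).Handshake() // complete the handshake so the client sees the certificate
			c.Close()
		}
	}()
	return ln.Addr().String(), der, func() { ln.Close() }, nil
}

func main() {
	addr, servedDER, stop, err := startLocalTLSServer()
	if err != nil {
		panic(err)
	}
	defer stop()
	expected, _ := fingerprint(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: servedDER}))
	certPEM, err := downloadCert(addr, expected) // in real use, expected comes from the operator
	if err != nil {
		panic(err)
	}
	fmt.Printf("fetched certificate from %s\nSHA256 fingerprint %s\n%s", addr, expected, certPEM)
}
```

Against a real gateway the call would be downloadCert("knoxhost:knoxport", fp) with fp published by whoever runs the gateway; the returned PEM is what the user then imports into their truststore (for a JKS, keytool -importcert). The fingerprint comparison is the point of the exercise: without it, the download with verification disabled would accept whatever certificate a man-in-the-middle chose to present.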
I'll echo the reservations around the overhead (config, performance,
etc.) associated with an additional endpoint.
I like the idea of leveraging the browser (cited by Larry), which already
has a built-in mechanism for allowing the user to explicitly allow the
interaction with the potentially
Hi Sandor -
Thanks for starting this discussion and taking up that task!
+1 to Kevin's points.
KnoxSession already has a loginInsecure() method as well.
I also think that it needs to be available from the Admin UI - in which
case the SSL cert is already trusted by your browser or the exception
I agree with Kevin, having two endpoints would be a bit confusing for the
users (HTTP for this and HTTPS for others) as well as from the code
perspective, also I am not sure how resource intensive two jetty servers
would be, I hear that it is not that bad.
On Mon, Feb 25, 2019 at 9:54 AM Kevin
I'm not a fan of adding a new endpoint. This port would need to be
configurable. We would need to ensure that it always points to the correct
location.
Instead, can we download the cert from the existing HTTPS endpoint? We
would have to not trust the TLS connection to pull the public cert, but
Hi folks,
I've just started to think about how to resolve
https://issues.apache.org/jira/browse/KNOX-1418 and an approach could be:
1.) Server-side changes
I'm thinking of starting a new embedded Jetty instance when the gateway
server starts on a pre-configured port (e.g. 8100) with a simple