Re: [DISCUSS] Knox Shell command for downloading the public cert from a Knox instance

2019-02-26 Thread Sandor Molnar
As pointed out by Kevin the KnoxShell can download the cert today by just going to https://KNOX_HOSTNAME:KNOX_PORT. The only thing we need to implement within the scope of this JIRA is to add a new KnoxShell command to make it happen. Larry's recommendation about creating a new landing page that

Re: [DISCUSS] Knox Shell command for downloading the public cert from a Knox instance

2019-02-25 Thread larry mccay
I think it is mostly a client side replacement for what KnoxCLI export-cert does which doesn't require SSH to the gateway machine. Think about KnoxShell users and that they may only have line of sight of the gateway endpoints but not access to the machine. Yes, one could do the same with openssl

Re: [DISCUSS] Knox Shell command for downloading the public cert from a Knox instance

2019-02-25 Thread Robert Levas
What is the use case for this? If a user just wants to download the TLS certificate, couldn't they execute the following on the command line? openssl s_client -connect *knoxhost*:*knoxport* -showcerts </dev/null | openssl x509 -outform PEM > knox_gateway.pem Then the user can import the PEM

Re: [DISCUSS] Knox Shell command for downloading the public cert from a Knox instance

2019-02-25 Thread Phil Zampino
I'll echo the reservations around the overhead (config, performance, etc...) associated with an additional endpoint. I like the idea of leveraging the browser (cited by Larry), which already has a built-in mechanism for allowing the user to explicitly allow the interaction with the potentially

Re: [DISCUSS] Knox Shell command for downloading the public cert from a Knox instance

2019-02-25 Thread larry mccay
Hi Sandor - Thanks for starting this discussion and taking up that task! +1 to Kevin's points. KnoxSession already has a loginInsecure() method as well. I also think that it needs to be available from the Admin UI - in which case the SSL cert is already trusted by your browser or the exception

Re: [DISCUSS] Knox Shell command for downloading the public cert from a Knox instance

2019-02-25 Thread Sandeep Moré
I agree with Kevin, having two endpoints would be a bit confusing for the users (HTTP for this and HTTPS for others) as well as from the code perspective, also I am not sure how resource intensive two jetty servers would be, I hear that it is not that bad. On Mon, Feb 25, 2019 at 9:54 AM Kevin

Re: [DISCUSS] Knox Shell command for downloading the public cert from a Knox instance

2019-02-25 Thread Kevin Risden
I'm not a fan of adding a new endpoint. This port would need to be configurable. We would need to ensure that it always points to the correct location. Instead, can we download the cert from the existing HTTPS endpoint? We would have to not trust the TLS connection to pull the public cert, but

[DISCUSS] Knox Shell command for downloading the public cert from a Knox instance

2019-02-25 Thread Sandor Molnar
Hi folks, I've just started to think about how to resolve https://issues.apache.org/jira/browse/KNOX-1418 and an approach could be: 1.) Server-side changes I'm thinking of starting a new embedded Jetty instance when the gateway server starts on a pre-configured port (e.g. 8100) with a simple