Pulkit Chandra created GEODE-5338:
-------------------------------------

             Summary: Geode client to support Trust and Keystore rotation
                 Key: GEODE-5338
                 URL: https://issues.apache.org/jira/browse/GEODE-5338
             Project: Geode
          Issue Type: Improvement
          Components: security
            Reporter: Pulkit Chandra


WHY: Cloud Foundry provides the ability to rotate certs pretty frequently. By 
default the certs are rotated every day, and this can be changed to rotate every 
hour, which creates an issue for Java applications. This rotation is essential 
to provide a strong security stance for client applications.

WHAT: Today Geode client applications, when establishing a TLS connection to 
the servers, require a path to the certificate. Since these files would be 
changing, we need a mechanism in Geode which will watch for these changes and 
use the new certs without causing service disruption.


Solution options:

Some options to consider:
 # Cloud Foundry has a lib which watches for changes to these certs (which are 
in PEM format) and converts them, creating in-memory TrustStore and KeyStore 
objects. If we have a mechanism in Geode to pass these objects instead of a path 
to them, we might have a solution. Also, these objects get updated after 
rotation, so the Geode code needs to consider that as well.
 # Geode can develop its own capability to watch for changes on the files, 
convert them to the right format using OpenSSL, create files, and pass them in. 
Update these files every time someone updates the certs.
 # Geode starts accepting PEM files and watches them directly for changes.
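As an added illustration of the third option (this is example code written for this ticket, not Geode code and not the Cloud Foundry library mentioned above), the following Java class watches a PEM bundle and rebuilds an in-memory TrustStore whenever the file changes, so no path ever has to be handed to the TLS layer. It assumes the bundle path as input, covers only the trust side (the KeyStore side additionally needs PKCS#8 private-key decoding), and detects rotation by file modification time.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

/** Delegating trust manager that rebuilds its in-memory TrustStore when the PEM bundle is rotated. */
public final class ReloadingTrustManager implements X509TrustManager {
  private final Path pemBundle;             // assumed: the CA bundle the platform rotates on disk
  private volatile X509TrustManager delegate;
  private volatile FileTime loadedAt;

  public ReloadingTrustManager(Path pemBundle) throws Exception {
    this.pemBundle = pemBundle;
    reload();                               // fail fast if the initial bundle is unreadable
  }

  /** Parse every CERTIFICATE block in the bundle into a fresh, file-less PKCS12 TrustStore. */
  private synchronized void reload() throws Exception {
    FileTime mtime = Files.getLastModifiedTime(pemBundle);
    if (delegate != null && mtime.equals(loadedAt)) return;   // unchanged since last load (mtime-based check)
    KeyStore ts = KeyStore.getInstance("PKCS12");
    ts.load(null, null);                                      // empty in-memory store, no path involved
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    try (InputStream in = Files.newInputStream(pemBundle)) {
      int i = 0;
      for (Certificate c : cf.generateCertificates(in)) {     // handles a concatenated PEM bundle
        ts.setCertificateEntry("ca-" + (i++), c);
      }
    }
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ts);
    for (TrustManager tm : tmf.getTrustManagers()) {
      if (tm instanceof X509TrustManager) { delegate = (X509TrustManager) tm; loadedAt = mtime; return; }
    }
    throw new IllegalStateException("no X509TrustManager available");
  }

  /** Re-check the file before each use; a failed reload keeps serving the last good store. */
  private X509TrustManager current() {
    try { reload(); } catch (Exception e) { /* log in real code; do not drop the previous trust anchors */ }
    return delegate;
  }

  @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    current().checkServerTrusted(chain, authType);
  }
  @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    current().checkClientTrusted(chain, authType);
  }
  @Override public X509Certificate[] getAcceptedIssuers() { return current().getAcceptedIssuers(); }
}
```

An SSLContext initialized with this TrustManager picks up the rotated bundle on the next handshake only; connections that are already established keep their negotiated session, so re-handshaking or recycling those is a separate concern for the client.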


Key Outcomes to watch for:
 1. Provide the ability to rotate certs easily without downtime.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)