ambari-dev mailing list archives

From "Jayush Luniya (JIRA)" <>
Subject [jira] [Created] (AMBARI-12518) Support CA signed certificates for 2-way SSL : Make truststore file and keystore/truststore types configurable
Date Thu, 23 Jul 2015 19:05:04 GMT
Jayush Luniya created AMBARI-12518:

             Summary: Support CA signed certificates for 2-way SSL : Make truststore file and keystore/truststore types configurable
                 Key: AMBARI-12518
             Project: Ambari
          Issue Type: Bug
            Reporter: Jayush Luniya
            Priority: Critical

Currently Ambari supports 2-way SSL, however CA signed certificates don't work out of the
Current Implementation:
Here is what happens currently when 2-way SSL is enabled.
Certificates and keys are stored in /var/lib/ambari-server/keys and /var/lib/ambari-agent/keys.
# Ambari Server creates a self-signed certificate (ca.crt, ca.key, ca.csr).
# Further, Ambari Server uses the self-signed certificate to create a keystore in PKCS#12 format (keystore.p12). This PKCS#12 file is used as both keystore and truststore.
# When Ambari Agent is bootstrapped, it identifies that 2-way SSL is enabled; the agent downloads the ca.crt from the server and creates a private key <hostname>.key and a certificate signing request <hostname>.csr.
# Ambari Agent then sends the certificate signing request (<hostname>.csr) to Ambari Server, which signs the CSR with the self-signed certificate and returns the signed certificate (<hostname>.crt) back to the Agent.
# During 2-way SSL communication, Ambari Agent uses the ca.crt, <hostname>.crt and <hostname>.key, and Ambari Server uses the keystore.p12 for authentication.

This setup means that the certificates are auto-generated and Ambari Server acts as the CA to sign the client certificate requests. Since both Agent and Server check whether these certificates already exist, we can work around this by uploading the CA signed certificates to the appropriate places so that the certificates are not generated.
Further, Ambari Server creates a keystore in PKCS#12 format (keystore.p12) which is used as both keystore and truststore. Even if we included the complete certificate chain in keystore.p12, there is no way to mark the CA certificates as "trustedCertEntry" in PKCS#12 format. This causes authentication to fail, as Ambari Server cannot find a trusted certificate (i.e. the CA certificate).
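The five steps above, together with the failure described at the end (the server cannot find a trusted CA certificate), as an added example written for this page and not Ambari's own code: Ambari Server is Java and the agent is Python, whereas this models the exchange with Go's standard library only. The CA name, the agent hostname, ECDSA P-256 keys and the one-day validity are constructed choices, and the server's truststore is modelled as a bare x509.CertPool, so "empty pool" corresponds to the keystore.p12-reused-as-truststore case in which no CA is marked as a trusted entry.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl under parent with signerKey (parent == tmpl gives a self-signed cert), using a random 128-bit serial and a one-day validity.
func issue(tmpl, parent *x509.Certificate, pub crypto.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = serial
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA models step 1: the server's self-signed CA (the ca.crt/ca.key pair); cn is a constructed name.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// newAgentCSR models step 3: the agent's <hostname>.key and a CSR (<hostname>.csr) carrying its hostname as CN.
func newAgentCSR(hostname string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: hostname}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return csrDER, key, err
}

// signCSR models step 4: the server checks the CSR's proof of possession and issues <hostname>.crt for client auth.
func signCSR(csrDER []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr proof of possession failed: %w", err)
	}
	tmpl := &x509.Certificate{
		Subject:     csr.Subject,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return issue(tmpl, ca, csr.PublicKey, caKey)
}

// verifyAgentCert models step 5 on the server: the client cert must chain to a CA held in the truststore pool.
func verifyAgentCert(agentCert *x509.Certificate, truststore *x509.CertPool) error {
	_, err := agentCert.Verify(x509.VerifyOptions{Roots: truststore, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	ca, caKey, err := newCA("ambari-server-ca") // constructed CA name
	check(err)
	csrDER, _, err := newAgentCSR("agent1.example.test") // constructed hostname
	check(err)
	agentCert, err := signCSR(csrDER, ca, caKey)
	check(err)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	// CA present as a trusted entry: verification succeeds; empty truststore: "certificate signed by unknown authority".
	fmt.Println("CA in truststore:", verifyAgentCert(agentCert, trusted))
	fmt.Println("no trusted CA:   ", verifyAgentCert(agentCert, x509.NewCertPool()))
}
```

Running it prints nil for the first check and an unknown-authority error for the second, which is the failure the ticket describes: the server's identity (keystore) and the set of CAs it trusts (truststore) are separate concerns, and the proposed fix of a separately configurable truststore file is what lets ca.crt be loaded as a trusted entry.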

The fix for 2.1.1 would be to make the truststore file and the truststore/keystore types configurable.
A more involved change to make it easy to set up 2-way SSL with CA signed certificates can
be made in 2.2+.

This message was sent by Atlassian JIRA
