ambari-dev mailing list archives

From "Jayush Luniya (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-12518) Support CA signed certificates for 2-way SSL : Make truststore file and keystore/truststore types configurable
Date Wed, 29 Jul 2015 16:44:04 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-12518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14646381#comment-14646381 ]

Jayush Luniya commented on AMBARI-12518:
----------------------------------------

Trunk:
commit 8bd16add847833a54e8efc6681700b77f569531a
Author: Jayush Luniya <jluniya@hortonworks.com>
Date:   Wed Jul 29 09:42:26 2015 -0700

    AMBARI-12518: Support CA signed certificates for 2-way SSL : Make truststore file and keystore/truststore types configurable (jluniya)

> Support CA signed certificates for 2-way SSL : Make truststore file and keystore/truststore types configurable
> ---------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-12518
>                 URL: https://issues.apache.org/jira/browse/AMBARI-12518
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.0.1
>            Reporter: Jayush Luniya
>            Assignee: Jayush Luniya
>            Priority: Critical
>             Fix For: 2.1.1
>
>         Attachments: AMBARI-12518.0.patch, Configuring2-waySSLforambariwithCAsignedcerts.pdf
>
>
> Currently Ambari supports 2-way SSL, however CA signed certificates don't work out of the box.
> Current Implementation:
> Here is what happens currently when 2-way SSL is enabled.
> Certificates and keys are stored in /var/lib/ambari-server/keys and /var/lib/ambari-agent/keys.
> 1. Ambari Server creates a self-signed certificate (ca.crt, ca.key, ca.csr).
> 2. Further, using the self-signed certificate, Ambari Server creates a keystore in PKCS#12 format (keystore.p12). This PKCS#12 file is used as both keystore and truststore.
> 3. When Ambari Agent is bootstrapped, it identifies that 2-way SSL is enabled; the agent downloads the ca.crt from the server and creates a private key <hostname>.key and a certificate signing request <hostname>.csr.
> 4. Ambari Agent then sends the certificate signing request (<hostname>.csr) to Ambari Server, which signs the CSR with the self-signed certificate and returns the signed certificate (<hostname>.crt) back to the Agent.
> 5. During 2-way SSL communication, Ambari Agent uses the ca.crt, <hostname>.crt and <hostname>.key, and Ambari Server uses the keystore.p12 for authentication.
> Limitations:
> This setup means that the certificates are auto-generated and Ambari Server acts as CA to sign the client certificate requests. Since both Agent and Server check if these certificates exist, we can work around this by uploading the CA signed certificates to the appropriate places to avoid the certificates being generated.
> Further, Ambari Server creates a keystore in PKCS#12 format (keystore.p12) which is used as both keystore and truststore. Even if we included the complete certificate chain in keystore.p12, there is no way to mark the CA certificates as "trustedCertEntry" in PKCS#12 format. This causes authentication to fail as Ambari Server cannot find a trusted certificate (i.e. the CA certificate).
> The fix for 2.1.1 would be to make the truststore file and truststore/keystore types configurable. A more involved change to make it easy to set up 2-way SSL with CA signed certificates can be made in 2.2+.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
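As an added check written for this page (example code, not part of the Ambari patch or the project's code base), a small Java diagnostic that loads the truststore from a separately configurable file and type and reports whether it holds any trusted certificate entry; the ssl.truststore.* property names and their defaults are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Lists the trusted certificate entries in a truststore loaded from a configurable
 * file and type. When keystore.p12 doubles as the truststore, the CA certificate is
 * only present inside the private-key entry's chain, so no trusted entry is found.
 */
public class TrustStoreCheck {
    /** Aliases of trustedCertEntry items (not PrivateKeyEntry) in the store. */
    public static List<String> trustedCertAliases(String path, String type, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore store = KeyStore.getInstance(type); // "JKS" or "PKCS12"
        try (FileInputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        List<String> trusted = new ArrayList<>();
        for (Enumeration<String> e = store.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (store.isCertificateEntry(alias)) {
                trusted.add(alias);
            }
        }
        return trusted;
    }

    public static void main(String[] args) throws Exception {
        // Property names are assumptions for this example, not Ambari's own settings.
        // The defaults reproduce the single-file setup described in the issue.
        String path = System.getProperty("ssl.truststore.path", "/var/lib/ambari-server/keys/keystore.p12");
        String type = System.getProperty("ssl.truststore.type", "PKCS12");
        String password = System.getProperty("ssl.truststore.password");
        if (password == null) {
            System.err.println("set -Dssl.truststore.password=<truststore password>");
            System.exit(2);
        }
        List<String> trusted = trustedCertAliases(path, type, password.toCharArray());
        if (trusted.isEmpty()) {
            System.err.println("No trustedCertEntry in " + path + " (" + type
                + "): the server has no CA certificate to validate agent certificates against");
            System.exit(1);
        }
        System.out.println("Trusted CA entries in " + path + ": " + trusted);
    }
}
```

Pointing ssl.truststore.path at a JKS file that holds the CA certificate as a trusted entry (with ssl.truststore.type=JKS) is the configuration this fix makes possible; pointing it at the generated keystore.p12 shows the empty result the issue describes.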
