Date: Thu, 23 Jul 2015 19:05:04 +0000 (UTC)
From: "Jayush Luniya (JIRA)"
To: dev@ambari.apache.org
Subject: [jira] [Created] (AMBARI-12518) Support CA signed certificates for 2-way SSL : Make truststore file and keystore/truststore types configurable

Jayush Luniya created AMBARI-12518:
--------------------------------------

             Summary: Support CA signed certificates for 2-way SSL : Make truststore file and keystore/truststore types configurable
                 Key: AMBARI-12518
                 URL: https://issues.apache.org/jira/browse/AMBARI-12518
             Project: Ambari
          Issue Type: Bug
            Reporter: Jayush Luniya
            Priority: Critical

Currently Ambari supports 2-way SSL; however, CA-signed certificates don't work out of the box.

Current Implementation:

Here is what happens currently when 2-way SSL is enabled. Certificates and keys are stored in /var/lib/ambari-server/keys and /var/lib/ambari-agent/keys.

# Ambari Server creates a self-signed certificate (ca.crt, ca.key, ca.csr).
# Further, Ambari Server uses the self-signed certificate to create a keystore in PKCS#12 format (keystore.p12). This PKCS#12 file is used as both keystore and truststore.
# When Ambari Agent is bootstrapped, it identifies that 2-way SSL is enabled; the agent downloads ca.crt from the server and creates a private key .key and a certificate signing request .csr.
# Ambari Agent then sends the certificate signing request (.csr) to Ambari Server, which signs the CSR with the self-signed certificate and returns the signed certificate () back to the Agent.
# During 2-way SSL communication, Ambari Agent uses ca.crt, .crt and .key, and Ambari Server uses keystore.p12 for authentication.

Limitations:

This setup means that the certificates are auto-generated and Ambari Server acts as the CA that signs the client certificate requests. Since both Agent and Server check whether these certificates exist, we can work around this by uploading the CA-signed certificates to the appropriate places so that the certificates are not generated. Further, Ambari Server creates the keystore in PKCS#12 format (keystore.p12), which is used as both keystore and truststore. Even if we included the complete certificate chain in keystore.p12, there is no way to mark the CA certificates as "trustedCertEntry" in PKCS#12 format. This causes authentication to fail, as Ambari Server cannot find a trusted certificate (i.e. the CA certificate).

The fix for 2.1.1 would be to make the truststore file and the truststore/keystore types configurable. A more involved change to make it easy to set up 2-way SSL with CA-signed certificates can be made in 2.2+.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
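As an added illustration (not code from the Ambari project or from this issue), here is how a Java server could build its 2-way SSL context from a separately configurable keystore and truststore, failing at startup when the truststore holds no trustedCertEntry, which is the condition described above. The class name, property names and defaults are hypothetical; only the default paths and file name come from the issue text.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Enumeration;
import java.util.Properties;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Server-side SSLContext for 2-way SSL with separately configurable keystore and
// truststore. Property names are hypothetical, not Ambari's real configuration keys.
public class TwoWaySslContextBuilder {
    static KeyStore load(String path, String type, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);   // e.g. "PKCS12" or "JKS"
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }
    // A truststore with no trustedCertEntry cannot validate any client certificate,
    // which is the failure seen when keystore.p12 doubles as the truststore.
    static int countTrustedCertEntries(KeyStore ts) throws GeneralSecurityException {
        int n = 0;
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements(); ) {
            if (ts.isCertificateEntry(e.nextElement())) n++;
        }
        return n;
    }
    public static SSLContext build(Properties cfg) throws IOException, GeneralSecurityException {
        String dir = cfg.getProperty("keys.dir", "/var/lib/ambari-server/keys");
        // Defaults mirror the current behaviour: keystore.p12 serves both roles.
        String ksPath = dir + "/" + cfg.getProperty("keystore.name", "keystore.p12");
        String tsPath = dir + "/" + cfg.getProperty("truststore.name", "keystore.p12");
        char[] ksPw = cfg.getProperty("keystore.password", "").toCharArray();
        char[] tsPw = cfg.getProperty("truststore.password", "").toCharArray();
        KeyStore ks = load(ksPath, cfg.getProperty("keystore.type", "PKCS12"), ksPw);
        KeyStore ts = load(tsPath, cfg.getProperty("truststore.type", "PKCS12"), tsPw);
        if (countTrustedCertEntries(ts) == 0) {
            throw new GeneralSecurityException("truststore " + tsPath + " contains no trustedCertEntry; CA-signed agent certificates would be rejected");
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, ksPw);   // server identity comes from the keystore only
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);         // client (agent) certificates are validated against the truststore only
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

With truststore.name set to a JKS file into which the CA certificate was imported as a trusted entry, the check passes and the resulting context validates CA-signed agent certificates; client authentication itself is still enabled on the server socket or connector, not on the SSLContext.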