From: "Jayush Luniya (JIRA)"
To: dev@ambari.apache.org
Date: Thu, 23 Jul 2015 19:08:04 +0000 (UTC)
Subject: [jira] [Updated] (AMBARI-12518) Support CA signed certificates for 2-way SSL : Make truststore file and keystore/truststore types configurable

[ https://issues.apache.org/jira/browse/AMBARI-12518?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jayush Luniya updated AMBARI-12518:
-----------------------------------

    Attachment: Configuring2-waySSLforambariwithCAsignedcerts.pdf

> Support CA signed certificates for 2-way SSL : Make truststore file and keystore/truststore types configurable
> ---------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-12518
>                 URL: https://issues.apache.org/jira/browse/AMBARI-12518
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.0.1
>            Reporter: Jayush Luniya
>            Assignee: Jayush Luniya
>            Priority: Critical
>             Fix For: 2.1.1
>
>         Attachments: Configuring2-waySSLforambariwithCAsignedcerts.pdf
>
>
> Currently Ambari supports 2-way SSL; however, CA signed certificates don't work out of the box.
>
> Current Implementation:
> Here is what happens currently when 2-way SSL is enabled.
> Certificates and keys are stored in /var/lib/ambari-server/keys and /var/lib/ambari-agent/keys.
> # Ambari Server creates a self-signed certificate (ca.crt, ca.key, ca.csr).
> # Further, Ambari Server uses the self-signed certificate to create a keystore in PKCS#12 format (keystore.p12). This PKCS#12 file is used as both keystore and truststore.
> # When Ambari Agent is bootstrapped, it identifies that 2-way SSL is enabled; the agent downloads the ca.crt from the server and creates a private key .key and a certificate signing request .csr.
> # Ambari Agent then sends the certificate signing request (.csr) to Ambari Server, which signs the CSR request with the self-signed certificate and returns the signed certificate () back to the Agent.
> # During 2-way SSL communication, Ambari Agent uses the ca.crt, .crt, .key and Ambari Server uses the keystore.p12 for authentication.
>
> Limitations:
> This setup means that the certificates are auto-generated and Ambari Server acts as CA to sign the client certificate requests. Since both Agent and Server check whether these certificates exist, we can work around this by uploading the CA signed certificates to the appropriate places to avoid the certificates being generated.
> Further, Ambari Server creates a keystore in PKCS#12 format (keystore.p12) which is used as both keystore and truststore. Even if we included the complete certificate chain in keystore.p12, there is no way to mark the CA certificates as "trustedCertEntry" in PKCS#12 format. This causes authentication to fail, as Ambari Server cannot find a trusted certificate (i.e. the CA certificate).
>
> The fix for 2.1.1 would be to make the truststore file and truststore/keystore types configurable. A more involved change to make it easy to set up 2-way SSL with CA signed certificates can be made in 2.2+.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
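A check for the failure mode described in the issue (a store that holds a private-key entry whose chain contains the CA, but no entry the JVM treats as a trust anchor), written as an added example and not part of the JIRA issue or of Ambari's code: it loads a store of a configurable type and reports which aliases are trustedCertEntry versus PrivateKeyEntry. The store file path, store type and password are assumed to arrive as command-line arguments.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Reports whether a keystore/truststore file actually contains CA trust anchors. */
public class TrustStoreCheck {

    /**
     * Returns the number of trustedCertEntry aliases in the store.
     * A CA certificate that only appears inside a PrivateKeyEntry's chain is NOT
     * counted: the JVM does not treat it as a trust anchor, which is exactly why
     * a single keystore.p12 used as truststore fails client authentication.
     */
    static int countTrustedEntries(String path, String type, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);       // e.g. "PKCS12" or "JKS"
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        int trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                trusted++;
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println("trustedCertEntry " + alias + " -> " + c.getSubjectX500Principal());
            } else if (ks.isKeyEntry(alias)) {
                // chain length > 1 means the CA is present, but only as part of the chain
                System.out.println("PrivateKeyEntry  " + alias + " (chain length "
                        + ks.getCertificateChain(alias).length + ")");
            }
        }
        return trusted;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustStoreCheck <store-file> <store-type> <password>");
            System.exit(2);
        }
        int trusted = countTrustedEntries(args[0], args[1], args[2].toCharArray());
        if (trusted == 0) {
            System.err.println("no trustedCertEntry found: this file cannot serve as a truststore");
            System.exit(1);
        }
    }
}
```

Run it against the server's keystore.p12 and against a separately built JKS truststore holding the CA certificate to see the difference the configurable truststore file is meant to allow.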