geode-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (GEODE-5338) Geode client to support Trust and Keystore rotation
Date Wed, 01 Aug 2018 22:03:00 GMT

     [ https://issues.apache.org/jira/browse/GEODE-5338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

ASF GitHub Bot updated GEODE-5338:
----------------------------------
    Labels: pull-request-available  (was: )

> Geode client to support Trust and Keystore rotation
> ---------------------------------------------------
>
>                 Key: GEODE-5338
>                 URL: https://issues.apache.org/jira/browse/GEODE-5338
>             Project: Geode
>          Issue Type: Improvement
>          Components: security
>            Reporter: Pulkit Chandra
>            Priority: Major
>              Labels: pull-request-available
>
> WHY: Cloud Foundry provides the ability to rotate certs pretty frequently. By default the
certs are rotated every day, and this can be changed to rotate every hour, which creates an issue
with Java applications. This rotation is essential to provide a strong security stance on
client applications.
> WHAT: Today, Geode client applications, when establishing a TLS connection to the servers,
require a path to the certificate. Since these files would be changing, we need a mechanism
in Geode which will watch for these changes and use the new certs without causing service
disruption.
>  
> Solution options:
> Some options to consider
>  # Cloud Foundry has a lib which watches for changes to these certs (which are in PEM
format) and converts them, creating in-memory TrustStore and KeyStore objects. If we have
a mechanism in Geode to pass these objects instead of paths to them, we might have a solution.
Also, these objects get updated after rotation, so the Geode code needs to consider that as
well.
>  # Geode can develop its own capability to watch for changes to the files, convert
them to the right format using OpenSSL, create files and pass them in, updating these files
every time someone updates the certs.
>  # Geode starts accepting PEM files and watches them directly for changes.
>  
> Key Outcomes to watch for:
>  1. Provide the ability to rotate certs easily without downtime.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
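The mechanism the solution options in the issue describe, written out as an added Java example; it is neither Geode's code nor the Cloud Foundry library the reporter mentions. It watches a directory of PEM files, parses them into in-memory KeyStore/TrustStore objects (nothing is written to disk), and hands an SSLContext key and trust managers that always route to the most recently loaded material, so the context is built once and survives rotation. The class name, the three-file layout (client cert chain, private key, CA bundle in one directory), the alias "client", and the assumption that the key file holds a single unencrypted PKCS#8 key are mine, not taken from the issue or from Cloud Foundry.

```java
import java.io.*;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate; // disambiguates from the deprecated java.security.Certificate
import java.security.spec.*;
import java.util.*;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.*;

/** Hypothetical helper, not Geode or Cloud Foundry code: builds in-memory KeyStore/TrustStore objects from
 *  PEM files and republishes them whenever the files change, so one SSLContext keeps working across rotation.
 *  Assumes the key file holds a single unencrypted PKCS#8 key (-----BEGIN PRIVATE KEY-----). */
public final class RotatingPemMaterial {
    private static final char[] NO_PASSWORD = new char[0];
    private final Path certPem, keyPem, caPem;
    private final AtomicReference<X509ExtendedKeyManager> km = new AtomicReference<>();
    private final AtomicReference<X509TrustManager> tm = new AtomicReference<>();

    public RotatingPemMaterial(Path certPem, Path keyPem, Path caPem) throws IOException, GeneralSecurityException {
        this.certPem = certPem; this.keyPem = keyPem; this.caPem = caPem;
        reload(); // fail fast at startup if the initial material is unusable
    }

    /** Re-parse the files and swap in fresh managers; if anything fails the previous ones stay in use. */
    public synchronized void reload() throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate[] chain; Collection<? extends Certificate> cas;
        try (InputStream in = Files.newInputStream(certPem)) { chain = cf.generateCertificates(in).toArray(new Certificate[0]); }
        try (InputStream in = Files.newInputStream(caPem)) { cas = cf.generateCertificates(in); }
        if (chain.length == 0 || cas.isEmpty()) throw new CertificateException("no certificates in PEM file");
        PrivateKey key = readPkcs8Key(keyPem);
        assertKeyMatches(key, chain[0]); // a half-written rotation (new cert, old key) must never be published
        KeyStore ks = KeyStore.getInstance("PKCS12"); ks.load(null, null); // empty in-memory store, nothing on disk
        ks.setKeyEntry("client", key, NO_PASSWORD, chain);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, NO_PASSWORD);
        KeyStore ts = KeyStore.getInstance("PKCS12"); ts.load(null, null);
        for (Certificate ca : cas) ts.setCertificateEntry("ca-" + ts.size(), ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        km.set((X509ExtendedKeyManager) kmf.getKeyManagers()[0]); // the JDK factories return the extended type
        tm.set((X509TrustManager) tmf.getTrustManagers()[0]);
    }

    private static PrivateKey readPkcs8Key(Path p) throws IOException, GeneralSecurityException {
        String pem = new String(Files.readAllBytes(p), StandardCharsets.US_ASCII);
        if (!pem.contains("-----BEGIN PRIVATE KEY-----"))
            throw new InvalidKeyException("expected unencrypted PKCS#8 (not PKCS#1 'RSA PRIVATE KEY') in " + p);
        String b64 = pem.replace("-----BEGIN PRIVATE KEY-----", "").replace("-----END PRIVATE KEY-----", "").replaceAll("\\s", "");
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(b64));
        try { return KeyFactory.getInstance("RSA").generatePrivate(spec); }
        catch (InvalidKeySpecException notRsa) { return KeyFactory.getInstance("EC").generatePrivate(spec); }
    }

    /** Sign/verify round trip proving the private key belongs to the leaf certificate's public key. */
    private static void assertKeyMatches(PrivateKey key, Certificate leaf) throws GeneralSecurityException {
        String alg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
        byte[] msg = "rotation-check".getBytes(StandardCharsets.US_ASCII);
        Signature s = Signature.getInstance(alg); s.initSign(key); s.update(msg); byte[] sig = s.sign();
        Signature v = Signature.getInstance(alg); v.initVerify(leaf.getPublicKey()); v.update(msg);
        if (!v.verify(sig)) throw new GeneralSecurityException("private key does not match certificate");
    }

    /** Handed to SSLContext once; every call is routed to whatever reload() published last. */
    public X509ExtendedKeyManager keyManager() {
        return new X509ExtendedKeyManager() {
            public String chooseClientAlias(String[] k, Principal[] i, Socket s) { return km.get().chooseClientAlias(k, i, s); }
            public String chooseServerAlias(String k, Principal[] i, Socket s) { return km.get().chooseServerAlias(k, i, s); }
            public String chooseEngineClientAlias(String[] k, Principal[] i, SSLEngine e) { return km.get().chooseEngineClientAlias(k, i, e); }
            public String chooseEngineServerAlias(String k, Principal[] i, SSLEngine e) { return km.get().chooseEngineServerAlias(k, i, e); }
            public String[] getClientAliases(String k, Principal[] i) { return km.get().getClientAliases(k, i); }
            public String[] getServerAliases(String k, Principal[] i) { return km.get().getServerAliases(k, i); }
            public X509Certificate[] getCertificateChain(String a) { return km.get().getCertificateChain(a); }
            public PrivateKey getPrivateKey(String a) { return km.get().getPrivateKey(a); }
        };
    }

    public X509TrustManager trustManager() {
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { tm.get().checkClientTrusted(c, a); }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { tm.get().checkServerTrusted(c, a); }
            public X509Certificate[] getAcceptedIssuers() { return tm.get().getAcceptedIssuers(); }
        };
    }

    /** Watch the PEM directory: rotation tooling rewrites or renames the files in place. */
    public Thread watch() throws IOException {
        Path dir = certPem.toAbsolutePath().getParent();
        WatchService ws = dir.getFileSystem().newWatchService();
        dir.register(ws, StandardWatchEventKinds.ENTRY_CREATE, StandardWatchEventKinds.ENTRY_MODIFY);
        Thread t = new Thread(() -> {
            while (true) {
                try { WatchKey wk = ws.take(); wk.pollEvents(); wk.reset(); reload(); } // all three files are re-read
                catch (InterruptedException stop) { return; }
                catch (Exception partial) { /* e.g. cert rewritten before key: keep old material, retry on next event */ }
            }
        }, "pem-rotation-watcher");
        t.setDaemon(true); t.start(); return t;
    }
}
```

Build the SSLContext once, after calling `watch()`, with `ctx.init(new KeyManager[] { m.keyManager() }, new TrustManager[] { m.trustManager() }, null)`. Connections opened after a rotation use the new material; connections already established keep the session they negotiated, so rotating without disruption still depends on the servers trusting both the old and the new issuer during the overlap window. A handshake that straddles a reload could in principle see the old chain and the new key; with daily or hourly rotation that window is negligible, while the sign/verify check in `reload()` is what keeps a cert-before-key partial write from ever being published.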
