ignite-issues mailing list archives

From "Alexey Kuznetsov (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (IGNITE-9845) Web Console: Add support of two way ssl authentication in Web Console agent
Date Thu, 22 Nov 2018 11:47:00 GMT

     [ https://issues.apache.org/jira/browse/IGNITE-9845?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexey Kuznetsov updated IGNITE-9845:
-------------------------------------
    Description: 
RestExecutor should not be shared between different users' requests in case of two-way SSL
authentication:
 * For each token with SSL we need to create a separate RestExecutor and set up socketFactory
and trustManager.
 * RestExecutor should be removed if the token has expired.

Add program arguments for passing client certificate, client password, trust store, trust
store password for ignite node connection and web console backend. 

Example on okhttp: [https://github.com/square/okhttp/blob/cd872fd83824512c128dcd80c04d445c8a2fc8eb/okhttp-tests/src/test/java/okhttp3/internal/tls/ClientAuthTest.java]

We can also upgrade socket-io from 1.x to 2.x.

---------------------------

*How to do local testing:*

On Windows
 # Download OpenSSL for Windows from [https://wiki.openssl.org/index.php/Binaries]
 # Unpack it.

On Linux - it is usually built-in.

Generate keys with the provided script (see the attached generate.bat; it can easily be adapted
for Linux).

 

Add to etc/hosts: 

    127.0.0.1 localhost console.test.local

 ----------------------------

After that configure SSL for:
 # Web Console back-end.
 # Web Agent.
 # Cluster.

*Configure Web Console back-end settings:*

  "ssl": true,
  "key": "some_path/server.key",
  "cert": "some_path/server.crt",
  "ca": "some_path/ca.crt",
  "keyPassphrase": "p123456",

*Configure Web Agent parameters (see parameters descriptions):*

 -t your_token
 -s https://console.test.local:3000 -n https://console.test.local:11443
 -nks client.jks -nkp p123456
 -nts ca.jks -ntp p123456
 -sks client.jks -skp p123456
 -sts ca.jks -stp p123456

*Configure cluster JETTY config:*

<New id="httpsCfg" class="org.eclipse.jetty.server.HttpConfiguration">
  <Set name="secureScheme">https</Set>
  <Set name="securePort"><SystemProperty name="IGNITE_JETTY_PORT" default="11443"/></Set>
  <Set name="sendServerVersion">true</Set>
  <Set name="sendDateHeader">true</Set>
  <Call name="addCustomizer"><Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg></Call>
</New>

<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="keyStorePath">some_path/server.jks</Set>
  <Set name="keyStorePassword">p123456</Set>
  <Set name="trustStorePath">some_path/ca.jks</Set>
  <Set name="trustStorePassword">p123456</Set>
  <Set name="needClientAuth">true</Set>
</New>

  

  was:
RestExecutor should not be shared between different users requests in case of two way ssl
authentication:
 * For each token with ssl we need create separated RestExecutor and set up socketFactory
and trustManager.
 * RestExecutor should be removed if token expired.

Add program arguments for passing client certificate, client password, trust store, trust
store password for ignite node connection and web console backend. 

Example on okhttp: [https://github.com/square/okhttp/blob/cd872fd83824512c128dcd80c04d445c8a2fc8eb/okhttp-tests/src/test/java/okhttp3/internal/tls/ClientAuthTest.java]

We can also upgrade socket-io from 1.x to 2.x.

---------------------------

*How to do local testing:*

On Windows
 # Download Open SSL:  Download Open SSL for Windows from [https://wiki.openssl.org/index.php/Binaries]
 # Unpack it.

On Linux - it is usually built-in.

Generate keys with provided script (see attached generate.bat, it could be easily adapted
for Linux).

 

Add to etc/hosts: 

    127.0.0.1 localhost console.test.local

 ----------------------------

After that configure SSL for:
 # Web Console back-end.
 # Web Agent.
 # Cluster.

*Configure Web Console back-end settings:*

  "ssl": true,
  "key": "some_path/server.key",
  "cert": "some_path/server.crt",
  "ca": "some_path/ca.crt",
  "keyPassphrase": "p123456",

*Configure Web Agent parameters (see parameters descriptions):*

-t your_token

-s [https://console.test.local:3000|https://console.test.local:3000/] -n [https://console.test.local:11443|https://console.test.local:11443/]
 -nks client.jks -nkp p123456
 -nts ca.jks -ntp p123456
 -sks client.jks -skp p123456
 -sts ca.jks -stp p123456

 *Configure cluster JETTY config:*

<New id="httpsCfg" class="org.eclipse.jetty.server.HttpConfiguration">
  <Set name="secureScheme">https</Set>
  <Set name="securePort"><SystemProperty name="IGNITE_JETTY_PORT" default="11443"/></Set>
  <Set name="sendServerVersion">true</Set>
  <Set name="sendDateHeader">true</Set>
  <Call name="addCustomizer">  <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg></Call>
</New>

<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="keyStorePath">modules/visor-tester/keystore/mutual/server.jks</Set>
  <Set name="keyStorePassword">p123456</Set>
  <Set name="trustStorePath">modules/visor-tester/keystore/mutual/ca.jks</Set>
  <Set name="trustStorePassword">p123456</Set>
  <Set name="needClientAuth">true</Set>
</New>

  


> Web Console: Add support of two way ssl authentication in Web Console agent
> ---------------------------------------------------------------------------
>
>                 Key: IGNITE-9845
>                 URL: https://issues.apache.org/jira/browse/IGNITE-9845
>             Project: Ignite
>          Issue Type: Improvement
>          Components: wizards
>    Affects Versions: 2.6
>            Reporter: Andrey Novikov
>            Assignee: Alexey Kuznetsov
>            Priority: Major
>             Fix For: 2.8
>
>         Attachments: generate.bat
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
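
An added sketch, not Ignite's own code, of the per-token isolation the description asks for: each token gets its own socket factory and trust manager built from a key store and a trust store, and the entry is dropped when the token expires. `PerTokenTls`, `TlsMaterial`, `forToken` and `onTokenExpired` are hypothetical names, and the stores are assumed to be JKS files such as the client.jks and ca.jks named above.

```java
import javax.net.ssl.*;
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical sketch: one TLS client identity per agent token, never shared between users. */
public class PerTokenTls {
    /** Socket factory plus the trust manager it was built from (the pair an HTTP client needs). */
    public static final class TlsMaterial {
        public final SSLSocketFactory socketFactory;
        public final X509TrustManager trustManager;
        TlsMaterial(SSLSocketFactory f, X509TrustManager t) { socketFactory = f; trustManager = t; }
    }

    private final Map<String, TlsMaterial> byToken = new ConcurrentHashMap<>();

    private static KeyStore load(String path, char[] pwd) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) { ks.load(in, pwd); }
        return ks;
    }

    /** Builds material from a client key store (e.g. client.jks) and a trust store (e.g. ca.jks). */
    static TlsMaterial build(String keyStore, char[] keyPwd, String trustStore, char[] trustPwd) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStore, keyPwd), keyPwd);   // client certificate + private key
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStore, trustPwd));       // trust only the CA(s) in this store
        X509TrustManager tm = null;
        for (TrustManager m : tmf.getTrustManagers())
            if (m instanceof X509TrustManager) { tm = (X509TrustManager) m; break; }
        if (tm == null) throw new IllegalStateException("No X509TrustManager in " + trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] {tm}, null);
        return new TlsMaterial(ctx.getSocketFactory(), tm);
    }

    /** Returns the material for this token, creating it on first use. */
    public TlsMaterial forToken(String token, String ks, char[] ksPwd, String ts, char[] tsPwd) {
        return byToken.computeIfAbsent(token, t -> {
            try { return build(ks, ksPwd, ts, tsPwd); }
            catch (Exception e) { throw new IllegalStateException("TLS setup failed for token", e); }
        });
    }

    /** Call when the token expires so its client identity cannot be reused. */
    public void onTokenExpired(String token) { byToken.remove(token); }
}
```

The `socketFactory` and `trustManager` pair is what OkHttp's `OkHttpClient.Builder.sslSocketFactory(SSLSocketFactory, X509TrustManager)` accepts, so each token's HTTP client can be built from its own `TlsMaterial`.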
