[ https://issues.apache.org/jira/browse/IGNITE-9845?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alexey Kuznetsov reassigned IGNITE-9845:
----------------------------------------
Assignee: Andrey Novikov (was: Alexey Kuznetsov)
> Web Console: Add support of two way ssl authentication in Web Console agent
> ---------------------------------------------------------------------------
>
> Key: IGNITE-9845
> URL: https://issues.apache.org/jira/browse/IGNITE-9845
> Project: Ignite
> Issue Type: Improvement
> Components: wizards
> Affects Versions: 2.6
> Reporter: Andrey Novikov
> Assignee: Andrey Novikov
> Priority: Major
> Fix For: 2.8
>
> Attachments: generate.bat
>
>
> RestExecutor should not be shared between different users' requests in case of two-way SSL authentication:
> * For each token with SSL we need to create a separate RestExecutor and set up socketFactory and trustManager.
> * RestExecutor should be removed if the token expired.
> Add program arguments for passing client certificate, client password, trust store, trust store password for Ignite node connection and Web Console backend.
> Example on okhttp: [https://github.com/square/okhttp/blob/cd872fd83824512c128dcd80c04d445c8a2fc8eb/okhttp-tests/src/test/java/okhttp3/internal/tls/ClientAuthTest.java]
> Upgrade socket-io from 1.x to 2.x.
> Add support for SSL cipher suites
> Add tests.
> ---------------------------
> *How to do local testing:*
> On Windows
> # Download Open SSL: Download Open SSL for Windows from [https://wiki.openssl.org/index.php/Binaries]
> # Unpack it.
> On Linux - it is usually built-in.
> Generate keys with provided script (see attached generate.bat, it could be easily adapted for Linux).
>
> Add to etc/hosts:
> 127.0.0.1 localhost console.test.local
> ----------------------------
> After that configure SSL for:
> # Web Console back-end.
> # Web Agent.
> # Cluster.
> *Configure Web Console back-end settings:*
> "ssl": true,
> "key": "some_path/server.key",
> "cert": "some_path/server.crt",
> "ca": "some_path/ca.crt",
> "keyPassphrase": "p123456",
> *Configure Web Agent parameters (see parameters descriptions):*
> -t your_token
> -s https://console.test.local:3000 -n https://console.test.local:11443
> -nks client.jks -nkp p123456
> -nts ca.jks -ntp p123456
> -sks client.jks -skp p123456
> -sts ca.jks -stp p123456
> *Configure cluster JETTY config:*
> <New id="httpsCfg" class="org.eclipse.jetty.server.HttpConfiguration">
>     <Set name="secureScheme">https</Set>
>     <Set name="securePort"><SystemProperty name="IGNITE_JETTY_PORT" default="11443"/></Set>
>     <Set name="sendServerVersion">true</Set>
>     <Set name="sendDateHeader">true</Set>
>     <Call name="addCustomizer"><Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg></Call>
> </New>
> <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
>     <Set name="keyStorePath">some_path/server.jks</Set>
>     <Set name="keyStorePassword">p123456</Set>
>     <Set name="trustStorePath">some_path/ca.jks</Set>
>     <Set name="trustStorePassword">p123456</Set>
>     <Set name="needClientAuth">true</Set>
> </New>
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
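
An added example, not part of the original message and not Ignite's code, of the per-token isolation the issue asks for: each token gets its own socket factory and trust manager built from a client key store and a trust store, and the entry is dropped when the token expires. The class and method names are hypothetical, and the key password is assumed to equal the key store password.

```java
import javax.net.ssl.*;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical per-token holder of mutual-TLS material (not the Web Agent's RestExecutor). */
public class PerTokenTls {
    /** The pair an HTTP client such as OkHttp needs to configure client-certificate TLS. */
    public static final class TlsMaterial {
        public final SSLSocketFactory socketFactory;
        public final X509TrustManager trustManager;
        TlsMaterial(SSLSocketFactory f, X509TrustManager tm) { socketFactory = f; trustManager = tm; }
    }

    private final ConcurrentHashMap<String, TlsMaterial> byToken = new ConcurrentHashMap<>();

    private static KeyStore load(String path, char[] pwd) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) { ks.load(in, pwd); }
        return ks;
    }

    /** Builds TLS material; assumes the key password equals the key store password. */
    static TlsMaterial build(String ksPath, char[] ksPwd, String tsPath, char[] tsPwd) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(ksPath, ksPwd), ksPwd);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(tsPath, tsPwd));
        X509TrustManager tm = null;
        for (TrustManager m : tmf.getTrustManagers())
            if (m instanceof X509TrustManager) { tm = (X509TrustManager) m; break; }
        if (tm == null) throw new IllegalStateException("No X509TrustManager in " + tsPath);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Trust only the configured store; never fall back to a trust-all manager.
        ctx.init(kmf.getKeyManagers(), new TrustManager[] {tm}, null);
        return new TlsMaterial(ctx.getSocketFactory(), tm);
    }

    /** Returns the material bound to this token, creating it once; never shared across tokens. */
    public TlsMaterial forToken(String token, String ks, char[] ksPwd, String ts, char[] tsPwd) throws Exception {
        TlsMaterial m = byToken.get(token);
        if (m != null) return m;
        TlsMaterial created = build(ks, ksPwd, ts, tsPwd);
        TlsMaterial raced = byToken.putIfAbsent(token, created);
        return raced != null ? raced : created;
    }

    /** Call when a token expires so its client key material is no longer reachable. */
    public void onTokenExpired(String token) { byToken.remove(token); }
}
```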