From issues-return-82937-archive-asf-public=cust-asf.ponee.io@ignite.apache.org Thu Nov 22 12:47:04 2018
Mailing-List: contact issues-help@ignite.apache.org; run by ezmlm
Reply-To: dev@ignite.apache.org
Date: Thu, 22 Nov 2018 11:47:00 +0000 (UTC)
From: "Alexey Kuznetsov (JIRA)"
To: issues@ignite.apache.org
Subject: [jira] [Updated] (IGNITE-9845) Web Console: Add support of two way ssl authentication in Web Console agent

[ https://issues.apache.org/jira/browse/IGNITE-9845?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexey Kuznetsov updated IGNITE-9845:
-------------------------------------

Description:

RestExecutor should not be shared between different users' requests in the case of two-way SSL authentication:
* For each token with SSL we need to create a separate RestExecutor and set up its own socketFactory and trustManager.
* The RestExecutor should be removed when its token expires.

Add program arguments for passing the client certificate, client password, trust store and trust store password, both for the Ignite node connection and for the Web Console back-end.

Example on okhttp: https://github.com/square/okhttp/blob/cd872fd83824512c128dcd80c04d445c8a2fc8eb/okhttp-tests/src/test/java/okhttp3/internal/tls/ClientAuthTest.java

We can also upgrade socket-io from 1.x to 2.x.

---------------------------

*How to do local testing:*

On Windows:
# Download OpenSSL for Windows from https://wiki.openssl.org/index.php/Binaries
# Unpack it.
On Linux OpenSSL is usually already installed.

Generate the keys with the provided script (see the attached generate.bat; it can easily be adapted for Linux).

Add to etc/hosts:
    127.0.0.1 localhost console.test.local

----------------------------

After that configure SSL for:
# Web Console back-end.
# Web Agent.
# Cluster.

*Configure Web Console back-end settings:*

  "ssl": true,
  "key": "some_path/server.key",
  "cert": "some_path/server.crt",
  "ca": "some_path/ca.crt",
  "keyPassphrase": "p123456",

*Configure Web Agent parameters (see parameters descriptions):*

-t your_token
-s https://console.test.local:3000 -n https://console.test.local:11443
-nks client.jks -nkp p123456
-nts ca.jks -ntp p123456
-sks client.jks -skp p123456
-sts ca.jks -stp p123456

(Following the description above: the -n* arguments are the key store / trust store pair used for the node connection and the -s* arguments the pair used for the Web Console back-end connection, each store followed by its password. Reusing one client.jks and the password p123456 for every store is acceptable for this local test only.)

*Configure cluster JETTY config:*

(The XML element names of this fragment did not survive extraction; only the values remain, in their original order.)
  https
  true
  true
  some_path/server.jks
  p123456
  some_path/ca.jks
  p123456
  true

was:
(identical to the description above, except that the cluster JETTY config pointed at
  modules/visor-tester/keystore/mutual/server.jks
  p123456
  modules/visor-tester/keystore/mutual/ca.jks
  p123456
instead of some_path/server.jks and some_path/ca.jks)

> Web Console: Add support of two way ssl authentication in Web Console agent
> ---------------------------------------------------------------------------
>
>                 Key: IGNITE-9845
>                 URL: https://issues.apache.org/jira/browse/IGNITE-9845
>             Project: Ignite
>          Issue Type: Improvement
>          Components: wizards
>    Affects Versions: 2.6
>            Reporter: Andrey Novikov
>            Assignee: Alexey Kuznetsov
>            Priority: Major
>             Fix For: 2.8
>         Attachments: generate.bat
>
> (the issue description quoted here repeats the Description above)

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
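The per-token RestExecutor the description asks for, as an added example that is not Ignite Web Agent code and not the okhttp test it links: each token gets its own OkHttpClient whose SSLSocketFactory presents the client certificate from the -nks/-nkp key store and whose X509TrustManager trusts only the CA in the -nts/-ntp trust store, and the executor is dropped (connection pool included) once the token expires. The class names TokenRestExecutors and SslSettings, the 60-second TTL and the REST URL used in main() are assumptions made for the example; it expects okhttp3 on the classpath and the client.jks / ca.jks files from the local-testing section above.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

/** Added example, not Ignite Web Agent code: one mutual-TLS RestExecutor per token. */
public final class TokenRestExecutors {

    /** Hypothetical holder for the -nks/-nkp/-nts/-ntp values belonging to one token. */
    public static final class SslSettings {
        final String keyStore, keyStorePassword, trustStore, trustStorePassword;

        public SslSettings(String ks, String ksPwd, String ts, String tsPwd) {
            keyStore = ks; keyStorePassword = ksPwd; trustStore = ts; trustStorePassword = tsPwd;
        }
    }

    /** Per-token executor: owns its own OkHttpClient, socket factory and trust manager. */
    public static final class RestExecutor {
        private final OkHttpClient client;
        private final long expiresAtMillis;

        RestExecutor(OkHttpClient client, long expiresAtMillis) {
            this.client = client;
            this.expiresAtMillis = expiresAtMillis;
        }

        boolean isExpired(long now) { return now >= expiresAtMillis; }

        /** GET with this token's client certificate; throws on any non-2xx answer. */
        public String get(String url) throws IOException {
            Request req = new Request.Builder().url(url).build();
            try (Response res = client.newCall(req).execute()) {
                if (!res.isSuccessful()) throw new IOException("HTTP " + res.code() + " from " + url);
                return res.body().string();
            }
        }

        /** Drop pooled TLS connections so an evicted token's client identity is never reused. */
        void close() { client.connectionPool().evictAll(); }
    }

    private final Map<String, RestExecutor> byToken = new ConcurrentHashMap<>();

    /** Executor for this token; a fresh one is built if none exists or the cached one expired. */
    public RestExecutor forToken(String token, SslSettings ssl, long ttlMillis)
        throws GeneralSecurityException, IOException {
        long now = System.currentTimeMillis();
        RestExecutor cur = byToken.get(token);
        if (cur != null && !cur.isExpired(now)) return cur;
        if (cur != null) cur.close();
        RestExecutor fresh = new RestExecutor(buildClient(ssl), now + ttlMillis);
        byToken.put(token, fresh);
        return fresh;
    }

    /** Remove executors whose tokens have expired; meant to run periodically. Returns the count removed. */
    public int evictExpired() {
        long now = System.currentTimeMillis();
        int removed = 0;
        for (Map.Entry<String, RestExecutor> e : byToken.entrySet()) {
            if (e.getValue().isExpired(now) && byToken.remove(e.getKey(), e.getValue())) {
                e.getValue().close();
                removed++;
            }
        }
        return removed;
    }

    /** Client that presents the key-store certificate and trusts only the CA(s) in the trust store. */
    static OkHttpClient buildClient(SslSettings s) throws GeneralSecurityException, IOException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(s.keyStore, s.keyStorePassword), s.keyStorePassword.toCharArray());

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(s.trustStore, s.trustStorePassword));
        TrustManager[] tms = tmf.getTrustManagers();
        if (tms.length != 1 || !(tms[0] instanceof X509TrustManager))
            throw new GeneralSecurityException("Unexpected trust managers: " + Arrays.toString(tms));
        X509TrustManager tm = (X509TrustManager) tms[0];

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { tm }, null);

        // Hostname verification stays at OkHttp's default: the node certificate must match console.test.local.
        return new OkHttpClient.Builder().sslSocketFactory(ctx.getSocketFactory(), tm).build();
    }

    private static KeyStore loadJks(String path, String password) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password.toCharArray()); }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Values from the local-testing section: -nks client.jks -nkp p123456 -nts ca.jks -ntp p123456.
        SslSettings ssl = new SslSettings("client.jks", "p123456", "ca.jks", "p123456");
        TokenRestExecutors registry = new TokenRestExecutors();
        RestExecutor ex = registry.forToken("your_token", ssl, 60_000L);
        System.out.println(ex.get("https://console.test.local:11443/ignite?cmd=version")); // assumed REST URL
    }
}
```

Two points in the design matter for the security property the issue is after. Every token gets its own SSLContext, so a request carrying token A can never ride on a pooled connection that was authenticated with token B's client certificate; that is why close() evicts the connection pool rather than just dropping the map entry. And the trust manager is the one built from the -nts trust store, not a permissive one: with only ca.jks trusted and hostname verification left on, a node presenting a certificate from any other issuer, or one whose name does not match console.test.local, is rejected even though the agent itself authenticates with a client certificate.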