knox-dev mailing list archives

From "Larry McCay (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KNOX-733) Add support for custom truststore to Knox shell client
Date Wed, 07 Sep 2016 20:58:20 GMT

[ https://issues.apache.org/jira/browse/KNOX-733?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15471780#comment-15471780 ]

Larry McCay commented on KNOX-733:
----------------------------------

The following can be used to export the public cert for the gateway to a JKS in the GATEWAY_HOME/data/security/keystores directory with a file name of gateway-client-trust.jks. The default password is "changeit" to align with the JVM default.

{code}
bin/knoxcli.sh export-cert --type JKS
Certificate gateway-identity has been successfully exported to: /Users/larry/Projects/incubator-knox/install/knox-0.10.0-SNAPSHOT/bin/../data/security/keystores/gateway-client-trust.jks
{code}

The admin may then distribute the truststore out of band to clients that need it.

Clients have a couple of options to use with the truststore:

1. put it in their home directory and it will be automatically found
2. put it somewhere else and set the KNOX_CLIENT_TRUSTSTORE_DIR environment variable and it will be found
3. you may also rename the keystore if that makes sense for multiple gateway instances or something. You just need to set the KNOX_CLIENT_TRUSTSTORE_FILENAME environment variable. If you change the password then you can set the KNOX_CLIENT_TRUSTSTORE_PASS to provide the new one to use.
4. you can also set the JSSE system properties for the truststore (javax.net.ssl.trustStore) and password (javax.net.ssl.trustStorePassword)

The following can be used to export the cert in PEM format:

{code}
bin/knoxcli.sh export-cert --type PEM
Certificate gateway-identity has been successfully exported to: /Users/larry/Projects/incubator-knox/install/knox-0.10.0-SNAPSHOT/bin/../data/security/keystores/gateway-identity.pem
{code}

The admin can then distribute the PEM formatted export to clients out of band.

The clients may then import the PEM encoded cert into cacerts or another truststore. When
using cacerts, it will be automatically found as long as it is in JAVA_HOME/lib/security/cacerts.
Otherwise, use the previously described environment variables or system properties to point
to the proper truststore.

[~snowch] - can you verify whether this set of enhancements will meet your requirements? I don't have the "find the truststore in the jar" requirement covered here, but we can follow up with another JIRA if that is really necessary.


> Add support for custom truststore to Knox shell client
> ------------------------------------------------------
>
>                 Key: KNOX-733
>                 URL: https://issues.apache.org/jira/browse/KNOX-733
>             Project: Apache Knox
>          Issue Type: Bug
>            Reporter: chris snow
>            Assignee: Larry McCay
>             Fix For: 0.10.0
>
>         Attachments: KNOX-733-001.patch
>
>
> The Knox shell client does not verify the certificate of the server.  
> One option would be to provide another method where developers can provide their own client, e.g.
> public static Hadoop login( String url, String username, String password, HttpClient client ) throws URISyntaxException { }
> https://github.com/apache/knox/blob/master/gateway-shell/src/main/java/org/apache/hadoop/gateway/shell/Hadoop.java#L60
> I can provide a patch if you are happy with this approach.



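The client-side half of the procedure described in the comment above (locate gateway-client-trust.jks via the home directory or the KNOX_CLIENT_TRUSTSTORE_* environment variables, fall back to the JSSE defaults, and load it into an SSLContext that actually verifies the gateway's certificate) written out as an added example. This is not the Knox shell client's own code and not the KNOX-733 patch; the precedence it applies (JSSE system properties win, then the KNOX_CLIENT_TRUSTSTORE_* variables, then cacerts) is an assumption, since the comment lists the options without stating an order. The class name, method names and the placeholder gateway URL are made up for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not Knox project code): resolve the client truststore the way
 * the JIRA comment describes and build an SSLContext from it.
 *
 * Assumed lookup order (the comment lists the options, not their precedence):
 *   1. javax.net.ssl.trustStore system property set -> use the JSSE defaults
 *   2. KNOX_CLIENT_TRUSTSTORE_DIR (default: user home) +
 *      KNOX_CLIENT_TRUSTSTORE_FILENAME (default: gateway-client-trust.jks),
 *      password from KNOX_CLIENT_TRUSTSTORE_PASS (default: "changeit")
 *   3. file not present -> fall back to JAVA_HOME/lib/security/cacerts via JSSE
 */
public final class KnoxClientTruststore {
    static final String DEFAULT_FILENAME = "gateway-client-trust.jks";
    static final String DEFAULT_PASSWORD = "changeit";

    private final Path path;        // null means "use the JSSE default truststore"
    private final char[] password;

    private KnoxClientTruststore(Path path, char[] password) {
        this.path = path;
        this.password = password;
    }

    private static String envOr(String name, String fallback) {
        String v = System.getenv(name);
        return (v == null || v.isEmpty()) ? fallback : v;
    }

    /** Apply the lookup order documented in the class comment. */
    static KnoxClientTruststore resolve() {
        String jsse = System.getProperty("javax.net.ssl.trustStore");
        if (jsse != null && !jsse.isEmpty()) {
            return new KnoxClientTruststore(null, null);   // operator chose JSSE properties
        }
        String dir = envOr("KNOX_CLIENT_TRUSTSTORE_DIR", System.getProperty("user.home"));
        String name = envOr("KNOX_CLIENT_TRUSTSTORE_FILENAME", DEFAULT_FILENAME);
        String pass = envOr("KNOX_CLIENT_TRUSTSTORE_PASS", DEFAULT_PASSWORD);
        Path candidate = Paths.get(dir, name);
        if (!Files.isRegularFile(candidate)) {
            return new KnoxClientTruststore(null, null);   // nothing distributed: rely on cacerts
        }
        return new KnoxClientTruststore(candidate, pass.toCharArray());
    }

    /** Load the resolved truststore (or the JSSE default) into a verifying SSLContext. */
    SSLContext sslContext() throws IOException, GeneralSecurityException {
        if (path == null) {
            return SSLContext.getDefault();
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);      // wrong password fails here, not at connect time
        }
        // Only the trust side is configured: the client presents no certificate.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** List the trusted certificates so an operator can confirm the gateway cert was imported. */
    static void printTrustedCerts(Path truststore, char[] pass) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(truststore)) {
            ks.load(in, pass);
        }
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                System.out.println(alias + " -> " + cert.getSubjectX500Principal() + " (expires " + cert.getNotAfter() + ")");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        KnoxClientTruststore ts = resolve();
        if (ts.path == null) {
            System.out.println("using the JSSE default truststore");
        } else {
            System.out.println("using " + ts.path);
            printTrustedCerts(ts.path, ts.password);
        }
        SSLContext ctx = ts.sslContext();
        // ctx can now back the HTTP client used for https://<gateway-host>:8443/gateway/...
        // (placeholder URL) so that the gateway's certificate chain is checked against
        // the distributed truststore instead of being accepted blindly.
        System.out.println("SSLContext protocol: " + ctx.getProtocol());
    }
}
```

Two points worth keeping in mind when wiring this into an HTTP client: the trust managers built here verify the certificate chain only, and hostname verification remains the job of the HTTPS layer (HttpsURLConnection or the HttpClient socket factory), so do not pair this context with a permissive hostname verifier; and because the JKS is loaded eagerly, a bad KNOX_CLIENT_TRUSTSTORE_PASS surfaces as a clear load error rather than as a confusing handshake failure later.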
