Apache Ozone
Parent issue: HDDS-7332 Automatic certificate rotation before certificate expiration

HDDS-7486: Support KeyStoreFactory which supports keyManager and trustManager reload


Details

    Description

      To enable private key and certificate hot swap in OM and DN without a service restart, we need to replace the private key and certificates used in running gRPC servers/clients.

       

      To build a secure Netty or gRPC server/client, SslContextBuilder is used to hold the SSL context. SslContextBuilder currently supports several ways to configure the key and cert of the service itself, and the trust certs used to verify the remote peer.

      For trust certs, the user can configure one of the following:

      a. a trustManager

      b. a trustManagerFactory

      c. a list of trust certificate objects

       

      For the key and cert of the service itself, the user can provide:

      a. a private key file and a cert chain file

      b. a private key file input stream and a cert chain file input stream

      c. a PrivateKey object and a list of cert objects

      d. a keyManager

      e. a keyManagerFactory

       

      Of all the ways that SslContextBuilder accepts, only keyManager and keyManagerFactory leave room for a dynamic key and cert refresh at runtime. keyManager makes that easier than keyManagerFactory.

      So this task is to implement an Ozone-customized KeyStoreFactory which provides a customized KeyManager and TrustManager capable of reloading and refreshing the key and certs in use at runtime.

       

      For an established TLS/SSL connection, usually it will not be impacted when the certificate expires after the connection is established. But a new client will fail, because the connection from client to server will fail due to the expired server certificate.
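The KeyManager/TrustManager side of the design sketched above, as an added example in Java against the JDK javax.net.ssl API. This is not Ozone's code and not the implementation this ticket produced; the class name ReloadableManagers, the nested class names, and the assumption that the caller already holds the rotated key and certificates in a java.security.KeyStore are assumptions of this example. Both managers forward every call to a delegate held in an AtomicReference, and reload() swaps the delegate, so a handshake started after reload() sees the new material while established sessions are untouched.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;

/**
 * Hypothetical example (not Ozone's code): a KeyManager and a TrustManager whose
 * backing material can be replaced at runtime. Every call is forwarded to the
 * current delegate; reload() swaps that delegate atomically.
 */
public final class ReloadableManagers {

  /** KeyManager that forwards to a replaceable JDK key manager. */
  public static final class ReloadableKeyManager extends X509ExtendedKeyManager {
    private final AtomicReference<X509ExtendedKeyManager> delegate = new AtomicReference<>();

    public ReloadableKeyManager(KeyStore keyStore, char[] keyPassword) throws Exception {
      reload(keyStore, keyPassword);
    }

    /** Replace the private key and certificate chain in use (assumed: caller built the KeyStore). */
    public void reload(KeyStore keyStore, char[] keyPassword) throws Exception {
      KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
      kmf.init(keyStore, keyPassword);
      for (KeyManager km : kmf.getKeyManagers()) {
        if (km instanceof X509ExtendedKeyManager) {
          delegate.set((X509ExtendedKeyManager) km);
          return;
        }
      }
      throw new IllegalStateException("no X509ExtendedKeyManager produced by " + kmf.getAlgorithm());
    }

    @Override public String[] getClientAliases(String k, Principal[] i) { return delegate.get().getClientAliases(k, i); }
    @Override public String chooseClientAlias(String[] k, Principal[] i, Socket s) { return delegate.get().chooseClientAlias(k, i, s); }
    @Override public String[] getServerAliases(String k, Principal[] i) { return delegate.get().getServerAliases(k, i); }
    @Override public String chooseServerAlias(String k, Principal[] i, Socket s) { return delegate.get().chooseServerAlias(k, i, s); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.get().getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.get().getPrivateKey(alias); }
    // Netty and gRPC drive TLS through SSLEngine, so the engine variants must be forwarded too:
    // X509ExtendedKeyManager's default implementations return null, which would fail every handshake.
    @Override public String chooseEngineClientAlias(String[] k, Principal[] i, SSLEngine e) { return delegate.get().chooseEngineClientAlias(k, i, e); }
    @Override public String chooseEngineServerAlias(String k, Principal[] i, SSLEngine e) { return delegate.get().chooseEngineServerAlias(k, i, e); }
  }

  /** TrustManager that forwards to a replaceable JDK trust manager. */
  public static final class ReloadableTrustManager extends X509ExtendedTrustManager {
    private final AtomicReference<X509ExtendedTrustManager> delegate = new AtomicReference<>();

    public ReloadableTrustManager(KeyStore trustStore) throws Exception { reload(trustStore); }

    /** Replace the set of trusted CA certificates (assumed: caller built the trust KeyStore). */
    public void reload(KeyStore trustStore) throws Exception {
      TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
      tmf.init(trustStore);
      for (TrustManager tm : tmf.getTrustManagers()) {
        if (tm instanceof X509ExtendedTrustManager) {
          delegate.set((X509ExtendedTrustManager) tm);
          return;
        }
      }
      throw new IllegalStateException("no X509ExtendedTrustManager produced by " + tmf.getAlgorithm());
    }

    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.get().checkClientTrusted(c, a); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.get().checkServerTrusted(c, a); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { delegate.get().checkClientTrusted(c, a, s); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { delegate.get().checkServerTrusted(c, a, s); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { delegate.get().checkClientTrusted(c, a, e); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { delegate.get().checkServerTrusted(c, a, e); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.get().getAcceptedIssuers(); }
  }
}
```

Wiring follows options d and a from the description: `SslContextBuilder.forServer(keyManager).trustManager(trustManager)`, and the same two objects can be handed to the client-side builder. Because the SSLEngine asks the key manager for an alias, chain and key during each handshake, a connection opened after reload() is authenticated with the new certificate, which is the failing case in the last paragraph of the description, while sessions already established keep running. Two caveats: the engine-specific overrides above are not optional, and anything that caches key material on top of the manager (Netty's OpenSslCachingX509KeyManagerFactory, for example) would keep serving the old key and should not be layered on it.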

       

              People: Sammi Chen