Apache Knox / KNOX-1812

The Knox Gateway truststore should be configurable


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.3.0
    • Component/s: Server

      Description


      Knox relies on a truststore for several purposes:

      1. The KnoxCLI (via a KnoxSession) uses a truststore to trust the connection to the Knox Gateway server.
        • The truststore is determined by the Java system properties (javax.net.ssl.trustStore, javax.net.ssl.trustStorePassword) or the JVM's cacerts file.
      2. The Knox Gateway server uses a truststore to trust the connections going out to the backend services (when connecting via TLS/SSL).
        • The truststore is set to be the same keystore as the Gateway's identity keystore.
        • See org.apache.knox.gateway.dispatch.DefaultHttpClientFactory#createHttpClient.
      3. The Knox Gateway server uses a truststore to trust the user/client connecting to it when clientauth is enabled.
        • The truststore is set to be the same keystore as the Gateway's identity keystore unless one is explicitly specified in the gateway-site.xml file (gateway.truststore.path, gateway.truststore.type). If a truststore is explicitly set, its password is looked up from the alias service using the alias name "gateway-truststore-password".
        • See org.apache.knox.gateway.services.security.impl.JettySSLService#buildSslContextFactory.

      By making the outgoing-connection truststore (item 2 above) configurable, it becomes possible to use the same truststore for both incoming and outgoing connections, which is convenient when services communicate with each other via the Knox Gateway.

      To keep the truststore configuration flexible and backwards compatible with older versions of Knox, new properties should be introduced in the gateway-site.xml file:

      • gateway.httpclient.truststore.path
      • gateway.httpclient.truststore.type
      • gateway.httpclient.truststore.password.alias

      Note: This naming convention matches the existing properties used to configure the Gateway's HttpClient instance:

      • gateway.httpclient.maxConnections
      • gateway.httpclient.connectionTimeout
      • gateway.httpclient.socketTimeout

      If gateway.httpclient.truststore.path is not set in the configuration, the Gateway's identity keystore is used (the current behaviour); otherwise, the configured truststore details are used.

      Also, to keep things consistent, the password alias name for the clientauth truststore should be configurable using the property name:

      • gateway.truststore.password.alias (default: "gateway-truststore-password")


              People

              • Assignee: Robert Levas (rlevas)
              • Reporter: Robert Levas (rlevas)


              Time Tracking

              • Estimated: Not Specified
              • Remaining: 0h
              • Logged: 2.5h