[ZOOKEEPER-4259] Allow AdminServer to force https - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.7.0, 3.6.2
Fix Version/s: 3.6.3, 3.8.0, 3.7.1
Component/s: security
Labels:
- pull-request-available

Description

Since portunification (~~ZOOKEEPER-3371~~), AdminServer supports https. But there is no way to disable http and allow https only. It is my understanding, that to be FIPS compliant, only https is allowed. This is one reason it is good to have such a feature.

To enable https currently, we need to set these parameters in zoo.cfg:

ssl.quorum.keyStore.location=/tmp/zookeeper/keystore.jks
ssl.quorum.keyStore.password=password
ssl.quorum.trustStore.location=/tmp/zookeeper/truststore.jks
ssl.quorum.trustStore.password=password

admin.portUnification=true

I generated keystore and truststore with the following commands:

#create test/dev keystore/truststore (ZK runs only on localhost)
keytool -genkeypair -alias zk.dev -keyalg RSA -keysize 2048 -dname "cn=zk.dev" -keypass password -keystore /tmp/zookeeper/keystore.jks -ext san=dns:localhost -storepass password

keytool -exportcert -alias zk.dev -keystore /tmp/zookeeper/keystore.jks -file /tmp/zookeeper/zk.dev.cer -rfc

keytool -keystore /tmp/zookeeper/truststore.jks -storepass password -importcert -alias zk.dev -file /tmp/zookeeper/zk.dev.cer

#check
keytool -list -v -keystore /tmp/zookeeper/truststore.jks

Attachments

Issue Links

is caused by

ZOOKEEPER-3371 Port unification for admin server

Resolved

links to

GitHub Pull Request #1652

Activity

People

Assignee:: Norbert Kalmár

Reporter:: Norbert Kalmár

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 24/Mar/21 16:02

Updated:: 21/Apr/21 22:24

Resolved:: 25/Mar/21 09:54

Time Tracking

Estimated:

Not Specified

Remaining:

Logged: