
TLS docs - mutual SSL & clarifying certificate use #395

Open
2 tasks
planetf1 opened this issue Mar 30, 2022 · 0 comments

planetf1 commented Mar 30, 2022

  • Update the TLS docs with configuration information for mutual TLS, i.e. between Egeria Clients and Server Chassis

For example, using tomcat (which we use in spring) this can be done by configuring tomcat with:

     <Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
         maxThreads="20" SSLEnabled="true" scheme="https" secure="true" clientAuth="true"
         defaultSSLHostConfigName="test">
         <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
         <!-- truststore: the CA(s) whose issued client certificates this server accepts.
              optionalNoCA means a client certificate is requested but not required, and one
              that is presented need not chain to a CA in the truststore -->
         <SSLHostConfig hostName="test" protocols="TLSv1.2" certificateVerification="optionalNoCA"
             truststoreFile="/Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates/EgeriaRootCA.p12"
             truststorePassword="egeria" >
             <!-- keystore: this server's own certificate and private key, presented to clients -->
             <Certificate
                 certificateKeystoreType="pkcs12"
                 certificateKeystoreFile="/Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates/EgeriaServerChassis.p12"
                 certificateKeystorePassword="egeria"
             />
         </SSLHostConfig>
     </Connector>

This can then be checked from a client using:

#!/bin/sh

# Bundle the root and intermediate CA certificates into a single PEM file
cat /Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates/EgeriaRootCA/certs/EgeriaRootCA.cert.pem /Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates/EgeriaIntermediateCA/certs/EgeriaIntermediateCA.cert.pem > /tmp/cert.pem

# Connect with a client certificate (mutual TLS):
#   --pass    passphrase protecting the client private key
#   --cert    client certificate presented to the server
#   --key     client private key
#   --cacert  CA bundle curl trusts when checking the server's certificate
curl \
    --pass egeria \
    --cert /Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates/EgeriaClient.cert.pem \
    --key /Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates/EgeriaClient.key.pem \
    --cacert /tmp/cert.pem \
    https://localhost:8443/

This is proven to work (via protocol trace & ssl debugging)

The updated docs should specifically refer to configuration of spring boot (via our application properties) in order to achieve the above configuration

The client is probably already correctly documented -

  • Clarify what should be in keystore vs truststores & elaborate on what they are

Note that in the example above both CAs need to be concatenated. This is because the CLIENT needs to supply the entire certificate chain leading up to what the server trusts. Normally the SERVER would only trust the root CA.

Guidance about what should be in each store - be it for trust, or as a cert to send - should be clarified.

@planetf1 planetf1 self-assigned this Mar 30, 2022
@planetf1 planetf1 changed the title TLS docs - mutual SSL TLS docs - mutual SSL & clarifying certificate use Mar 30, 2022
@planetf1 planetf1 removed their assignment Jun 13, 2023
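The trust-chain behaviour the issue describes (a root-only truststore on the server, and a client that must present its intermediate CA alongside its own certificate), as an added Go example that is not Egeria's code: it constructs an in-memory EgeriaRootCA -> EgeriaIntermediateCA -> EgeriaClient chain with Go's crypto/x509 in place of the PKCS#12 and PEM files from the issue, then checks the client leaf alone and the leaf plus intermediate against a truststore holding only the root.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue returns a certificate for name signed by parent (self-signed when parent is nil).
func issue(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only CAs may sign other certificates
	}
	if parent == nil {
		parent, parentKey = tmpl, key // root CA: self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// serverVerifies models the server chassis: the presented chain (leaf first) must link up to the root-only truststore.
func serverVerifies(root *x509.Certificate, presented []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root) // truststore content: the root CA only
	for _, c := range presented[1:] { // extra certs sent by the client are chain hints, never trusted on their own
		inters.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// demo builds a constructed EgeriaRootCA -> EgeriaIntermediateCA -> EgeriaClient chain and presents leaf alone, then leaf+intermediate.
func demo() (leafOnly, fullChain error) {
	root, rootKey := issue("EgeriaRootCA", true, nil, nil)
	inter, interKey := issue("EgeriaIntermediateCA", true, root, rootKey)
	client, _ := issue("EgeriaClient", false, inter, interKey)
	return serverVerifies(root, []*x509.Certificate{client}), serverVerifies(root, []*x509.Certificate{client, inter})
}
```

demo returns a non-nil error for the leaf alone (unknown authority) and nil once the intermediate is presented with it, which is why the curl call above concatenates both CA certificates.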