
ID: IEP-105
Author:
Sponsor:
Created:
Status: DRAFT

Motivation


Basic requirements

To ensure security, every connection in the cluster, both the internal (node-to-node) interfaces and the user-facing ones, should be able to be protected with SSL/TLS through configuration.

...

Because of Micronaut limitations, only PKCS12 and JKS keystores are supported. Pointing the configuration directly at certificate and private-key files is not secure and is NOT supported: keys and certificates must be packaged in one of these keystore formats.

Design

Connections

REST

The standard way to add SSL to the REST endpoint is to serve the secure connection on a separate port. We should also support the dual-protocol feature (plain HTTP and HTTPS served at the same time), together with HTTP-to-HTTPS redirection, because with dual protocol alone the plaintext port remains reachable.

...

"rest": {
    "dualProtocol": false,
    "httpToHttpsRedirection": false,
    "ssl": {
        "enabled": false,
        "port": 10400,
        "portRange": 100,
        "keyStore": {
            "type": "PKCS12",
            "path": "must not be empty",
            "password": "may be empty"
        }
    }
}

Ignite Thin Client and JDBC

The Apache Ignite 3 thin client is implemented on top of the Netty framework.

...

If SSL is enabled for the clientConnector, the client side must be configured to match: the corresponding SSL properties have to be set in ConnectionProperties (JDBC) as well, since a plaintext client cannot connect to a TLS-only connector.

.NET Client


Follow the existing approach from Ignite 2.x, where SSL is enabled by assigning an SslStreamFactory to the client configuration (C#):

...

// SslStreamFactory is the factory type of the Ignite 2.x client API; assigning it turns on TLS for the connection.
var cfg = new IgniteClientConfiguration { SslStreamFactory = new SslStreamFactory() };

C++ Client


TBD.


CLI config

The CLI uses OkHttp to communicate with Ignite. To enable SSL we have to create an SSLSocketFactory and pass it to the OkHttpClient builder, together with the X509TrustManager it was built from: OkHttp's sslSocketFactory(SSLSocketFactory, X509TrustManager) overload is the supported one, the single-argument form is deprecated.

...

The CLI's security configuration (keystore and truststore paths and passwords) should be stored in a separate config file with restrictive file permissions (owner read/write only) to protect it from unauthorized reads and writes. Profiles in this file should match the profiles of the common CLI configuration file.
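An added example (not the CLI's own code) of the two points above: an OkHttpClient built from a PKCS12 trust store and an optional PKCS12 key store (for the server's clientAuth "optional"/"require" modes), plus a permission check that rejects a security config file or store readable or writable by anyone but its owner. The names checkPrivateFile, loadPkcs12 and build are this example's own; the OkHttp, javax.net.ssl and java.nio.file calls are real APIs. The permission check uses POSIX permissions, so it is Linux/macOS only.

```java
// Added example, not from the IEP or the Ignite CLI code base.
// Builds an OkHttpClient for TLS connections to the REST endpoint using PKCS12 stores
// whose paths come from the CLI's separate security config file.
import okhttp3.OkHttpClient;

import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Set;

public final class CliTls {

    /** Refuses a file (security config, key store, trust store) that group or others can access. */
    public static void checkPrivateFile(Path file) throws Exception {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file); // POSIX only
        for (PosixFilePermission p : perms) {
            if (p != PosixFilePermission.OWNER_READ
                    && p != PosixFilePermission.OWNER_WRITE
                    && p != PosixFilePermission.OWNER_EXECUTE) {
                throw new SecurityException(file + " must be accessible only by its owner (chmod 600)");
            }
        }
    }

    /** Loads a PKCS12 store; an empty password array is passed through as "no password". */
    static KeyStore loadPkcs12(Path path, char[] password) throws Exception {
        checkPrivateFile(path);
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, (password == null || password.length == 0) ? null : password);
        }
        return ks;
    }

    /**
     * trustStorePath is mandatory so the CLI verifies the node's certificate instead of
     * trusting anything; keyStorePath may be null when the server's clientAuth is "none".
     */
    public static OkHttpClient build(Path trustStorePath, char[] trustStorePassword,
                                     Path keyStorePath, char[] keyStorePassword) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadPkcs12(trustStorePath, trustStorePassword));
        TrustManager[] tms = tmf.getTrustManagers();
        if (tms.length != 1 || !(tms[0] instanceof X509TrustManager)) {
            throw new IllegalStateException("unexpected trust managers: " + tms.length);
        }
        X509TrustManager x509Tm = (X509TrustManager) tms[0];

        KeyManager[] kms = null; // null means "no client certificate"
        if (keyStorePath != null) {
            KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            // Assumes key entries are protected with the store password (keytool's default).
            kmf.init(loadPkcs12(keyStorePath, keyStorePassword), keyStorePassword);
            kms = kmf.getKeyManagers();
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, new TrustManager[] { x509Tm }, new SecureRandom());

        // OkHttp requires the X509TrustManager next to the factory; the one-argument
        // sslSocketFactory(...) overload is deprecated because OkHttp cannot recover it.
        return new OkHttpClient.Builder()
            .sslSocketFactory(ctx.getSocketFactory(), x509Tm)
            .build();
    }
}
```

Call checkPrivateFile on the security config file itself before parsing it, then pass the paths it contains to build; a store that is world-readable is rejected at load time for the same reason.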

Network

Node-to-node networking is also built on Netty, so the SSL setup is the same as described for the Ignite client; only the Ignite 3 configuration section differs.

...

"network": {
    "ssl": {
        "enabled": false,
        "clientAuth": "none",
        "keyStore": {
            "type": "PKCS12",
            "path": "must not be empty",
            "password": "may be empty"
        },
        "trustStore": {
            "type": "PKCS12",
            "path": "must not be empty",
            "password": "may be empty"
        }
    }
}

SSL client authentication (mTLS support)


Every connection type should support client certificate authentication (mutual TLS). It is configured separately for each connection on the server side.

...

clientAuth must be one of "none" (no client certificate is requested), "optional" (a certificate is requested and validated if presented, but the handshake succeeds without one) or "require" (the handshake fails unless the client presents a certificate that validates against the trustStore).
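How the network.ssl settings and the clientAuth values above translate into Netty SslContext objects, as an added example that is not code from this IEP or from the Ignite code base. The SslSettings and StoreSettings records are hypothetical mirrors of the JSON config (Java 17 records); the Netty (SslContextBuilder, ClientAuth) and JDK (KeyStore, KeyManagerFactory, TrustManagerFactory) APIs are real. Because the design says the thin client connector uses the same Netty setup, the same construction applies there.

```java
// Added example, not from the IEP or the Ignite code base.
// Builds server- and client-side Netty SslContext objects from the "network.ssl" settings.
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Locale;

public final class NetworkSsl {

    /** Hypothetical mirror of the keyStore / trustStore objects in the config. */
    public record StoreSettings(String type, String path, String password) {}

    /** Hypothetical mirror of the "network.ssl" object. */
    public record SslSettings(boolean enabled, String clientAuth,
                              StoreSettings keyStore, StoreSettings trustStore) {}

    /** Maps the clientAuth string to Netty's enum; anything else is a configuration error. */
    public static ClientAuth parseClientAuth(String value) {
        if (value == null) throw new IllegalArgumentException("clientAuth must be set");
        switch (value.toLowerCase(Locale.ROOT)) {
            case "none":     return ClientAuth.NONE;
            case "optional": return ClientAuth.OPTIONAL;
            case "require":  return ClientAuth.REQUIRE;
            default: throw new IllegalArgumentException(
                "clientAuth must be one of \"none\", \"optional\", \"require\", got: " + value);
        }
    }

    /** "password may be empty": an empty string means the store is not password-protected. */
    static char[] storePassword(StoreSettings s) {
        return (s.password() == null || s.password().isEmpty()) ? null : s.password().toCharArray();
    }

    /** Loads a PKCS12 or JKS store; only these two types are accepted (see the Micronaut note). */
    static KeyStore loadStore(StoreSettings s) throws Exception {
        if (s == null || s.path() == null || s.path().isBlank())
            throw new IllegalArgumentException("store path must not be empty");
        String type = s.type() == null ? "" : s.type().toUpperCase(Locale.ROOT);
        if (!type.equals("PKCS12") && !type.equals("JKS"))
            throw new IllegalArgumentException("unsupported store type: " + s.type());
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(Path.of(s.path()))) {
            ks.load(in, storePassword(s));
        }
        return ks;
    }

    /** Server-side context for the node listener. Call only when cfg.enabled() is true. */
    public static SslContext serverContext(SslSettings cfg) throws Exception {
        if (!cfg.enabled())
            throw new IllegalStateException("network.ssl.enabled is false; install no SslHandler");
        ClientAuth auth = parseClientAuth(cfg.clientAuth());

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // Assumes key entries are protected with the store password (keytool's default).
        kmf.init(loadStore(cfg.keyStore()), storePassword(cfg.keyStore()));

        SslContextBuilder b = SslContextBuilder.forServer(kmf).clientAuth(auth);

        // A trust store matters only when client certificates are requested. With "optional"
        // or "require", refuse to start without one rather than silently falling back to
        // the JVM default trust store, which would accept any publicly-issued certificate.
        if (auth != ClientAuth.NONE) {
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(loadStore(cfg.trustStore()));
            b.trustManager(tmf);
        }
        return b.build();
    }

    /** Client-side context for the connecting node: verify the peer, present our certificate. */
    public static SslContext clientContext(SslSettings cfg) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore(cfg.trustStore()));
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadStore(cfg.keyStore()), storePassword(cfg.keyStore()));
        return SslContextBuilder.forClient().trustManager(tmf).keyManager(kmf).build();
    }
}
```

The resulting SslContext is installed as the first handler in the Netty pipeline via newHandler(channel.alloc()); with "require" the TLS handshake itself rejects peers without a valid certificate, so the node never sees application traffic from an unauthenticated connection.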


Tickets

[IGNITE-18575] Basic auth and SSL - ASF JIRA (apache.org)



...