
Status

Current-Status: In-progress

Discussion thread:

JIRA: KNOX-1756

Motivation

The location of the keystore housing the Knox Gateway TLS certificate is hardcoded to <calculated from configs>/keystores/gateway.jks, and the certificate alias is hardcoded to “gateway-identity”. This limits the ability of external management facilities to set up a custom TLS identity for the Knox Gateway, for example a host-wide, CA-signed certificate.

Knox has configuration hooks for the following (optional) properties

  • Home Directory
    • Gateway-site property: GATEWAY_HOME
    • System property: GATEWAY_HOME
    • Environment variable: GATEWAY_HOME
  • Data Directory
    • System property: GATEWAY_DATA_HOME
    • Environment variable: GATEWAY_DATA_HOME
    • Gateway-site property: gateway.data.dir
    • Calculated: [Home Directory] + [Path Separator] + “data”
  • Security Directory
    • Gateway-site property: gateway.security.dir
    • Calculated: [Data Directory] + [Path Separator] + “security”

Note: the calculation for the home directory is inconsistent with the other directory calculations. This inconsistency may be confusing to users and should be changed to the following order:

  • System property: GATEWAY_HOME
  • Environment variable: GATEWAY_HOME
  • Gateway-site property: gateway.home.dir

The path to the Knox Gateway TLS keystore is calculated as

[Security Directory] + [Path Separator] + “keystores” + [Path Separator] + “gateway.jks”

Design

To make it easier to use an externally provided TLS identity, the Knox Gateway should allow the TLS keystore file and alias names to be configurable. The following properties should be made available:

  • TLS Keystore File Path
    • Gateway-site property: gateway.tls.keystore.path
    • Calculated: [Security Directory] + [Path Separator] + “keystores” + [Path Separator] + “gateway.jks”
  • TLS Keystore Password Alias
    • Gateway-site property: gateway.tls.keystore.password.alias
    • Calculated: “gateway-identity-keystore-password”
  • TLS Keystore Type
    • Gateway-site property: gateway.tls.keystore.type
    • Calculated: “jks”
  • TLS Key Alias
    • Gateway-site property: gateway.tls.key.alias
    • Calculated: “gateway-identity”
  • TLS Key Passphrase Alias
    • Gateway-site property: gateway.tls.key.passphrase.alias
    • Calculated: “gateway-identity-passphrase”

Note: the calculated values are set so they are backwards compatible with older versions of Knox to ease the upgrading process.

An IdentityService is needed to manage the different identities (keystore files, alias names, etc.) and to use the existing MasterService, KeystoreService and AliasService implementations to obtain the requested data. This differs from the current architecture, where the caller needs to know which service implementation to use to get keystores, certificates, keys, and passwords.

This IdentityService is to be used by callers that need access to keys and certificates for identities required in the Gateway. Any related calls made directly to a KeystoreService or an AliasService should be changed to go through the relevant Identity implementation.
