
The proposal is to add a new SSL property (ssl-use-default-provider) that lets Geode use the system default security provider (either a JDK-provided provider or a user-provided custom provider). When using SSL, the current implementation allows developers to set several ssl-* properties to define the paths, types and passwords of the keystore and truststore. Geode loads the key and trust stores and initializes a TrustManagerFactory (TMF) and a KeyManagerFactory (KMF) to be used for secure socket management. This imposes certain limitations on developers who want to bring in their own custom implementation of some of the SPIs (KeyStore/TrustStore SPI, KeyManagerFactory/TrustManagerFactory SPI). Using the new property ssl-use-default-provider=true, developers can let Geode initialize the TrustManager and KeyManager that are provided by the system default provider.


Specifically on the client side, in a container world, having to read certificates from a filesystem adds the overhead of rebuilding application container images whenever those certificates are rotated for security hygiene. With this flag, application developers can instead provide custom implementations of TMF/KMF that read certificates from non-filesystem-based trust and key stores.

E.g.: the CloudFoundry java-buildpack provides a "ContainerSecurityProvider" with custom TrustManager and KeyManager implementations that read certificates from CredHub.

How Geode uses this flag:

geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java
...

...

private TrustManager[] getTrustManagers()
    throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
  if (sslConfig.isUseDefaultProvider()) {
    // Resolve the default TMF algorithm through the installed providers (in priority order)
    // and let that provider initialize itself; passing a null KeyStore means the provider
    // decides where its trust material comes from instead of Geode loading a truststore file.
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init((KeyStore) null);
    return tmf.getTrustManagers();
  } else {
    // current implementation of reading truststore and initializing TMF
    ...
    ...
  }
}

private KeyManager[] getKeyManagers() throws KeyStoreException, IOException,
    NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException {
  if (sslConfig.isUseDefaultProvider()) {
    // Same pattern for the KMF: no keystore and no password are handed in, so the
    // provider that wins the lookup supplies the key material itself.
    KeyManagerFactory keyManagerFactory =
        KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    keyManagerFactory.init(null, null);
    return keyManagerFactory.getKeyManagers();
  } else {
    // current implementation of reading keystore and initializing KMF
    ...
    ...
  }
}

...

...

How developers can use this flag on the client:

1. Implement a custom provider as per the JDK guidelines.

2. Add the custom provider.

Add custom Provider
// Providers are consulted in list order, so the position decides whether the
// custom provider is found before the JDK's own provider for the same algorithm.
Security.insertProviderAt(new CustomProvider(), 2);

or

// Appends the provider at the end of the list.
Security.addProvider(new CustomProvider());


3. Set these gemfire properties and initialize ClientCache.

Gemfire Properties
Properties props = new Properties();
props.setProperty(ConfigurationProperties.SSL_ENABLED_COMPONENTS, SecurableCommunicationChannels.SERVER);
props.setProperty(ConfigurationProperties.SSL_REQUIRE_AUTHENTICATION, "true");
props.setProperty(ConfigurationProperties.SSL_USE_DEFAULT_PROVIDER, "true");
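The three client-side steps above, worked end to end as an added example that is not part of this proposal or of the Geode code base: a hypothetical JCA provider (EnvCaProvider) registers a TrustManagerFactory under the JDK's default algorithm name "PKIX", builds its trust store from PEM certificates held in an assumed environment variable (GEODE_TRUSTED_CA_PEM) rather than a file, and is installed ahead of SunJSSE before the ClientCache is created with the proposed ssl-use-default-provider property. The delegation to SunJSSE by explicit provider name, the environment variable, and the createClientCache helper are all this example's own choices.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import java.util.Properties;
import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.TrustManagerFactorySpi;
import org.apache.geode.cache.client.ClientCache;
import org.apache.geode.cache.client.ClientCacheFactory;
import org.apache.geode.distributed.ConfigurationProperties;
import org.apache.geode.security.SecurableCommunicationChannels;

/** Hypothetical provider: serves the default TMF algorithm from CA certs in the environment. */
public final class EnvCaProvider extends Provider {

  /** Assumed environment variable holding one or more PEM-encoded CA certificates. */
  static final String CA_PEM_ENV = "GEODE_TRUSTED_CA_PEM";

  public EnvCaProvider() {
    super("EnvCA", 1.0, "TrustManagerFactory backed by CA certificates from the environment");
    // Register under "PKIX" so TrustManagerFactory.getDefaultAlgorithm() resolves to this SPI
    // once the provider sits ahead of SunJSSE in the provider list.
    putService(new Service(this, "TrustManagerFactory", "PKIX",
        PemTrustManagerFactorySpi.class.getName(), null, null));
  }

  /** SPI that ignores the null KeyStore Geode passes and builds an in-memory one instead. */
  public static final class PemTrustManagerFactorySpi extends TrustManagerFactorySpi {
    private TrustManager[] managers;

    @Override
    protected void engineInit(KeyStore ignored) throws KeyStoreException {
      String pem = System.getenv(CA_PEM_ENV);
      if (pem == null || pem.isEmpty()) {
        // Fail closed: an empty trust store would reject every peer, but a missing variable
        // is a deployment error worth surfacing rather than silently trusting nothing.
        throw new KeyStoreException(CA_PEM_ENV + " is not set");
      }
      try {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> cas = cf.generateCertificates(
            new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty, in-memory store
        int n = 0;
        for (Certificate ca : cas) {
          ks.setCertificateEntry("ca-" + n++, ca);
        }
        // Chain validation itself is delegated to the JDK's PKIX implementation; naming
        // SunJSSE explicitly avoids resolving back to this provider recursively.
        TrustManagerFactory jdk = TrustManagerFactory.getInstance("PKIX", "SunJSSE");
        jdk.init(ks);
        managers = jdk.getTrustManagers();
      } catch (GeneralSecurityException | IOException e) {
        throw new KeyStoreException("could not build trust store from " + CA_PEM_ENV, e);
      }
    }

    @Override
    protected void engineInit(ManagerFactoryParameters spec)
        throws InvalidAlgorithmParameterException {
      throw new InvalidAlgorithmParameterException("parameters not supported");
    }

    @Override
    protected TrustManager[] engineGetTrustManagers() {
      if (managers == null) {
        throw new IllegalStateException("TrustManagerFactory not initialized");
      }
      return managers.clone();
    }
  }

  /** Client wiring: register the provider first, then hand Geode the proposed property. */
  public static ClientCache createClientCache(String locatorHost, int locatorPort) {
    Security.insertProviderAt(new EnvCaProvider(), 1); // position 1: consulted before SunJSSE
    Properties props = new Properties();
    props.setProperty(ConfigurationProperties.SSL_ENABLED_COMPONENTS,
        SecurableCommunicationChannels.SERVER);
    // Server authentication only; mutual TLS would also need a KeyManagerFactory service.
    props.setProperty(ConfigurationProperties.SSL_REQUIRE_AUTHENTICATION, "false");
    // Property proposed on this page; assumed to exist as ConfigurationProperties.SSL_USE_DEFAULT_PROVIDER.
    props.setProperty(ConfigurationProperties.SSL_USE_DEFAULT_PROVIDER, "true");
    return new ClientCacheFactory(props).addPoolLocator(locatorHost, locatorPort).create();
  }
}
```

Two points to check when wiring this up. First, the provider only wins the `TrustManagerFactory.getInstance(getDefaultAlgorithm())` lookup in SocketCreator if it is listed before SunJSSE, so `Security.addProvider`, which appends, would leave the JDK's file-based PKIX factory in charge; either insert at a low position as above or register a different algorithm name and point the `ssl.TrustManagerFactory.algorithm` security property at it. Second, with ssl-require-authentication=true as in step 3 the server asks the client for a certificate, and `KeyManagerFactory.init(null, null)` on the JDK's SunX509 factory yields no keys, so the same provider must also register a KeyManagerFactory service that sources the client key from outside the filesystem; this example leaves that side out and therefore sets the property to "false".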
