
TLS docs - mutual SSL & clarifying certificate use

Open planetf1 opened this issue 3 years ago • 0 comments

  • [ ] Update the TLS docs with configuration information for mutual TLS, ie between Egeria Clients and Server Chassis

For example, using Tomcat (which we use in Spring) this can be done by configuring Tomcat with:

```xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
    maxThreads="20" SSLEnabled="true" scheme="https" secure="true" clientAuth="true"
    defaultSSLHostConfigName="test">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <!-- truststore: the CA(s) whose client certificates this server will accept.
         clientAuth on the Connector is the older attribute; with a nested SSLHostConfig the
         policy is set by certificateVerification: "optionalNoCA" lets a client connect without
         a certificate (and, on the OpenSSL provider, skips the CA check), "required" enforces
         mutual TLS against the truststore. -->
    <SSLHostConfig hostName="test" protocols="TLSv1.2" certificateVerification="optionalNoCA"
        truststoreFile="/Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates/EgeriaRootCA.p12"
        truststorePassword="egeria" >
        <!-- keystore: this server's own private key and certificate, plus any intermediate
             it has to present to clients -->
        <Certificate
            certificateKeystoreType="pkcs12"
            certificateKeystoreFile="/Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates/EgeriaServerChassis.p12"
            certificateKeystorePassword="egeria"
        />
    </SSLHostConfig>
</Connector>
```

This can then be checked from a client using:

```sh
#!/bin/sh

CERTS=/Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates

# CA bundle: root + intermediate concatenated. curl verifies the server's certificate
# against it, and with curl's OpenSSL backend the intermediate for the client's own chain
# is also picked up from this file (see the note on concatenation below).
cat "$CERTS/EgeriaRootCA/certs/EgeriaRootCA.cert.pem" \
    "$CERTS/EgeriaIntermediateCA/certs/EgeriaIntermediateCA.cert.pem" > /tmp/cert.pem

# Client identity: its certificate and private key (--pass is the key's passphrase)
curl \
    --pass egeria \
    --cert "$CERTS/EgeriaClient.cert.pem" \
    --key "$CERTS/EgeriaClient.key.pem" \
    --cacert /tmp/cert.pem \
    https://localhost:8443/
```

This is proven to work (via protocol trace & ssl debugging)

The updated docs should specifically refer to configuration of spring boot (via our application properties) in order to achieve the above configuration

The client is probably already correctly documented -

  • [ ] Clarify what should be in keystore vs truststores & elaborate on what they are

Note that in the example above both CAs need to be concatenated. This is because the CLIENT needs to supply the entire certificate chain leading up to what the server trusts. Normally the SERVER would only trust the root CA.

Guidance about what should be in each store - be it for trust, or as a cert to send - should be clarified.

planetf1 · Mar 30 '22 12:03