This is an automated email from the ASF dual-hosted git repository.
yiguolei pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new c32cd5b25a6 FE ssl certificates are of various formats #26039 #26044
c32cd5b25a6 is described below
commit c32cd5b25a675806b3ef7b4c9c5f8fd7ad590288
Author: Guangming Lu <[email protected]>
AuthorDate: Sat Oct 28 22:37:38 2023 +0800
FE ssl certificates are of various formats #26039 #26044
---
docs/en/docs/admin-manual/certificate.md | 2 +-
docs/zh-CN/docs/admin-manual/certificate.md | 2 +-
fe/fe-common/src/main/java/org/apache/doris/common/Config.java | 6 ++++++
.../src/main/java/org/apache/doris/mysql/MysqlSslContext.java | 5 +++--
4 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/docs/en/docs/admin-manual/certificate.md
b/docs/en/docs/admin-manual/certificate.md
index 05e6027ff9c..eccbc2d293d 100644
--- a/docs/en/docs/admin-manual/certificate.md
+++ b/docs/en/docs/admin-manual/certificate.md
@@ -65,7 +65,7 @@ openssl x509 -req -in client-req.pem -days 3600 \
openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
```
-3. Combine your key and certificate in a PKCS#12 (P12) bundle.
+3. Combine your key and certificate in a PKCS#12 (P12) bundle. You can also
specify a certificate format (PKCS12 by default). You can modify the
conf/fe.conf configuration file and add parameter ssl_trust_store_type to
specify the certificate format.
```bash
# Package the CA key and certificate
openssl pkcs12 -inkey ca-key.pem -in ca.pem -export -out ca_certificate.p12
diff --git a/docs/zh-CN/docs/admin-manual/certificate.md
b/docs/zh-CN/docs/admin-manual/certificate.md
index 5f9186c9d3d..1bf6a83c3fb 100644
--- a/docs/zh-CN/docs/admin-manual/certificate.md
+++ b/docs/zh-CN/docs/admin-manual/certificate.md
@@ -65,7 +65,7 @@ openssl x509 -req -in client-req.pem -days 3600 \
openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
```
-3.将您的CA密钥和证书和Sever端密钥和证书分别合并到 PKCS#12 (P12) 包中。
+3.将您的CA密钥和证书和Sever端密钥和证书分别合并到 PKCS#12 (P12)
包中。您也可以指定某个证书格式,默认PKCS12,可以通过修改conf/fe.conf配置文件,添加参数ssl_trust_store_type指定证书格式
```bash
# 打包CA密钥和证书
diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
index c4e7c1b3d4a..aa9ad15edea 100644
--- a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
+++ b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
@@ -1918,6 +1918,12 @@ public class Config extends ConfigBase {
@ConfField(mutable = false, masterOnly = false)
public static boolean ssl_force_client_auth = false;
+ /**
+ * ssl connection needs to authenticate client's certificate store type.
+ */
+ @ConfField(mutable = false, masterOnly = false)
+ public static String ssl_trust_store_type = "PKCS12";
+
/**
* Default CA certificate file location for mysql ssl connection.
*/
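Review bot: The Javadoc on the new `ssl_trust_store_type` field does not say what the value actually is: it is the `KeyStore` type name handed to `KeyStore.getInstance`, and in the MysqlSslContext hunk of this same commit it is applied to both the server certificate store and the CA trust store, not only the trust store the name suggests. I would replace the comment with `/** KeyStore type name (e.g. "PKCS12") passed to KeyStore.getInstance for both the server certificate store and the CA trust store used by mysql ssl connections. */` so an operator knows which files it governs. Since the name under-describes its scope, a one-line remark that it also selects the server key store format, or a separately named setting for the key store, would avoid surprises when the two bundles are produced in different formats.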
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlSslContext.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlSslContext.java
index f4abdbc5cde..b59b493ceaf 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlSslContext.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlSslContext.java
@@ -52,6 +52,7 @@ public class MysqlSslContext {
private static final String trustStoreFile =
Config.mysql_ssl_default_ca_certificate;
private static final String caCertificatePassword =
Config.mysql_ssl_default_ca_certificate_password;
private static final String serverCertificatePassword =
Config.mysql_ssl_default_server_certificate_password;
+ private static final String trustStoreType = Config.ssl_trust_store_type;
private ByteBuffer serverNetData;
private ByteBuffer clientAppData;
private ByteBuffer clientNetData;
@@ -67,8 +68,8 @@ public class MysqlSslContext {
private void initSslContext() {
try {
- KeyStore ks = KeyStore.getInstance("PKCS12");
- KeyStore ts = KeyStore.getInstance("PKCS12");
+ KeyStore ks = KeyStore.getInstance(trustStoreType);
+ KeyStore ts = KeyStore.getInstance(trustStoreType);
char[] serverPassword = serverCertificatePassword.toCharArray();
char[] caPassword = caCertificatePassword.toCharArray();
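Review bot: Both `ks` (loaded with the server certificate password) and `ts` (loaded with the CA password) are now created from the single `trustStoreType` value, so a deployment whose server bundle and CA bundle are in different formats cannot be expressed and the load of one of them will fail. A mis-typed `ssl_trust_store_type` value also makes `KeyStore.getInstance` throw `KeyStoreException` inside this try block; the catch clause and the rest of `initSslContext` lie outside the hunk, so I cannot tell whether the failure is surfaced with the config key named or logged and swallowed, which matters because an SSL listener that silently fails to initialise is a startup-time security regression. Consider validating the type once where the static is initialised, or wrapping the two `getInstance` calls so the message names `ssl_trust_store_type` and the offending value, e.g. `throw new IllegalStateException("unsupported ssl_trust_store_type: " + trustStoreType, e);`.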