[ https://issues.apache.org/jira/browse/GEODE-9017?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17338528#comment-17338528 ]

ASF subversion and git services commented on GEODE-9017:
--------------------------------------------------------

Commit 7e1ed12414c5eb401ddb4cc9b4b8a6a3d1ae4dd5 in geode's branch 
refs/heads/develop from Aaron Lindsey
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=7e1ed12 ]

GEODE-9198: Key/trust store watcher follows symlinks (#6380)

GEODE-9017 introduced a file watching key/trust manager to automatically
reload the key and trust store upon change. However, in the situation
where the key/trust store files are represented by symbolic links, the
manager would not reload the store correctly. This commit changes the
watcher to follow symbolic links.

> Reload key store and trust store upon change
> --------------------------------------------
>
>                 Key: GEODE-9017
>                 URL: https://issues.apache.org/jira/browse/GEODE-9017
>             Project: Geode
>          Issue Type: New Feature
>            Reporter: Aaron Lindsey
>            Assignee: Aaron Lindsey
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.15.0
>
>
> [Link to 
> RFC|https://cwiki.apache.org/confluence/display/GEODE/Make+key+and+trust+stores+reload+automatically+upon+change]
> (The below text is copied from the RFC document.)
> h3. Problem
> Currently, in order to rotate certificates each member of the cluster needs 
> to be restarted to load new certs and trust. It would be preferable if 
> certificates can be rotated without having to restart members.
> h3. Solution
> When starting up a cluster member we currently read the TLS configuration 
> which, when TLS is enabled, has key and trust store files defined. In case 
> those files are defined they are read, and the information inside them is 
> loaded into the key and trust manager objects that are loaded into the 
> SSLContext.
> This solution will introduce wrapper objects for the key and trust managers 
> and file/directory watcher(s) that can detect changes to the key and trust 
> store files. When key and trust store files are changed this will trigger a 
> reload into key and trust managers and through the wrapper objects these new 
> key and trust managers will be injected into the SSLContext so that the 
> context can start using the new key and trust managers in process.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
