
Example 1 with ScmNodeDetailsProto

Use of org.apache.hadoop.hdds.protocol.proto.HddsProtos.ScmNodeDetailsProto in the Apache Ozone project.

From the class HASecurityUtils, method getRootCASignedSCMCert (the bootstrap step in which a non-primordial SCM obtains its sub-CA certificate and the root CA certificate):

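/**
 * For a bootstrapped SCM, obtain this SCM's sub-CA certificate (signed by the
 * root CA) together with the root CA certificate from the SCM security
 * service, and persist both through the certificate client.
 *
 * <p>The root CA certificate received here becomes the local trust anchor, so
 * this is a trust-on-first-use step: nothing in this method pins the root CA
 * out-of-band, and the chain is only as trustworthy as the authentication of
 * the RPC channel the security client uses. Before anything is persisted the
 * response is checked for internal consistency (the returned certificate must
 * verify under the returned root CA key), so a malformed or mismatched chain
 * is rejected without leaving partial state on disk.
 *
 * @param client           certificate client used to build the CSR and to
 *                         store the received certificates
 * @param config           Ozone configuration used to build the security client
 * @param scmStorageConfig SCM storage config supplying cluster and SCM ids; the
 *                         issued certificate's serial id is recorded on it
 * @param scmAddress       address of this SCM, whose host name goes into the
 *                         CSR and node details
 * @throws RuntimeException if the chain cannot be fetched, fails verification
 *                          or cannot be stored (the underlying exception is
 *                          attached as the cause where there is one)
 */
private static void getRootCASignedSCMCert(CertificateClient client, OzoneConfiguration config, SCMStorageConfig scmStorageConfig, InetSocketAddress scmAddress) {
    try {
        // Generate CSR.
        PKCS10CertificationRequest csr = generateCSR(client, scmStorageConfig, config, scmAddress);
        ScmNodeDetailsProto scmNodeDetailsProto = ScmNodeDetailsProto.newBuilder()
            .setClusterId(scmStorageConfig.getClusterID())
            .setHostName(scmAddress.getHostName())
            .setScmNodeId(scmStorageConfig.getScmId())
            .build();
        // Create SCM security client.
        // NOTE(review): the client is not closed here; if it holds an RPC proxy
        // it should be released once the chain has been fetched — confirm its type.
        SCMSecurityProtocolClientSideTranslatorPB secureScmClient = HddsServerUtil.getScmSecurityClientWithFixedDuration(config);
        // Get SCM sub CA cert (plus the root CA cert that signed it).
        SCMGetCertResponseProto response = secureScmClient.getSCMCertChain(scmNodeDetailsProto, getEncodedString(csr));
        if (!response.hasX509CACertificate()) {
            throw new RuntimeException("Unable to retrieve SCM certificate chain");
        }
        String pemEncodedCert = response.getX509Certificate();
        String pemEncodedRootCert = response.getX509CACertificate();

        // Parse and cross-check before persisting anything, so that a bad
        // response cannot leave a root CA or sub-CA certificate behind on disk.
        X509Certificate rootCertificate = CertificateCodec.getX509Certificate(pemEncodedRootCert);
        X509Certificate certificate = CertificateCodec.getX509Certificate(pemEncodedCert);
        // The SCM certificate must actually be signed by the root CA we were
        // handed; verify() throws when the signature does not check out.
        certificate.verify(rootCertificate.getPublicKey());
        // TODO(review): also confirm certificate.getPublicKey() matches the key
        // in the CSR, so a certificate issued for some other key is never
        // recorded as ours.

        // Store SCM sub CA and root CA certificate.
        client.storeCertificate(pemEncodedRootCert, true, true);
        client.storeCertificate(pemEncodedCert, true);
        persistSubCACertificate(config, client, CertificateCodec.getCertificateHolder(certificate));
        // Persist scm cert serial ID.
        scmStorageConfig.setScmCertSerialId(certificate.getSerialNumber().toString());
    } catch (IOException | java.security.GeneralSecurityException e) {
        // GeneralSecurityException covers the CertificateException raised while
        // parsing as well as the signature/key/algorithm failures from verify().
        LOG.error("Error while fetching/storing SCM signed certificate.", e);
        throw new RuntimeException(e);
    }
}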
