
Example 1 with SCMGetCertResponseProto

use of org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertResponseProto in project ozone by apache.

In class OzoneManager, method getSCMSignedCert.

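/**
 * Obtains an SCM-signed certificate for this OM and stores it through the
 * certificate client.
 *
 * Builds a CSR from the client's key pair and the OM RPC address, sends it
 * to SCM together with the OM details, then persists the returned OM
 * certificate, the SCM CA certificate and, when present, the root CA
 * certificate. The serial id of the new OM certificate is recorded in
 * {@code omStore}.
 *
 * @param client  certificate client holding the OM key pair; receives the certificates
 * @param config  OM configuration (RPC address, HA service id, security settings)
 * @param omStore OM storage; supplies cluster/OM ids and receives the cert serial id
 * @param scmId   id of the SCM recorded in the CSR
 * @throws IOException      propagated from the current-user lookup or the SCM RPC
 * @throws RuntimeException if the OM RPC address is unusable, the SCM response
 *                          does not carry both the OM and the CA certificate,
 *                          or parsing/storing the certificates fails (cause kept)
 */
private static void getSCMSignedCert(CertificateClient client, OzoneConfiguration config, OMStorage omStore, String scmId) throws IOException {
    CertificateSignRequest.Builder builder = client.getCSRBuilder();
    KeyPair keyPair = new KeyPair(client.getPublicKey(), client.getPrivateKey());
    InetSocketAddress omRpcAdd = OmUtils.getOmAddress(config);
    if (omRpcAdd == null || omRpcAdd.getAddress() == null) {
        LOG.error("Incorrect om rpc address. omRpcAdd:{}", omRpcAdd);
        throw new RuntimeException("Can't get SCM signed certificate. " + "omRpcAdd: " + omRpcAdd);
    }
    // Host name and IP of this OM; both end up in the CSR and the OM details.
    String hostname = omRpcAdd.getAddress().getHostName();
    String ip = omRpcAdd.getAddress().getHostAddress();
    String subject;
    if (builder.hasDnsName()) {
        subject = UserGroupInformation.getCurrentUser().getShortUserName() + "@" + hostname;
    } else {
        // With only IP in alt.name, certificate validation would fail if subject
        // isn't a hostname either, so omit username.
        subject = hostname;
    }
    builder.setCA(false).setKey(keyPair).setConfiguration(config).setScmID(scmId).setClusterID(omStore.getClusterID()).setSubject(subject);
    // In an HA deployment the OM service id is added as an extra name.
    OMHANodeDetails haOMHANodeDetails = OMHANodeDetails.loadOMHAConfig(config);
    String serviceName = haOMHANodeDetails.getLocalNodeDetails().getServiceId();
    if (!StringUtils.isEmpty(serviceName)) {
        builder.addServiceName(serviceName);
    }
    LOG.info("Creating csr for OM->dns:{},ip:{},scmId:{},clusterId:{}," + "subject:{}", hostname, ip, scmId, omStore.getClusterID(), subject);
    HddsProtos.OzoneManagerDetailsProto.Builder omDetailsProtoBuilder = HddsProtos.OzoneManagerDetailsProto.newBuilder().setHostName(omRpcAdd.getHostName()).setIpAddress(ip).setUuid(omStore.getOmId()).addPorts(HddsProtos.Port.newBuilder().setName(RPC_PORT).setValue(omRpcAdd.getPort()).build());
    PKCS10CertificationRequest csr = builder.build();
    HddsProtos.OzoneManagerDetailsProto omDetailsProto = omDetailsProtoBuilder.build();
    LOG.info("OzoneManager ports added:{}", omDetailsProto.getPortsList());
    SCMSecurityProtocolClientSideTranslatorPB secureScmClient = HddsServerUtil.getScmSecurityClientWithFixedDuration(config);
    SCMGetCertResponseProto response = secureScmClient.getOMCertChain(omDetailsProto, getEncodedString(csr));
    // Both the OM certificate and its issuing CA certificate are required;
    // an unset proto field would otherwise be read as an empty string.
    if (!response.hasX509Certificate() || !response.hasX509CACertificate()) {
        throw new RuntimeException("Unable to retrieve OM certificate " + "chain");
    }
    String pemEncodedCert = response.getX509Certificate();
    try {
        // Parse the OM certificate before storing anything, so an unusable
        // PEM does not leave a half-written certificate store behind.
        String omCertSerialId = CertificateCodec.getX509Certificate(pemEncodedCert).getSerialNumber().toString();
        // NOTE(review): the CA/root certificates are trusted as delivered by
        // the SCM security RPC; that channel's authentication is established
        // outside this method — confirm it is not plaintext/unauthenticated.
        // Store SCM CA certificate, then the OM certificate it issued.
        client.storeCertificate(response.getX509CACertificate(), true, true);
        client.storeCertificate(pemEncodedCert, true);
        // Store Root CA certificate if available.
        if (response.hasX509RootCACertificate()) {
            client.storeRootCACertificate(response.getX509RootCACertificate(), true);
        }
        // Persist om cert serial id.
        omStore.setOmCertSerialId(omCertSerialId);
    } catch (IOException | CertificateException e) {
        LOG.error("Error while storing SCM signed certificate.", e);
        throw new RuntimeException(e);
    }
}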
Also used : PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) KeyPair(java.security.KeyPair) OMHANodeDetails(org.apache.hadoop.ozone.om.ha.OMHANodeDetails) SCMSecurityProtocolClientSideTranslatorPB(org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB) InetSocketAddress(java.net.InetSocketAddress) CertificateException(java.security.cert.CertificateException) CertificateSignRequest.getEncodedString(org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest.getEncodedString) IOException(java.io.IOException) UncheckedIOException(java.io.UncheckedIOException) SCMGetCertResponseProto(org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertResponseProto) HddsProtos(org.apache.hadoop.hdds.protocol.proto.HddsProtos) CertificateSignRequest(org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest)

Example 2 with SCMGetCertResponseProto

use of org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertResponseProto in project ozone by apache.

In class HASecurityUtils, method getRootCASignedSCMCert.

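/**
 * For a bootstrapped SCM, obtains the sub-CA certificate signed by the root
 * CA and stores it, together with the root CA certificate, through the
 * certificate client.
 *
 * The CSR is generated from {@code client}'s key material, sent to SCM with
 * this node's details, and the returned chain is persisted; the serial id of
 * the new sub-CA certificate is recorded in {@code scmStorageConfig}.
 *
 * @param client           certificate client that owns the SCM key pair and stores the result
 * @param config           cluster configuration used to build the CSR and the SCM security client
 * @param scmStorageConfig storage config supplying cluster/SCM ids; receives the cert serial id
 * @param scmAddress       RPC address of this SCM, used for the CSR and the node details
 * @throws RuntimeException if the response does not carry both the SCM and
 *                          the CA certificate, or if generating, parsing or
 *                          storing the certificates fails (cause kept)
 */
private static void getRootCASignedSCMCert(CertificateClient client, OzoneConfiguration config, SCMStorageConfig scmStorageConfig, InetSocketAddress scmAddress) {
    try {
        // Generate CSR.
        PKCS10CertificationRequest csr = generateCSR(client, scmStorageConfig, config, scmAddress);
        ScmNodeDetailsProto scmNodeDetailsProto = ScmNodeDetailsProto.newBuilder().setClusterId(scmStorageConfig.getClusterID()).setHostName(scmAddress.getHostName()).setScmNodeId(scmStorageConfig.getScmId()).build();
        // Create SCM security client.
        SCMSecurityProtocolClientSideTranslatorPB secureScmClient = HddsServerUtil.getScmSecurityClientWithFixedDuration(config);
        // Get SCM sub CA cert.
        SCMGetCertResponseProto response = secureScmClient.getSCMCertChain(scmNodeDetailsProto, getEncodedString(csr));
        // Both the sub-CA certificate and the root CA certificate are
        // required; an unset proto field would read as an empty string.
        if (!response.hasX509Certificate() || !response.hasX509CACertificate()) {
            throw new RuntimeException("Unable to retrieve SCM certificate chain");
        }
        String pemEncodedCert = response.getX509Certificate();
        // Parse before storing, so an unusable PEM leaves nothing half-written.
        X509Certificate certificate = CertificateCodec.getX509Certificate(pemEncodedCert);
        // Store root CA certificate, then the SCM sub CA certificate.
        client.storeCertificate(response.getX509CACertificate(), true, true);
        client.storeCertificate(pemEncodedCert, true);
        persistSubCACertificate(config, client, CertificateCodec.getCertificateHolder(certificate));
        // Persist scm cert serial ID.
        scmStorageConfig.setScmCertSerialId(certificate.getSerialNumber().toString());
    } catch (IOException | CertificateException e) {
        LOG.error("Error while fetching/storing SCM signed certificate.", e);
        throw new RuntimeException(e);
    }
}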
Also used : PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) SCMSecurityProtocolClientSideTranslatorPB(org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB) SCMGetCertResponseProto(org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertResponseProto) CertificateException(java.security.cert.CertificateException) CertificateSignRequest.getEncodedString(org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest.getEncodedString) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) ScmNodeDetailsProto(org.apache.hadoop.hdds.protocol.proto.HddsProtos.ScmNodeDetailsProto)

Example 3 with SCMGetCertResponseProto

use of org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertResponseProto in project ozone by apache.

In class HddsDatanodeService, method getSCMSignedCert.

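/**
 * Obtains an SCM-signed certificate for this datanode and stores it through
 * the datanode certificate client.
 *
 * Sends a CSR plus the datanode details to SCM, persists the returned
 * datanode certificate, the SCM CA certificate and, when present, the root
 * CA certificate, records the new serial id in {@code datanodeDetails} and
 * finally replaces {@code dnCertClient} with one bound to that serial id.
 *
 * @param config datanode configuration used for the CSR, the SCM security
 *               client and the rebuilt certificate client
 * @throws RuntimeException if the response does not carry both the datanode
 *                          and the CA certificate, or if the CSR, parsing or
 *                          storing step fails (cause kept)
 */
private void getSCMSignedCert(OzoneConfiguration config) {
    try {
        PKCS10CertificationRequest csr = getCSR(config);
        // TODO: For SCM CA we should fetch certificate from multiple SCMs.
        SCMSecurityProtocolClientSideTranslatorPB secureScmClient = HddsServerUtil.getScmSecurityClientWithMaxRetry(config);
        SCMGetCertResponseProto response = secureScmClient.getDataNodeCertificateChain(datanodeDetails.getProtoBufMessage(), getEncodedString(csr));
        // Both the datanode certificate and its issuing CA certificate are
        // required; an unset proto field would read as an empty string.
        if (!response.hasX509Certificate() || !response.hasX509CACertificate()) {
            throw new RuntimeException("Unable to retrieve datanode certificate " + "chain");
        }
        String pemEncodedCert = response.getX509Certificate();
        // Parse first: nothing is persisted if the returned PEM is unusable.
        String dnCertSerialId = getX509Certificate(pemEncodedCert).getSerialNumber().toString();
        // Persist certificates.
        dnCertClient.storeCertificate(pemEncodedCert, true);
        dnCertClient.storeCertificate(response.getX509CACertificate(), true, true);
        // Store Root CA certificate.
        if (response.hasX509RootCACertificate()) {
            dnCertClient.storeRootCACertificate(response.getX509RootCACertificate(), true);
        }
        datanodeDetails.setCertSerialId(dnCertSerialId);
        persistDatanodeDetails(datanodeDetails);
        // Rebuild dnCertClient with the new CSR result so that the default
        // certSerialId and the x509Certificate can be updated.
        // NOTE(review): the previous client instance is simply dropped here;
        // if DNCertificateClient holds resources that need closing, confirm.
        dnCertClient = new DNCertificateClient(new SecurityConfig(config), dnCertSerialId);
    } catch (IOException | CertificateException e) {
        LOG.error("Error while storing SCM signed certificate.", e);
        throw new RuntimeException(e);
    }
}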
Also used : PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) DNCertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.DNCertificateClient) SCMSecurityProtocolClientSideTranslatorPB(org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB) SCMGetCertResponseProto(org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertResponseProto) SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig) CertificateException(java.security.cert.CertificateException) CertificateSignRequest.getEncodedString(org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest.getEncodedString) IOException(java.io.IOException)

Example 4 with SCMGetCertResponseProto

use of org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertResponseProto in project ozone by apache.

In class HAUtils, method buildCAList.

/**
 * Builds the list of CA certificates (PEM strings) that is handed to clients.
 *
 * With a certificate client the list comes from that client; in a
 * multi-node SCM HA deployment it is first served from the client's
 * in-memory list when that already holds the expected number of
 * certificates (SCM node count plus one), otherwise it is refreshed via
 * SCM with retries. Without a certificate client the SCM security client
 * is queried directly.
 *
 * @param certClient    certificate client, or {@code null} to go through SCM only
 * @param configuration configuration used for HA detection, SCM node ids and
 *                      the retry interval
 * @return list of PEM-encoded CA certificates
 * @throws IOException propagated from the SCM security client or the retry helper
 */
public static List<String> buildCAList(CertificateClient certClient, ConfigurationSource configuration) throws IOException {
    long retryIntervalSeconds = configuration.getTimeDuration(OZONE_SCM_CA_LIST_RETRY_INTERVAL, OZONE_SCM_CA_LIST_RETRY_INTERVAL_DEFAULT, TimeUnit.SECONDS);
    if (certClient == null) {
        // No certificate client: ask SCM directly.
        SCMSecurityProtocolClientSideTranslatorPB scmClient = HddsServerUtil.getScmSecurityClient(configuration);
        if (!SCMHAUtils.isSCMHAEnabled(configuration)) {
            List<String> pemList = new ArrayList<>();
            SCMGetCertResponseProto caResponse = scmClient.getCACert();
            if (caResponse.hasX509Certificate()) {
                pemList.add(caResponse.getX509Certificate());
            }
            if (caResponse.hasX509RootCACertificate()) {
                pemList.add(caResponse.getX509RootCACertificate());
            }
            return pemList;
        }
        Collection<String> scmNodeIds = SCMHAUtils.getSCMNodeIds(configuration);
        int expected = scmNodeIds.size() + 1;
        if (scmNodeIds.size() <= 1) {
            return scmClient.listCACertificate();
        }
        return getCAListWithRetry(() -> waitForCACerts(scmClient::listCACertificate, expected), retryIntervalSeconds);
    }
    if (!SCMHAUtils.isSCMHAEnabled(configuration)) {
        return generateCAList(certClient);
    }
    Collection<String> scmNodeIds = SCMHAUtils.getSCMNodeIds(configuration);
    if (scmNodeIds.size() <= 1) {
        return generateCAList(certClient);
    }
    // Serve from the client's in-memory list when it is already complete, so
    // repeated calls do not go back to SCM.
    int expected = scmNodeIds.size() + 1;
    List<String> cached = certClient.getCAList();
    if (cached != null && cached.size() == expected) {
        return cached;
    }
    return getCAListWithRetry(() -> waitForCACerts(certClient::updateCAList, expected), retryIntervalSeconds);
}
Also used : SCMSecurityProtocolClientSideTranslatorPB(org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB) SCMGetCertResponseProto(org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertResponseProto) ArrayList(java.util.ArrayList)
