Examples with DefaultProfile org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile used on opensource projects

Example 1 with DefaultProfile

use of org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile in project ozone by apache.

the class TestDefaultCAServer method testRequestCertificate.

/**
 * The most important test of this test suite. This tests that we are able
 * to create a Test CA, creates it own self-Signed CA and then issue a
 * certificate based on a CSR.
 * @throws SCMSecurityException - on ERROR.
 * @throws ExecutionException - on ERROR.
 * @throws InterruptedException - on ERROR.
 * @throws NoSuchProviderException - on ERROR.
 * @throws NoSuchAlgorithmException - on ERROR.
 */
@Test
public void testRequestCertificate() throws IOException, ExecutionException, InterruptedException, NoSuchProviderException, NoSuchAlgorithmException {
    String scmId = RandomStringUtils.randomAlphabetic(4);
    String clusterId = RandomStringUtils.randomAlphabetic(4);
    KeyPair keyPair = new HDDSKeyGenerator(conf).generateKey();
    PKCS10CertificationRequest csr = new CertificateSignRequest.Builder().addDnsName("hadoop.apache.org").addIpAddress("8.8.8.8").addServiceName("OzoneMarketingCluster002").setCA(false).setClusterID(clusterId).setScmID(scmId).setSubject("Ozone Cluster").setConfiguration(conf).setKey(keyPair).build();
    // Let us convert this to a string to mimic the common use case.
    String csrString = CertificateSignRequest.getEncodedString(csr);
    CertificateServer testCA = new DefaultCAServer("testCA", clusterId, scmId, caStore, new DefaultProfile(), Paths.get(SCM_CA_CERT_STORAGE_DIR, SCM_CA_PATH).toString());
    testCA.init(new SecurityConfig(conf), SELF_SIGNED_CA);
    Future<X509CertificateHolder> holder = testCA.requestCertificate(csrString, CertificateApprover.ApprovalType.TESTING_AUTOMATIC, SCM);
    // Right now our calls are synchronous. Eventually this will have to wait.
    assertTrue(holder.isDone());
    assertNotNull(holder.get());
}

Example 2 with DefaultProfile

use of org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile in project ozone by apache.

the class TestDefaultCAServer method testMissingCertificate.

@Test
public void testMissingCertificate() {
    SecurityConfig securityConfig = new SecurityConfig(conf);
    CertificateServer testCA = new DefaultCAServer("testCA", RandomStringUtils.randomAlphabetic(4), RandomStringUtils.randomAlphabetic(4), caStore, new DefaultProfile(), Paths.get(SCM_CA_CERT_STORAGE_DIR, SCM_CA_PATH).toString());
    Consumer<SecurityConfig> caInitializer = ((DefaultCAServer) testCA).processVerificationStatus(DefaultCAServer.VerificationStatus.MISSING_CERTIFICATE, SELF_SIGNED_CA);
    try {
        caInitializer.accept(securityConfig);
        fail("code should not reach here, exception should have been thrown.");
    } catch (IllegalStateException e) {
        // This also is a runtime exception. Hence not caught by junit expected
        // exception.
        assertTrue(e.toString().contains("Missing Root Certs"));
    }
}

Example 3 with DefaultProfile

use of org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile in project ozone by apache.

the class TestDefaultCAServer method testInit.

@Test
public void testInit() throws SCMSecurityException, CertificateException, IOException {
    SecurityConfig securityConfig = new SecurityConfig(conf);
    CertificateServer testCA = new DefaultCAServer("testCA", RandomStringUtils.randomAlphabetic(4), RandomStringUtils.randomAlphabetic(4), caStore, new DefaultProfile(), Paths.get(SCM_CA_CERT_STORAGE_DIR, SCM_CA_PATH).toString());
    testCA.init(securityConfig, SELF_SIGNED_CA);
    X509CertificateHolder first = testCA.getCACertificate();
    assertNotNull(first);
    // Init is idempotent.
    testCA.init(securityConfig, SELF_SIGNED_CA);
    X509CertificateHolder second = testCA.getCACertificate();
    assertEquals(first, second);
}

Example 4 with DefaultProfile

use of org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile in project ozone by apache.

the class TestDefaultCAServer method testIntermediaryCAWithEmpty.

@Test(expected = IllegalStateException.class)
public void testIntermediaryCAWithEmpty() throws Exception {
    CertificateServer scmCA = new DefaultCAServer("testCA", RandomStringUtils.randomAlphabetic(4), RandomStringUtils.randomAlphabetic(4), caStore, new DefaultProfile(), Paths.get("scm").toString());
    scmCA.init(new SecurityConfig(conf), INTERMEDIARY_CA);
}

Example 5 with DefaultProfile

use of org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile in project ozone by apache.

the class StorageContainerManager method initializeCAnSecurityProtocol.

/**
 * If security is enabled we need to have the Security Protocol and a
 * default CA. This function initializes those values based on the
 * configurator.
 *
 * @param conf - Config
 * @param configurator - configurator
 * @throws IOException - on Failure
 * @throws AuthenticationException - on Failure
 */
private void initializeCAnSecurityProtocol(OzoneConfiguration conf, SCMConfigurator configurator) throws IOException {
    // So it is easy to use different Certificate Servers if needed.
    if (this.scmMetadataStore == null) {
        LOG.error("Cannot initialize Certificate Server without a valid meta " + "data layer.");
        throw new SCMException("Cannot initialize CA without a valid metadata " + "store", ResultCodes.SCM_NOT_INITIALIZED);
    }
    certificateStore = new SCMCertStore.Builder().setMetadaStore(scmMetadataStore).setRatisServer(scmHAManager.getRatisServer()).setCRLSequenceId(getLastSequenceIdForCRL()).build();
    final CertificateServer scmCertificateServer;
    final CertificateServer rootCertificateServer;
    // performed init with SCM HA version code.
    if (scmStorageConfig.checkPrimarySCMIdInitialized()) {
        // Start specific instance SCM CA server.
        String subject = SCM_SUB_CA_PREFIX + InetAddress.getLocalHost().getHostName();
        if (configurator.getCertificateServer() != null) {
            scmCertificateServer = configurator.getCertificateServer();
        } else {
            scmCertificateServer = new DefaultCAServer(subject, scmStorageConfig.getClusterID(), scmStorageConfig.getScmId(), certificateStore, new DefaultProfile(), scmCertificateClient.getComponentName());
            // INTERMEDIARY_CA which issues certs to DN and OM.
            scmCertificateServer.init(new SecurityConfig(configuration), CertificateServer.CAType.INTERMEDIARY_CA);
        }
        if (primaryScmNodeId.equals(scmStorageConfig.getScmId())) {
            if (configurator.getCertificateServer() != null) {
                rootCertificateServer = configurator.getCertificateServer();
            } else {
                rootCertificateServer = HASecurityUtils.initializeRootCertificateServer(conf, certificateStore, scmStorageConfig, new DefaultCAProfile());
            }
            persistPrimarySCMCerts();
        } else {
            rootCertificateServer = null;
        }
    } else {
        // On a upgraded cluster primary scm nodeId will not be set as init will
        // not be run again after upgrade. So for a upgraded cluster where init
        // has not happened again we will have setup like before where it has
        // one CA server which is issuing certificates to DN and OM.
        rootCertificateServer = HASecurityUtils.initializeRootCertificateServer(conf, certificateStore, scmStorageConfig, new DefaultProfile());
        scmCertificateServer = rootCertificateServer;
    }
    // We need to pass getCACertificate as rootCA certificate,
    // as for SCM CA is root-CA.
    securityProtocolServer = new SCMSecurityProtocolServer(conf, rootCertificateServer, scmCertificateServer, scmCertificateClient != null ? scmCertificateClient.getCACertificate() : null, this);
    if (securityConfig.isContainerTokenEnabled()) {
        containerTokenMgr = createContainerTokenSecretManager(configuration);
    }
}