use of org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile in project ozone by apache.
the class TestDefaultCAServer method testRequestCertificate.
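/**
 * The most important test of this test suite. This tests that we are able
 * to create a Test CA, create its own self-signed CA certificate and then
 * issue a certificate based on a CSR. Besides checking that a certificate
 * comes back at all, it verifies that the issued certificate was actually
 * signed by this CA (its issuer equals the CA certificate's subject), so a
 * server that handed back an unrelated or self-signed certificate would
 * fail the test.
 *
 * @throws IOException - on ERROR.
 * @throws CertificateException - on ERROR.
 * @throws ExecutionException - on ERROR.
 * @throws InterruptedException - on ERROR.
 * @throws NoSuchProviderException - on ERROR.
 * @throws NoSuchAlgorithmException - on ERROR.
 */
@Test
public void testRequestCertificate() throws IOException, CertificateException,
    ExecutionException, InterruptedException, NoSuchProviderException,
    NoSuchAlgorithmException {
  String scmId = RandomStringUtils.randomAlphabetic(4);
  String clusterId = RandomStringUtils.randomAlphabetic(4);
  KeyPair keyPair = new HDDSKeyGenerator(conf).generateKey();
  // setCA(false): the requester asks for an end-entity certificate, not
  // for a CA certificate.
  PKCS10CertificationRequest csr = new CertificateSignRequest.Builder()
      .addDnsName("hadoop.apache.org")
      .addIpAddress("8.8.8.8")
      .addServiceName("OzoneMarketingCluster002")
      .setCA(false)
      .setClusterID(clusterId)
      .setScmID(scmId)
      .setSubject("Ozone Cluster")
      .setConfiguration(conf)
      .setKey(keyPair)
      .build();
  // Let us convert this to a string to mimic the common use case.
  String csrString = CertificateSignRequest.getEncodedString(csr);
  CertificateServer testCA = new DefaultCAServer("testCA", clusterId, scmId,
      caStore, new DefaultProfile(),
      Paths.get(SCM_CA_CERT_STORAGE_DIR, SCM_CA_PATH).toString());
  testCA.init(new SecurityConfig(conf), SELF_SIGNED_CA);
  // TESTING_AUTOMATIC is the automatic, test-only approval path of
  // CertificateApprover.ApprovalType; no approval decision is exercised here.
  Future<X509CertificateHolder> holder = testCA.requestCertificate(csrString,
      CertificateApprover.ApprovalType.TESTING_AUTOMATIC, SCM);
  // Right now our calls are synchronous. Eventually this will have to wait.
  assertTrue(holder.isDone());
  X509CertificateHolder issued = holder.get();
  assertNotNull(issued);
  // The certificate must chain to this CA: its issuer is the CA's subject.
  assertEquals(testCA.getCACertificate().getSubject(), issued.getIssuer());
}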
use of org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile in project ozone by apache.
the class TestDefaultCAServer method testMissingCertificate.
@Test
public void testMissingCertificate() {
  SecurityConfig securityConfig = new SecurityConfig(conf);
  String clusterId = RandomStringUtils.randomAlphabetic(4);
  String scmId = RandomStringUtils.randomAlphabetic(4);
  String caPath = Paths.get(SCM_CA_CERT_STORAGE_DIR, SCM_CA_PATH).toString();
  DefaultCAServer testCA = new DefaultCAServer("testCA", clusterId, scmId,
      caStore, new DefaultProfile(), caPath);
  // Ask the server for the initializer it would run when verification finds
  // no certificate, and run that initializer directly.
  Consumer<SecurityConfig> caInitializer = testCA.processVerificationStatus(
      DefaultCAServer.VerificationStatus.MISSING_CERTIFICATE, SELF_SIGNED_CA);
  try {
    caInitializer.accept(securityConfig);
  } catch (IllegalStateException e) {
    // IllegalStateException is a runtime exception, so it is not handled
    // through JUnit's expected-exception annotation; check the message here.
    assertTrue(e.toString().contains("Missing Root Certs"));
    return;
  }
  fail("code should not reach here, exception should have been thrown.");
}
use of org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile in project ozone by apache.
the class TestDefaultCAServer method testInit.
@Test
public void testInit() throws SCMSecurityException, CertificateException,
    IOException {
  SecurityConfig securityConfig = new SecurityConfig(conf);
  String caPath = Paths.get(SCM_CA_CERT_STORAGE_DIR, SCM_CA_PATH).toString();
  CertificateServer testCA = new DefaultCAServer("testCA",
      RandomStringUtils.randomAlphabetic(4),
      RandomStringUtils.randomAlphabetic(4),
      caStore, new DefaultProfile(), caPath);
  testCA.init(securityConfig, SELF_SIGNED_CA);
  X509CertificateHolder caCertAfterFirstInit = testCA.getCACertificate();
  assertNotNull(caCertAfterFirstInit);
  // A second init must not mint a new CA certificate: the same certificate
  // has to come back, otherwise every re-init would rotate the root of trust.
  testCA.init(securityConfig, SELF_SIGNED_CA);
  X509CertificateHolder caCertAfterSecondInit = testCA.getCACertificate();
  assertEquals(caCertAfterFirstInit, caCertAfterSecondInit);
}
use of org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile in project ozone by apache.
the class TestDefaultCAServer method testIntermediaryCAWithEmpty.
@Test(expected = IllegalStateException.class)
public void testIntermediaryCAWithEmpty() throws Exception {
  String clusterId = RandomStringUtils.randomAlphabetic(4);
  String scmId = RandomStringUtils.randomAlphabetic(4);
  CertificateServer intermediaryCA = new DefaultCAServer("testCA", clusterId,
      scmId, caStore, new DefaultProfile(), Paths.get("scm").toString());
  // Initializing as INTERMEDIARY_CA is expected to fail with the
  // IllegalStateException named in the annotation (presumably because no CA
  // material exists under the given path).
  intermediaryCA.init(new SecurityConfig(conf), INTERMEDIARY_CA);
}
use of org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile in project ozone by apache.
the class StorageContainerManager method initializeCAnSecurityProtocol.
/**
 * If security is enabled we need to have the Security Protocol and a
 * default CA. This function initializes those values based on the
 * configurator: it builds the certificate store, chooses (or creates) the
 * SCM sub-CA and root CA servers, and then creates the security protocol
 * server on top of them.
 *
 * @param conf - Config
 * @param configurator - configurator; may supply a ready-made
 *                     CertificateServer that is used instead of a
 *                     DefaultCAServer
 * @throws SCMException - if the metadata store has not been set up yet
 *                      (SCM_NOT_INITIALIZED)
 * @throws IOException - on Failure
 */
private void initializeCAnSecurityProtocol(OzoneConfiguration conf,
    SCMConfigurator configurator) throws IOException {
  // So it is easy to use different Certificate Servers if needed.
  if (this.scmMetadataStore == null) {
    LOG.error("Cannot initialize Certificate Server without a valid meta "
        + "data layer.");
    throw new SCMException("Cannot initialize CA without a valid metadata "
        + "store", ResultCodes.SCM_NOT_INITIALIZED);
  }
  // The cert store is backed by the metadata store and the Ratis server, and
  // resumes the CRL sequence from the last persisted id.
  certificateStore = new SCMCertStore.Builder()
      .setMetadaStore(scmMetadataStore)
      .setRatisServer(scmHAManager.getRatisServer())
      .setCRLSequenceId(getLastSequenceIdForCRL())
      .build();
  final CertificateServer scmCertificateServer;
  final CertificateServer rootCertificateServer;
  // performed init with SCM HA version code.
  if (scmStorageConfig.checkPrimarySCMIdInitialized()) {
    // Start specific instance SCM CA server.
    // The sub-CA subject is derived from this host's name.
    String subject = SCM_SUB_CA_PREFIX
        + InetAddress.getLocalHost().getHostName();
    if (configurator.getCertificateServer() != null) {
      // NOTE(review): a configurator-supplied server is used as-is, without
      // init() being called here; presumably the configurator has already
      // initialized it -- confirm.
      scmCertificateServer = configurator.getCertificateServer();
    } else {
      // NOTE(review): scmCertificateClient is dereferenced here without the
      // null check that is applied further down when building the security
      // protocol server; looks like it is expected to be non-null on this
      // path -- confirm.
      scmCertificateServer = new DefaultCAServer(subject,
          scmStorageConfig.getClusterID(), scmStorageConfig.getScmId(),
          certificateStore, new DefaultProfile(),
          scmCertificateClient.getComponentName());
      // INTERMEDIARY_CA which issues certs to DN and OM.
      scmCertificateServer.init(new SecurityConfig(configuration),
          CertificateServer.CAType.INTERMEDIARY_CA);
    }
    // Only the primary SCM hosts the root CA; the others get no root server.
    if (primaryScmNodeId.equals(scmStorageConfig.getScmId())) {
      if (configurator.getCertificateServer() != null) {
        // The configurator's server then doubles as the root CA.
        rootCertificateServer = configurator.getCertificateServer();
      } else {
        // Root CA uses DefaultCAProfile here, unlike the non-HA path below,
        // which uses DefaultProfile.
        rootCertificateServer = HASecurityUtils.initializeRootCertificateServer(
            conf, certificateStore, scmStorageConfig, new DefaultCAProfile());
      }
      persistPrimarySCMCerts();
    } else {
      rootCertificateServer = null;
    }
  } else {
    // On a upgraded cluster primary scm nodeId will not be set as init will
    // not be run again after upgrade. So for a upgraded cluster where init
    // has not happened again we will have setup like before where it has
    // one CA server which is issuing certificates to DN and OM.
    rootCertificateServer = HASecurityUtils.initializeRootCertificateServer(
        conf, certificateStore, scmStorageConfig, new DefaultProfile());
    scmCertificateServer = rootCertificateServer;
  }
  // We need to pass getCACertificate as rootCA certificate,
  // as for SCM CA is root-CA.
  // scmCertificateClient may be absent, in which case no root CA certificate
  // is handed to the protocol server.
  securityProtocolServer = new SCMSecurityProtocolServer(conf,
      rootCertificateServer, scmCertificateServer,
      scmCertificateClient != null
          ? scmCertificateClient.getCACertificate() : null,
      this);
  if (securityConfig.isContainerTokenEnabled()) {
    containerTokenMgr = createContainerTokenSecretManager(configuration);
  }
}