Example 1 with CertificateClient
use of org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient in project ozone by apache.
the class TestSecureOzoneManager method testSecureOmInitFailures.
/**
* Test failure cases for secure OM initialization.
*/
@Test
public void testSecureOmInitFailures() throws Exception {
PrivateKey privateKey;
PublicKey publicKey;
LogCapturer omLogs = LogCapturer.captureLogs(OzoneManager.getLogger());
OMStorage omStorage = new OMStorage(conf);
omStorage.setClusterId(clusterId);
omStorage.setOmId(omId);
omLogs.clearOutput();
// Case 1: When keypair as well as certificate is missing. Initial keypair
// boot-up. Get certificate will fail when SCM is not running.
SecurityConfig securityConfig = new SecurityConfig(conf);
CertificateClient client = new OMCertificateClient(securityConfig, omStorage.getOmCertSerialId());
Assert.assertEquals(CertificateClient.InitResponse.GETCERT, client.init());
privateKey = client.getPrivateKey();
publicKey = client.getPublicKey();
Assert.assertNotNull(client.getPrivateKey());
Assert.assertNotNull(client.getPublicKey());
Assert.assertNull(client.getCertificate());
// Case 2: If key pair already exist than response should be RECOVER.
client = new OMCertificateClient(securityConfig, omStorage.getOmCertSerialId());
Assert.assertEquals(CertificateClient.InitResponse.RECOVER, client.init());
Assert.assertNotNull(client.getPrivateKey());
Assert.assertNotNull(client.getPublicKey());
Assert.assertNull(client.getCertificate());
// Case 3: When public key as well as certificate is missing.
client = new OMCertificateClient(securityConfig);
FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT).toString(), securityConfig.getPublicKeyFileName()).toFile());
Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
Assert.assertNotNull(client.getPrivateKey());
Assert.assertNull(client.getPublicKey());
Assert.assertNull(client.getCertificate());
// Case 4: When private key and certificate is missing.
client = new OMCertificateClient(securityConfig);
KeyCodec keyCodec = new KeyCodec(securityConfig, COMPONENT);
keyCodec.writePublicKey(publicKey);
FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT).toString(), securityConfig.getPrivateKeyFileName()).toFile());
Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
Assert.assertNull(client.getPrivateKey());
Assert.assertNotNull(client.getPublicKey());
Assert.assertNull(client.getCertificate());
// Case 5: When only certificate is present.
FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT).toString(), securityConfig.getPublicKeyFileName()).toFile());
CertificateCodec certCodec = new CertificateCodec(securityConfig, COMPONENT);
X509Certificate x509Certificate = KeyStoreTestUtil.generateCertificate("CN=Test", new KeyPair(publicKey, privateKey), 10, securityConfig.getSignatureAlgo());
certCodec.writeCertificate(new X509CertificateHolder(x509Certificate.getEncoded()));
client = new OMCertificateClient(securityConfig, x509Certificate.getSerialNumber().toString());
omStorage.setOmCertSerialId(x509Certificate.getSerialNumber().toString());
Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
Assert.assertNull(client.getPrivateKey());
Assert.assertNull(client.getPublicKey());
Assert.assertNotNull(client.getCertificate());
// Case 6: When private key and certificate is present.
client = new OMCertificateClient(securityConfig, x509Certificate.getSerialNumber().toString());
FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT).toString(), securityConfig.getPublicKeyFileName()).toFile());
keyCodec.writePrivateKey(privateKey);
Assert.assertEquals(CertificateClient.InitResponse.SUCCESS, client.init());
Assert.assertNotNull(client.getPrivateKey());
Assert.assertNotNull(client.getPublicKey());
Assert.assertNotNull(client.getCertificate());
// Case 7 When keypair and certificate is present.
client = new OMCertificateClient(securityConfig, x509Certificate.getSerialNumber().toString());
Assert.assertEquals(CertificateClient.InitResponse.SUCCESS, client.init());
Assert.assertNotNull(client.getPrivateKey());
Assert.assertNotNull(client.getPublicKey());
Assert.assertNotNull(client.getCertificate());
}
Also used :
OMCertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.OMCertificateClient)
CertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient)
KeyPair(java.security.KeyPair)
PrivateKey(java.security.PrivateKey)
SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig)
PublicKey(java.security.PublicKey)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
LogCapturer(org.apache.ozone.test.GenericTestUtils.LogCapturer)
CertificateCodec(org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec)
KeyCodec(org.apache.hadoop.hdds.security.x509.keys.KeyCodec)
OMCertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.OMCertificateClient)
X509Certificate(java.security.cert.X509Certificate)
Test(org.junit.Test)
Example 2 with CertificateClient
use of org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient in project ozone by apache.
the class OzoneManager method getSCMSignedCert.
/**
* Get SCM signed certificate and store it using certificate client.
*/
private static void getSCMSignedCert(CertificateClient client, OzoneConfiguration config, OMStorage omStore, String scmId) throws IOException {
CertificateSignRequest.Builder builder = client.getCSRBuilder();
KeyPair keyPair = new KeyPair(client.getPublicKey(), client.getPrivateKey());
InetSocketAddress omRpcAdd;
omRpcAdd = OmUtils.getOmAddress(config);
if (omRpcAdd == null || omRpcAdd.getAddress() == null) {
LOG.error("Incorrect om rpc address. omRpcAdd:{}", omRpcAdd);
throw new RuntimeException("Can't get SCM signed certificate. " + "omRpcAdd: " + omRpcAdd);
}
// Get host name.
String hostname = omRpcAdd.getAddress().getHostName();
String ip = omRpcAdd.getAddress().getHostAddress();
String subject;
if (builder.hasDnsName()) {
subject = UserGroupInformation.getCurrentUser().getShortUserName() + "@" + hostname;
} else {
// With only IP in alt.name, certificate validation would fail if subject
// isn't a hostname either, so omit username.
subject = hostname;
}
builder.setCA(false).setKey(keyPair).setConfiguration(config).setScmID(scmId).setClusterID(omStore.getClusterID()).setSubject(subject);
OMHANodeDetails haOMHANodeDetails = OMHANodeDetails.loadOMHAConfig(config);
String serviceName = haOMHANodeDetails.getLocalNodeDetails().getServiceId();
if (!StringUtils.isEmpty(serviceName)) {
builder.addServiceName(serviceName);
}
LOG.info("Creating csr for OM->dns:{},ip:{},scmId:{},clusterId:{}," + "subject:{}", hostname, ip, scmId, omStore.getClusterID(), subject);
HddsProtos.OzoneManagerDetailsProto.Builder omDetailsProtoBuilder = HddsProtos.OzoneManagerDetailsProto.newBuilder().setHostName(omRpcAdd.getHostName()).setIpAddress(ip).setUuid(omStore.getOmId()).addPorts(HddsProtos.Port.newBuilder().setName(RPC_PORT).setValue(omRpcAdd.getPort()).build());
PKCS10CertificationRequest csr = builder.build();
HddsProtos.OzoneManagerDetailsProto omDetailsProto = omDetailsProtoBuilder.build();
LOG.info("OzoneManager ports added:{}", omDetailsProto.getPortsList());
SCMSecurityProtocolClientSideTranslatorPB secureScmClient = HddsServerUtil.getScmSecurityClientWithFixedDuration(config);
SCMGetCertResponseProto response = secureScmClient.getOMCertChain(omDetailsProto, getEncodedString(csr));
String pemEncodedCert = response.getX509Certificate();
try {
// Store SCM CA certificate.
if (response.hasX509CACertificate()) {
String pemEncodedRootCert = response.getX509CACertificate();
client.storeCertificate(pemEncodedRootCert, true, true);
client.storeCertificate(pemEncodedCert, true);
// Store Root CA certificate if available.
if (response.hasX509RootCACertificate()) {
client.storeRootCACertificate(response.getX509RootCACertificate(), true);
}
// Persist om cert serial id.
omStore.setOmCertSerialId(CertificateCodec.getX509Certificate(pemEncodedCert).getSerialNumber().toString());
} else {
throw new RuntimeException("Unable to retrieve OM certificate " + "chain");
}
} catch (IOException | CertificateException e) {
LOG.error("Error while storing SCM signed certificate.", e);
throw new RuntimeException(e);
}
}
Also used :
PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest)
KeyPair(java.security.KeyPair)
OMHANodeDetails(org.apache.hadoop.ozone.om.ha.OMHANodeDetails)
SCMSecurityProtocolClientSideTranslatorPB(org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB)
InetSocketAddress(java.net.InetSocketAddress)
CertificateException(java.security.cert.CertificateException)
CertificateSignRequest.getEncodedString(org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest.getEncodedString)
IOException(java.io.IOException)
UncheckedIOException(java.io.UncheckedIOException)
SCMGetCertResponseProto(org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertResponseProto)
HddsProtos(org.apache.hadoop.hdds.protocol.proto.HddsProtos)
CertificateSignRequest(org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest)
Example 3 with CertificateClient
use of org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient in project ozone by apache.
the class OzoneManager method initializeSecurity.
/**
* Initializes secure OzoneManager.
*/
@VisibleForTesting
public static void initializeSecurity(OzoneConfiguration conf, OMStorage omStore, String scmId) throws IOException {
LOG.info("Initializing secure OzoneManager.");
CertificateClient certClient = new OMCertificateClient(new SecurityConfig(conf), omStore.getOmCertSerialId());
CertificateClient.InitResponse response = certClient.init();
LOG.info("Init response: {}", response);
switch(response) {
case SUCCESS:
LOG.info("Initialization successful.");
break;
case GETCERT:
getSCMSignedCert(certClient, conf, omStore, scmId);
LOG.info("Successfully stored SCM signed certificate.");
break;
case FAILURE:
LOG.error("OM security initialization failed.");
throw new RuntimeException("OM security initialization failed.");
case RECOVER:
LOG.error("OM security initialization failed. OM certificate is " + "missing.");
throw new RuntimeException("OM security initialization failed.");
default:
LOG.error("OM security initialization failed. Init response: {}", response);
throw new RuntimeException("OM security initialization failed.");
}
}
Also used :
CertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient)
OMCertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.OMCertificateClient)
SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig)
OMCertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.OMCertificateClient)
VisibleForTesting(com.google.common.annotations.VisibleForTesting)
Example 4 with CertificateClient
use of org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient in project ozone by apache.
the class HASecurityUtils method getPrimarySCMSelfSignedCert.
/**
* For primary SCM get sub-ca signed certificate and root CA certificate by
* root CA certificate server and store it using certificate client.
*/
private static void getPrimarySCMSelfSignedCert(CertificateClient client, OzoneConfiguration config, SCMStorageConfig scmStorageConfig, InetSocketAddress scmAddress) {
try {
CertificateServer rootCAServer = initializeRootCertificateServer(config, null, scmStorageConfig, new DefaultCAProfile());
PKCS10CertificationRequest csr = generateCSR(client, scmStorageConfig, config, scmAddress);
X509CertificateHolder subSCMCertHolder = rootCAServer.requestCertificate(csr, KERBEROS_TRUSTED, SCM).get();
X509CertificateHolder rootCACertificateHolder = rootCAServer.getCACertificate();
String pemEncodedCert = CertificateCodec.getPEMEncodedString(subSCMCertHolder);
String pemEncodedRootCert = CertificateCodec.getPEMEncodedString(rootCACertificateHolder);
client.storeCertificate(pemEncodedRootCert, true, true);
client.storeCertificate(pemEncodedCert, true);
persistSubCACertificate(config, client, subSCMCertHolder);
// Persist scm cert serial ID.
scmStorageConfig.setScmCertSerialId(subSCMCertHolder.getSerialNumber().toString());
} catch (InterruptedException | ExecutionException | IOException | CertificateException e) {
LOG.error("Error while fetching/storing SCM signed certificate.", e);
Thread.currentThread().interrupt();
throw new RuntimeException(e);
}
}
Also used :
PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
CertificateServer(org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer)
DefaultCAProfile(org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultCAProfile)
CertificateException(java.security.cert.CertificateException)
CertificateSignRequest.getEncodedString(org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest.getEncodedString)
IOException(java.io.IOException)
ExecutionException(java.util.concurrent.ExecutionException)
Example 5 with CertificateClient
use of org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient in project ozone by apache.
the class HASecurityUtils method generateCSR.
/**
* Generate CSR to obtain SCM sub CA certificate.
*/
private static PKCS10CertificationRequest generateCSR(CertificateClient client, SCMStorageConfig scmStorageConfig, OzoneConfiguration config, InetSocketAddress scmAddress) throws IOException {
CertificateSignRequest.Builder builder = client.getCSRBuilder();
KeyPair keyPair = new KeyPair(client.getPublicKey(), client.getPrivateKey());
// Get host name.
String hostname = scmAddress.getAddress().getHostName();
String subject = SCM_SUB_CA_PREFIX + hostname;
builder.setKey(keyPair).setConfiguration(config).setScmID(scmStorageConfig.getScmId()).setClusterID(scmStorageConfig.getClusterID()).setSubject(subject);
LOG.info("Creating csr for SCM->hostName:{},scmId:{},clusterId:{}," + "subject:{}", hostname, scmStorageConfig.getScmId(), scmStorageConfig.getClusterID(), subject);
return builder.build();
}
Also used :
KeyPair(java.security.KeyPair)
CertificateSignRequest.getEncodedString(org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest.getEncodedString)
CertificateSignRequest(org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest)
Aggregations
CertificateClient (org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient)9
SecurityConfig (org.apache.hadoop.hdds.security.x509.SecurityConfig)7
Test (org.junit.Test)6
KeyPair (java.security.KeyPair)5
X509Certificate (java.security.cert.X509Certificate)4
ContainerCommandRequestProto (org.apache.hadoop.hdds.protocol.datanode.proto.ContainerProtos.ContainerCommandRequestProto)4
CertificateSignRequest.getEncodedString (org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest.getEncodedString)4
IOException (java.io.IOException)3
CertificateException (java.security.cert.CertificateException)3
OMCertificateClient (org.apache.hadoop.hdds.security.x509.certificate.client.OMCertificateClient)3
CertificateSignRequest (org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest)3
PKCS10CertificationRequest (org.bouncycastle.pkcs.PKCS10CertificationRequest)3
SCMGetCertResponseProto (org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertResponseProto)2
SCMSecurityProtocolClientSideTranslatorPB (org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB)2
CertificateCodec (org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec)2
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)2
VisibleForTesting (com.google.common.annotations.VisibleForTesting)1
UncheckedIOException (java.io.UncheckedIOException)1
InetSocketAddress (java.net.InetSocketAddress)1
PrivateKey (java.security.PrivateKey)1
