
Example 1 with CertificateClient

use of org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient in project ozone by apache.

the class TestSecureOzoneManager method testSecureOmInitFailures.

/**
 * Test failure cases for secure OM initialization.
 *
 * Each case arranges the on-disk state of the OM key directory (key pair,
 * public key only, private key only, certificate) and checks which
 * {@link CertificateClient.InitResponse} the client reports for it and which
 * material it has loaded afterwards. The cases build on the files left behind
 * by the previous ones, so their order is significant.
 */
@Test
public void testSecureOmInitFailures() throws Exception {
    LogCapturer omLogs = LogCapturer.captureLogs(OzoneManager.getLogger());
    OMStorage storage = new OMStorage(conf);
    storage.setClusterId(clusterId);
    storage.setOmId(omId);
    omLogs.clearOutput();
    SecurityConfig secConf = new SecurityConfig(conf);

    // Case 1: neither a key pair nor a certificate exists. init() generates a
    // key pair and reports that a certificate must still be obtained; fetching
    // it would fail here because no SCM is running.
    CertificateClient certClient = new OMCertificateClient(secConf, storage.getOmCertSerialId());
    Assert.assertEquals(CertificateClient.InitResponse.GETCERT, certClient.init());
    // Keep the generated keys: later cases re-create files from them.
    PrivateKey generatedPrivateKey = certClient.getPrivateKey();
    PublicKey generatedPublicKey = certClient.getPublicKey();
    assertLoadedMaterial(certClient, true, true, false);

    // Case 2: the key pair from case 1 is on disk but no certificate is,
    // so the client reports RECOVER.
    certClient = new OMCertificateClient(secConf, storage.getOmCertSerialId());
    Assert.assertEquals(CertificateClient.InitResponse.RECOVER, certClient.init());
    assertLoadedMaterial(certClient, true, true, false);

    // Case 3: only the private key is left (public key file removed, still no
    // certificate). This state is not recoverable: FAILURE.
    certClient = new OMCertificateClient(secConf);
    deleteKeyFile(secConf, secConf.getPublicKeyFileName());
    Assert.assertEquals(CertificateClient.InitResponse.FAILURE, certClient.init());
    assertLoadedMaterial(certClient, true, false, false);

    // Case 4: only the public key is left (public key rewritten, private key
    // file removed, still no certificate). Also FAILURE.
    certClient = new OMCertificateClient(secConf);
    KeyCodec keyCodec = new KeyCodec(secConf, COMPONENT);
    keyCodec.writePublicKey(generatedPublicKey);
    deleteKeyFile(secConf, secConf.getPrivateKeyFileName());
    Assert.assertEquals(CertificateClient.InitResponse.FAILURE, certClient.init());
    assertLoadedMaterial(certClient, false, true, false);

    // Case 5: only a certificate is present. A certificate for the case-1 key
    // pair is written and its serial id recorded in OM storage, but with
    // neither key on disk the client still reports FAILURE.
    deleteKeyFile(secConf, secConf.getPublicKeyFileName());
    CertificateCodec certCodec = new CertificateCodec(secConf, COMPONENT);
    X509Certificate cert = KeyStoreTestUtil.generateCertificate("CN=Test", new KeyPair(generatedPublicKey, generatedPrivateKey), 10, secConf.getSignatureAlgo());
    certCodec.writeCertificate(new X509CertificateHolder(cert.getEncoded()));
    String certSerialId = cert.getSerialNumber().toString();
    certClient = new OMCertificateClient(secConf, certSerialId);
    storage.setOmCertSerialId(certSerialId);
    Assert.assertEquals(CertificateClient.InitResponse.FAILURE, certClient.init());
    assertLoadedMaterial(certClient, false, false, true);

    // Case 6: private key and certificate are present (the public key file is
    // removed again). This is sufficient: SUCCESS, and the public key is
    // available afterwards as well -- presumably recovered from the
    // certificate; verify against OMCertificateClient.
    certClient = new OMCertificateClient(secConf, certSerialId);
    deleteKeyFile(secConf, secConf.getPublicKeyFileName());
    keyCodec.writePrivateKey(generatedPrivateKey);
    Assert.assertEquals(CertificateClient.InitResponse.SUCCESS, certClient.init());
    assertLoadedMaterial(certClient, true, true, true);

    // Case 7: key pair and certificate are present: SUCCESS.
    certClient = new OMCertificateClient(secConf, certSerialId);
    Assert.assertEquals(CertificateClient.InitResponse.SUCCESS, certClient.init());
    assertLoadedMaterial(certClient, true, true, true);
}

/**
 * Deletes one file from the component's key directory, ignoring errors.
 *
 * @param secConf  security configuration that locates the key directory
 * @param fileName name of the file inside that directory
 */
private void deleteKeyFile(SecurityConfig secConf, String fileName) {
    FileUtils.deleteQuietly(Paths.get(secConf.getKeyLocation(COMPONENT).toString(), fileName).toFile());
}

/**
 * Asserts which of private key, public key and certificate the client has
 * loaded after {@code init()}.
 *
 * @param client             initialized certificate client under test
 * @param privateKeyPresent  whether {@code getPrivateKey()} must be non-null
 * @param publicKeyPresent   whether {@code getPublicKey()} must be non-null
 * @param certificatePresent whether {@code getCertificate()} must be non-null
 */
private static void assertLoadedMaterial(CertificateClient client, boolean privateKeyPresent, boolean publicKeyPresent, boolean certificatePresent) throws Exception {
    assertPresence(client.getPrivateKey(), privateKeyPresent);
    assertPresence(client.getPublicKey(), publicKeyPresent);
    assertPresence(client.getCertificate(), certificatePresent);
}

/**
 * Asserts that {@code value} is non-null when {@code expected} is true and
 * null otherwise.
 */
private static void assertPresence(Object value, boolean expected) {
    if (expected) {
        Assert.assertNotNull(value);
    } else {
        Assert.assertNull(value);
    }
}

Example 2 with CertificateClient

use of org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient in project ozone by apache.

the class OzoneManager method getSCMSignedCert.

/**
 * Get SCM signed certificate and store it using certificate client.
 *
 * Called from {@link #initializeSecurity} when the certificate client already
 * holds a key pair but no certificate ({@code InitResponse.GETCERT}). Builds a
 * CSR for that key pair, sends it to the SCM security service and stores the
 * returned CA certificate, the OM certificate and (if present) the root CA
 * certificate through {@code client}; finally records the OM certificate
 * serial id in {@code omStore}, which later start-ups pass to the
 * certificate client to locate the certificate.
 *
 * @param client  certificate client whose key pair is used for the CSR and
 *                which stores the returned certificates
 * @param config  configuration used to resolve the OM RPC address, the HA
 *                service id and the SCM security client
 * @param omStore OM storage supplying cluster id / OM id; updated with the
 *                certificate serial id on success
 * @param scmId   SCM id placed in the CSR
 * @throws IOException propagated from the calls made outside the storing
 *         block (address/HA lookup, CSR construction, the SCM request)
 * @throws RuntimeException if the OM RPC address is unusable, the response
 *         carries no CA certificate, or storing the certificates fails (the
 *         underlying {@code IOException}/{@code CertificateException} is
 *         wrapped, not propagated)
 */
private static void getSCMSignedCert(CertificateClient client, OzoneConfiguration config, OMStorage omStore, String scmId) throws IOException {
    CertificateSignRequest.Builder builder = client.getCSRBuilder();
    // The CSR is for the key pair the client already generated; no new key
    // material is created here.
    KeyPair keyPair = new KeyPair(client.getPublicKey(), client.getPrivateKey());
    InetSocketAddress omRpcAdd;
    omRpcAdd = OmUtils.getOmAddress(config);
    if (omRpcAdd == null || omRpcAdd.getAddress() == null) {
        // Without a resolved address there is no host name / IP to put in the
        // CSR, so fail before contacting the SCM.
        LOG.error("Incorrect om rpc address. omRpcAdd:{}", omRpcAdd);
        throw new RuntimeException("Can't get SCM signed certificate. " + "omRpcAdd: " + omRpcAdd);
    }
    // Get host name.
    String hostname = omRpcAdd.getAddress().getHostName();
    String ip = omRpcAdd.getAddress().getHostAddress();
    String subject;
    if (builder.hasDnsName()) {
        // Subject is "<short Kerberos user>@<host>" when the CSR carries a
        // DNS alt name.
        subject = UserGroupInformation.getCurrentUser().getShortUserName() + "@" + hostname;
    } else {
        // With only IP in alt.name, certificate validation would fail if subject
        // isn't a hostname either, so omit username.
        subject = hostname;
    }
    // Explicitly a non-CA (leaf) certificate request.
    builder.setCA(false).setKey(keyPair).setConfiguration(config).setScmID(scmId).setClusterID(omStore.getClusterID()).setSubject(subject);
    // In an HA deployment the service id is added as a further name in the
    // CSR, presumably so the certificate also covers the HA service address
    // -- confirm against CertificateSignRequest.Builder.addServiceName.
    OMHANodeDetails haOMHANodeDetails = OMHANodeDetails.loadOMHAConfig(config);
    String serviceName = haOMHANodeDetails.getLocalNodeDetails().getServiceId();
    if (!StringUtils.isEmpty(serviceName)) {
        builder.addServiceName(serviceName);
    }
    LOG.info("Creating csr for OM->dns:{},ip:{},scmId:{},clusterId:{}," + "subject:{}", hostname, ip, scmId, omStore.getClusterID(), subject);
    // Identity the SCM records for this OM: host name, IP, OM uuid and RPC
    // port. NOTE(review): the host name here is omRpcAdd.getHostName(),
    // whereas the CSR above uses omRpcAdd.getAddress().getHostName(); the two
    // can differ for an address given as a literal IP -- confirm intended.
    HddsProtos.OzoneManagerDetailsProto.Builder omDetailsProtoBuilder = HddsProtos.OzoneManagerDetailsProto.newBuilder().setHostName(omRpcAdd.getHostName()).setIpAddress(ip).setUuid(omStore.getOmId()).addPorts(HddsProtos.Port.newBuilder().setName(RPC_PORT).setValue(omRpcAdd.getPort()).build());
    PKCS10CertificationRequest csr = builder.build();
    HddsProtos.OzoneManagerDetailsProto omDetailsProto = omDetailsProtoBuilder.build();
    LOG.info("OzoneManager ports added:{}", omDetailsProto.getPortsList());
    // NOTE(review): the factory name suggests a client with a bounded
    // retry/wait -- confirm; the client is also never closed in this method,
    // check whether the translator type is Closeable.
    SCMSecurityProtocolClientSideTranslatorPB secureScmClient = HddsServerUtil.getScmSecurityClientWithFixedDuration(config);
    SCMGetCertResponseProto response = secureScmClient.getOMCertChain(omDetailsProto, getEncodedString(csr));
    String pemEncodedCert = response.getX509Certificate();
    try {
        // Store SCM CA certificate.
        // The CA certificate received in this response becomes the OM's trust
        // anchor for the SCM. Nothing in this method checks it against a
        // pre-provisioned anchor or verifies that pemEncodedCert chains to
        // it, so that trust rests on the authenticity of the RPC channel and
        // on whatever storeCertificate validates -- NOTE(review): confirm
        // where that is enforced.
        if (response.hasX509CACertificate()) {
            String pemEncodedRootCert = response.getX509CACertificate();
            // The extra boolean distinguishes this call from the one below;
            // presumably it marks the CA certificate -- confirm in
            // CertificateClient.storeCertificate.
            client.storeCertificate(pemEncodedRootCert, true, true);
            client.storeCertificate(pemEncodedCert, true);
            // Store Root CA certificate if available.
            if (response.hasX509RootCACertificate()) {
                client.storeRootCACertificate(response.getX509RootCACertificate(), true);
            }
            // Persist om cert serial id.
            // initializeSecurity passes this id to OMCertificateClient on later
            // start-ups to find the stored certificate.
            omStore.setOmCertSerialId(CertificateCodec.getX509Certificate(pemEncodedCert).getSerialNumber().toString());
        } else {
            // A response without the CA certificate is unusable: fail rather
            // than store an OM certificate that cannot be validated. This
            // RuntimeException is not caught by the handler below.
            throw new RuntimeException("Unable to retrieve OM certificate " + "chain");
        }
    } catch (IOException | CertificateException e) {
        // Storage failures are wrapped as unchecked even though the method
        // declares IOException, so callers cannot catch them as IOException.
        LOG.error("Error while storing SCM signed certificate.", e);
        throw new RuntimeException(e);
    }
}

Example 3 with CertificateClient

use of org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient in project ozone by apache.

the class OzoneManager method initializeSecurity.

/**
 * Initializes secure OzoneManager.
 *
 * Creates an {@link OMCertificateClient} for the certificate serial id
 * recorded in {@code omStore} and acts on its init result: SUCCESS needs
 * nothing more; GETCERT (key pair present, no certificate yet) requests a
 * certificate from the SCM via {@link #getSCMSignedCert}; FAILURE, RECOVER
 * (key pair present, certificate missing) and any other value abort
 * start-up with a {@link RuntimeException}.
 *
 * @param conf    OM configuration
 * @param omStore OM storage holding the certificate serial id; updated when a
 *                new certificate is obtained
 * @param scmId   SCM id used in the certificate request
 * @throws IOException      if obtaining the SCM-signed certificate fails with
 *                          an I/O error
 * @throws RuntimeException if the certificate client cannot be initialized
 */
@VisibleForTesting
public static void initializeSecurity(OzoneConfiguration conf, OMStorage omStore, String scmId) throws IOException {
    LOG.info("Initializing secure OzoneManager.");
    SecurityConfig securityConfig = new SecurityConfig(conf);
    CertificateClient client = new OMCertificateClient(securityConfig, omStore.getOmCertSerialId());
    CertificateClient.InitResponse initResponse = client.init();
    LOG.info("Init response: {}", initResponse);
    final String failureMessage = "OM security initialization failed.";
    switch (initResponse) {
        case SUCCESS:
            // Key pair and certificate are already in place.
            LOG.info("Initialization successful.");
            return;
        case GETCERT:
            // Key pair exists but no certificate: obtain one from the SCM.
            getSCMSignedCert(client, conf, omStore, scmId);
            LOG.info("Successfully stored SCM signed certificate.");
            return;
        case FAILURE:
            LOG.error(failureMessage);
            break;
        case RECOVER:
            LOG.error("OM security initialization failed. OM certificate is missing.");
            break;
        default:
            LOG.error("OM security initialization failed. Init response: {}", initResponse);
            break;
    }
    // Every non-success outcome aborts start-up; no certificate material is
    // recovered automatically.
    throw new RuntimeException(failureMessage);
}

Example 4 with CertificateClient

use of org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient in project ozone by apache.

the class HASecurityUtils method getPrimarySCMSelfSignedCert.

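/**
 * For primary SCM get sub-ca signed certificate and root CA certificate by
 * root CA certificate server and store it using certificate client.
 *
 * This is the cluster's trust bootstrap: the root CA server is created
 * in-process from {@code scmStorageConfig}, a CSR for the client's key pair
 * is submitted to it, and the resulting sub-CA certificate plus the root CA
 * certificate are stored through {@code client}. The sub-CA certificate is
 * additionally persisted via {@code persistSubCACertificate} and its serial
 * id recorded in {@code scmStorageConfig}.
 *
 * Change from the previous version: the current thread's interrupt flag is
 * now restored only when the wait for the certificate was actually
 * interrupted; before, an I/O or certificate error also set the flag, which
 * could make later blocking calls on this thread fail spuriously.
 *
 * @param client           certificate client whose key pair is certified and
 *                         which stores the certificates
 * @param config           SCM configuration
 * @param scmStorageConfig SCM storage; updated with the sub-CA certificate
 *                         serial id on success
 * @param scmAddress       address whose host name becomes part of the CSR
 *                         subject
 * @throws RuntimeException wrapping any {@code InterruptedException},
 *         {@code ExecutionException}, {@code IOException} or
 *         {@code CertificateException} raised on the way
 */
private static void getPrimarySCMSelfSignedCert(CertificateClient client, OzoneConfiguration config, SCMStorageConfig scmStorageConfig, InetSocketAddress scmAddress) {
    try {
        CertificateServer rootCAServer = initializeRootCertificateServer(config, null, scmStorageConfig, new DefaultCAProfile());
        PKCS10CertificationRequest csr = generateCSR(client, scmStorageConfig, config, scmAddress);
        // The CSR is submitted to the in-process root CA with the
        // KERBEROS_TRUSTED approval type (presumably pre-authenticated, since
        // the primary SCM is certifying itself -- confirm). get() has no
        // timeout, so a stalled CA blocks start-up indefinitely.
        X509CertificateHolder subSCMCertHolder = rootCAServer.requestCertificate(csr, KERBEROS_TRUSTED, SCM).get();
        X509CertificateHolder rootCACertificateHolder = rootCAServer.getCACertificate();
        String pemEncodedCert = CertificateCodec.getPEMEncodedString(subSCMCertHolder);
        String pemEncodedRootCert = CertificateCodec.getPEMEncodedString(rootCACertificateHolder);
        // Root CA certificate first (the extra boolean presumably marks it as
        // the CA certificate -- confirm in CertificateClient.storeCertificate),
        // then the sub-CA certificate issued for this SCM.
        client.storeCertificate(pemEncodedRootCert, true, true);
        client.storeCertificate(pemEncodedCert, true);
        persistSubCACertificate(config, client, subSCMCertHolder);
        // Persist scm cert serial ID.
        scmStorageConfig.setScmCertSerialId(subSCMCertHolder.getSerialNumber().toString());
    } catch (InterruptedException e) {
        // Only the interrupted wait re-interrupts the thread; other failures
        // must not leave the interrupt flag set.
        LOG.error("Error while fetching/storing SCM signed certificate.", e);
        Thread.currentThread().interrupt();
        throw new RuntimeException(e);
    } catch (ExecutionException | IOException | CertificateException e) {
        LOG.error("Error while fetching/storing SCM signed certificate.", e);
        throw new RuntimeException(e);
    }
}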

Example 5 with CertificateClient

use of org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient in project ozone by apache.

the class HASecurityUtils method generateCSR.

/**
 * Generate CSR to obtain SCM sub CA certificate.
 *
 * The request is for the key pair {@code client} already holds; no key is
 * generated here. The subject is {@code SCM_SUB_CA_PREFIX} followed by the
 * host name of {@code scmAddress}, and SCM id / cluster id are taken from
 * {@code scmStorageConfig}. NOTE(review): unlike the OM CSR built in
 * OzoneManager.getSCMSignedCert, this builder never calls {@code setCA};
 * whether the sub-CA property comes from the builder default or from the CA
 * profile at signing time is not visible here -- confirm.
 *
 * @param client           certificate client supplying the CSR builder and
 *                         the key pair to certify
 * @param scmStorageConfig source of SCM id and cluster id
 * @param config           configuration handed to the CSR builder
 * @param scmAddress       address whose host name forms the subject
 * @return the built certification request
 * @throws IOException if the request cannot be built
 */
private static PKCS10CertificationRequest generateCSR(CertificateClient client, SCMStorageConfig scmStorageConfig, OzoneConfiguration config, InetSocketAddress scmAddress) throws IOException {
    CertificateSignRequest.Builder csrBuilder = client.getCSRBuilder();
    KeyPair scmKeyPair = new KeyPair(client.getPublicKey(), client.getPrivateKey());
    String hostName = scmAddress.getAddress().getHostName();
    String scmId = scmStorageConfig.getScmId();
    String clusterId = scmStorageConfig.getClusterID();
    // Subject identifies this certificate as the SCM sub-CA for the host.
    String subject = SCM_SUB_CA_PREFIX + hostName;
    csrBuilder
        .setKey(scmKeyPair)
        .setConfiguration(config)
        .setScmID(scmId)
        .setClusterID(clusterId)
        .setSubject(subject);
    LOG.info("Creating csr for SCM->hostName:{},scmId:{},clusterId:{},subject:{}", hostName, scmId, clusterId, subject);
    return csrBuilder.build();
}
