Example 1 with SCMCertificateClient

use of org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient in project ozone by apache.

the class StorageContainerManager method createContainerTokenSecretManager.

private ContainerTokenSecretManager createContainerTokenSecretManager(OzoneConfiguration conf) throws IOException {
    long expiryTime = conf.getTimeDuration(HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME, HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME_DEFAULT, TimeUnit.MILLISECONDS);
    // With no SCM certificate client this SCM is running the pre-HA layout in
    // which the SCM itself is the root CA, so the token-signing cert id is the
    // root CA certificate's serial number.
    if (scmCertificateClient == null) {
        Preconditions.checkState(!scmStorageConfig.checkPrimarySCMIdInitialized());
        String certSerialNumber;
        try {
            certSerialNumber = getScmCertificateServer().getCACertificate().getSerialNumber().toString();
        } catch (CertificateException ex) {
            LOG.error("Get CA Certificate failed", ex);
            throw new IOException(ex);
        } catch (IOException ex) {
            LOG.error("Get CA Certificate failed", ex);
            throw ex;
        }
        scmCertificateClient = new SCMCertificateClient(securityConfig, certSerialNumber, SCM_ROOT_CA_COMPONENT_NAME);
    }
    String certId = scmCertificateClient.getCertificate().getSerialNumber().toString();
    return new ContainerTokenSecretManager(securityConfig, expiryTime, certId);
}
Also used :
SCMCertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient)
CertificateException(java.security.cert.CertificateException)
UncheckedIOException(java.io.UncheckedIOException)
IOException(java.io.IOException)
ContainerTokenSecretManager(org.apache.hadoop.hdds.security.token.ContainerTokenSecretManager)

Example 2 with SCMCertificateClient

use of org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient in project ozone by apache.

the class StorageContainerManager method initializeCAnSecurityProtocol.

/**
 * If security is enabled we need the Security Protocol server and a
 * default CA. This function initializes them based on the configurator:
 * on an HA-initialized cluster every SCM gets an intermediary CA and only
 * the primary SCM additionally hosts the root CA; on a cluster upgraded
 * without re-running init a single root CA issues all certificates.
 *
 * @param conf - Config
 * @param configurator - configurator
 * @throws IOException - on Failure
 */
private void initializeCAnSecurityProtocol(OzoneConfiguration conf, SCMConfigurator configurator) throws IOException {
    // So it is easy to use different Certificate Servers if needed.
    if (this.scmMetadataStore == null) {
        LOG.error("Cannot initialize Certificate Server without a valid meta " + "data layer.");
        throw new SCMException("Cannot initialize CA without a valid metadata " + "store", ResultCodes.SCM_NOT_INITIALIZED);
    }
    certificateStore = new SCMCertStore.Builder().setMetadaStore(scmMetadataStore).setRatisServer(scmHAManager.getRatisServer()).setCRLSequenceId(getLastSequenceIdForCRL()).build();
    final CertificateServer scmCertificateServer;
    final CertificateServer rootCertificateServer;
    // performed init with SCM HA version code.
    if (scmStorageConfig.checkPrimarySCMIdInitialized()) {
        // Start specific instance SCM CA server.
        String subject = SCM_SUB_CA_PREFIX + InetAddress.getLocalHost().getHostName();
        if (configurator.getCertificateServer() != null) {
            scmCertificateServer = configurator.getCertificateServer();
        } else {
            scmCertificateServer = new DefaultCAServer(subject, scmStorageConfig.getClusterID(), scmStorageConfig.getScmId(), certificateStore, new DefaultProfile(), scmCertificateClient.getComponentName());
            // INTERMEDIARY_CA which issues certs to DN and OM.
            scmCertificateServer.init(new SecurityConfig(configuration), CertificateServer.CAType.INTERMEDIARY_CA);
        }
        if (primaryScmNodeId.equals(scmStorageConfig.getScmId())) {
            if (configurator.getCertificateServer() != null) {
                rootCertificateServer = configurator.getCertificateServer();
            } else {
                rootCertificateServer = HASecurityUtils.initializeRootCertificateServer(conf, certificateStore, scmStorageConfig, new DefaultCAProfile());
            }
            persistPrimarySCMCerts();
        } else {
            rootCertificateServer = null;
        }
    } else {
        // On an upgraded cluster the primary SCM node id is not set, because init
        // is not run again after upgrade. Such a cluster keeps the pre-HA layout:
        // a single CA server that issues certificates to DN and OM.
        rootCertificateServer = HASecurityUtils.initializeRootCertificateServer(conf, certificateStore, scmStorageConfig, new DefaultProfile());
        scmCertificateServer = rootCertificateServer;
    }
    // The client's CA certificate is passed as the root CA certificate, since
    // the SCM sub-CA is issued by the root CA. It is null when no certificate
    // client has been set up (pre-HA layout).
    securityProtocolServer = new SCMSecurityProtocolServer(conf, rootCertificateServer, scmCertificateServer, scmCertificateClient != null ? scmCertificateClient.getCACertificate() : null, this);
    if (securityConfig.isContainerTokenEnabled()) {
        containerTokenMgr = createContainerTokenSecretManager(configuration);
    }
}
Also used :
DefaultProfile(org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile)
SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig)
CertificateServer(org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer)
DefaultCAServer(org.apache.hadoop.hdds.security.x509.certificate.authority.DefaultCAServer)
DefaultCAProfile(org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultCAProfile)
SCMException(org.apache.hadoop.hdds.scm.exceptions.SCMException)

Example 3 with SCMCertificateClient

use of org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient in project ozone by apache.

the class TestDefaultCAServer method testIntermediaryCA.

@Test
public void testIntermediaryCA() throws Exception {
    conf.set(HddsConfigKeys.HDDS_X509_MAX_DURATION, "P3650D");
    String clusterId = RandomStringUtils.randomAlphanumeric(4);
    String scmId = RandomStringUtils.randomAlphanumeric(4);
    CertificateServer rootCA = new DefaultCAServer("rootCA", clusterId, scmId, caStore, new DefaultProfile(), Paths.get("scm", "ca").toString());
    rootCA.init(new SecurityConfig(conf), SELF_SIGNED_CA);
    SCMCertificateClient scmCertificateClient = new SCMCertificateClient(new SecurityConfig(conf));
    CertificateClient.InitResponse response = scmCertificateClient.init();
    Assert.assertEquals(CertificateClient.InitResponse.GETCERT, response);
    // Generate cert
    KeyPair keyPair = new HDDSKeyGenerator(conf).generateKey();
    PKCS10CertificationRequest csr = new CertificateSignRequest.Builder().addDnsName("hadoop.apache.org").addIpAddress("8.8.8.8").setCA(false).setSubject("testCA").setConfiguration(conf).setKey(keyPair).build();
    Future<X509CertificateHolder> holder = rootCA.requestCertificate(csr, CertificateApprover.ApprovalType.TESTING_AUTOMATIC, SCM);
    Assert.assertTrue(holder.isDone());
    X509CertificateHolder certificateHolder = holder.get();
    Assert.assertNotNull(certificateHolder);
    LocalDate invalidAfterDate = certificateHolder.getNotAfter().toInstant().atZone(ZoneId.systemDefault()).toLocalDate();
    LocalDate now = LocalDate.now();
    assertEquals(0, invalidAfterDate.compareTo(now.plusDays(3650)));
    X509CertificateHolder rootCertHolder = rootCA.getCACertificate();
    scmCertificateClient.storeCertificate(CertificateCodec.getPEMEncodedString(rootCertHolder), true, true);
    // Write to the location where Default CA Server reads from.
    scmCertificateClient.storeCertificate(CertificateCodec.getPEMEncodedString(certificateHolder), true);
    CertificateCodec certCodec = new CertificateCodec(new SecurityConfig(conf), scmCertificateClient.getComponentName());
    certCodec.writeCertificate(certificateHolder);
    // The certificate generated by above cert client will be used by scmCA.
    // Now scmCA init should be successful.
    CertificateServer scmCA = new DefaultCAServer("scmCA", clusterId, scmId, caStore, new DefaultProfile(), scmCertificateClient.getComponentName());
    try {
        scmCA.init(new SecurityConfig(conf), INTERMEDIARY_CA);
    } catch (Exception e) {
        fail("testIntermediaryCA failed during init");
    }
}
Also used :
PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest)
DefaultProfile(org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile)
SCMCertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient)
KeyPair(java.security.KeyPair)
HDDSKeyGenerator(org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator)
CertificateCodec(org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec)
LocalDate(java.time.LocalDate)
SCMSecurityException(org.apache.hadoop.hdds.security.exception.SCMSecurityException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
ExecutionException(java.util.concurrent.ExecutionException)
NoSuchProviderException(java.security.NoSuchProviderException)
CertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient)
SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
CertificateSignRequest(org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest)
Test(org.junit.Test)

Example 4 with SCMCertificateClient

use of org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient in project ozone by apache.

the class HASecurityUtils method initializeSecurity.

/**
 * Initialize security: generate the public/private key pair, obtain the
 * SCM certificate (self-signed on the primary SCM, root-CA-signed on every
 * other SCM) and persist it to local disk.
 * @param scmStorageConfig SCM storage configuration
 * @param conf Ozone configuration
 * @param scmAddress this SCM's address, used when building the certificate request
 * @param primaryscm true when this SCM is the primary SCM
 * @throws IOException on failure
 */
public static void initializeSecurity(SCMStorageConfig scmStorageConfig, OzoneConfiguration conf, InetSocketAddress scmAddress, boolean primaryscm) throws IOException {
    LOG.info("Initializing secure StorageContainerManager.");
    CertificateClient certClient = new SCMCertificateClient(new SecurityConfig(conf));
    InitResponse response = certClient.init();
    LOG.info("Init response: {}", response);
    switch(response) {
        case SUCCESS:
            LOG.info("Initialization successful.");
            break;
        case GETCERT:
            if (!primaryscm) {
                getRootCASignedSCMCert(certClient, conf, scmStorageConfig, scmAddress);
            } else {
                getPrimarySCMSelfSignedCert(certClient, conf, scmStorageConfig, scmAddress);
            }
            LOG.info("Successfully stored SCM signed certificate.");
            break;
        case FAILURE:
            LOG.error("SCM security initialization failed.");
            throw new RuntimeException("SCM security initialization failed.");
        case RECOVER:
            LOG.error("SCM security initialization failed. SCM certificate is " + "missing.");
            throw new RuntimeException("SCM security initialization failed.");
        default:
            LOG.error("SCM security initialization failed. Init response: {}", response);
            throw new RuntimeException("SCM security initialization failed.");
    }
}
Also used :
SCMCertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient)
CertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient)
InitResponse(org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient.InitResponse)
SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig)
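The CA topology that initializeCAnSecurityProtocol (Example 2) sets up, a root CA on the primary SCM with a per-SCM INTERMEDIARY_CA issuing to DN and OM, and the key/certificate consistency that the init responses in initializeSecurity (Example 4) hinge on, can both be checked with standard JDK and BouncyCastle calls. The block below is an added example, not code from Ozone: it builds a root CA -> SCM sub-CA -> DataNode chain in memory, PKIX-validates the chain against the root trust anchor, shows that a leaf presented without its issuing sub-CA or used as an issuer is rejected, and checks that a stored key pair belongs to a stored certificate. Subject names, validity periods, key sizes and pathLen values are assumptions chosen for illustration; BouncyCastle bcprov and bcpkix (already Ozone dependencies) must be on the classpath.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.List;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/** Added example (not Ozone code): root CA -> SCM sub-CA -> DataNode chain, validated as a relying party would. */
public final class ScmCaChainCheck {

  private static final long DAY_MS = 24L * 60 * 60 * 1000;
  private static long nextSerial = 1; // illustration only; a real CA persists serials and never reuses them

  static KeyPair newKeyPair() throws Exception {
    KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
    gen.initialize(2048);
    return gen.generateKeyPair();
  }

  /** Issues a cert for subject/subjectPub signed by issuerKey. CA certs get cA=true with the given pathLen. */
  static X509Certificate issue(X500Name subject, PublicKey subjectPub, X500Name issuer,
      PrivateKey issuerKey, boolean isCa, int pathLen, int validDays) throws Exception {
    long now = System.currentTimeMillis();
    JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
        issuer, BigInteger.valueOf(nextSerial++), new Date(now - DAY_MS),
        new Date(now + validDays * DAY_MS), subject, subjectPub);
    builder.addExtension(Extension.basicConstraints, true,
        isCa ? new BasicConstraints(pathLen) : new BasicConstraints(false));
    builder.addExtension(Extension.keyUsage, true, new KeyUsage(
        isCa ? KeyUsage.keyCertSign | KeyUsage.cRLSign
             : KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
    ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey);
    X509CertificateHolder holder = builder.build(signer);
    return new JcaX509CertificateConverter()
        .setProvider(new BouncyCastleProvider()).getCertificate(holder);
  }

  /** PKIX-validates chain (leaf first, then intermediates) against root. Returns "OK" or the failure reason. */
  static String validate(X509Certificate root, List<X509Certificate> chain) throws Exception {
    CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
    PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
    params.setRevocationEnabled(false); // CRL handling is a separate concern (SCM serves its own CRL)
    try {
      CertPathValidator.getInstance("PKIX").validate(path, params);
      return "OK";
    } catch (CertPathValidatorException e) {
      return e.getReason() + ": " + e.getMessage();
    }
  }

  /** The consistency check behind a SUCCESS vs FAILURE init decision: does the stored key pair belong to the cert? */
  static boolean keyMatchesCert(KeyPair stored, X509Certificate cert) {
    return Arrays.equals(stored.getPublic().getEncoded(), cert.getPublicKey().getEncoded());
  }

  public static void main(String[] args) throws Exception {
    X500Name rootName = new X500Name("CN=scm-root-ca");      // names are illustrative, not Ozone's
    X500Name scmName = new X500Name("CN=scm-sub-ca,O=scm1");
    X500Name dnName = new X500Name("CN=datanode1");
    KeyPair rootKey = newKeyPair(), scmKey = newKeyPair(), dnKey = newKeyPair();

    // Primary SCM: self-signed root (SELF_SIGNED_CA). pathLen=1 permits exactly one CA level below it.
    X509Certificate root = issue(rootName, rootKey.getPublic(), rootName, rootKey.getPrivate(), true, 1, 3650);
    // Per-SCM sub-CA (INTERMEDIARY_CA), issued by the root. pathLen=0: it may issue only end-entity certs.
    X509Certificate scmCa = issue(scmName, scmKey.getPublic(), rootName, rootKey.getPrivate(), true, 0, 3650);
    // DataNode end-entity cert, issued by the sub-CA.
    X509Certificate dn = issue(dnName, dnKey.getPublic(), scmName, scmKey.getPrivate(), false, 0, 365);

    // The full chain validates: dn -> scmCa -> (anchor) root.
    System.out.println("dn via sub-CA:     " + validate(root, Arrays.asList(dn, scmCa)));
    // Without the sub-CA the relying party cannot link dn to the anchor, so PKIX rejects it.
    System.out.println("dn without sub-CA: " + validate(root, Arrays.asList(dn)));
    // A leaf used as an issuer is rejected: dn has cA=false and no keyCertSign, and scmCa's pathLen=0 forbids it.
    X509Certificate rogue = issue(new X500Name("CN=om1"), newKeyPair().getPublic(), dnName,
        dnKey.getPrivate(), false, 0, 365);
    System.out.println("om1 signed by dn:  " + validate(root, Arrays.asList(rogue, dn, scmCa)));
    // Key pair vs cert consistency for the sub-CA's own material (true for scmKey, false for dnKey).
    System.out.println("scm key matches scm cert: " + keyMatchesCert(scmKey, scmCa));
    System.out.println("dn key matches scm cert:  " + keyMatchesCert(dnKey, scmCa));
  }
}
```

Revocation is switched off here only to keep the example self-contained; in a deployment the relying party should also consult the CRL that the SCM publishes (the CRL sequence id is threaded through SCMCertStore in Example 2). Note that the validator rejects the chain built on the DataNode leaf for three independent reasons (cA=false, missing keyCertSign, and the sub-CA's pathLen=0), so a CA profile that omits any one of them still fails closed, but only if the relying party actually runs PKIX validation rather than merely checking the signature on the leaf.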

Aggregations

SecurityConfig (org.apache.hadoop.hdds.security.x509.SecurityConfig) 3
SCMCertificateClient (org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient) 3
IOException (java.io.IOException) 2
CertificateException (java.security.cert.CertificateException) 2
DefaultProfile (org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile) 2
CertificateClient (org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient) 2
UncheckedIOException (java.io.UncheckedIOException) 1
KeyPair (java.security.KeyPair) 1
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException) 1
NoSuchProviderException (java.security.NoSuchProviderException) 1
LocalDate (java.time.LocalDate) 1
ExecutionException (java.util.concurrent.ExecutionException) 1
SCMException (org.apache.hadoop.hdds.scm.exceptions.SCMException) 1
SCMSecurityException (org.apache.hadoop.hdds.security.exception.SCMSecurityException) 1
ContainerTokenSecretManager (org.apache.hadoop.hdds.security.token.ContainerTokenSecretManager) 1
CertificateServer (org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer) 1
DefaultCAServer (org.apache.hadoop.hdds.security.x509.certificate.authority.DefaultCAServer) 1
DefaultCAProfile (org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultCAProfile) 1
InitResponse (org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient.InitResponse) 1
CertificateCodec (org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec) 1