Example 1 with SCMCertificateClient
use of org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient in project ozone by apache.
the class StorageContainerManager method createContainerTokenSecretManager.
private ContainerTokenSecretManager createContainerTokenSecretManager(OzoneConfiguration conf) throws IOException {
long expiryTime = conf.getTimeDuration(HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME, HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME_DEFAULT, TimeUnit.MILLISECONDS);
// root CA cert.
if (scmCertificateClient == null) {
Preconditions.checkState(!scmStorageConfig.checkPrimarySCMIdInitialized());
String certSerialNumber;
try {
certSerialNumber = getScmCertificateServer().getCACertificate().getSerialNumber().toString();
} catch (CertificateException ex) {
LOG.error("Get CA Certificate failed", ex);
throw new IOException(ex);
} catch (IOException ex) {
LOG.error("Get CA Certificate failed", ex);
throw ex;
}
scmCertificateClient = new SCMCertificateClient(securityConfig, certSerialNumber, SCM_ROOT_CA_COMPONENT_NAME);
}
String certId = scmCertificateClient.getCertificate().getSerialNumber().toString();
return new ContainerTokenSecretManager(securityConfig, expiryTime, certId);
}
Also used :
SCMCertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient)
CertificateException(java.security.cert.CertificateException)
UncheckedIOException(java.io.UncheckedIOException)
IOException(java.io.IOException)
ContainerTokenSecretManager(org.apache.hadoop.hdds.security.token.ContainerTokenSecretManager)
Example 2 with SCMCertificateClient
use of org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient in project ozone by apache.
the class StorageContainerManager method initializeCAnSecurityProtocol.
/**
* If security is enabled we need to have the Security Protocol and a
* default CA. This function initializes those values based on the
* configurator.
*
* @param conf - Config
* @param configurator - configurator
* @throws IOException - on Failure
* @throws AuthenticationException - on Failure
*/
private void initializeCAnSecurityProtocol(OzoneConfiguration conf, SCMConfigurator configurator) throws IOException {
// So it is easy to use different Certificate Servers if needed.
if (this.scmMetadataStore == null) {
LOG.error("Cannot initialize Certificate Server without a valid meta " + "data layer.");
throw new SCMException("Cannot initialize CA without a valid metadata " + "store", ResultCodes.SCM_NOT_INITIALIZED);
}
certificateStore = new SCMCertStore.Builder().setMetadaStore(scmMetadataStore).setRatisServer(scmHAManager.getRatisServer()).setCRLSequenceId(getLastSequenceIdForCRL()).build();
final CertificateServer scmCertificateServer;
final CertificateServer rootCertificateServer;
// performed init with SCM HA version code.
if (scmStorageConfig.checkPrimarySCMIdInitialized()) {
// Start specific instance SCM CA server.
String subject = SCM_SUB_CA_PREFIX + InetAddress.getLocalHost().getHostName();
if (configurator.getCertificateServer() != null) {
scmCertificateServer = configurator.getCertificateServer();
} else {
scmCertificateServer = new DefaultCAServer(subject, scmStorageConfig.getClusterID(), scmStorageConfig.getScmId(), certificateStore, new DefaultProfile(), scmCertificateClient.getComponentName());
// INTERMEDIARY_CA which issues certs to DN and OM.
scmCertificateServer.init(new SecurityConfig(configuration), CertificateServer.CAType.INTERMEDIARY_CA);
}
if (primaryScmNodeId.equals(scmStorageConfig.getScmId())) {
if (configurator.getCertificateServer() != null) {
rootCertificateServer = configurator.getCertificateServer();
} else {
rootCertificateServer = HASecurityUtils.initializeRootCertificateServer(conf, certificateStore, scmStorageConfig, new DefaultCAProfile());
}
persistPrimarySCMCerts();
} else {
rootCertificateServer = null;
}
} else {
// On a upgraded cluster primary scm nodeId will not be set as init will
// not be run again after upgrade. So for a upgraded cluster where init
// has not happened again we will have setup like before where it has
// one CA server which is issuing certificates to DN and OM.
rootCertificateServer = HASecurityUtils.initializeRootCertificateServer(conf, certificateStore, scmStorageConfig, new DefaultProfile());
scmCertificateServer = rootCertificateServer;
}
// We need to pass getCACertificate as rootCA certificate,
// as for SCM CA is root-CA.
securityProtocolServer = new SCMSecurityProtocolServer(conf, rootCertificateServer, scmCertificateServer, scmCertificateClient != null ? scmCertificateClient.getCACertificate() : null, this);
if (securityConfig.isContainerTokenEnabled()) {
containerTokenMgr = createContainerTokenSecretManager(configuration);
}
}
Also used :
DefaultProfile(org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile)
SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig)
CertificateServer(org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer)
DefaultCAServer(org.apache.hadoop.hdds.security.x509.certificate.authority.DefaultCAServer)
DefaultCAProfile(org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultCAProfile)
SCMException(org.apache.hadoop.hdds.scm.exceptions.SCMException)
Example 3 with SCMCertificateClient
use of org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient in project ozone by apache.
the class TestDefaultCAServer method testIntermediaryCA.
@Test
public void testIntermediaryCA() throws Exception {
conf.set(HddsConfigKeys.HDDS_X509_MAX_DURATION, "P3650D");
String clusterId = RandomStringUtils.randomAlphanumeric(4);
String scmId = RandomStringUtils.randomAlphanumeric(4);
CertificateServer rootCA = new DefaultCAServer("rootCA", clusterId, scmId, caStore, new DefaultProfile(), Paths.get("scm", "ca").toString());
rootCA.init(new SecurityConfig(conf), SELF_SIGNED_CA);
SCMCertificateClient scmCertificateClient = new SCMCertificateClient(new SecurityConfig(conf));
CertificateClient.InitResponse response = scmCertificateClient.init();
Assert.assertEquals(CertificateClient.InitResponse.GETCERT, response);
// Generate cert
KeyPair keyPair = new HDDSKeyGenerator(conf).generateKey();
PKCS10CertificationRequest csr = new CertificateSignRequest.Builder().addDnsName("hadoop.apache.org").addIpAddress("8.8.8.8").setCA(false).setSubject("testCA").setConfiguration(conf).setKey(keyPair).build();
Future<X509CertificateHolder> holder = rootCA.requestCertificate(csr, CertificateApprover.ApprovalType.TESTING_AUTOMATIC, SCM);
Assert.assertTrue(holder.isDone());
X509CertificateHolder certificateHolder = holder.get();
Assert.assertNotNull(certificateHolder);
LocalDate invalidAfterDate = certificateHolder.getNotAfter().toInstant().atZone(ZoneId.systemDefault()).toLocalDate();
LocalDate now = LocalDate.now();
assertEquals(0, invalidAfterDate.compareTo(now.plusDays(3650)));
X509CertificateHolder rootCertHolder = rootCA.getCACertificate();
scmCertificateClient.storeCertificate(CertificateCodec.getPEMEncodedString(rootCertHolder), true, true);
// Write to the location where Default CA Server reads from.
scmCertificateClient.storeCertificate(CertificateCodec.getPEMEncodedString(certificateHolder), true);
CertificateCodec certCodec = new CertificateCodec(new SecurityConfig(conf), scmCertificateClient.getComponentName());
certCodec.writeCertificate(certificateHolder);
// The certificate generated by above cert client will be used by scmCA.
// Now scmCA init should be successful.
CertificateServer scmCA = new DefaultCAServer("scmCA", clusterId, scmId, caStore, new DefaultProfile(), scmCertificateClient.getComponentName());
try {
scmCA.init(new SecurityConfig(conf), INTERMEDIARY_CA);
} catch (Exception e) {
fail("testIntermediaryCA failed during init");
}
}
Also used :
PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest)
DefaultProfile(org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile)
SCMCertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient)
KeyPair(java.security.KeyPair)
HDDSKeyGenerator(org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator)
CertificateCodec(org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec)
LocalDate(java.time.LocalDate)
SCMSecurityException(org.apache.hadoop.hdds.security.exception.SCMSecurityException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
ExecutionException(java.util.concurrent.ExecutionException)
NoSuchProviderException(java.security.NoSuchProviderException)
SCMCertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient)
CertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient)
SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
CertificateSignRequest(org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest)
Test(org.junit.Test)
Example 4 with SCMCertificateClient
use of org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient in project ozone by apache.
the class HASecurityUtils method initializeSecurity.
/**
* Initialize Security which generates public, private key pair and get SCM
* signed certificate and persist to local disk.
* @param scmStorageConfig
* @param conf
* @param scmAddress
* @throws IOException
*/
public static void initializeSecurity(SCMStorageConfig scmStorageConfig, OzoneConfiguration conf, InetSocketAddress scmAddress, boolean primaryscm) throws IOException {
LOG.info("Initializing secure StorageContainerManager.");
CertificateClient certClient = new SCMCertificateClient(new SecurityConfig(conf));
InitResponse response = certClient.init();
LOG.info("Init response: {}", response);
switch(response) {
case SUCCESS:
LOG.info("Initialization successful.");
break;
case GETCERT:
if (!primaryscm) {
getRootCASignedSCMCert(certClient, conf, scmStorageConfig, scmAddress);
} else {
getPrimarySCMSelfSignedCert(certClient, conf, scmStorageConfig, scmAddress);
}
LOG.info("Successfully stored SCM signed certificate.");
break;
case FAILURE:
LOG.error("SCM security initialization failed.");
throw new RuntimeException("OM security initialization failed.");
case RECOVER:
LOG.error("SCM security initialization failed. SCM certificate is " + "missing.");
throw new RuntimeException("SCM security initialization failed.");
default:
LOG.error("SCM security initialization failed. Init response: {}", response);
throw new RuntimeException("SCM security initialization failed.");
}
}
Also used :
SCMCertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient)
CertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient)
SCMCertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient)
InitResponse(org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient.InitResponse)
SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig)
Aggregations
SecurityConfig (org.apache.hadoop.hdds.security.x509.SecurityConfig)3
SCMCertificateClient (org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient)3
IOException (java.io.IOException)2
CertificateException (java.security.cert.CertificateException)2
DefaultProfile (org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile)2
CertificateClient (org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient)2
UncheckedIOException (java.io.UncheckedIOException)1
KeyPair (java.security.KeyPair)1
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1
NoSuchProviderException (java.security.NoSuchProviderException)1
LocalDate (java.time.LocalDate)1
ExecutionException (java.util.concurrent.ExecutionException)1
SCMException (org.apache.hadoop.hdds.scm.exceptions.SCMException)1
SCMSecurityException (org.apache.hadoop.hdds.security.exception.SCMSecurityException)1
ContainerTokenSecretManager (org.apache.hadoop.hdds.security.token.ContainerTokenSecretManager)1
CertificateServer (org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer)1
DefaultCAServer (org.apache.hadoop.hdds.security.x509.certificate.authority.DefaultCAServer)1
DefaultCAProfile (org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultCAProfile)1
InitResponse (org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient.InitResponse)1
CertificateCodec (org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec)1
