-
Notifications
You must be signed in to change notification settings - Fork 7.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ZOOKEEPER-3950: Add support for BCFKS key/trust store format #1480
Conversation
FYI: I need to create a separate PR for the branch-3.6 (can not be a clean cherry-pick, due to the junit5 upgrade on the master branch) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
I am not sure we should tell about 3.6.3 in the docs, as we are not sure if we are going to release 3.6.3 before 3.7.0.
Probably saying "The format VCFKS is supported as well in this ZooKeeper version" will be easier
thanks for the quick review! what about being more specific and saying: "The format VCFKS is supported from ZooKeeper versions 3.6.3 and 3.7.0" ? |
works for me |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, can be merged from my side, I left 2 nits/improvements that I left to you to consider.
zookeeper-server/src/main/java/org/apache/zookeeper/common/BCFKSFileLoader.java
Outdated
Show resolved
Hide resolved
LGTM, thanks @symat for the changes. |
great, thank you @eolivelli and @nkalmar for your comments, I'll merge the PR to the master branch and submit a separate PR for branch-3.6 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm.
thanks! |
This PR is the same as #1480 on the master branch, only the unit tests needed to be changed back from junit5 to junit4. The BCFKS key store format is widely used in the industry, as it provides an open source alternative if someone has to use FIPS compliant key stores due to some regulatory constraints. Currently in the ZooKeeper java client, only PEM, JKS and PEM12 is supported. I extend the list of supported key store formats with BCFKS. I also tested this patch on a real FIPS compliant cluster, having the appropriate java security configs, security providers and also running a RedHat-based Linux distro (Centos 7.8) with FIPS mode enabled. I tested both the client and the quorum SSL too. If someone wants to test this patch, and the keystore/truststore file names are not ending with ".bckfs", then (beside the usual SSL configs) make sure to also set the following parameters in the zoo.cfg: ``` ssl.keyStore.type=bcfks ssl.trustStore.type=bcfks ssl.quorum.keyStore.type=bcfks ssl.quorum.trustStore.type=bcfks ``` and also provide the following parameters for the command line java client: ``` -Dzookeeper.ssl.keyStore.type=bcfks -Dzookeeper.ssl.trustStore.type=bcfks ``` This patch doesn't contain any modification for the c-client (that can be handled with a separate Jira, but I don't plan to work on that part right now). Author: Mate Szalay-Beko <symat@apache.org> Reviewers: Norbert Kalmar <nkalmar@apache.org> Closes #1482 from symat/zookeeper-3950-branch-3.6
…ch 3.5 Backporting ZOOKEEPER-3950 to branch-3.5. This is a cherry-pick from apache#1482, also included checkstyle fix from apache#1516. This PR is basically the same as apache#1480 on the master branch, only the unit tests needed to be changed back from junit5 to junit4. The BCFKS key store format is widely used in the industry, as it provides an open source alternative if someone has to use FIPS compliant key stores due to some regulatory constraints. Currently in the ZooKeeper java client, only PEM, JKS and PEM12 is supported. I extend the list of supported key store formats with BCFKS. I also tested this patch on a real FIPS compliant cluster, having the appropriate java security configs, security providers and also running a RedHat-based Linux distro (Centos 7.8) with FIPS mode enabled. I tested both the client and the quorum SSL too. If someone wants to test this patch, and the keystore/truststore file names are not ending with ".bckfs", then (beside the usual SSL configs) make sure to also set the following parameters in the zoo.cfg: ``` ssl.keyStore.type=bcfks ssl.trustStore.type=bcfks ssl.quorum.keyStore.type=bcfks ssl.quorum.trustStore.type=bcfks ``` and also provide the following parameters for the command line java client: ``` -Dzookeeper.ssl.keyStore.type=bcfks -Dzookeeper.ssl.trustStore.type=bcfks ``` This patch doesn't contain any modification for the c-client (that can be handled with a separate Jira, but I don't plan to work on that part right now).
…ch 3.5 Backporting ZOOKEEPER-3950 to branch-3.5. This is a cherry-pick from apache#1482, also included checkstyle fix from apache#1516. This PR is basically the same as apache#1480 on the master branch, only the unit tests needed to be changed back from junit5 to junit4. The BCFKS key store format is widely used in the industry, as it provides an open source alternative if someone has to use FIPS compliant key stores due to some regulatory constraints. Currently in the ZooKeeper java client, only PEM, JKS and PEM12 is supported. I extend the list of supported key store formats with BCFKS. I also tested this patch on a real FIPS compliant cluster, having the appropriate java security configs, security providers and also running a RedHat-based Linux distro (Centos 7.8) with FIPS mode enabled. I tested both the client and the quorum SSL too. If someone wants to test this patch, and the keystore/truststore file names are not ending with ".bckfs", then (beside the usual SSL configs) make sure to also set the following parameters in the zoo.cfg: ``` ssl.keyStore.type=bcfks ssl.trustStore.type=bcfks ssl.quorum.keyStore.type=bcfks ssl.quorum.trustStore.type=bcfks ``` and also provide the following parameters for the command line java client: ``` -Dzookeeper.ssl.keyStore.type=bcfks -Dzookeeper.ssl.trustStore.type=bcfks ``` This patch doesn't contain any modification for the c-client (that can be handled with a separate Jira, but I don't plan to work on that part right now).
…ch 3.5 Backporting ZOOKEEPER-3950 to branch-3.5. This is a cherry-pick from #1482, also included checkstyle fix from #1516. This PR is basically the same as #1480 on the master branch, only the unit tests needed to be changed back from junit5 to junit4. The BCFKS key store format is widely used in the industry, as it provides an open source alternative if someone has to use FIPS compliant key stores due to some regulatory constraints. Currently in the ZooKeeper java client, only PEM, JKS and PEM12 is supported. I extend the list of supported key store formats with BCFKS. I also tested this patch on a real FIPS compliant cluster, having the appropriate java security configs, security providers and also running a RedHat-based Linux distro (Centos 7.8) with FIPS mode enabled. I tested both the client and the quorum SSL too. If someone wants to test this patch, and the keystore/truststore file names are not ending with ".bckfs", then (beside the usual SSL configs) make sure to also set the following parameters in the zoo.cfg: ``` ssl.keyStore.type=bcfks ssl.trustStore.type=bcfks ssl.quorum.keyStore.type=bcfks ssl.quorum.trustStore.type=bcfks ``` and also provide the following parameters for the command line java client: ``` -Dzookeeper.ssl.keyStore.type=bcfks -Dzookeeper.ssl.trustStore.type=bcfks ``` This patch doesn't contain any modification for the c-client (that can be handled with a separate Jira, but I don't plan to work on that part right now). Author: Mate Szalay-Beko <symat@apache.org> Reviewers: Norbert Kalmar <nkalmar@apache.org>, Andor Molnar <andor@apache.org> Closes #1815 from symat/ZOOKEEPER-4468
The BCFKS key store format is widely used in the industry, as it provides an open source alternative if someone has to use FIPS compliant key stores due to some regulatory constraints. Currently in the ZooKeeper java client, only PEM, JKS and PEM12 is supported. I extend the list of supported key store formats with BCFKS. I also tested this patch on a real FIPS compliant cluster, having the appropriate java security configs, security providers and also running a RedHat-based Linux distro (Centos 7.8) with FIPS mode enabled. I tested both the client and the quorum SSL too. If someone wants to test this patch, and the keystore/truststore file names are not ending with ".bckfs", then (beside the usual SSL configs) make sure to also set the following parameters in the zoo.cfg: ``` ssl.keyStore.type=bcfks ssl.trustStore.type=bcfks ssl.quorum.keyStore.type=bcfks ssl.quorum.trustStore.type=bcfks ``` and also provide the following parameters for the command line java client: ``` -Dzookeeper.ssl.keyStore.type=bcfks -Dzookeeper.ssl.trustStore.type=bcfks ``` This patch doesn't contain any modification for the c-client (that can be handled with a separate Jira, but I don't plan to work on that part right now). Author: Mate Szalay-Beko <symat@apache.org> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Norbert Kalmar <nkalmar@apache.org>, Andor Molnar <andor@apache.org> Closes apache#1480 from symat/zookeeper-3950
The BCFKS key store format is widely used in the industry, as it provides an open source alternative if someone has to use FIPS compliant key stores due to some regulatory constraints. Currently in the ZooKeeper java client, only PEM, JKS and PEM12 is supported. I extend the list of supported key store formats with BCFKS. I also tested this patch on a real FIPS compliant cluster, having the appropriate java security configs, security providers and also running a RedHat-based Linux distro (Centos 7.8) with FIPS mode enabled. I tested both the client and the quorum SSL too. If someone wants to test this patch, and the keystore/truststore file names are not ending with ".bckfs", then (beside the usual SSL configs) make sure to also set the following parameters in the zoo.cfg: ``` ssl.keyStore.type=bcfks ssl.trustStore.type=bcfks ssl.quorum.keyStore.type=bcfks ssl.quorum.trustStore.type=bcfks ``` and also provide the following parameters for the command line java client: ``` -Dzookeeper.ssl.keyStore.type=bcfks -Dzookeeper.ssl.trustStore.type=bcfks ``` This patch doesn't contain any modification for the c-client (that can be handled with a separate Jira, but I don't plan to work on that part right now). Author: Mate Szalay-Beko <symat@apache.org> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Norbert Kalmar <nkalmar@apache.org>, Andor Molnar <andor@apache.org> Closes apache#1480 from symat/zookeeper-3950
The BCFKS key store format is widely used in the industry, as it provides an open source alternative if someone has to use FIPS compliant key stores due to some regulatory constraints. Currently in the ZooKeeper java client, only PEM, JKS and PEM12 is supported. I extend the list of supported key store formats with BCFKS. I also tested this patch on a real FIPS compliant cluster, having the appropriate java security configs, security providers and also running a RedHat-based Linux distro (Centos 7.8) with FIPS mode enabled. I tested both the client and the quorum SSL too. If someone wants to test this patch, and the keystore/truststore file names are not ending with ".bckfs", then (beside the usual SSL configs) make sure to also set the following parameters in the zoo.cfg: ``` ssl.keyStore.type=bcfks ssl.trustStore.type=bcfks ssl.quorum.keyStore.type=bcfks ssl.quorum.trustStore.type=bcfks ``` and also provide the following parameters for the command line java client: ``` -Dzookeeper.ssl.keyStore.type=bcfks -Dzookeeper.ssl.trustStore.type=bcfks ``` This patch doesn't contain any modification for the c-client (that can be handled with a separate Jira, but I don't plan to work on that part right now). Author: Mate Szalay-Beko <symat@apache.org> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Norbert Kalmar <nkalmar@apache.org>, Andor Molnar <andor@apache.org> Closes apache#1480 from symat/zookeeper-3950
The BCFKS key store format is widely used in the industry, as it provides an open source alternative if someone has to use FIPS compliant key stores due to some regulatory constraints. Currently in the ZooKeeper java client, only PEM, JKS and PEM12 is supported. I extend the list of supported key store formats with BCFKS. I also tested this patch on a real FIPS compliant cluster, having the appropriate java security configs, security providers and also running a RedHat-based Linux distro (Centos 7.8) with FIPS mode enabled. I tested both the client and the quorum SSL too. If someone wants to test this patch, and the keystore/truststore file names are not ending with ".bckfs", then (beside the usual SSL configs) make sure to also set the following parameters in the zoo.cfg: ``` ssl.keyStore.type=bcfks ssl.trustStore.type=bcfks ssl.quorum.keyStore.type=bcfks ssl.quorum.trustStore.type=bcfks ``` and also provide the following parameters for the command line java client: ``` -Dzookeeper.ssl.keyStore.type=bcfks -Dzookeeper.ssl.trustStore.type=bcfks ``` This patch doesn't contain any modification for the c-client (that can be handled with a separate Jira, but I don't plan to work on that part right now). Author: Mate Szalay-Beko <symat@apache.org> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Norbert Kalmar <nkalmar@apache.org>, Andor Molnar <andor@apache.org> Closes apache#1480 from symat/zookeeper-3950
This PR is the same as apache#1480 on the master branch, only the unit tests needed to be changed back from junit5 to junit4. The BCFKS key store format is widely used in the industry, as it provides an open source alternative if someone has to use FIPS compliant key stores due to some regulatory constraints. Currently in the ZooKeeper java client, only PEM, JKS and PEM12 is supported. I extend the list of supported key store formats with BCFKS. I also tested this patch on a real FIPS compliant cluster, having the appropriate java security configs, security providers and also running a RedHat-based Linux distro (Centos 7.8) with FIPS mode enabled. I tested both the client and the quorum SSL too. If someone wants to test this patch, and the keystore/truststore file names are not ending with ".bckfs", then (beside the usual SSL configs) make sure to also set the following parameters in the zoo.cfg: ``` ssl.keyStore.type=bcfks ssl.trustStore.type=bcfks ssl.quorum.keyStore.type=bcfks ssl.quorum.trustStore.type=bcfks ``` and also provide the following parameters for the command line java client: ``` -Dzookeeper.ssl.keyStore.type=bcfks -Dzookeeper.ssl.trustStore.type=bcfks ``` This patch doesn't contain any modification for the c-client (that can be handled with a separate Jira, but I don't plan to work on that part right now). Author: Mate Szalay-Beko <symat@apache.org> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Norbert Kalmar <nkalmar@apache.org>, Andor Molnar <andor@apache.org> Closes apache#1482 from symat/zookeeper-3950-branch-3.6 Change-Id: I7cd583f8768e47e1abbab2f5e325767ef24a45b2 (cherry picked from commit 2f9c4a3)
The BCFKS key store format is widely used in the industry, as it provides an open source alternative if someone has to use FIPS compliant key stores due to some regulatory constraints.
Currently in the ZooKeeper java client, only PEM, JKS and PEM12 is supported. I extend the list of supported key store formats with BCFKS.
I also tested this patch on a real FIPS compliant cluster, having the appropriate java security configs, security providers and also running a RedHat-based Linux distro (Centos 7.8) with FIPS mode enabled.
I tested both the client and the quorum SSL too. If someone wants to test this patch, and the keystore/truststore file names are not ending with ".bckfs", then (beside the usual SSL configs) make sure to also set the following parameters in the zoo.cfg:
and also provide the following parameters for the command line java client:
This patch doesn't contain any modification for the c-client (that can be handled with a separate Jira, but I don't plan to work on that part right now).