ZOOKEEPER-3950: Add support for BCFKS key/trust store format #1482
Closed
nkalmar
approved these changes
Oct 6, 2020
looks equivalent with master patch, +1
thanks for checking, I'm going to merge it (the tests locally and on CI passed as well)
asfgit
pushed a commit
that referenced
this pull request
Oct 6, 2020
This PR is the same as #1480 on the master branch, only the unit tests needed to be changed back from junit5 to junit4.

The BCFKS key store format is widely used in the industry, as it provides an open source alternative if someone has to use FIPS compliant key stores due to some regulatory constraints.

Currently in the ZooKeeper java client, only PEM, JKS and PEM12 is supported. I extend the list of supported key store formats with BCFKS.

I also tested this patch on a real FIPS compliant cluster, having the appropriate java security configs, security providers and also running a RedHat-based Linux distro (Centos 7.8) with FIPS mode enabled.

I tested both the client and the quorum SSL too. If someone wants to test this patch, and the keystore/truststore file names are not ending with ".bckfs", then (beside the usual SSL configs) make sure to also set the following parameters in the zoo.cfg:

```
ssl.keyStore.type=bcfks
ssl.trustStore.type=bcfks
ssl.quorum.keyStore.type=bcfks
ssl.quorum.trustStore.type=bcfks
```

and also provide the following parameters for the command line java client:

```
-Dzookeeper.ssl.keyStore.type=bcfks
-Dzookeeper.ssl.trustStore.type=bcfks
```

This patch doesn't contain any modification for the c-client (that can be handled with a separate Jira, but I don't plan to work on that part right now).

Author: Mate Szalay-Beko <symat@apache.org>
Reviewers: Norbert Kalmar <nkalmar@apache.org>

Closes #1482 from symat/zookeeper-3950-branch-3.6
symat
added a commit
to symat/zookeeper
that referenced
this pull request
Feb 11, 2022
…ch 3.5

Backporting ZOOKEEPER-3950 to branch-3.5. This is a cherry-pick from apache#1482, also included checkstyle fix from apache#1516.

This PR is basically the same as apache#1480 on the master branch, only the unit tests needed to be changed back from junit5 to junit4.

The BCFKS key store format is widely used in the industry, as it provides an open source alternative if someone has to use FIPS compliant key stores due to some regulatory constraints.

Currently in the ZooKeeper java client, only PEM, JKS and PEM12 is supported. I extend the list of supported key store formats with BCFKS.

I also tested this patch on a real FIPS compliant cluster, having the appropriate java security configs, security providers and also running a RedHat-based Linux distro (Centos 7.8) with FIPS mode enabled.

I tested both the client and the quorum SSL too. If someone wants to test this patch, and the keystore/truststore file names are not ending with ".bckfs", then (beside the usual SSL configs) make sure to also set the following parameters in the zoo.cfg:

```
ssl.keyStore.type=bcfks
ssl.trustStore.type=bcfks
ssl.quorum.keyStore.type=bcfks
ssl.quorum.trustStore.type=bcfks
```

and also provide the following parameters for the command line java client:

```
-Dzookeeper.ssl.keyStore.type=bcfks
-Dzookeeper.ssl.trustStore.type=bcfks
```

This patch doesn't contain any modification for the c-client (that can be handled with a separate Jira, but I don't plan to work on that part right now).
asfgit
pushed a commit
that referenced
this pull request
Feb 11, 2022
…ch 3.5

Backporting ZOOKEEPER-3950 to branch-3.5. This is a cherry-pick from #1482, also included checkstyle fix from #1516.

This PR is basically the same as #1480 on the master branch, only the unit tests needed to be changed back from junit5 to junit4.

The BCFKS key store format is widely used in the industry, as it provides an open source alternative if someone has to use FIPS compliant key stores due to some regulatory constraints.

Currently in the ZooKeeper java client, only PEM, JKS and PEM12 is supported. I extend the list of supported key store formats with BCFKS.

I also tested this patch on a real FIPS compliant cluster, having the appropriate java security configs, security providers and also running a RedHat-based Linux distro (Centos 7.8) with FIPS mode enabled.

I tested both the client and the quorum SSL too. If someone wants to test this patch, and the keystore/truststore file names are not ending with ".bckfs", then (beside the usual SSL configs) make sure to also set the following parameters in the zoo.cfg:

```
ssl.keyStore.type=bcfks
ssl.trustStore.type=bcfks
ssl.quorum.keyStore.type=bcfks
ssl.quorum.trustStore.type=bcfks
```

and also provide the following parameters for the command line java client:

```
-Dzookeeper.ssl.keyStore.type=bcfks
-Dzookeeper.ssl.trustStore.type=bcfks
```

This patch doesn't contain any modification for the c-client (that can be handled with a separate Jira, but I don't plan to work on that part right now).

Author: Mate Szalay-Beko <symat@apache.org>
Reviewers: Norbert Kalmar <nkalmar@apache.org>, Andor Molnar <andor@apache.org>

Closes #1815 from symat/ZOOKEEPER-4468
anmolnar
pushed a commit
to anmolnar/zookeeper
that referenced
this pull request
May 21, 2024
This PR is the same as apache#1480 on the master branch, only the unit tests needed to be changed back from junit5 to junit4.

The BCFKS key store format is widely used in the industry, as it provides an open source alternative if someone has to use FIPS compliant key stores due to some regulatory constraints.

Currently in the ZooKeeper java client, only PEM, JKS and PEM12 is supported. I extend the list of supported key store formats with BCFKS.

I also tested this patch on a real FIPS compliant cluster, having the appropriate java security configs, security providers and also running a RedHat-based Linux distro (Centos 7.8) with FIPS mode enabled.

I tested both the client and the quorum SSL too. If someone wants to test this patch, and the keystore/truststore file names are not ending with ".bckfs", then (beside the usual SSL configs) make sure to also set the following parameters in the zoo.cfg:

```
ssl.keyStore.type=bcfks
ssl.trustStore.type=bcfks
ssl.quorum.keyStore.type=bcfks
ssl.quorum.trustStore.type=bcfks
```

and also provide the following parameters for the command line java client:

```
-Dzookeeper.ssl.keyStore.type=bcfks
-Dzookeeper.ssl.trustStore.type=bcfks
```

This patch doesn't contain any modification for the c-client (that can be handled with a separate Jira, but I don't plan to work on that part right now).

Author: Mate Szalay-Beko <symat@apache.org>
Reviewers: Enrico Olivelli <eolivelli@apache.org>, Norbert Kalmar <nkalmar@apache.org>, Andor Molnar <andor@apache.org>

Closes apache#1482 from symat/zookeeper-3950-branch-3.6

Change-Id: I7cd583f8768e47e1abbab2f5e325767ef24a45b2
(cherry picked from commit 2f9c4a3)
This PR is the same as #1480 on the master branch, only the unit tests needed to be changed back from junit5 to junit4.
The BCFKS key store format is widely used in the industry, as it provides an open source alternative if someone has to use FIPS compliant key stores due to some regulatory constraints.
Currently in the ZooKeeper java client, only PEM, JKS and PEM12 is supported. I extend the list of supported key store formats with BCFKS.
I also tested this patch on a real FIPS compliant cluster, having the appropriate java security configs, security providers and also running a RedHat-based Linux distro (Centos 7.8) with FIPS mode enabled.
I tested both the client and the quorum SSL too. If someone wants to test this patch, and the keystore/truststore file names are not ending with ".bckfs", then (beside the usual SSL configs) make sure to also set the following parameters in the zoo.cfg:
and also provide the following parameters for the command line java client:
This patch doesn't contain any modification for the c-client (that can be handled with a separate Jira, but I don't plan to work on that part right now).
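
The description above depends on the JVM having a security provider that implements the declared store type. The following pre-flight check is an added example, not code from this PR or from ZooKeeper: it verifies that a provider offers the type and that the store file opens with it. The class name `StoreCheck` and the `STORE_PASSWORD` environment variable are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;
import java.util.Locale;

// Added example (not ZooKeeper code): checks that a store opens with the declared type.
public class StoreCheck {
    public static void main(String[] args) throws Exception {
        // STORE_PASSWORD is a hypothetical variable name; it keeps the password off the command line.
        String pw = System.getenv("STORE_PASSWORD");
        if (args.length != 2 || pw == null) {
            System.err.println("usage: STORE_PASSWORD=... java StoreCheck <store-file> <jks|pkcs12|bcfks>");
            System.exit(2);
        }
        String type = args[1].toUpperCase(Locale.ROOT);

        // A store type is usable only if a registered provider implements it. BCFKS is not
        // built into the JDK; a BouncyCastle provider has to be registered for it.
        Provider[] providers = Security.getProviders("KeyStore." + type);
        if (providers == null) {
            System.err.println("FAIL: no registered security provider offers KeyStore." + type);
            System.exit(1);
        }
        for (Provider p : providers) {
            System.out.println("provider offering " + type + ": " + p.getName());
        }

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(args[0])) {
            // Throws IOException on a format mismatch, a wrong password or a corrupted file.
            ks.load(in, pw.toCharArray());
        }

        int keys = 0, certs = 0;
        for (String alias : Collections.list(ks.aliases())) {
            boolean isKey = ks.isKeyEntry(alias);
            if (isKey) keys++; else certs++;
            System.out.println((isKey ? "key entry:    " : "trusted cert: ") + alias);
        }
        // A key store needs a private key entry; a trust store needs trusted certificates.
        System.out.println(keys + " key entries, " + certs + " trusted certificate entries");
        if (keys + certs == 0) { System.err.println("FAIL: store is empty"); System.exit(1); }
    }
}
```

Run it with the same JVM, classpath and `java.security` configuration that ZooKeeper uses, otherwise the provider list it reports will not match what the server or client sees.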