ZOOKEEPER-4468: Backport BCFKS key/trust store format support to branch 3.5 #1815
+337
−49
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ch 3.5 Backporting ZOOKEEPER-3950 to branch-3.5. This is a cherry-pick from apache#1482, also included checkstyle fix from apache#1516. This PR is basically the same as apache#1480 on the master branch, only the unit tests needed to be changed back from junit5 to junit4. The BCFKS key store format is widely used in the industry, as it provides an open source alternative if someone has to use FIPS compliant key stores due to some regulatory constraints. Currently in the ZooKeeper java client, only PEM, JKS and PEM12 is supported. I extend the list of supported key store formats with BCFKS. I also tested this patch on a real FIPS compliant cluster, having the appropriate java security configs, security providers and also running a RedHat-based Linux distro (Centos 7.8) with FIPS mode enabled. I tested both the client and the quorum SSL too. If someone wants to test this patch, and the keystore/truststore file names are not ending with ".bckfs", then (beside the usual SSL configs) make sure to also set the following parameters in the zoo.cfg: ``` ssl.keyStore.type=bcfks ssl.trustStore.type=bcfks ssl.quorum.keyStore.type=bcfks ssl.quorum.trustStore.type=bcfks ``` and also provide the following parameters for the command line java client: ``` -Dzookeeper.ssl.keyStore.type=bcfks -Dzookeeper.ssl.trustStore.type=bcfks ``` This patch doesn't contain any modification for the c-client (that can be handled with a separate Jira, but I don't plan to work on that part right now).
|
这是刘家豪的信箱,已经收到您的信件。
|
nkalmar
approved these changes
Feb 11, 2022
There was a problem hiding this comment.
+1, diffed to https://github.com/apache/zookeeper/pull/1480/files as Máté said, same code change (except tests)
asfgit
pushed a commit
that referenced
this pull request
Feb 11, 2022
…ch 3.5 Backporting ZOOKEEPER-3950 to branch-3.5. This is a cherry-pick from #1482, also included checkstyle fix from #1516. This PR is basically the same as #1480 on the master branch, only the unit tests needed to be changed back from junit5 to junit4. The BCFKS key store format is widely used in the industry, as it provides an open source alternative if someone has to use FIPS compliant key stores due to some regulatory constraints. Currently in the ZooKeeper java client, only PEM, JKS and PEM12 is supported. I extend the list of supported key store formats with BCFKS. I also tested this patch on a real FIPS compliant cluster, having the appropriate java security configs, security providers and also running a RedHat-based Linux distro (Centos 7.8) with FIPS mode enabled. I tested both the client and the quorum SSL too. If someone wants to test this patch, and the keystore/truststore file names are not ending with ".bckfs", then (beside the usual SSL configs) make sure to also set the following parameters in the zoo.cfg: ``` ssl.keyStore.type=bcfks ssl.trustStore.type=bcfks ssl.quorum.keyStore.type=bcfks ssl.quorum.trustStore.type=bcfks ``` and also provide the following parameters for the command line java client: ``` -Dzookeeper.ssl.keyStore.type=bcfks -Dzookeeper.ssl.trustStore.type=bcfks ``` This patch doesn't contain any modification for the c-client (that can be handled with a separate Jira, but I don't plan to work on that part right now). Author: Mate Szalay-Beko <symat@apache.org> Reviewers: Norbert Kalmar <nkalmar@apache.org>, Andor Molnar <andor@apache.org> Closes #1815 from symat/ZOOKEEPER-4468
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backporting ZOOKEEPER-3950 to branch-3.5.
This is a cherry-pick from #1482, also included checkstyle fix from #1516. This PR is basically the same as #1480 on the master branch, only the unit tests needed to be changed back from junit5 to junit4.
The BCFKS key store format is widely used in the industry, as it provides an open source alternative if someone has to use FIPS compliant key stores due to some regulatory constraints.
Currently in the ZooKeeper java client, only PEM, JKS and PEM12 is supported. I extend the list of supported key store formats with BCFKS.
I also tested this patch on a real FIPS compliant cluster, having the appropriate java security configs, security providers and also running a RedHat-based Linux distro (Centos 7.8) with FIPS mode enabled.
I tested both the client and the quorum SSL too. If someone wants to test this patch, and the keystore/truststore file names are not ending with ".bckfs", then (beside the usual SSL configs) make sure to also set the following parameters in the zoo.cfg:
and also provide the following parameters for the command line java client:
This patch doesn't contain any modification for the c-client (that can be handled with a separate Jira, but I don't plan to work on that part right now).