
ISPN-13080 Infinispan SSL encryption and certificate authorization tutorial #126

Merged
merged 1 commit into from Jul 9, 2021

Conversation

wfink (Contributor)

@wfink wfink commented Jun 18, 2021

Tutorial with self created keystores
https://issues.redhat.com/browse/ISPN-13123

@karesti karesti requested a review from oraNod June 29, 2021 13:12
@oraNod oraNod (Contributor) left a comment

@wfink Can you please take a look at wfink#1 ?

@oraNod oraNod requested review from pruivo and ryanemerson July 2, 2021 11:35
@wfink wfink force-pushed the ISPN-13080/SSL branch 2 times, most recently from 486a60c to afaef51 Compare July 5, 2021 11:57
@pruivo (Member)

pruivo commented Jul 6, 2021

my thoughts:

  • too many manual steps.
  1. The scripts can be executed from maven (i.e. mvn package generates whatever it needs)
  2. create an infinispan.xml for each test case and the cache required
  3. the only manual step should be to copy all certificates and infinispan.xmls to server/conf (create a script to help? copy-configuration.sh)
  4. the user can start the server with ./bin/server.sh -c <config-name> where <config-name> depends on the test to run.
  • Scripts should not ask for passwords :) Use -keypass my_secret_pass where required to avoid prompt for passwords

@wfink (Contributor, Author)

wfink commented Jul 6, 2021

> my thoughts:
>
> * too many manual steps.

Providing an infinispan.xml could restrict the use, as it might fail if the user starts a different version of Infinispan.
Creating the config manually gives more practice.
Also, there are some steps where the certificates are modified during the different steps to show the behavior and possible errors.

@pruivo (Member)

pruivo commented Jul 6, 2021

the infinispan version is not a problem since we have a branch for each version.

@karesti (Contributor)

karesti commented Jul 6, 2021

@wfink needs rebase

@wfink (Contributor, Author)

wfink commented Jul 6, 2021

I'm about to fix some minor issues and integrate Pedro's comments.
I'll rebase then

@pruivo (Member)

pruivo commented Jul 6, 2021

@wfink my changes are in a separate branch: 98b1759

  • mvn package generates the certificates (no password prompts)
  • mvn clean removes the certificates
  • to run the tutorial, use mvn exec:exec@run

use whatever you like 👍

@wfink wfink force-pushed the ISPN-13080/SSL branch 2 times, most recently from eec7c62 to 26e10f8 Compare July 8, 2021 11:32
$ export TEST=SIMPLEAUTH && mvn exec:exec@run
----
. Check that put and get succeeds both times as Client1 and Client2 certificates are used.

Review comment (Contributor) on the lines above:

Got this exception in logs:

ISPN005003: Exception reported java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject with principal(s): [anonymous, CN=Client2, OU=Infinispan, O=JBoss, L=Red Hat, InetAddressPrincipal [address=127.0.0.1/127.0.0.1]]' lacks 'WRITE' permission

If this is expected, we should explain it to users.
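The ISPN000287 denial quoted above can be checked mechanically rather than by eye. This added Python example (not code from the PR or the Infinispan project) parses such log lines into client CN, source address and missing permission, then compares each denial against an assumed grant table (Client1 READ+WRITE, Client2 READ only, a constructed assumption) to separate expected denials, which the tutorial should explain, from ones that point at a misconfiguration.

```python
import re

# Constructed sample lines, modelled on the ISPN000287 message quoted in the review.
# The Client1/READ line and the unrelated INFO line are made up to exercise the classifier.
SAMPLE_LOG = """\
ISPN005003: Exception reported java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject with principal(s): [anonymous, CN=Client2, OU=Infinispan, O=JBoss, L=Red Hat, InetAddressPrincipal [address=127.0.0.1/127.0.0.1]]' lacks 'WRITE' permission
INFO  [org.infinispan.SERVER] (main) ISPN080001: Infinispan Server started (constructed line)
ISPN005003: Exception reported java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject with principal(s): [anonymous, CN=Client1, OU=Infinispan, O=JBoss, L=Red Hat, InetAddressPrincipal [address=127.0.0.1/127.0.0.1]]' lacks 'READ' permission
ISPN005003: Exception reported java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject with principal(s): [anonymous, CN=Client2, OU=Infinispan, O=JBoss, L=Red Hat, InetAddressPrincipal [address=127.0.0.1/127.0.0.1]]' lacks 'WRITE' permission
"""

DENIAL_RE = re.compile(
    r"ISPN000287: Unauthorized access: subject 'Subject with principal\(s\): "
    r"\[(?P<principals>.*)\]' lacks '(?P<permission>[A-Z_]+)' permission"
)
# The X.500 DN itself contains commas, so pick the CN and the address out individually.
CN_RE = re.compile(r"\bCN=([^,\]]+)")
ADDR_RE = re.compile(r"address=([^/\]\s]+)")

# Assumed mapping of which permissions each tutorial client is meant to hold (constructed).
EXPECTED_GRANTS = {"Client1": {"READ", "WRITE"}, "Client2": {"READ"}}


def parse_denial(line):
    """Return {'cn', 'address', 'permission'} for an ISPN000287 line, or None for other lines."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    principals = m.group("principals")
    cn = CN_RE.search(principals)
    addr = ADDR_RE.search(principals)
    return {
        "cn": cn.group(1).strip() if cn else None,
        "address": addr.group(1) if addr else None,
        "permission": m.group("permission"),
    }


def classify_denials(log_text, grants=EXPECTED_GRANTS):
    """Split denials into (expected, unexpected) lists of (cn, permission) pairs."""
    expected, unexpected = [], []
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        key = (d["cn"], d["permission"])
        if d["permission"] in grants.get(d["cn"], set()):
            unexpected.append(key)  # client should hold this permission: check the role mapping
        else:
            expected.append(key)    # denial matches the intended mapping: document it for users
    return expected, unexpected
```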

@oraNod (Contributor)

oraNod commented Jul 8, 2021

@wfink I ran all the examples successfully and, overall, it was a much easier process with Pedro's changes. There are a few nits for clarity in some comments. Can you apply the changes or would you prefer if I sent another commit?

@wfink wfink force-pushed the ISPN-13080/SSL branch 2 times, most recently from 61554da to bf23b5d Compare July 9, 2021 14:31
@oraNod oraNod (Contributor) left a comment

LGTM. Thanks for the hard work on this one @wfink

@oraNod oraNod merged commit b4cb51d into infinispan:main Jul 9, 2021