
AMBARI-12518: Support CA signed certificates for 2-way SSL : Make truststore file and keystore/truststore types configurable (jluniya)

Jayush Luniya 9 years ago
parent
commit
8bd16add84

+ 28 - 0
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java

@@ -96,6 +96,9 @@ public class Configuration {
   public static final String SRVR_CSR_NAME_KEY = "security.server.csr_name";
   public static final String SRVR_KEY_NAME_KEY = "security.server.key_name";
   public static final String KSTR_NAME_KEY = "security.server.keystore_name";
+  public static final String KSTR_TYPE_KEY = "security.server.keystore_type";
+  public static final String TSTR_NAME_KEY = "security.server.truststore_name";
+  public static final String TSTR_TYPE_KEY = "security.server.truststore_type";
   public static final String SRVR_CRT_PASS_FILE_KEY = "security.server.crt_pass_file";
   public static final String SRVR_CRT_PASS_KEY = "security.server.crt_pass";
   public static final String SRVR_CRT_PASS_LEN_KEY = "security.server.crt_pass.len";
@@ -117,6 +120,9 @@ public class Configuration {
   public static final String CLIENT_API_SSL_PORT_KEY = "client.api.ssl.port";
   public static final String CLIENT_API_SSL_KSTR_DIR_NAME_KEY = "client.api.ssl.keys_dir";
   public static final String CLIENT_API_SSL_KSTR_NAME_KEY = "client.api.ssl.keystore_name";
+  public static final String CLIENT_API_SSL_KSTR_TYPE_KEY = "client.api.ssl.keystore_type";
+  public static final String CLIENT_API_SSL_TSTR_NAME_KEY = "client.api.ssl.truststore_name";
+  public static final String CLIENT_API_SSL_TSTR_TYPE_KEY = "client.api.ssl.truststore_type";
   public static final String CLIENT_API_SSL_CRT_NAME_KEY = "client.api.ssl.cert_name";
   public static final String CLIENT_API_SSL_CRT_PASS_FILE_NAME_KEY = "client.api.ssl.cert_pass_file";
   public static final String CLIENT_API_SSL_CRT_PASS_KEY = "client.api.ssl.crt_pass";
@@ -207,7 +213,17 @@ public class Configuration {
   public static final String SRVR_KEY_NAME_DEFAULT = "ca.key";
   public static final String SRVR_CSR_NAME_DEFAULT = "ca.csr";
   public static final String KSTR_NAME_DEFAULT = "keystore.p12";
+  public static final String KSTR_TYPE_DEFAULT = "PKCS12";
+  // By default self-signed certificates are used and we can use keystore as truststore in PKCS12 format
+  // When CA signed certificates are used truststore should be created in JKS format (truststore.jks)
+  public static final String TSTR_NAME_DEFAULT = "keystore.p12";
+  public static final String TSTR_TYPE_DEFAULT = "PKCS12";
   public static final String CLIENT_API_SSL_KSTR_NAME_DEFAULT = "https.keystore.p12";
+  public static final String CLIENT_API_SSL_KSTR_TYPE_DEFAULT = "PKCS12";
+  // By default self-signed certificates are used and we can use keystore as truststore in PKCS12 format
+  // When CA signed certificates are used truststore should be created in JKS format (truststore.jks)
+  public static final String CLIENT_API_SSL_TSTR_NAME_DEFAULT = "https.keystore.p12";
+  public static final String CLIENT_API_SSL_TSTR_TYPE_DEFAULT = "PKCS12";
   public static final String CLIENT_API_SSL_CRT_PASS_FILE_NAME_DEFAULT = "https.pass.txt";
   public static final String CLIENT_API_SSL_KEY_NAME_DEFAULT = "https.key";
   public static final String CLIENT_API_SSL_CRT_NAME_DEFAULT = "https.crt";
@@ -532,6 +548,12 @@ public class Configuration {
       SRVR_CSR_NAME_KEY, SRVR_CSR_NAME_DEFAULT));
     configsMap.put(KSTR_NAME_KEY, properties.getProperty(
         KSTR_NAME_KEY, KSTR_NAME_DEFAULT));
+    configsMap.put(KSTR_TYPE_KEY, properties.getProperty(
+        KSTR_TYPE_KEY, KSTR_TYPE_DEFAULT));
+    configsMap.put(TSTR_NAME_KEY, properties.getProperty(
+        TSTR_NAME_KEY, TSTR_NAME_DEFAULT));
+    configsMap.put(TSTR_TYPE_KEY, properties.getProperty(
+        TSTR_TYPE_KEY, TSTR_TYPE_DEFAULT));
     configsMap.put(SRVR_CRT_PASS_FILE_KEY, properties.getProperty(
         SRVR_CRT_PASS_FILE_KEY, SRVR_CRT_PASS_FILE_DEFAULT));
     configsMap.put(PASSPHRASE_ENV_KEY, properties.getProperty(
@@ -551,6 +573,12 @@ public class Configuration {
       CLIENT_API_SSL_KSTR_DIR_NAME_KEY, configsMap.get(SRVR_KSTR_DIR_KEY)));
     configsMap.put(CLIENT_API_SSL_KSTR_NAME_KEY, properties.getProperty(
       CLIENT_API_SSL_KSTR_NAME_KEY, CLIENT_API_SSL_KSTR_NAME_DEFAULT));
+    configsMap.put(CLIENT_API_SSL_KSTR_TYPE_KEY, properties.getProperty(
+        CLIENT_API_SSL_KSTR_TYPE_KEY, CLIENT_API_SSL_KSTR_TYPE_DEFAULT));
+    configsMap.put(CLIENT_API_SSL_TSTR_NAME_KEY, properties.getProperty(
+        CLIENT_API_SSL_TSTR_NAME_KEY, CLIENT_API_SSL_TSTR_NAME_DEFAULT));
+    configsMap.put(CLIENT_API_SSL_TSTR_TYPE_KEY, properties.getProperty(
+        CLIENT_API_SSL_TSTR_TYPE_KEY, CLIENT_API_SSL_TSTR_TYPE_DEFAULT));
     configsMap.put(CLIENT_API_SSL_CRT_PASS_FILE_NAME_KEY, properties.getProperty(
       CLIENT_API_SSL_CRT_PASS_FILE_NAME_KEY, CLIENT_API_SSL_CRT_PASS_FILE_NAME_DEFAULT));
     configsMap.put(CLIENT_API_SSL_KEY_NAME_KEY, properties.getProperty(
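Review bot: The new TSTR_NAME_KEY/TSTR_TYPE_KEY and CLIENT_API_SSL_TSTR_* keys make the truststore file and type configurable, but no companion truststore password key is added, so a truststore kept in a separate file must still be protected with the keystore password (the AmbariServer section in this commit passes srvrCrtPass/httpsCrtPass to both the key and trust password setters). An operator-created truststore.jks, as the new comment on TSTR_TYPE_DEFAULT describes, will fail to open at startup if its password differs from the keystore's. Consider a truststore password property read next to TSTR_NAME_KEY (constructed example: a `TSTR_PASS_KEY` resolved the same way as SRVR_CRT_PASS_KEY) that defaults to the keystore password so the existing setup keeps working. The two identical comment pairs on the defaults would also read better as one explicit statement, e.g. `// Default: the keystore file doubles as the truststore (self-signed certs); set truststore_name/truststore_type (e.g. truststore.jks / JKS) for CA-signed certs.`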

+ 13 - 9
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java

@@ -316,25 +316,27 @@ public class AmbariServer {
       Map<String, String> configsMap = configs.getConfigsMap();
       String keystore = configsMap.get(Configuration.SRVR_KSTR_DIR_KEY) +
           File.separator + configsMap.get(Configuration.KSTR_NAME_KEY);
+      String truststore = configsMap.get(Configuration.SRVR_KSTR_DIR_KEY) +
+          File.separator + configsMap.get(Configuration.TSTR_NAME_KEY);
       String srvrCrtPass = configsMap.get(Configuration.SRVR_CRT_PASS_KEY);
       sslConnectorTwoWay.setKeystore(keystore);
-      sslConnectorTwoWay.setTruststore(keystore);
+      sslConnectorTwoWay.setTruststore(truststore);
       sslConnectorTwoWay.setPassword(srvrCrtPass);
       sslConnectorTwoWay.setKeyPassword(srvrCrtPass);
       sslConnectorTwoWay.setTrustPassword(srvrCrtPass);
-      sslConnectorTwoWay.setKeystoreType("PKCS12");
-      sslConnectorTwoWay.setTruststoreType("PKCS12");
+      sslConnectorTwoWay.setKeystoreType(configsMap.get(Configuration.KSTR_TYPE_KEY));
+      sslConnectorTwoWay.setTruststoreType(configsMap.get(Configuration.TSTR_TYPE_KEY));
       sslConnectorTwoWay.setNeedClientAuth(configs.getTwoWaySsl());
 
       //SSL Context Factory
       SslContextFactory contextFactoryOneWay = new SslContextFactory(true);
       contextFactoryOneWay.setKeyStorePath(keystore);
-      contextFactoryOneWay.setTrustStore(keystore);
+      contextFactoryOneWay.setTrustStore(truststore);
       contextFactoryOneWay.setKeyStorePassword(srvrCrtPass);
       contextFactoryOneWay.setKeyManagerPassword(srvrCrtPass);
       contextFactoryOneWay.setTrustStorePassword(srvrCrtPass);
-      contextFactoryOneWay.setKeyStoreType("PKCS12");
-      contextFactoryOneWay.setTrustStoreType("PKCS12");
+      contextFactoryOneWay.setKeyStoreType(configsMap.get(Configuration.KSTR_TYPE_KEY));
+      contextFactoryOneWay.setTrustStoreType(configsMap.get(Configuration.TSTR_TYPE_KEY));
       contextFactoryOneWay.setNeedClientAuth(false);
       disableInsecureProtocols(contextFactoryOneWay);
 
@@ -427,6 +429,8 @@ public class AmbariServer {
       if (configs.getApiSSLAuthentication()) {
         String httpsKeystore = configsMap.get(Configuration.CLIENT_API_SSL_KSTR_DIR_NAME_KEY) +
           File.separator + configsMap.get(Configuration.CLIENT_API_SSL_KSTR_NAME_KEY);
+        String httpsTruststore = configsMap.get(Configuration.CLIENT_API_SSL_KSTR_DIR_NAME_KEY) +
+            File.separator + configsMap.get(Configuration.CLIENT_API_SSL_TSTR_NAME_KEY);
         LOG.info("API SSL Authentication is turned on. Keystore - " + httpsKeystore);
 
         String httpsCrtPass = configsMap.get(Configuration.CLIENT_API_SSL_CRT_PASS_KEY);
@@ -436,12 +440,12 @@ public class AmbariServer {
         SslSelectChannelConnector sapiConnector = new SslSelectChannelConnector(contextFactoryApi);
         sapiConnector.setPort(configs.getClientSSLApiPort());
         sapiConnector.setKeystore(httpsKeystore);
-        sapiConnector.setTruststore(httpsKeystore);
+        sapiConnector.setTruststore(httpsTruststore);
         sapiConnector.setPassword(httpsCrtPass);
         sapiConnector.setKeyPassword(httpsCrtPass);
         sapiConnector.setTrustPassword(httpsCrtPass);
-        sapiConnector.setKeystoreType("PKCS12");
-        sapiConnector.setTruststoreType("PKCS12");
+        sapiConnector.setKeystoreType(configsMap.get(Configuration.CLIENT_API_SSL_KSTR_TYPE_KEY));
+        sapiConnector.setTruststoreType(configsMap.get(Configuration.CLIENT_API_SSL_KSTR_TYPE_KEY));
         sapiConnector.setMaxIdleTime(configs.getConnectionMaxIdleTime());
         apiConnector = sapiConnector;
       }
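Review bot: `sapiConnector.setTruststoreType(...)` in the last hunk reads CLIENT_API_SSL_KSTR_TYPE_KEY rather than the new CLIENT_API_SSL_TSTR_TYPE_KEY, so the API connector's truststore type always follows the keystore type and a `client.api.ssl.truststore_type=JKS` setting is silently ignored; a JKS truststore would then be opened as PKCS12 and fail to load. It should be `sapiConnector.setTruststoreType(configsMap.get(Configuration.CLIENT_API_SSL_TSTR_TYPE_KEY));`, matching what the two-way connector hunk does with TSTR_TYPE_KEY. The LOG.info line in the middle hunk still reports only the keystore path; logging `httpsTruststore` next to it would make a wrong truststore path or type easier to diagnose from the log. The enclosing method bodies continue outside these hunks.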

+ 15 - 0
ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java

@@ -158,8 +158,23 @@ public class ConfigurationTest {
     Assert.assertFalse(conf.getConfigsMap().get(Configuration.SRVR_CRT_NAME_KEY).
       equals(conf.getConfigsMap().get(Configuration.CLIENT_API_SSL_CRT_NAME_KEY)));
 
+    Assert.assertEquals("keystore.p12", conf.getConfigsMap().get(
+        Configuration.KSTR_NAME_KEY));
+    Assert.assertEquals("PKCS12", conf.getConfigsMap().get(
+        Configuration.KSTR_TYPE_KEY));
+    Assert.assertEquals("keystore.p12", conf.getConfigsMap().get(
+        Configuration.TSTR_NAME_KEY));
+    Assert.assertEquals("PKCS12", conf.getConfigsMap().get(
+        Configuration.TSTR_TYPE_KEY));
+
     Assert.assertEquals("https.keystore.p12", conf.getConfigsMap().get(
       Configuration.CLIENT_API_SSL_KSTR_NAME_KEY));
+    Assert.assertEquals("PKCS12", conf.getConfigsMap().get(
+        Configuration.CLIENT_API_SSL_KSTR_TYPE_KEY));
+    Assert.assertEquals("https.keystore.p12", conf.getConfigsMap().get(
+        Configuration.CLIENT_API_SSL_TSTR_NAME_KEY));
+    Assert.assertEquals("PKCS12", conf.getConfigsMap().get(
+        Configuration.CLIENT_API_SSL_TSTR_TYPE_KEY));
     Assert.assertEquals(passFile.getName(), conf.getConfigsMap().get(
       Configuration.CLIENT_API_SSL_CRT_PASS_FILE_NAME_KEY));
     Assert.assertEquals(password, conf.getConfigsMap().get(Configuration.CLIENT_API_SSL_CRT_PASS_KEY));
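Review bot: The added assertions only pin the default values of the new keystore/truststore keys, so the override path of `properties.getProperty(key, default)` for these keys is not exercised and a wrong key constant in Configuration would go unnoticed. Add a case that sets `security.server.truststore_name`/`security.server.truststore_type` and the `client.api.ssl.truststore_name`/`client.api.ssl.truststore_type` counterparts in the Properties passed to Configuration and asserts that the configured values, not the defaults, are returned. The enclosing test method starts outside the hunk.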