diff --git a/CHANGES.md b/CHANGES.md
index 41c559b25..440bd7934 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -15,6 +15,7 @@
 * Add metric for failed and succeeded repair tasks - Issue #295
 * Remove deprecated v1 REST interface
 * Migrate to datastax driver-4.14.1 - Issue #269
+* Add PEM format support - Issue #300
 ## Version 3.0.0
diff --git a/application/src/main/java/com/ericsson/bss/cassandra/ecchronos/application/ReloadingCertificateHandler.java b/application/src/main/java/com/ericsson/bss/cassandra/ecchronos/application/ReloadingCertificateHandler.java
index f87a3b5c3..a2419dcce 100644
--- a/application/src/main/java/com/ericsson/bss/cassandra/ecchronos/application/ReloadingCertificateHandler.java
+++ b/application/src/main/java/com/ericsson/bss/cassandra/ecchronos/application/ReloadingCertificateHandler.java
@@ -17,14 +17,17 @@
 import com.datastax.oss.driver.api.core.metadata.EndPoint;
 import com.ericsson.bss.cassandra.ecchronos.application.config.TLSConfig;
 import com.ericsson.bss.cassandra.ecchronos.connection.CertificateHandler;
+import io.netty.buffer.ByteBufAllocator;
+import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslContextBuilder;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.TrustManagerFactory;
+import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -35,6 +38,7 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.UnrecoverableKeyException;
 import java.security.cert.CertificateException;
+import java.util.Arrays;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.Supplier;
@@ -55,17 +59,18 @@ public final SSLEngine newSslEngine(final EndPoint remoteEndpoint)
 {
 Context context = getContext();
 TLSConfig tlsConfig = context.getTlsConfig();
- SSLContext sslContext = context.getSSLContext();
+ SslContext sslContext = context.getSSLContext();
 SSLEngine sslEngine;
 if (remoteEndpoint != null)
 {
 InetSocketAddress socketAddress = (InetSocketAddress) remoteEndpoint.resolve();
- sslEngine = sslContext.createSSLEngine(socketAddress.getHostName(), socketAddress.getPort());
+ sslEngine = sslContext.newEngine(ByteBufAllocator.DEFAULT, socketAddress.getHostName(),
+ socketAddress.getPort());
 }
 else
 {
- sslEngine = sslContext.createSSLEngine();
+ sslEngine = sslContext.newEngine(ByteBufAllocator.DEFAULT);
 }
 sslEngine.setUseClientMode(true);
@@ -118,7 +123,7 @@ public void close() throws Exception
 protected static final class Context
 {
 private final TLSConfig tlsConfig;
- private final SSLContext sslContext;
+ private final SslContext sslContext;
 Context(final TLSConfig aTLSConfig) throws NoSuchAlgorithmException, IOException, UnrecoverableKeyException, CertificateException, KeyStoreException, KeyManagementException
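Review bot: The `Context` constructor on the last line of this hunk still declares `KeyManagementException`, which `createSSLContext` no longer throws after the next hunk; if the constructor does nothing but delegate to `createSSLContext`, the clause can be trimmed to `throws NoSuchAlgorithmException, IOException, UnrecoverableKeyException, CertificateException, KeyStoreException` (the constructor body is outside this hunk, so that is inferred). In `newSslEngine`, the engines now come from Netty's `SslContext.newEngine`, which does not enable hostname verification on its own; the body of `newSslEngine` continues past `setUseClientMode(true)`, so whether the `SSLParameters`/`require_endpoint_verification` handling is still applied to the new engine cannot be checked from here and is worth confirming. A short comment on the `ByteBufAllocator.DEFAULT` lines, such as `// the engine is handed to the driver, not to a Netty channel, so the default allocator is sufficient`, would explain a choice that otherwise looks arbitrary.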
@@ -137,26 +142,44 @@ boolean sameConfig(final TLSConfig aTLSConfig)
 return this.tlsConfig.equals(aTLSConfig);
 }
- SSLContext getSSLContext()
+ SslContext getSSLContext()
 {
 return sslContext;
 }
 }
- protected static SSLContext createSSLContext(final TLSConfig tlsConfig) throws IOException,
+ protected static SslContext createSSLContext(TLSConfig tlsConfig) throws IOException,
 NoSuchAlgorithmException, KeyStoreException, CertificateException,
- UnrecoverableKeyException,
- KeyManagementException
+ UnrecoverableKeyException
 {
- SSLContext sslContext = SSLContext.getInstance(tlsConfig.getProtocol());
- KeyManagerFactory keyManagerFactory = getKeyManagerFactory(tlsConfig);
- TrustManagerFactory trustManagerFactory = getTrustManagerFactory(tlsConfig);
- sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
+ SslContextBuilder builder = SslContextBuilder.forClient();
- return sslContext;
+ if (tlsConfig.getCertificate().isPresent() &&
+ tlsConfig.getCertificatePrivateKey().isPresent() &&
+ tlsConfig.getTrustCertificate().isPresent())
+ {
+ File certificateFile = new File(tlsConfig.getCertificate().get());
+ File certificatePrivateKeyFile = new File(tlsConfig.getCertificatePrivateKey().get());
+ File trustCertificateFile = new File(tlsConfig.getTrustCertificate().get());
+
+ builder.keyManager(certificateFile, certificatePrivateKeyFile);
+ builder.trustManager(trustCertificateFile);
+ }
+ else
+ {
+ KeyManagerFactory keyManagerFactory = getKeyManagerFactory(tlsConfig);
+ TrustManagerFactory trustManagerFactory = getTrustManagerFactory(tlsConfig);
+ builder.keyManager(keyManagerFactory);
+ builder.trustManager(trustManagerFactory);
+ }
+ if (tlsConfig.getCipher_suites().isPresent())
+ {
+ builder.ciphers(Arrays.asList(tlsConfig.getCipher_suites().get()));
+ }
+ return builder.protocols(tlsConfig.getProtocols()).build();
 }
 protected static KeyManagerFactory getKeyManagerFactory(final TLSConfig tlsConfig) throws IOException,
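Review bot: In `createSSLContext` a partially filled PEM configuration silently takes the keystore branch: the `if` requires all three of `certificate`, `certificate_private_key` and `trust_certificate`, so a typo in one key (the `docs/SETUP.md` example in this same commit uses `certificate_key` and `certificate_authorities`, names `TLSConfig` does not bind) leaves the operator connecting with whatever the store settings hold, or with an unrelated keystore error, instead of being told the PEM settings are incomplete. I would reject a partial PEM configuration before choosing the branch, as sketched below. Two smaller points on the same lines: `keyManager(File, File)` passes a null key password, so the private key must be stored unencrypted, which the configuration docs should state (Netty's `keyManager(File, File, String keyPassword)` overload exists if encrypted keys are wanted); and the `tlsConfig` parameter lost its `final` modifier while every other method in the file keeps it.
```java
protected static SslContext createSSLContext(final TLSConfig tlsConfig) throws IOException,
        NoSuchAlgorithmException, KeyStoreException, CertificateException,
        UnrecoverableKeyException
{
    SslContextBuilder builder = SslContextBuilder.forClient();

    boolean hasCertificate = tlsConfig.getCertificate().isPresent();
    boolean hasPrivateKey = tlsConfig.getCertificatePrivateKey().isPresent();
    boolean hasTrustCertificate = tlsConfig.getTrustCertificate().isPresent();
    boolean anyPem = hasCertificate || hasPrivateKey || hasTrustCertificate;
    boolean allPem = hasCertificate && hasPrivateKey && hasTrustCertificate;

    // A half-configured PEM setup must not fall through to the keystore path unnoticed
    if (anyPem && !allPem)
    {
        throw new IllegalArgumentException(
                "PEM TLS configuration requires certificate, certificate_private_key and trust_certificate");
    }

    if (allPem)
    {
        // … unchanged: File construction, keyManager/trustManager from the PEM files …
    }
    else
    {
        // … unchanged: KeyManagerFactory/TrustManagerFactory path …
    }
    // … unchanged: cipher suites, protocols, build …
}
```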
diff --git a/application/src/main/java/com/ericsson/bss/cassandra/ecchronos/application/config/TLSConfig.java b/application/src/main/java/com/ericsson/bss/cassandra/ecchronos/application/config/TLSConfig.java
index c294ac5d8..271031e36 100644
--- a/application/src/main/java/com/ericsson/bss/cassandra/ecchronos/application/config/TLSConfig.java
+++ b/application/src/main/java/com/ericsson/bss/cassandra/ecchronos/application/config/TLSConfig.java
@@ -32,6 +32,10 @@ public class TLSConfig
 private String truststore;
 private String truststore_password;
+ private String certificate;
+ private String certificate_private_key;
+ private String trust_certificate;
+
 private String protocol;
 private String algorithm;
 private String store_type;
@@ -89,11 +93,46 @@ public final void setTruststore_password(final String truststorePassword)
 this.truststore_password = truststorePassword;
 }
+ public Optional getCertificate()
+ {
+ return Optional.ofNullable(certificate);
+ }
+
+ public void setCertificate(String certificate)
+ {
+ this.certificate = certificate;
+ }
+
+ public Optional getCertificatePrivateKey()
+ {
+ return Optional.ofNullable(certificate_private_key);
+ }
+
+ public void setCertificate_private_key(String certificate_private_key)
+ {
+ this.certificate_private_key = certificate_private_key;
+ }
+
+ public Optional getTrustCertificate()
+ {
+ return Optional.ofNullable(trust_certificate);
+ }
+
+ public void setTrust_certificate(String trust_certificate)
+ {
+ this.trust_certificate = trust_certificate;
+ }
+
 public final String getProtocol()
 {
 return protocol;
 }
+ public final String[] getProtocols()
+ {
+ return protocol.split(",");
+ }
+
 public final void setProtocol(final String aProtocol)
 {
 this.protocol = aProtocol;
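Review bot: `getProtocols()` dereferences `protocol` unguarded, so a TLS section that enables TLS but omits `protocol` fails with a bare NullPointerException from inside `createSSLContext` rather than a message naming the missing setting, and `split(",")` keeps surrounding whitespace, so `TLSv1.2, TLSv1.3` yields an entry ` TLSv1.3` that the SSL provider will reject. Both are cheap to fix on that one return line, using `Objects` and `Arrays` already referenced by `equals`/`hashCode`: `Objects.requireNonNull(protocol, "protocol must be set when TLS is enabled");` followed by `return Arrays.stream(protocol.split(",")).map(String::trim).toArray(String[]::new);`. As a point of style, the three new setters drop the `final` modifier and name their parameter after the field (`setCertificate(String certificate)`), whereas every existing setter in the file is `final` and uses a distinct name such as `aProtocol` or `truststorePassword`; I would expect the project's checkstyle hidden-field rule to flag this, and a `@param` line on each new accessor would match the rest of the class.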
@@ -167,6 +206,9 @@ public final boolean equals(final Object o)
 && Objects.equals(keystore_password, tlsConfig.keystore_password)
 && Objects.equals(truststore, tlsConfig.truststore)
 && Objects.equals(truststore_password, tlsConfig.truststore_password)
+ && Objects.equals(certificate, tlsConfig.certificate)
+ && Objects.equals(certificate_private_key, tlsConfig.certificate_private_key)
+ && Objects.equals(trust_certificate, tlsConfig.trust_certificate)
 && Objects.equals(protocol, tlsConfig.protocol)
 && Objects.equals(algorithm, tlsConfig.algorithm)
 && Objects.equals(store_type, tlsConfig.store_type)
@@ -176,8 +218,8 @@ public final boolean equals(final Object o)
 @Override
 public final int hashCode()
 {
- int result = Objects.hash(enabled, keystore, keystore_password, truststore, truststore_password, protocol,
- algorithm, store_type, require_endpoint_verification);
+ int result = Objects.hash(enabled, keystore, keystore_password, truststore, truststore_password, certificate,
+ certificate_private_key, trust_certificate, protocol, algorithm, store_type, require_endpoint_verification);
 result = HASH_SEED * result + Arrays.hashCode(cipher_suites);
 return result;
 }
diff --git a/application/src/main/resources/application.yml b/application/src/main/resources/application.yml
index dd596c690..15d437c25 100644
--- a/application/src/main/resources/application.yml
+++ b/application/src/main/resources/application.yml
@@ -42,6 +42,11 @@ springdoc:
 #server:
 # ssl:
 # enabled: false
+# client-auth:
+# enabled-protocols:
+# ciphers:
+#
+# SSL configuration using certificate stores
 # key-store:
 # key-store-password:
 # key-store-type:
@@ -50,9 +55,13 @@ springdoc:
 # trust-store:
 # trust-store-password:
 # trust-store-type:
-# client-auth:
-# enabled-protocols:
-# ciphers:
 #
-# Rate at which certificate are reloaded automatically
+# SSL configuration using certificates in PEM format
+# This configuration takes precedence when certificate store settings are also specified
+# Only certificates using RSA algorithm are supported
+# certificate:
+# certificate-private-key:
+# trust-certificate:
+#
+# Rate at which certificates are reloaded automatically
 # refresh-rate-in-ms: 60000
\ No newline at end of file
diff --git a/application/src/main/resources/security.yml b/application/src/main/resources/security.yml
index a8c498252..4d34c66e7 100644
--- a/application/src/main/resources/security.yml
+++ b/application/src/main/resources/security.yml
@@ -24,6 +24,9 @@ cql:
 keystore_password: ecchronos
 truststore: /path/to/truststore
 truststore_password: ecchronos
+ certificate:
+ certificate_private_key:
+ trust_certificate:
 protocol: TLSv1.2
 algorithm:
 store_type: JKS
diff --git a/application/src/test/java/com/ericsson/bss/cassandra/ecchronos/application/config/TestSecurity.java b/application/src/test/java/com/ericsson/bss/cassandra/ecchronos/application/config/TestSecurity.java
index 0e2677b5b..225eb94bd 100644
--- a/application/src/test/java/com/ericsson/bss/cassandra/ecchronos/application/config/TestSecurity.java
+++ b/application/src/test/java/com/ericsson/bss/cassandra/ecchronos/application/config/TestSecurity.java
@@ -42,6 +42,9 @@ public void testDefault() throws Exception
 cqlTlsConfig.setKeystore_password("ecchronos");
 cqlTlsConfig.setTruststore("/path/to/truststore");
 cqlTlsConfig.setTruststore_password("ecchronos");
+ cqlTlsConfig.setCertificate(null);
+ cqlTlsConfig.setCertificate_private_key(null);
+ cqlTlsConfig.setTrust_certificate(null);
 cqlTlsConfig.setProtocol("TLSv1.2");
 cqlTlsConfig.setAlgorithm(null);
 cqlTlsConfig.setStore_type("JKS");
@@ -102,4 +105,29 @@ public void testEnabled() throws Exception
 assertThat(config.getCql().getTls()).isEqualTo(cqlTlsConfig);
 assertThat(config.getJmx().getTls()).isEqualTo(jmxTlsConfig);
 }
+
+ @Test
+ public void testEnabledWithCertificate() throws Exception
+ {
+ ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
+ File file = new File(classLoader.getResource("enabled_certificate_security.yml").getFile());
+
+ ObjectMapper objectMapper = new ObjectMapper(new YAMLFactory());
+
+ Security config = objectMapper.readValue(file, Security.class);
+
+ Credentials expectedCqlCredentials = new Credentials(true, "cqluser", "cqlpassword");
+
+ TLSConfig cqlTlsConfig = new TLSConfig();
+ cqlTlsConfig.setEnabled(true);
+ cqlTlsConfig.setCertificate("/path/to/cql/certificate");
+ cqlTlsConfig.setCertificate_private_key("/path/to/cql/certificate_key");
+ cqlTlsConfig.setTrust_certificate("/path/to/cql/certificate_authorities");
+ cqlTlsConfig.setProtocol("TLSv1.2");
+ cqlTlsConfig.setCipher_suites("VALID_CIPHER_SUITE,VALID_CIPHER_SUITE2");
+ cqlTlsConfig.setRequire_endpoint_verification(true);
+
+ assertThat(config.getCql().getCredentials()).isEqualTo(expectedCqlCredentials);
+ assertThat(config.getCql().getTls()).isEqualTo(cqlTlsConfig);
+ }
 }
diff --git a/application/src/test/java/com/ericsson/bss/cassandra/ecchronos/application/spring/TestTomcatWebServerCustomizer.java b/application/src/test/java/com/ericsson/bss/cassandra/ecchronos/application/spring/TestTomcatWebServerCustomizer.java
index cee91a87d..3613fb5c7 100644
--- a/application/src/test/java/com/ericsson/bss/cassandra/ecchronos/application/spring/TestTomcatWebServerCustomizer.java
+++ b/application/src/test/java/com/ericsson/bss/cassandra/ecchronos/application/spring/TestTomcatWebServerCustomizer.java
@@ -58,13 +58,8 @@
 import static org.assertj.core.api.Assertions.assertThat;
-@RunWith (SpringRunner.class)
-@SpringBootTest (webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
-@ContextConfiguration(initializers = TestTomcatWebServerCustomizer.PropertyOverrideContextInitializer.class)
-public class TestTomcatWebServerCustomizer
+public abstract class TestTomcatWebServerCustomizer
 {
- private static final String SERVER_KEYSTORE = "src/test/resources/server/ks.p12";
- private static final String SERVER_TRUSTSTORE = "src/test/resources/server/ts.p12";
 private static final String CLIENT_VALID_PATH = "valid/";
 private static final String CLIENT_EXPIRED_PATH = "expired/";
 private static final int REFRESH_RATE = 100;
@@ -156,14 +151,6 @@ public void initialize(ConfigurableApplicationContext configurableApplicationCon
 {
 addInlinedPropertiesToEnvironment(configurableApplicationContext,
 "server.ssl.enabled=true",
- "server.ssl.key-store=" + SERVER_KEYSTORE,
- "server.ssl.key-store-password=",
- "server.ssl.key-store-type=PKCS12",
- "server.ssl.key-alias=cert",
- "server.ssl.key-password=",
- "server.ssl.trust-store=" + SERVER_TRUSTSTORE,
- "server.ssl.trust-store-password=",
- "server.ssl.trust-store-type=PKCS12",
 "server.ssl.client-auth=need",
 "server.ssl.refresh-rate-in-ms=" + REFRESH_RATE);
 }
diff --git a/application/src/test/java/com/ericsson/bss/cassandra/ecchronos/application/spring/TestTomcatWebServerCustomizerKeystore.java b/application/src/test/java/com/ericsson/bss/cassandra/ecchronos/application/spring/TestTomcatWebServerCustomizerKeystore.java
new file mode 100644
index 000000000..770682d29
--- /dev/null
+++ b/application/src/test/java/com/ericsson/bss/cassandra/ecchronos/application/spring/TestTomcatWebServerCustomizerKeystore.java
@@ -0,0 +1,35 @@ +/* + * Copyright 2022 Telefonaktiebolaget LM Ericsson + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.ericsson.bss.cassandra.ecchronos.application.spring; + +import org.junit.runner.RunWith; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringRunner; + +@RunWith (SpringRunner.class) +@SpringBootTest (webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, + properties = { + "server.ssl.key-store=src/test/resources/server/ks.p12", + "server.ssl.key-store-password=", + "server.ssl.key-store-type=PKCS12", + "server.ssl.key-alias=cert", + "server.ssl.key-password=", + "server.ssl.trust-store=src/test/resources/server/ts.p12", + "server.ssl.trust-store-password=", + "server.ssl.trust-store-type=PKCS12" + }) +@ContextConfiguration(initializers = TestTomcatWebServerCustomizer.PropertyOverrideContextInitializer.class) +public class TestTomcatWebServerCustomizerKeystore extends TestTomcatWebServerCustomizer {} \ No newline at end of file diff --git a/application/src/test/java/com/ericsson/bss/cassandra/ecchronos/application/spring/TestTomcatWebServerCustomizerPem.java b/application/src/test/java/com/ericsson/bss/cassandra/ecchronos/application/spring/TestTomcatWebServerCustomizerPem.java new file mode 100644 index 000000000..9678ec5e8 --- /dev/null 
+++ b/application/src/test/java/com/ericsson/bss/cassandra/ecchronos/application/spring/TestTomcatWebServerCustomizerPem.java @@ -0,0 +1,30 @@ +/* + * Copyright 2022 Telefonaktiebolaget LM Ericsson + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.ericsson.bss.cassandra.ecchronos.application.spring; + +import org.junit.runner.RunWith; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringRunner; + +@RunWith (SpringRunner.class) +@SpringBootTest (webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, + properties = { + "server.ssl.certificate=src/test/resources/server/cert.crt", + "server.ssl.certificate-private-key=src/test/resources/server/key.pem", + "server.ssl.trust-certificate=src/test/resources/server/ca.crt" + }) +@ContextConfiguration(initializers = TestTomcatWebServerCustomizer.PropertyOverrideContextInitializer.class) +public class TestTomcatWebServerCustomizerPem extends TestTomcatWebServerCustomizer {} \ No newline at end of file diff --git a/application/src/test/resources/enabled_certificate_security.yml b/application/src/test/resources/enabled_certificate_security.yml new file mode 100644 index 000000000..1a94688e1 --- /dev/null +++ b/application/src/test/resources/enabled_certificate_security.yml 
@@ -0,0 +1,28 @@ +# +# Copyright 2022 Telefonaktiebolaget LM Ericsson +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +cql: + credentials: + enabled: true + username: cqluser + password: cqlpassword + tls: + enabled: true + certificate: /path/to/cql/certificate + certificate_private_key: /path/to/cql/certificate_key + trust_certificate: /path/to/cql/certificate_authorities + protocol: TLSv1.2 + cipher_suites: VALID_CIPHER_SUITE,VALID_CIPHER_SUITE2 + require_endpoint_verification: true diff --git a/application/src/test/resources/server/ca.crt b/application/src/test/resources/server/ca.crt new file mode 100644 index 000000000..be4507701 --- /dev/null +++ b/application/src/test/resources/server/ca.crt 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDfzCCAmegAwIBAgIJAIxCCpTWw5+LMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV +BAYTAlRFMQ0wCwYDVQQIDARURVNUMQ0wCwYDVQQHDARURVNUMQ0wCwYDVQQKDARU +RVNUMQ0wCwYDVQQLDARURVNUMQswCQYDVQQDDAJDQTAeFw0yMTAxMjExMTU2MzZa +Fw0yMTAxMjIxMTU2MzZaMFYxCzAJBgNVBAYTAlRFMQ0wCwYDVQQIDARURVNUMQ0w +CwYDVQQHDARURVNUMQ0wCwYDVQQKDARURVNUMQ0wCwYDVQQLDARURVNUMQswCQYD +VQQDDAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJu8/uSP1cp +8nn+W3lazvQSyKEyU2TbuKqiawqFTyjLKEL1DinM5imV8LD42SGuRYoC3k0jTgTc +7HwxqmrP87t4CiYhacF990i79QyBYwo+EPgZ+IC04puBCbP3S45NS6L0sm3E3Vsu +nsvduF+7a+HlmYciV1HYJT7h2j8ZzQCqJ4qMvkkf5E3N2EhkPVenR5A4Y4OwPNS/ +AtZo7bzCgRws4WVKrv5Eo1BhPR82kfrMUCPMxGZwylAU/PTGkkxf84OcQRGW8JT9 +AcebkxTLJbnurQMIwG0yY+b7yli6kbDBxWjTA0X5nFd22WvVYoJEOtJrHsZ4O6zi +FH+oOzyD5IECAwEAAaNQME4wHQYDVR0OBBYEFJTbFa7wd276pUfIWA298r54kZh/ +MB8GA1UdIwQYMBaAFJTbFa7wd276pUfIWA298r54kZh/MAwGA1UdEwQFMAMBAf8w +DQYJKoZIhvcNAQELBQADggEBAHLZMqP01PeD8FdxR3MvH6PlgJmlatYR58aWkRK2 ++wmDY1ZolI3YPVZemRYp4EGU8nj3tk9wALn5Q1CDyU7aZXerSPngekfaNGhFY1tB +cj+6bEY12FxBW2G0kc80rjbMbfLZEpHEdHKwJLosWuNOBWYOdZof4pS9uQUeGJKq +9MYJl/HFf1j7ZOzNoy9220eSz2rEe90aCD5QJZklkUeCK3uxjIxU9SegUn5XD5jj +aKli1AIgnCYbR76TU8xXRtq5CCohhbM21f/SUZQehluupQ9z3UL9MjMXMN+61ejT +skIUYVNCWMEOV23Cc4+JhV6LC6ivJpv9E/Zxh7H/Gyz2Df0= +-----END CERTIFICATE----- diff --git a/application/src/test/resources/server/cert.crt b/application/src/test/resources/server/cert.crt new file mode 100644 index 000000000..2b5a877e7 --- /dev/null +++ b/application/src/test/resources/server/cert.crt 
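Review bot: Decoding the validity field of this CA certificate by hand (`Fw0yMTAxMjExMTU2MzZaFw0yMTAxMjIxMTU2MzZa`) reads as notBefore 2021-01-21 and notAfter 2021-01-22, i.e. the trust anchor expired a day after issue, while the leaf in `cert.crt` in the next file reads as valid until 2185. If that is right, the PEM variant of the Tomcat test only passes because the JDK's PKIX validator does not check the trust anchor's own dates, which is an implicit dependency worth either a comment next to `server.ssl.trust-certificate` in `TestTomcatWebServerCustomizerPem` or, better, a regenerated fixture with a long-lived CA. Please confirm with `openssl x509 -noout -dates` before acting on this, since the reading above is from the base64 rather than a parser.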
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDLDCCAhQCCQDwyqHW1MWFjjANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJU +RTENMAsGA1UECAwEVEVTVDENMAsGA1UEBwwEVEVTVDENMAsGA1UECgwEVEVTVDEN +MAsGA1UECwwEVEVTVDELMAkGA1UEAwwCQ0EwIBcNMjEwMTIxMTIwNTIwWhgPMjE4 +NTA1MDExMjA1MjBaMFgxCzAJBgNVBAYTAlRFMQ0wCwYDVQQIDARURVNUMQ0wCwYD +VQQHDARURVNUMQ0wCwYDVQQKDARURVNUMQ0wCwYDVQQLDARURVNUMQ0wCwYDVQQD +DARVc2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA57QgmBI5o6VP +pNoio0oCbLbSnXfbfZS/wVZ5ET1QOhr+ZpbZqwpZTt5QbSguFQNMJn0wkISa1Ymf +QBL+SaZHsxGy4SwX0Fs4N0ou1/38iBubSNfl9FZ/3nwYMZ9do5651s8MHbqGcFdY +oHOtdvVuMKDCpUg2bJZHM4UPya35SZBsjCqatA0xrnDBdjXnPVDoj3O/Y+H6D9pT +pcBG2MabMyC+GgAvt5sZIJxbYZNchXHFiML6sPUXoxpC5SbKmj1/Da5veNBbQsXw +C29ofWeM1t0hEtSkaQCSVl1TRCesA9u5AUBfnKnhlzABizRz6Wb/c3jH59GtS2M3 +mBMmOJLfZwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCJ/8Lkh8cR4X0Upmzx+Szv +YdKvmRM/QC6mtsuvI2qPlwHp3BIIafhiE1ziIIV1K+hqKhq2jN8NTSz8rHVDGMQg +Bhna4Cc/sIWNfinRZGlo9ITAiJSsgEXmiSYYQwsNOvDbApZVLOgw44SQ7KhEO9bh +6JUC2ilXA3BLmdyqLQG/ijOdKWBGefO8eL7kZuWQ7kNWywqco72ZjR1woD86JSf4 +2EAO0p4BJ4b8OQ6NlCZZZcQu7tPpwoV4KQ9fgIHS43nwK26T+kKr9PzAVJ8c1S4g +My4HAU6CWj4m479l+ej6y1pt+VN5ahIKLEpyjBB7JSL23940ZPc1D7pKG4MbdpHj +-----END CERTIFICATE----- diff --git a/application/src/test/resources/server/key.pem b/application/src/test/resources/server/key.pem new file mode 100644 index 000000000..40872248a --- /dev/null +++ b/application/src/test/resources/server/key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDntCCYEjmjpU+k +2iKjSgJsttKdd9t9lL/BVnkRPVA6Gv5mltmrCllO3lBtKC4VA0wmfTCQhJrViZ9A +Ev5JpkezEbLhLBfQWzg3Si7X/fyIG5tI1+X0Vn/efBgxn12jnrnWzwwduoZwV1ig +c6129W4woMKlSDZslkczhQ/JrflJkGyMKpq0DTGucMF2Nec9UOiPc79j4foP2lOl +wEbYxpszIL4aAC+3mxkgnFthk1yFccWIwvqw9RejGkLlJsqaPX8Nrm940FtCxfAL +b2h9Z4zW3SES1KRpAJJWXVNEJ6wD27kBQF+cqeGXMAGLNHPpZv9zeMfn0a1LYzeY +EyY4kt9nAgMBAAECggEAHHFbMu/BzZnkbfstF1hldcz3i8cD1aWl6GjiEcCyEX/w +zM0lyT5K+kiGHPA6v++YsHzbslHk4+Ox/d6XApl74bqBd+y+u6AHBZqAp5kRH/Ar +nsSKAPWBWuFm4uiKSSSZ8YmXFisoh6/hPEkW+Sxlq2iAnGOB8tB7yxJBfuNxX5s0 +NU603Tnin1ZUBpgai+IM6Bu4mVWD9VIaN0OvI3qFUg6hlO+liXMglpPMg1n7qFWP +qbKT6HbyeJ28g/TEeu79xFs5NmJGn4fjDT1rQBp1S2HFYlnUYX3aQh7ih5OSoyU4 +xIFVeXYO71/F20GU6h/0kUcu1WqQmIXJh/bXcntGYQKBgQD7KDxEpTvp7uiBq16V +dRQMHLS5vFA+KfO+xsmfiqQgaTWn+sbKBDLIW2oYnPiiQCPeepxPECazH3AmqhBK +7OXlMFkQPhT0pjEfFGxlBuxIbINmnzsTqexcL8t0D8o2f2u4814R5YZpq284mHrD +EJnct8cn+1cSLaaBncv69Vr40QKBgQDsK913L4mXpMW3QDmDvdhYYtDRwLRIRAZ7 +Hbe7B3Byj38Y75zazI6IBV3yu74MdEwGdFIWOigArIQcn1jMwdHmEJjxE9zwoCEI +bMQu6efT7uor25WIXgR31H+2lhWJahgdBSFHKrILtznTIUP6vp3kKmg1yBhHVCON +/I6oX1titwKBgHCjiuP+dvBjhUMiaDj/WQ5VkXf7TMGUbwyQerxioVkn1jiP77eK +SnwxA1QmkhuySGPu+Us8Ix8Samnsu4He3Pv8wvTV4vAV2NHnhvWINVAF2qiboRMg +kjCF/uj+a+IlI1q/SuEb3zxk9mybdfMl7tteUKNNxa8RaiuXaXQTtckBAoGANfi8 +Tt2FQyt7p6o8uperFl/WuuigCpfJJ1+eOlaz4upaMFep7/Kpa/pWAv/Wqb/2E8+H +Zt75f1XthyD/SSPOFRab7RQN/MuLYQKCPvpjaXKC/2zaGmTp/nyIhzB7UYD2a8Nd +XIcsUzMXOuGySF5BdQAf+pJ0wfA/g9ZAv8ey+bcCgYApjzqcWCw9c/DOAdLQPbGX +F+gpz3WoyqWMUQ6/3hpivG8gKGdEMv5ecpfrV9uHEZDPXsbdGAAJC9+nxUh0AQZj +8sYojRi8I6/DfDNj3aLaepTW2jbHEhiHNzaHxoGKV6i1BuuMRcligYRDxwslOxAv +vqeORuYWSWlLMBJc8DWA7g== +-----END PRIVATE KEY----- diff --git a/docs/SETUP.md b/docs/SETUP.md index 7dd344163..5ff320433 100644 --- a/docs/SETUP.md +++ b/docs/SETUP.md 
@@ -115,7 +115,7 @@ cql: keystore_password: ecchronos truststore: /path/to/truststore truststore_password: ecchronos - protocol: TLSv1.2 + protocol: TLSv1.2,TLSv1.3 algorithm: store_type: JKS cipher_suites: @@ -131,10 +131,32 @@ jmx: keystore_password: ecchronos truststore: /path/to/truststore truststore_password: ecchronos - protocol: TLSv1.2 + protocol: TLSv1.2,TLSv1.3 cipher_suites: ``` +CQL also supports certificates in PEM format. + +``` +cql: + credentials: + enabled: true + username: cassandra + password: cassandra + tls: + enabled: false + certificate: /path/to/certificate + certificate_key: /path/to/certificate_key + certificate_authorities: /path/to/certificate_authorities + protocol: TLSv1.2,TLSv1.3 + cipher_suites: + require_endpoint_verification: false +``` +> **Note** +> +> In case certificate stores and PEM certificates are declared in `conf/security.yml` for CQL, +> PEM certificates takes precedence. + The security parameters can be updated during runtime and will automatically be picked up by ecc. It's possible to override the default connection providers if needed. diff --git a/ecchronos-binary/pom.xml b/ecchronos-binary/pom.xml index ad0737599..1897b7e22 100644 --- a/ecchronos-binary/pom.xml +++ b/ecchronos-binary/pom.xml @@ -104,6 +104,7 @@ MIT License The MIT License (MIT) MIT + MIT-0 Eclipse Public License - v 1.0 EPL 2.0 EDL 1.0 diff --git a/pom.xml b/pom.xml index c0853b9f4..b55d3456f 100644 --- a/pom.xml +++ b/pom.xml @@ -87,7 +87,7 @@ 1.0 1.1.1 3.5 - 2.6.6 + 2.7.2 1.6.8 0.10.0 2.0.2 @@ -623,6 +623,8 @@ limitations under the License. **/*.cql **/*.txt **/*.p12 + **/*.crt + **/*.pem **/pom.xml.tag **/pom.xml.releaseBackup **/*.options