WHY: Cloud Foundry provides ability to rotate certs pretty frequently. By default the certs are rotated every day and change be changed to rotate every hour. Which creates a issue with Java applications. This rotation is essential to provide a strong security stance on client applications.
WHAT: Today Geode client applications, when establishing a TLS connection to the servers requires a path to the certificate, since these files would be changing we need a mechanism in Geode which will watch for these changes and use the new certs without causing service disruption.
Some options to consider
- Cloud Foundry has a lib which watches for changes to these certs (which are in pem format)and converts them and creates inmemory objects of TrustStore and KeyStore. If we have a mechanism in Geode to pass these objects instead of path to them, we might have a solution. Also, these objects gets updates after rotation so the geode code needs to consider that as well.
- Geode can develop its own capability to watch for change on the files and convert them to right format using OpenSSL and create files and pass them in. Update these file everytime someone updates the certs
- Geode starts accepting pem files and watches them directly for changes.
Key Outcomes to watch for:
1. Provide ability to rotate cert easily without downtime.