Apache Ozone / HDDS-7335 Certificate renewal and revocation related cleanup / HDDS-7398

Implement a cleaner logic that removes old certs from the SCM DB


Description

While automatic certificate rotation is not implemented, there is a manual procedure that needs to be followed to renew the certificates in an Ozone cluster.
This procedure in simple steps:

• stop the service
• remove old key and certificate material from the metadata folders
• remove the omCertSerialID and scmCertSerialID fields from the respective service's VERSION file
• start the service

During this process, though, the old certificate is not cleared from the RocksDB of SCM.
The aim here is to implement a CLI tool that enables the removal of the old certificates. Ideally this tool should remove only certificates that have already expired, so that there is no possibility of unwillingly removing certificates from the DB that are still in use. The rest will be automated, and with this all old certificates can eventually be cleared.
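The selection rule the ticket asks for, as an added example that is not Ozone's own code: given an inventory of certificates from the SCM DB (a constructed list of serial ID plus expiry), the cleaner picks only certificates that are already expired. As an extra safety check (my assumption, not stated in the ticket) it also skips any serial still referenced by a *CertSerialID field of the service's VERSION file, which is parsed here as a Java-Properties-style key=value file.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class CertRecord:
    """One certificate entry as listed from the SCM DB (constructed model)."""
    serial_id: str
    not_after: datetime  # UTC expiry (notAfter) of the certificate


def parse_version_file(text: str) -> Dict[str, str]:
    """Parse a VERSION file: '#' comment lines, otherwise key=value lines."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def select_expired_certs(certs: Iterable[CertRecord],
                         version_props: Dict[str, str],
                         now: datetime) -> List[str]:
    """Serial IDs safe to delete: expired at 'now' and not referenced by any
    *CertSerialID field of the VERSION file (assumed still in use by a service)."""
    in_use = {v for k, v in version_props.items() if k.endswith("CertSerialID")}
    return sorted(c.serial_id for c in certs
                  if c.not_after <= now and c.serial_id not in in_use)


# Constructed sample data: a VERSION file still pointing at serial 1002,
# and three DB entries (old expired, expired but referenced, still valid).
VERSION_FILE = """#Tue Oct 25 10:00:00 UTC 2022
clusterID=CID-constructed-example
scmCertSerialID=1002
"""
CERTS = [
    CertRecord("1001", datetime(2022, 1, 1, tzinfo=timezone.utc)),
    CertRecord("1002", datetime(2022, 6, 1, tzinfo=timezone.utc)),
    CertRecord("1003", datetime(2024, 1, 1, tzinfo=timezone.utc)),
]


def run_example() -> List[str]:
    """Evaluate the sample at a fixed reference time; returns ['1001']."""
    now = datetime(2023, 1, 1, tzinfo=timezone.utc)
    return select_expired_certs(CERTS, parse_version_file(VERSION_FILE), now)
```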


People

sgal Szabolcs Gál
pifta István Fajth
