  1. ZooKeeper
  2. ZOOKEEPER-4259

Allow AdminServer to force https

    Details

      Description

      Since port unification (ZOOKEEPER-3371), AdminServer supports https. But there is no way to disable http and allow https only. It is my understanding that to be FIPS compliant, only https is allowed. This is one reason it is good to have such a feature.

      To enable https currently, we need to set these parameters in zoo.cfg:

      ssl.quorum.keyStore.location=/tmp/zookeeper/keystore.jks
      ssl.quorum.keyStore.password=password
      ssl.quorum.trustStore.location=/tmp/zookeeper/truststore.jks
      ssl.quorum.trustStore.password=password
      
      admin.portUnification=true
      

      I generated keystore and truststore with the following commands:

      #create test/dev keystore/truststore (ZK runs only on localhost)
      keytool -genkeypair -alias zk.dev -keyalg RSA -keysize 2048 -dname "cn=zk.dev" -keypass password -keystore /tmp/zookeeper/keystore.jks -ext san=dns:localhost -storepass password
      
      keytool -exportcert -alias zk.dev -keystore /tmp/zookeeper/keystore.jks -file /tmp/zookeeper/zk.dev.cer -rfc
      
      keytool -keystore /tmp/zookeeper/truststore.jks -storepass password -importcert -alias zk.dev -file /tmp/zookeeper/zk.dev.cer
      
      #check
      keytool -list -v -keystore /tmp/zookeeper/truststore.jks
      

              People

              • Assignee:
                nkalmar Norbert Kalmár
                Reporter:
                nkalmar Norbert Kalmár
              • Votes:
                0
                Watchers:
                1

                  Time Tracking

                  Estimated:
                  Not Specified
                  Remaining:
                  0h
                  Logged:
                  2h
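
Added example (not part of the original issue or of ZooKeeper's code): a Python probe that checks which transports an AdminServer port accepts, so the "http+https" state described in the issue can be told apart from an https-only listener. The function names, the default port 8080 and the path /commands are assumptions; passing the PEM file exported with `keytool -exportcert ... -rfc` as `cafile` makes the handshake verify the certificate.

```python
import socket
import ssl
import sys

def plain_http_status(host, port, path="/commands", timeout=3.0):
    """Send a cleartext GET; return the HTTP status code, or None if no HTTP reply."""
    req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(req.encode("ascii"))
            parts = sock.recv(64).split()
    except OSError:
        return None
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None

def accepts_tls(host, port, cafile=None, timeout=3.0):
    """True if a TLS handshake completes. cafile: PEM cert to trust, e.g. the
    zk.dev.cer exported with -rfc; without it the certificate is not verified."""
    if cafile:
        ctx = ssl.create_default_context(cafile=cafile)
    else:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # handshake-only probe, no trust decision
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:  # includes ssl.SSLError and timeouts
        return False

def admin_transport_mode(host, port, cafile=None, timeout=3.0):
    """Classify the port as 'http+https', 'https-only', 'http-only' or 'unreachable'."""
    http = plain_http_status(host, port, timeout=timeout) is not None
    tls = accepts_tls(host, port, cafile, timeout)
    if http and tls:
        return "http+https"  # the state this issue describes
    if tls:
        return "https-only"
    return "http-only" if http else "unreachable"

if __name__ == "__main__":
    # Usage: probe.py [host] [port] [ca.pem]; 8080 is an assumed AdminServer port.
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    mode = admin_transport_mode(host, port, cafile)
    print(f"{host}:{port} -> {mode}")
    sys.exit(0 if mode == "https-only" else 1)
```

The script exits non-zero unless the port is https-only, so it can be used as a deployment check.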