knox-commits mailing list archives

From kris...@apache.org
Subject svn commit: r1855785 - in /knox: site/ site/books/knox-1-3-0/ trunk/books/1.3.0/
Date Mon, 18 Mar 2019 18:33:01 GMT
Author: krisden
Date: Mon Mar 18 18:33:00 2019
New Revision: 1855785

URL: http://svn.apache.org/viewvc?rev=1855785&view=rev
Log:
KNOX-1818 - Update documentation with KNOX-1812 and KNOX-1111 configurable truststore information
(Robert Levas via Kevin Risden)

Modified:
    knox/site/books/knox-1-3-0/user-guide.html
    knox/site/index.html
    knox/site/issue-management.html
    knox/site/licenses.html
    knox/site/mailing-lists.html
    knox/site/project-info.html
    knox/site/team.html
    knox/trunk/books/1.3.0/book.md
    knox/trunk/books/1.3.0/book_service-details.md
    knox/trunk/books/1.3.0/config.md
    knox/trunk/books/1.3.0/config_mutual_authentication_ssl.md

Modified: knox/site/books/knox-1-3-0/user-guide.html
URL: http://svn.apache.org/viewvc/knox/site/books/knox-1-3-0/user-guide.html?rev=1855785&r1=1855784&r2=1855785&view=diff
==============================================================================
--- knox/site/books/knox-1-3-0/user-guide.html (original)
+++ knox/site/books/knox-1-3-0/user-guide.html Mon Mar 18 18:33:00 2019
@@ -130,6 +130,7 @@
       <li><a href="#Elasticsearch">Elasticsearch</a></li>
       <li><a href="#Common+Service+Config">Common Service Config</a></li>
       <li><a href="#Default+Service+HA+support">Default Service HA support</a></li>
+      <li><a href="#TLS/SSL+Certificate+Trust">TLS/SSL Certificate Trust</a></li>
     </ul>
   </li>
   <li><a href="#UI+Service+Details">UI Service Details</a></li>
@@ -761,13 +762,18 @@ https://{gateway-host}:{gateway-port}/{g
       <td><code>false</code></td>
     </tr>
     <tr>
+      <td><code>gateway.truststore.password.alias</code></td>
+      <td>OPTIONAL Alias for the password to the truststore file holding the trusted
client certificates. NOTE: An alias with the provided name should be created using <code>knoxcli.sh
create-alias</code> inorder to provide the password; else the master secret will be
used.</td>
+      <td><code>gateway-truststore-password</code></td>
+    </tr>
+    <tr>
       <td><code>gateway.truststore.path</code></td>
       <td>Location of the truststore for client certificates to be trusted</td>
-      <td><code>gateway.jks</code></td>
+      <td><code>null</code></td>
     </tr>
     <tr>
       <td><code>gateway.truststore.type</code></td>
-      <td>Indicates the type of truststore</td>
+      <td>Indicates the type of truststore at the path declared in <code>gateway.truststore.path</code></td>
       <td><code>JKS</code></td>
     </tr>
     <tr>
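Review bot: the Default column for `gateway.truststore.path` now reads `null`, but the mutual-authentication text in this same change says the identity keystore at `gateway.tls.keystore.path` is used when no truststore path is set; put that fallback in the description cell (e.g. "Location of the truststore for client certificates to be trusted. If unset, the keystore at `gateway.tls.keystore.path` is used.") rather than leaving a bare `null`. In the `gateway.truststore.password.alias` row, "inorder" should be "in order", and "should be created" understates the behaviour: when no alias is found the master secret is used silently, so a reader who created the alias under a different name gets no indication that the configured value was ignored.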
@@ -781,21 +787,36 @@ https://{gateway-host}:{gateway-port}/{g
       <td><code>254</code></td>
     </tr>
     <tr>
-      <td><code>gateway.httpclient.maxConnections</code></td>
-      <td>The maximum number of connections that a single HttpClient will maintain
to a single host:port.</td>
-      <td><code>32</code></td>
-    </tr>
-    <tr>
       <td><code>gateway.httpclient.connectionTimeout</code></td>
       <td>The amount of time to wait when attempting a connection. The natural unit
is milliseconds, but a &lsquo;s&rsquo; or &lsquo;m&rsquo; suffix may be used
for seconds or minutes respectively.</td>
       <td><code>20s</code></td>
     </tr>
     <tr>
+      <td><code>gateway.httpclient.maxConnections</code></td>
+      <td>The maximum number of connections that a single HttpClient will maintain
to a single host:port.</td>
+      <td><code>32</code></td>
+    </tr>
+    <tr>
       <td><code>gateway.httpclient.socketTimeout</code></td>
       <td>The amount of time to wait for data on a socket before aborting the connection.
The natural unit is milliseconds, but a &lsquo;s&rsquo; or &lsquo;m&rsquo;
suffix may be used for seconds or minutes respectively.</td>
       <td><code>20s</code></td>
     </tr>
     <tr>
+      <td><code>gateway.httpclient.truststore.password.alias</code></td>
+      <td>OPTIONAL Alias for the password to the truststore file holding the trusted
service certificates. NOTE: An alias with the provided name should be created using <code>knoxcli.sh
create-alias</code> inorder to provide the password; else the master secret will be
used.</td>
+      <td><code>gateway-httpclient-truststore-password</code></td>
+    </tr>
+    <tr>
+      <td><code>gateway.httpclient.truststore.path</code></td>
+      <td>Location of the truststore for service certificates to be trusted</td>
+      <td><code>null</code></td>
+    </tr>
+    <tr>
+      <td><code>gateway.httpclient.truststore.type</code></td>
+      <td>Indicates the type of truststore at the path declared in <code>gateway.httpclient.truststore.path</code></td>
+      <td><code>JKS</code></td>
+    </tr>
+    <tr>
       <td><code>gateway.httpserver.requestBuffer</code></td>
       <td>The size of the HTTP server request buffer in bytes</td>
       <td><code>16384</code></td>
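Review bot: the same two points apply to the new `gateway.httpclient.truststore.*` rows. The `null` default for `gateway.httpclient.truststore.path` hides that the Gateway's identity keystore is used as the trust store when it is unset (the new "TLS/SSL Certificate Trust" section in this change says so), and "inorder" should be "in order". The `gateway.httpclient.maxConnections` move is a pure reorder into alphabetical position, which is fine but makes the hunk look larger than the substantive change; worth calling out in the log so nobody hunts for a changed default.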
@@ -5213,22 +5234,26 @@ APACHE_HOME/bin/apachectl -k stop
     </tr>
     <tr>
       <td>gateway.truststore.path </td>
-      <td>Fully qualified path to the trust store to use. Default is the gateway.jks.</td>
+      <td>Fully qualified path to the trust store to use. Default is the keystore used
to hold the Gateway&rsquo;s identity. See <code>gateway.tls.keystore.path</code>.</td>
     </tr>
     <tr>
       <td>gateway.truststore.type </td>
       <td>Keystore type of the trust store. Default is JKS. </td>
     </tr>
     <tr>
+      <td>gateway.truststore.password.alias </td>
+      <td>Alias for the password to the trust store.</td>
+    </tr>
+    <tr>
       <td>gateway.trust.all.certs </td>
       <td>Allows for all certificates to be trusted. Default is false.</td>
     </tr>
   </tbody>
 </table>
-<p>By only indicating that it is needed with <code>gateway.client.auth.needed</code>,
the <code>{GATEWAY_HOME}/data/security/keystores/gateway.jks</code> keystore is
used. This is the identity keystore for the server and can also be used as the truststore.
We can specify the path to a dedicated truststore via <code>gateway.truststore.path</code>.
If the truststore password is different from the gateway master secret then it can be set
using</p>
-<pre><code>knoxcli.sh create-alias gateway-truststore-password --value {pwd}

+<p>By only indicating that it is needed with <code>gateway.client.auth.needed</code>,
the keystore identified by <code>gateway.tls.keystore.path</code> is used. By
default this is <code>{GATEWAY_HOME}/data/security/keystores/gateway.jks</code>.
This is the identity keystore for the server, which can also be used as the truststore. To
use a dedicated truststore, <code>gateway.truststore.path</code> may be set to
the absolute path of the truststore file.<br/>The type of truststore file should be
set using <code>gateway.truststore.type</code>; else, JKS will be assumed.<br/>If
the truststore password is different from the Gateway&rsquo;s master secret then it can
be set using</p>
+<pre><code>knoxcli.sh create-alias {password-alias} --value {pwd} 
 </code></pre>
-<p>Otherwise, the master secret will be used. If the truststore is not a JKS type then
it can be set via <code>gateway.truststore.type</code>.</p>
+<p>The password alias name (<code>{password-alias}</code>) is set using
<code>gateway.truststore.password.alias</code>; else, the alias name of &ldquo;gateway-truststore-password&rdquo;
should be used.<br/>If a password is not found using the provided (or default) alias
name, then the Gateway&rsquo;s master secret will be used.</p>
 <h2><a id="TLS+Client+Certificate+Provider">TLS Client Certificate Provider</a>
<a href="#TLS+Client+Certificate+Provider"><img src="markbook-section-link.png"/></a></h2>
 <p>The TLS client certificate authentication provider enables establishing the user
based on the client provided TLS certificate. The user will be the DN from the certificate.
This provider requires that the gateway is configured to require client authentication with
either <code>gateway.client.auth.wanted</code> or <code>gateway.client.auth.needed</code>
( <a href="#Mutual+Authentication+with+SSL">Mutual Authentication with SSL</a>
).</p>
 <h3><a id="Configuration">Configuration</a> <a href="#Configuration"><img
src="markbook-section-link.png"/></a></h3>
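Review bot: "the alias name of &ldquo;gateway-truststore-password&rdquo; should be used" reads as an instruction to the operator but describes a default; suggest "otherwise the alias `gateway-truststore-password` is used". The `gateway.trust.all.certs` row still says only "Allows for all certificates to be trusted"; now that it sits beside the truststore settings, state plainly that enabling it means any presented client certificate establishes trust regardless of the configured truststore, so it is not read as a convenience option. The `<br/>` breaks inside a single `<p>` come from trailing double spaces in the markdown source; separate sentences or paragraphs would render more cleanly.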
@@ -8288,6 +8313,38 @@ curl -i -k -u username:password -H &quot
 
  {&quot;acknowledged&quot;:true}
 </code></pre>
+<h3><a id="TLS/SSL+Certificate+Trust">TLS/SSL Certificate Trust</a> <a
href="#TLS/SSL+Certificate+Trust"><img src="markbook-section-link.png"/></a></h3>
+<p>When the Gateway dispatches requests to a configured service using TLS/SSL, that
service&rsquo;s certificate must be trusted inorder for the connection to succeed. To
do this, the Gateway checks a configured trust store for the service&rsquo;s certificate
or the certificate of the CA that issued that certificate. </p>
+<p>If not explicitly set, the Gateway will use its configured identity keystore as
the trust store. By default, this keystore is located at <code>{GATEWAY_HOME}/data/security/keystores/gateway.jks</code>;
however, a custom identity keystore may be set in the gateway-site.xml file. See <code>gateway.tls.keystore.password.alias</code>,
<code>gateway.tls.keystore.path</code>, and <code>gateway.tls.keystore.type</code>.
</p>
+<p>The trust store is configured at the Gatway-level. There is no support to set a
different trust store per service. To use a specific trust store, the following configuration
elements may be set in the gateway-site.xml file:</p>
+<table>
+  <thead>
+    <tr>
+      <th>Configuration Element </th>
+      <th>Description </th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>gateway.httpclient.truststore.path </td>
+      <td>Fully qualified path to the trust store to use. Default is the keystore used
to hold the Gateway&rsquo;s identity. See <code>gateway.tls.keystore.path</code>.</td>
+    </tr>
+    <tr>
+      <td>gateway.httpclient.truststore.type </td>
+      <td>Keystore type of the trust store. Default is JKS. </td>
+    </tr>
+    <tr>
+      <td>gateway.httpclient.truststore.password.alias </td>
+      <td>Alias for the password to the trust store.</td>
+    </tr>
+  </tbody>
+</table>
+<p>If <code>gateway.httpclient.truststore.path</code> is not set, the keystore
used to hold the Gateway&rsquo;s identity will be used as the trust store. </p>
+<p>However, if <code>gateway.httpclient.truststore.path</code> is set,
it is expected that <code>gateway.httpclient.truststore.type</code> and <code>gateway.httpclient.truststore.password.alias</code>
are set appropriately. If <code>gateway.httpclient.truststore.type</code> is not
set, the Gateway will assume the trust store is a JKS file. If <code>gateway.httpclient.truststore.password.alias</code>
is not set, the Gateway will assume the alias name is &ldquo;gateway-httpclient-truststore-password&rdquo;.
In any case, if the trust store password is different from the Gateway&rsquo;s master
secret then it can be set using</p>
+<pre><code>knoxcli.sh create-alias {password-alias} --value {pwd} 
+</code></pre>
+<p>If a password is not found using the provided (or default) alias name, then the
Gateway&rsquo;s master secret will be used.</p>
+<p>All topologies deployed within the Gateway instance will use the configured trust
store to verify a service&rsquo;s identity. </p>
 <h3><a id="Service+Test+API">Service Test API</a> <a href="#Service+Test+API"><img
src="markbook-section-link.png"/></a></h3>
 <p>The gateway supports a Service Test API that can be used to test Knox&rsquo;s
ability to connect to each of the different Hadoop services via a simple HTTP GET request.
To be able to access this API, one must add the following lines into the topology for which
you wish to run the service test.</p>
 <pre><code>&lt;service&gt;
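Review bot: "it is expected that `gateway.httpclient.truststore.type` and `gateway.httpclient.truststore.password.alias` are set appropriately" contradicts the two sentences that follow, which give defaults for both (JKS and `gateway-httpclient-truststore-password`); drop the "expected" clause and state that both are optional with those defaults. Typos: "Gatway-level" should be "Gateway-level" and "inorder" should be "in order". The closing sentence that all topologies share the one trust store restates the "no support to set a different trust store per service" paragraph; merging the two keeps the scope statement in one place.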

Modified: knox/site/index.html
URL: http://svn.apache.org/viewvc/knox/site/index.html?rev=1855785&r1=1855784&r2=1855785&view=diff
==============================================================================
--- knox/site/index.html (original)
+++ knox/site/index.html Mon Mar 18 18:33:00 2019
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 from src/site/markdown/index.md at
2019-03-14
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 from src/site/markdown/index.md at
2019-03-18
  | Rendered using Apache Maven Fluido Skin 1.7
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20190314" />
+    <meta name="Date-Revision-yyyymmdd" content="20190318" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Announcing Apache Knox 1.2.0!</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.7.min.css" />
@@ -40,7 +40,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2019-03-14</li>
+        <li id="publishDate">Last Published: 2019-03-18</li>
         </ul>
       </div>
       <div class="row-fluid">

Modified: knox/site/issue-management.html
URL: http://svn.apache.org/viewvc/knox/site/issue-management.html?rev=1855785&r1=1855784&r2=1855785&view=diff
==============================================================================
--- knox/site/issue-management.html (original)
+++ knox/site/issue-management.html Mon Mar 18 18:33:00 2019
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 from org.apache.maven.plugins:maven-project-info-reports-plugin:3.0.0:issue-management
at 2019-03-14
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 from org.apache.maven.plugins:maven-project-info-reports-plugin:3.0.0:issue-management
at 2019-03-18
  | Rendered using Apache Maven Fluido Skin 1.7
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20190314" />
+    <meta name="Date-Revision-yyyymmdd" content="20190318" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Issue Management</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.7.min.css" />
@@ -40,7 +40,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2019-03-14</li>
+        <li id="publishDate">Last Published: 2019-03-18</li>
         </ul>
       </div>
       <div class="row-fluid">

Modified: knox/site/licenses.html
URL: http://svn.apache.org/viewvc/knox/site/licenses.html?rev=1855785&r1=1855784&r2=1855785&view=diff
==============================================================================
--- knox/site/licenses.html (original)
+++ knox/site/licenses.html Mon Mar 18 18:33:00 2019
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 from org.apache.maven.plugins:maven-project-info-reports-plugin:3.0.0:licenses
at 2019-03-14
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 from org.apache.maven.plugins:maven-project-info-reports-plugin:3.0.0:licenses
at 2019-03-18
  | Rendered using Apache Maven Fluido Skin 1.7
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20190314" />
+    <meta name="Date-Revision-yyyymmdd" content="20190318" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project Licenses</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.7.min.css" />
@@ -40,7 +40,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2019-03-14</li>
+        <li id="publishDate">Last Published: 2019-03-18</li>
         </ul>
       </div>
       <div class="row-fluid">

Modified: knox/site/mailing-lists.html
URL: http://svn.apache.org/viewvc/knox/site/mailing-lists.html?rev=1855785&r1=1855784&r2=1855785&view=diff
==============================================================================
--- knox/site/mailing-lists.html (original)
+++ knox/site/mailing-lists.html Mon Mar 18 18:33:00 2019
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 from org.apache.maven.plugins:maven-project-info-reports-plugin:3.0.0:mailing-lists
at 2019-03-14
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 from org.apache.maven.plugins:maven-project-info-reports-plugin:3.0.0:mailing-lists
at 2019-03-18
  | Rendered using Apache Maven Fluido Skin 1.7
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20190314" />
+    <meta name="Date-Revision-yyyymmdd" content="20190318" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project Mailing Lists</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.7.min.css" />
@@ -40,7 +40,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2019-03-14</li>
+        <li id="publishDate">Last Published: 2019-03-18</li>
         </ul>
       </div>
       <div class="row-fluid">

Modified: knox/site/project-info.html
URL: http://svn.apache.org/viewvc/knox/site/project-info.html?rev=1855785&r1=1855784&r2=1855785&view=diff
==============================================================================
--- knox/site/project-info.html (original)
+++ knox/site/project-info.html Mon Mar 18 18:33:00 2019
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 from org.apache.maven.plugins:maven-site-plugin:3.7.1:CategorySummaryDocumentRenderer
at 2019-03-14
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 from org.apache.maven.plugins:maven-site-plugin:3.7.1:CategorySummaryDocumentRenderer
at 2019-03-18
  | Rendered using Apache Maven Fluido Skin 1.7
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20190314" />
+    <meta name="Date-Revision-yyyymmdd" content="20190318" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project Information</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.7.min.css" />
@@ -40,7 +40,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2019-03-14</li>
+        <li id="publishDate">Last Published: 2019-03-18</li>
         </ul>
       </div>
       <div class="row-fluid">

Modified: knox/site/team.html
URL: http://svn.apache.org/viewvc/knox/site/team.html?rev=1855785&r1=1855784&r2=1855785&view=diff
==============================================================================
--- knox/site/team.html (original)
+++ knox/site/team.html Mon Mar 18 18:33:00 2019
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 from org.apache.maven.plugins:maven-project-info-reports-plugin:3.0.0:team
at 2019-03-14
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 from org.apache.maven.plugins:maven-project-info-reports-plugin:3.0.0:team
at 2019-03-18
  | Rendered using Apache Maven Fluido Skin 1.7
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20190314" />
+    <meta name="Date-Revision-yyyymmdd" content="20190318" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project Team</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.7.min.css" />
@@ -40,7 +40,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2019-03-14</li>
+        <li id="publishDate">Last Published: 2019-03-18</li>
         </ul>
       </div>
       <div class="row-fluid">

Modified: knox/trunk/books/1.3.0/book.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/1.3.0/book.md?rev=1855785&r1=1855784&r2=1855785&view=diff
==============================================================================
--- knox/trunk/books/1.3.0/book.md (original)
+++ knox/trunk/books/1.3.0/book.md Mon Mar 18 18:33:00 2019
@@ -103,6 +103,7 @@
     * #[Elasticsearch]
     * #[Common Service Config]
     * #[Default Service HA support]
+    * #[TLS/SSL Certificate Trust]
 * #[UI Service Details]
 * #[Admin UI]
 * #[Limitations]

Modified: knox/trunk/books/1.3.0/book_service-details.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/1.3.0/book_service-details.md?rev=1855785&r1=1855784&r2=1855785&view=diff
==============================================================================
--- knox/trunk/books/1.3.0/book_service-details.md (original)
+++ knox/trunk/books/1.3.0/book_service-details.md Mon Mar 18 18:33:00 2019
@@ -94,4 +94,5 @@ Therefore each request via cURL will res
 <<service_avatica.md>>
 <<service_livy.md>>
 <<service_elasticsearch.md>>
+<<service_ssl_certificate_trust.md>>
 <<service_service_test.md>>
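Review bot: the new include `<<service_ssl_certificate_trust.md>>` references a file that does not appear in this revision's Modified list, and the commit carries no Added section, so `service_ssl_certificate_trust.md` was either committed separately or is missing from this change; confirm it is present under `knox/trunk/books/1.3.0/` or the include will not resolve when the book is rendered.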

Modified: knox/trunk/books/1.3.0/config.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/1.3.0/config.md?rev=1855785&r1=1855784&r2=1855785&view=diff
==============================================================================
--- knox/trunk/books/1.3.0/config.md (original)
+++ knox/trunk/books/1.3.0/config.md Mon Mar 18 18:33:00 2019
@@ -121,14 +121,18 @@ Property    | Description | Default
 `gateway.frontend.url`|The URL that should be used during rewriting so that it can rewrite
the URLs with the correct "frontend" URL|none
 `gateway.xforwarded.enabled`|Indicates whether support for some X-Forwarded-* headers is
enabled|`true`
 `gateway.trust.all.certs`|Indicates whether all presented client certs should establish trust|`false`
-`gateway.client.auth.needed`|Indicates whether clients are required to establish a trust
relationship with client certificates|`false`  
-`gateway.truststore.path`|Location of the truststore for client certificates to be trusted|`gateway.jks`

-`gateway.truststore.type`|Indicates the type of truststore|`JKS`
+`gateway.client.auth.needed`|Indicates whether clients are required to establish a trust
relationship with client certificates|`false`
+`gateway.truststore.password.alias`|OPTIONAL Alias for the password to the truststore file
holding the trusted client certificates. NOTE: An alias with the provided name should be created
using `knoxcli.sh create-alias` inorder to provide the password; else the master secret will
be used.|`gateway-truststore-password`
+`gateway.truststore.path`|Location of the truststore for client certificates to be trusted|`null`
+`gateway.truststore.type`|Indicates the type of truststore at the path declared in `gateway.truststore.path`|`JKS`
 `gateway.jdk.tls.ephemeralDHKeySize`|`jdk.tls.ephemeralDHKeySize`, is defined to customize
the ephemeral DH key sizes. The minimum acceptable DH key size is 1024 bits, except for exportable
cipher suites or legacy mode (`jdk.tls.ephemeralDHKeySize=legacy`)|`2048`
 `gateway.threadpool.max`|The maximum concurrent requests the server will process. The default
is 254. Connections beyond this will be queued.|`254`
-`gateway.httpclient.maxConnections`|The maximum number of connections that a single HttpClient
will maintain to a single host:port.|`32`
 `gateway.httpclient.connectionTimeout`|The amount of time to wait when attempting a connection.
The natural unit is milliseconds, but a 's' or 'm' suffix may be used for seconds or minutes
respectively.| `20s`
+`gateway.httpclient.maxConnections`|The maximum number of connections that a single HttpClient
will maintain to a single host:port.|`32`
 `gateway.httpclient.socketTimeout`|The amount of time to wait for data on a socket before
aborting the connection. The natural unit is milliseconds, but a 's' or 'm' suffix may be
used for seconds or minutes respectively.| `20s`
+`gateway.httpclient.truststore.password.alias`|OPTIONAL Alias for the password to the truststore
file holding the trusted service certificates. NOTE: An alias with the provided name should
be created using `knoxcli.sh create-alias` inorder to provide the password; else the master
secret will be used.|`gateway-httpclient-truststore-password`
+`gateway.httpclient.truststore.path`|Location of the truststore for service certificates
to be trusted|`null`
+`gateway.httpclient.truststore.type`|Indicates the type of truststore at the path declared
in `gateway.httpclient.truststore.path`|`JKS`
 `gateway.httpserver.requestBuffer`|The size of the HTTP server request buffer in bytes|`16384`
 `gateway.httpserver.requestHeaderBuffer`|The size of the HTTP server request header buffer
in bytes|`8192`
 `gateway.httpserver.responseBuffer`|The size of the HTTP server response buffer in bytes|`32768`
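Review bot: `gateway.truststore.path` and `gateway.httpclient.truststore.path` are given a default of `null`, while the prose elsewhere in this change says the identity keystore is used when they are unset; the description cells should say so. "inorder" should be "in order" in both `password.alias` rows. The removed `gateway.client.auth.needed` line ended in two trailing spaces (a markdown hard line break) that the re-added line drops; the cleanup is right, but it makes an otherwise unchanged row show as modified, which is worth a mention in the log.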

Modified: knox/trunk/books/1.3.0/config_mutual_authentication_ssl.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/1.3.0/config_mutual_authentication_ssl.md?rev=1855785&r1=1855784&r2=1855785&view=diff
==============================================================================
--- knox/trunk/books/1.3.0/config_mutual_authentication_ssl.md (original)
+++ knox/trunk/books/1.3.0/config_mutual_authentication_ssl.md Mon Mar 18 18:33:00 2019
@@ -26,14 +26,18 @@ The following table describes the config
 | Configuration Element                          | Description                          
                    |
 | -----------------------------------------------|-----------------------------------------------------------|
 | gateway.client.auth.needed                     | True\|False - indicating the need for
client authentication. Default is False.|
-| gateway.truststore.path                        | Fully qualified path to the trust store
to use. Default is the gateway.jks.|
+| gateway.truststore.path                        | Fully qualified path to the trust store
to use. Default is the keystore used to hold the Gateway's identity.  See `gateway.tls.keystore.path`.|
 | gateway.truststore.type                        | Keystore type of the trust store. Default
is JKS.         |
+| gateway.truststore.password.alias              | Alias for the password to the trust store.|
 | gateway.trust.all.certs                        | Allows for all certificates to be trusted.
Default is false.|
 
-By only indicating that it is needed with `gateway.client.auth.needed`, the `{GATEWAY_HOME}/data/security/keystores/gateway.jks`
keystore is used. This is the identity keystore for the server and can also be used as the
truststore.
-We can specify the path to a dedicated truststore via `gateway.truststore.path`. If the truststore
password is different from the gateway master secret then it can be set using
+By only indicating that it is needed with `gateway.client.auth.needed`, the keystore identified
by `gateway.tls.keystore.path` is used.  By default this is `{GATEWAY_HOME}/data/security/keystores/gateway.jks`.

+This is the identity keystore for the server, which can also be used as the truststore.
+To use a dedicated truststore, `gateway.truststore.path` may be set to the absolute path
of the truststore file.  
+The type of truststore file should be set using `gateway.truststore.type`; else, JKS will
be assumed.  
+If the truststore password is different from the Gateway's master secret then it can be set
using
 
-    knoxcli.sh create-alias gateway-truststore-password --value {pwd} 
+    knoxcli.sh create-alias {password-alias} --value {pwd} 
   
-Otherwise, the master secret will be used.
-If the truststore is not a JKS type then it can be set via `gateway.truststore.type`.
+The password alias name (`{password-alias}`) is set using `gateway.truststore.password.alias`;
else, the alias name of "gateway-truststore-password" should be used.  
+If a password is not found using the provided (or default) alias name, then the Gateway's
master secret will be used.
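Review bot: "the alias name of "gateway-truststore-password" should be used" describes the default rather than an instruction; suggest "otherwise the alias `gateway-truststore-password` is used". The table says "Fully qualified path" while the prose says "absolute path" for the same setting; pick one term. The `knoxcli.sh create-alias {password-alias} --value {pwd}` line keeps a trailing space, which is what produces the stray space after `{pwd}` in the rendered `<pre>` block in user-guide.html.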


