User specific X.509 certificates for Hops TLS

Description

In the current implementation all Hops superusers share the same X.509 certificate when they make an RPC request. This is problematic as we can't identify users by their certificate's CN.

The proposal is that each login user gets a separate X.509 certificate signed by the Hops CA, with its own private key. The cryptographic material will reside in a well-known directory and will have the form:

  • {USERNAME}__kstore.jks

  • {USERNAME}__tstore.jks

  • {USERNAME}__passwd

HopsSSLSocketFactory would then pick the keystores to read based on the login name, instead of reading ssl-server.xml.

This requires changes in Chef cookbooks too to generate per-user certificates.
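The following is an added illustration of the per-user layout described above; it is not HopsSSLSocketFactory or any other code from the Hops project. It resolves {USERNAME}__kstore.jks, {USERNAME}__tstore.jks and {USERNAME}__passwd under a base directory, refuses material that is readable by group or others, and checks that the certificate's CN actually equals the login name before building an SSLContext from it, which is the property the ticket is after. The base directory, the single shared password for both stores and the username character whitelist are assumptions made for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Example only (not the project's code): loads per-user TLS material laid out as
 *   {baseDir}/{USERNAME}__kstore.jks, {USERNAME}__tstore.jks, {USERNAME}__passwd
 * and builds an SSLContext whose client certificate identifies that user.
 * Assumption: the one __passwd file unlocks both the keystore and the truststore.
 */
public final class PerUserSslMaterial {

    private final Path baseDir;

    public PerUserSslMaterial(Path baseDir) { this.baseDir = baseDir; }

    Path keyStorePath(String user)   { return baseDir.resolve(user + "__kstore.jks"); }
    Path trustStorePath(String user) { return baseDir.resolve(user + "__tstore.jks"); }
    Path passwordPath(String user)   { return baseDir.resolve(user + "__passwd"); }

    /** Reject login names that could escape the well-known directory ("../", "/" etc.). */
    static String sanitizeUser(String user) {
        if (user == null || !user.matches("[A-Za-z0-9._-]+")) {
            throw new IllegalArgumentException("unsafe login name: " + user);
        }
        return user;
    }

    /** The password file unlocks the private key, so it must be owner-only. */
    static void requireOwnerOnly(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        for (PosixFilePermission perm : perms) {
            String n = perm.name();
            if (n.startsWith("GROUP_") || n.startsWith("OTHERS_")) {
                throw new IOException(p + " must not be accessible by group or others");
            }
        }
    }

    static char[] readPassword(Path p) throws IOException {
        requireOwnerOnly(p);
        return new String(Files.readAllBytes(p), StandardCharsets.UTF_8).trim().toCharArray();
    }

    static KeyStore loadJks(Path p, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(p)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Every key entry's certificate must carry CN={user}; otherwise the RPC peer would misidentify the caller. */
    static void requireCnMatches(KeyStore ks, String user)
            throws GeneralSecurityException, InvalidNameException {
        boolean sawKey = false;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            sawKey = true;
            Certificate c = ks.getCertificate(alias);
            boolean match = false;
            if (c instanceof X509Certificate) {
                String dn = ((X509Certificate) c).getSubjectX500Principal().getName();
                for (Rdn rdn : new LdapName(dn).getRdns()) {
                    if ("CN".equalsIgnoreCase(rdn.getType()) && user.equals(String.valueOf(rdn.getValue()))) {
                        match = true;
                    }
                }
            }
            if (!match) throw new GeneralSecurityException("CN of alias " + alias + " is not " + user);
        }
        if (!sawKey) throw new GeneralSecurityException("no private key entry in keystore for " + user);
    }

    public SSLContext contextFor(String loginUser)
            throws IOException, GeneralSecurityException, InvalidNameException {
        String user = sanitizeUser(loginUser);
        char[] password = readPassword(passwordPath(user));
        try {
            KeyStore ks = loadJks(keyStorePath(user), password);
            requireCnMatches(ks, user);
            KeyStore ts = loadJks(trustStorePath(user), password);

            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, password);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);

            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            return ctx;
        } finally {
            Arrays.fill(password, '\0'); // do not leave the keystore password lying around in the heap
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed directory for the example; a deployment would configure its own.
        Path dir = Paths.get(args.length > 0 ? args[0] : "/srv/hops/certs");
        String user = System.getProperty("user.name");
        SSLContext ctx = new PerUserSslMaterial(dir).contextFor(user);
        System.out.println("Loaded per-user TLS context for " + user + " (" + ctx.getProtocol() + ")");
    }
}
```

The CN check is the part worth keeping in mind when the Chef cookbooks generate the material: if the cookbook ever issues a certificate whose CN differs from the directory-name prefix, a factory that only trusts the filename would silently present the wrong identity, so the loader should refuse rather than proceed.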

Assignee

Antonios Kouzoupis

Reporter

Antonios Kouzoupis

Labels

None

Fix versions

Affects versions

Priority

Medium