  1. Red Hat Fuse
  2. ENTESB-6706

Changes to Fabric8 gateway SSL properties do not take immediate effect


    • Bug
    • Resolution: Done
    • Major
    • fuse-6.x-GA
    • jboss-fuse-6.3
    • Fabric8 v1

      1. Create a default java keystore at /home/kevin/keystore.jks, with all passwords set to "changeit"
      2. Install Fuse 6.3.0
      3. fabric::create
      4. container-create-child root gateway
      5. Edit the gateway-mq profile so that io.fabric8.gateway.detecting.properties looks as follows:

      # configures the protocol detecting gateway
      port=61616
      httpEnabled=true
      openWireEnabled=true
      stompEnabled=true
      mqttEnabled=true
      amqpEnabled=true
      sslEnabled=true
      keyStoreURL=file:/home/kevin/keystore.jks
      keyPassword = changeit
      keyStorePassword = changeit
      trustStoreURL=file:/home/kevin/keystore.jks
      trustStorePassword = changeit
      defaultVirtualHost=default
      zooKeeperPath=/fabric/registry/clusters/amq
      loadBalancerType=roundrobin
      stickyLoadBalancerCacheSize=10000
      

      6. container-add-profile gateway gateway-mq
      7. Test that the gateway accepts SSL connections using a simple Java test client, with the JVM configured to use keystore.jks as its keystore and trust store:

      $ java -Djavax.net.ssl.trustStore=/home/kevin/keystore.jks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStore=/home/kevin/keystore.jks -Djavax.net.ssl.keyStorePassword=changeit -jar target/amqutil-0.1.0-jar-with-dependencies.jar produce --url ssl://localhost:61616
      

      8. Change the keystore and truststore passwords in the gateway-mq profile
      9. Note that the client still works. Although logging shows that the gateway is re-initializing, the new passwords have not been read.


      The Fabric8 gateway supports SSL termination, and has a mechanism to define certificate properties:

      sslEnabled=true
      keyStoreURL=file:/home/kevin/keystore.jks
      keyPassword = changeit
      keyStorePassword = changeit
      trustStoreURL=file:/home/kevin/keystore.jks
      trustStorePassword = changeit
      

      Changing these properties appears from the logging to cause the gateway to refresh its configuration; but, in fact, no changes to the SSL configuration are actually effected. It is necessary to restart the gateway.
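
A post-change check for the behaviour described above, as an added example (not part of the original issue or of Fabric8). It covers the case where the change points keyStoreURL at a keystore holding a different certificate, and reports whether the listener on port 61616 still presents the old one. The PEM file names, the function names and the assumption that the handshake completes without a client certificate are this example's own.

```python
import hashlib
import socket
import ssl
import time

def sha256_fp(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def served_cert_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate the listener presents, without validating it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # inspection only: the chain is not verified
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def rotation_state(old_pem, new_pem, fetch, attempts=5, delay=2.0):
    """Poll the listener and classify what it serves after a profile change.

    Returns 'rotated' as soon as the new certificate is seen, 'stale' if the
    old one is still served on the last attempt, 'unexpected' otherwise.
    """
    old_fp = sha256_fp(ssl.PEM_cert_to_DER_cert(old_pem))
    new_fp = sha256_fp(ssl.PEM_cert_to_DER_cert(new_pem))
    seen = None
    for i in range(attempts):
        seen = sha256_fp(fetch())
        if seen == new_fp:
            return "rotated"
        if i + 1 < attempts:
            time.sleep(delay)       # give the gateway time to re-initialize
    return "stale" if seen == old_fp else "unexpected"

if __name__ == "__main__":
    # Hypothetical file names; export each certificate with
    #   keytool -exportcert -rfc -keystore <keystore.jks> -alias <alias> -file <out.pem>
    with open("old-cert.pem") as f_old, open("new-cert.pem") as f_new:
        state = rotation_state(f_old.read(), f_new.read(),
                               lambda: served_cert_der("localhost", 61616))
    print(state)
    raise SystemExit(0 if state == "rotated" else 1)
```

A "stale" result after the gateway logs a re-initialization matches the behaviour reported here: the new SSL settings are only in effect once the gateway has been restarted.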

              pantinor@redhat.com Paolo Antinori
              rhn-support-kboone Kevin Boone