oracle / fmw-chef-cookbook

Official repository of samples that show how to use Chef to provision Oracle Fusion Middleware (FMW) products.
MIT License

nodemanager.properties does not support using 'custom' CAs #13

Status: Open. Opened by montge 7 years ago.

montge commented 7 years ago

Currently, while the nodemanager.properties allows enabling and disabling of SecureListener, it does not provide support for a custom trust store or identities. Ideally we would be able to have an encrypted databag that has the key file (PEM format), a certificate (PEM format), as well as the trusted chain (for generating the actual identity), as well as trusted CAs (PEM format). And that would be used to generate the appropriate configuration.

At minimum it would be good to support a 'shared' certificate that has SubjectAlternativeNames for DNS entries for all machines in a cluster. At best, supporting individual certs for each machine (nice to have, as that can get complicated really quickly).

Our current workaround is to add the valid certs in DemoTrusted into our custom trust file on the Admin Server.
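As an added illustration of the 'shared' certificate idea above (not code from the cookbook or from either commenter), this Ruby sketch checks that a shared certificate's SubjectAlternativeNames cover every cluster host before rendering the custom identity/trust lines for nodemanager.properties. The cluster hostnames and keystore paths are constructed sample values, and the property names are assumed to match WebLogic's documented custom identity and trust settings for your Node Manager version; passphrases are left out because they would come from the encrypted data bag.

```ruby
require 'openssl'

# Hostnames of every machine in the cluster (constructed sample values).
CLUSTER_HOSTS = %w[wls-admin.example.internal wls-node1.example.internal
                   wls-node2.example.internal].freeze

# DNS names carried in the certificate's subjectAltName extension.
def san_dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip).grep(/\ADNS:/).map { |v| v.delete_prefix('DNS:') }
end

# Cluster hosts the shared certificate does not name; Node Manager peers on
# these hosts would fail hostname verification against this identity.
def uncovered_hosts(cert_pem, hosts)
  names = san_dns_names(OpenSSL::X509::Certificate.new(cert_pem))
  hosts.reject { |h| names.include?(h) }
end

# Renders the Node Manager SSL lines for a custom identity/trust keystore pair.
# Property names are assumed from WebLogic's documented settings (verify for
# your version). Refuses to render when any cluster host is uncovered.
def nodemanager_ssl_properties(cert_pem:, hosts:, identity_jks:, trust_jks:, alias_name:)
  missing = uncovered_hosts(cert_pem, hosts)
  raise ArgumentError, "shared cert lacks SAN for: #{missing.join(', ')}" unless missing.empty?
  [
    'SecureListener=true',
    'KeyStores=CustomIdentityAndCustomTrust',
    "CustomIdentityKeyStoreFileName=#{identity_jks}",
    "CustomIdentityAlias=#{alias_name}",
    "CustomTrustKeyStoreFileName=#{trust_jks}"
  ].join("\n") + "\n"
end

# Self-signed certificate with the given SANs: constructed test data only.
def make_test_cert(dns_names)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=wls-shared')
  cert.public_key = key.public_key
  cert.not_before = Time.now; cert.not_after = cert.not_before + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('subjectAltName', dns_names.map { |d| "DNS:#{d}" }.join(',')))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end
```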

biemond commented 7 years ago

Hi,

We know this, and that's why we only support development mode. We don't have any plans to support certificates or production mode; that's why we didn't implement this. If we will support production mode, we will also support certificates on the nodemanager.

thanks

montge commented 7 years ago

We should probably revisit this discussion. We are noticing with the new patches to Java 6 and 7 that remove weak ciphers that this is an issue. Basically, when you turn on JSSE with the later versions of Java (at least 6u141 and 7u131), if you don't have your own certificates implemented, the SSL communication fails. Is this something that your team will consider code for if we fix the issue (at least from setting the properties file)?