...
inter.worker.key.generation.algorithm
- Purpose: the algorithm used to generate session keys
- Type: string
- Default: "HmacSHA256"
- Importance: low
inter.worker.key.size
- Purpose: the size of generated session keys, in bits; if null, the default key size for the generation algorithm will be used (see the KeyGenerator Javadocs; specifically: "In case the client does not explicitly initialize the KeyGenerator (via a call to an init method), each provider must supply (and document) a default initialization.")
- Type: int
- Default: null
- Importance: low
inter.worker.key.ttl.ms
- Purpose: how often to force a rotation of the internal key used for request validation, or 0 if forced rotation should never occur
- Type: long
- Default: 3600000 (one hour)
- Importance: low
inter.worker.signature.algorithm
- Purpose: the algorithm to use to sign internal requests when sent from a follower worker to the leader
- Type: string
- Default: "HmacSHA256"
- Importance: low
inter.worker.verification.algorithms
- Purpose: a list of supported algorithms for verifying internal requests that are received by the leader from a follower. This list must include the value provided for the inter.worker.signature.algorithm property
- Type: list
- Default: "HmacSHA256"
- Importance: low
...
Periodically (with frequency dictated by the inter.worker.key.ttl.ms property), the leader will compute a new session key and distribute it to the cluster.
The default algorithm used to sign requests will be HmacSHA256; this algorithm is guaranteed to be supported on all implementations of the Java Platform (source). However, users will be able to configure their cluster to use other algorithms with the inter.worker.signature.algorithm property if, for example, the default is not suitable for compliance with an existing security standard.
Similarly, the default algorithm used to generate request keys will also be HmacSHA256; again, this algorithm is guaranteed to be supported on all implementations of the Java Platform (source). And again, users will be able to configure their cluster to use other algorithms or keys of a different size with the inter.worker.key.generation.algorithm and inter.worker.key.size properties, respectively.
...
When a request is received by the leader, the request signature algorithm described by the X-Connect-Request-Signature-Algorithm header will be used to sign the request body and the resulting signature will be checked against the contents of the X-Connect-Authorization header. If the contents do not match, or the request signature algorithm is not in the list of permitted algorithms controlled by the inter.worker.verification.algorithms property, the request will be rejected.
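The leader-side check described above, as an added Java example that is not code from the original page or from the Kafka project. It assumes the signature is carried base64-encoded in X-Connect-Authorization and that the leader holds a single current session key; the class and method names are hypothetical.

```java
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.List;

// Hypothetical demo class; not Kafka Connect's implementation.
public class InterWorkerSignatureDemo {
    // Mirrors inter.worker.verification.algorithms (default from the page).
    static final List<String> ALLOWED = List.of("HmacSHA256");

    // Follower side: MAC the request body with the session key (base64 encoding is an assumption).
    static String sign(SecretKey key, String algorithm, byte[] body) throws GeneralSecurityException {
        Mac mac = Mac.getInstance(algorithm);
        mac.init(key);
        return Base64.getEncoder().encodeToString(mac.doFinal(body));
    }

    // Leader side: refuse unlisted algorithms before computing anything, then compare signatures.
    static boolean verify(SecretKey key, String algHeader, String authHeader, byte[] body) {
        if (algHeader == null || authHeader == null || !ALLOWED.contains(algHeader)) return false;
        try {
            Mac mac = Mac.getInstance(algHeader);
            mac.init(key);
            byte[] presented = Base64.getDecoder().decode(authHeader);
            return MessageDigest.isEqual(mac.doFinal(body), presented); // constant-time compare
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // invalid key or malformed base64 in the header
        }
    }

    public static void main(String[] args) throws Exception {
        // inter.worker.key.generation.algorithm=HmacSHA256; inter.worker.key.size unset (provider default)
        KeyGenerator generator = KeyGenerator.getInstance("HmacSHA256");
        SecretKey current = generator.generateKey();
        byte[] body = "{\"constructed\":\"request body\"}".getBytes(StandardCharsets.UTF_8);
        String sig = sign(current, "HmacSHA256", body);
        System.out.println("valid request: " + verify(current, "HmacSHA256", sig, body));
        System.out.println("tampered body: " + verify(current, "HmacSHA256", sig, "{}".getBytes(StandardCharsets.UTF_8)));
        // Correctly signed with the right key, but with an algorithm the leader does not list.
        String sha1Sig = sign(current, "HmacSHA1", body);
        System.out.println("unlisted algorithm: " + verify(current, "HmacSHA1", sha1Sig, body));
        // After the leader rotates the key (inter.worker.key.ttl.ms), a signature under the old key fails.
        SecretKey rotated = generator.generateKey();
        System.out.println("signed with old key: " + verify(rotated, "HmacSHA256", sig, body));
    }
}
```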
...