Status

Current-Status: Implemented

Discussion thread:

JIRA:  KNOX-1756

Motivation

The location of the keystore housing the Knox Gateway TLS certificate is hardcoded to <calculated from configs>/keystores/gateway.jks and the certificate alias is hardcoded to “gateway-identity”.  This limits the ability for external management facilities to setup a custom TLS identity for the Knox Gateway. For example, a host-wide, CA-signed, certificate.

Knox has configuration hooks for the following (optional) properties

Note: the calculation for the home directory is inconsistent with the other directory calculations. This inconsistency may be confusing to users and thus should be fixed to be

The path to the Knox Gateway TLS keystore is calculated as

[Security Directory] + [Path Separator] + “keystores” + [Path Separator] + “gateway.jks”

Design

To make it easier to use an externally provided TLS identity, the Knox Gateway should allow the TLS keystore file and alias names to be configurable. The following properties should be made available:

Additional methods for GatewayConfig should be added to improve consistency and prepare for potential changes to signing key related configurations

Note: the calculated values are set so they are backwards compatible with older versions of Knox to ease the upgrading process.

Hardcoded values related to the identity and signing keystore location and relevant alias names should be removed, using the GatewayConfig methods to provide configured or calculated values.  Assumptions that the keystore and key passwords are the master secret should be removed; however, if a password cannot be found via the AliasService, the fallback value should the master secret.