Project

General

Profile

Task #8859

Modify portal component to reload cached certificates when renewed on disk

Added by Chris Jones almost 3 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
d1_portal
Target version:
-
Start date:
2020-02-29
Due date:
% Done:

100%

Story Points:
Sprint:

Description

The Coordinating Node's SSL certificates get renewed approximately every three months through Let's Encrypt. This presents a problem for Metacat-based Member Nodes and the Metacat component of the CN because they both rely on the d1_portal component's TokenGenerator. This class is a singleton pattern, and the publicKey and privateKey class variables are essentially cached in memory due to the singleton instance. When the Let's Encrypt certificates renew on disk, the in-memory versions remain, and authentication fails when the CN Tomcat restarts (loading the new certs), but the various MN Tomcat instances don't restart, and continue using the old certificate. This is true for the reverse scenario too, when the MNs restart, but the CN hasn't yet.

To avoid this fragile scenario where we must coordinate restarts (certainly not scalable), modify the TokenGenerator to reload the SSL certificates when they change on disk so the in-memory version is up-to-date. Also, when a TokenGenerator.getSession(token) fails, reload the certificates from disk to ensure we are using up-to-date certificates.

Test this with Metacat installations that have also been updated with the new d1_portal jar file.

History

#1 Updated by Chris Jones over 2 years ago

  • % Done changed from 0 to 100
  • Status changed from New to Closed

This is complete. The TokenGenerator will now reload the certificate when there is a change, or when an authentication token fails to verify.

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 14.8 MB)