Story
Resolution: Done
Medium
None
PM-Mapper - Make certificate dependencies configurable
If the following cert/trust are not available, the application fails to start up. Need to support non-TLS mode as a configuration option, with the k8s service definition updated to remove https.
key_store_path: /opt/app/pm-mapper/etc/cert/cert.jks
key_store_pass_path: /opt/app/pm-mapper/etc/cert/jks.pass
trust_store_path: /opt/app/pm-mapper/etc/cert/trust.jks
trust_store_pass_path: /opt/app/pm-mapper/etc/cert/trust.pass
Note: This has a dependency on DCAEGEN2-3032 for the DMaaP interfaces' switch to unauthenticated.
(Updated 02/07/2022)
Per SECCOM recommendation from TonyLHansen
The security guidelines are that it's okay to have a path that goes to an insecure mode, but it must be EXPLICITLY configured. That is, the default case is always secure, and a lack of information to support that is an error condition, unless that explicit configuration is added.
For PM-Mapper, the following property can be used to control TLS. It defaults to "true": when it is set to true (or if the property is missing), the application should default to TLS mode, and if the certificates are missing/null, application startup failure is expected (an exception must be thrown).
enable_tls: true
When enable_tls is set to false, the application does not check for certificates and supports non-TLS mode.
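The behaviour described above, sketched as a startup check in Java. This is an added example, not PM-Mapper's own code: the class and method names are hypothetical, and rejecting an unrecognised enable_tls value is an assumption made here.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

/** Hypothetical startup check; class and method names are not PM-Mapper's. */
public class TlsStartupCheck {
    // Property names as listed in this issue.
    static final List<String> CERT_KEYS = List.of("key_store_path", "key_store_pass_path",
            "trust_store_path", "trust_store_pass_path");

    /** Returns true for TLS mode, false only when enable_tls is explicitly "false". */
    static boolean resolveTlsMode(Map<String, String> config) {
        String raw = config.get("enable_tls");
        // Boolean.parseBoolean would turn a typo such as "flase" into false and
        // silently disable TLS, so only the exact opt-out value is accepted.
        if (raw != null && raw.trim().equalsIgnoreCase("false")) {
            return false; // explicit opt-out: certificates are not checked
        }
        if (raw != null && !raw.trim().equalsIgnoreCase("true")) {
            // Assumption: an unrecognised value is treated as a configuration error.
            throw new IllegalStateException("enable_tls must be true or false, got: " + raw);
        }
        // Property missing or true: TLS mode, so every certificate input must be usable.
        List<String> problems = new ArrayList<>();
        for (String key : CERT_KEYS) {
            String value = config.get(key);
            if (value == null || value.isBlank()) {
                problems.add(key + " is not set");
            } else if (!Files.isReadable(Path.of(value))) {
                problems.add(key + " is not readable: " + value);
            }
        }
        if (!problems.isEmpty()) {
            throw new IllegalStateException("TLS mode requires certificates: " + problems);
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample configs; none of them supplies certificate paths.
        for (Map<String, String> cfg : List.of(Map.of("enable_tls", "false"),
                Map.<String, String>of(), Map.of("enable_tls", "flase"))) {
            try {
                System.out.println(cfg + " -> TLS " + resolveTlsMode(cfg));
            } catch (IllegalStateException e) {
                System.out.println(cfg + " -> startup refused: " + e.getMessage());
            }
        }
    }
}
```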
- is blocked by: DCAEGEN2-3032 Migrate PM-Mapper to use unauthenticated topic (Closed)