Bug 1038857

Summary: Enable SSLCACertificateFile on the Node to Facilitate SSL Mutual Auth
Product: OpenShift Container Platform
Reporter: Keith Robertson <kroberts>
Component: RFE
Assignee: jofernan
Status: CLOSED DUPLICATE
QA Contact:
Severity: high
Docs Contact:
Priority: medium
Version: 2.0.0
CC: agoldste, ansilva, bleanhar, dvarga, jkeck, jmoran, libra-onpremise-devel, lmeyer, lphiri
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Other
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-05-13 15:46:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1038853
Bug Blocks: 1042924

Description Keith Robertson 2013-12-06 00:14:34 UTC
Description of problem:
Due to the fact that OpenShift terminates SSL connections at the node level and not at the gear level, SSL mutual authentication is impossible without additional user-level controls to the node-level Apache VirtualHost.

Users need the ability to install CA certificates so that *clients* can be authenticated. In an Apache proxy this is accomplished via the SSLCACertificateFile mod_ssl setting[1].

This bug requests that the 'SSL Certificate' section of the administrator console be enhanced such that CA certificates can be uploaded for a particular gear.


[1] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatefile

Version-Release number of selected component (if applicable):
1.2 and 2.0

How reproducible:
Always

Expected results:
Users have the ability to make the necessary settings for SSL mutual auth.


Additional info:
BZ1038853
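
For reference, a sketch of what client-certificate verification looks like on an Apache VirtualHost that terminates SSL and proxies to a backend, which is the situation the description refers to. This is an added example, not part of the bug report and not OpenShift's node configuration; the hostname, file paths, backend address and `X-SSL-Client-*` header names are assumptions.

```apache
# Constructed example. Requires mod_ssl, mod_headers, mod_proxy and
# mod_proxy_http. Hostname, paths, backend address and header names
# are placeholders, not OpenShift defaults.
<VirtualHost *:443>
    ServerName app.example.com

    # Server side of the handshake
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/app.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/app.example.com.key

    # CA bundle used to verify *client* certificates. Any certificate
    # that chains to a CA in this file is accepted, so it should hold
    # only the CAs this application trusts.
    SSLCACertificateFile  /etc/pki/tls/certs/app-client-ca.crt

    # Refuse the handshake unless the client presents a valid
    # certificate; allow at most one intermediate CA below the root.
    SSLVerifyClient require
    SSLVerifyDepth  2

    # The backend never sees the TLS session, so pass the verification
    # result and subject DN as request headers. "set" overwrites any
    # value the client sent under the same header name.
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}s"

    # Forward to the application behind the proxy
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

The backend should accept these headers only from the proxy's address, since anything that reaches it directly could set them itself.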

Comment 2 Luke Meyer 2014-05-13 15:46:34 UTC
Expect that this will be rolled into any client cert verification implementation. Consolidating into one RFE.

*** This bug has been marked as a duplicate of bug 1038853 ***