[OPENDJ-6238] Proxy profile: still allows to use rsConnectionSecurity:none whilst use-mutual-tls is true
Created: 26/Apr/19  Updated: 14/Nov/19  Resolved: 06/May/19

Status: Done
Project: OpenDJ
Component/s: proxy, setup
Affects Version/s: 7.0.0
Fix Version/s: 7.0.0

Type: Bug
Priority: Major
Reporter: carole forel
Assignee: Cedric Tran-Xuan
Resolution: Fixed
Votes: 0
Labels: Verified

Issue Links:
is required by OPENDJ-6241 Doc: Mention support for mutual TLS b... Done
Epic Link: Bugs 7.0
Story Points: 1
QA Assignee: Michal Severin


Found with rev 054825e4d76

With the ds-proxy-profile, use-mutual-tls is set to true by default.
Setting up this profile should forbid the use of rsConnectionSecurity:none.

./PROXY1/opendj/setup --profile ds-proxy-server --set ds-proxy-server/rsConnectionSecurity:none --set ds-proxy-server/replicationServers:"nameserver.example.com:4448" --set ds-proxy-server/primaryGroupId:"1" --set ds-proxy-server/rsBindDn:"uid=admin" --set ds-proxy-server/rsBindPassword:"password" --set ds-proxy-server/proxyUserBindPassword:"password" --trustAll -h nameserver.example.com -p 1392 -D "uid=admin" -w password --adminConnectorPort 4447 --monitorUserDn "uid=Monitor" --monitorUserPassword password -O

Validating parameters..... Done
Configuring certificates..... Done
Configuring server..... Done
Configuring profile DS proxy server..... Done

To see basic server status and configuration, you can launch

To reproduce and have all the servers set up and configured, you can use:

./run-pybot.py -n -v -s proxy_group.ReplicationDiscovery -t Verify_Preferred_Group_Id_Is_Chosen opendj

Comment by Cedric Tran-Xuan [ 30/Apr/19 ]

Since the proxy-server profile is configured to use mutual TLS by default, we can simply remove none from the possible values for ds-proxy-server/rsConnectionSecurity.
In this case, this would imply some doc changes in the install guide (docs/ds/7/install-guide/#setup-proxy) for setting up a proxy server with a static discovery mechanism. Indeed, in this case we use a fake configuration with ds-proxy-server/rsConnectionSecurity set to none.
cc Mark Craig

Comment by Matthew Swift [ 06/May/19 ]

carole forel - this is ready for testing.

Comment by Michal Severin [ 09/May/19 ]

Verified on 7.0.0-SNAPSHOT revision ecf5922b1d3
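
A pre-deployment check for the combination reported in this ticket, as an added example that is not part of the original issue or of OpenDJ: it parses a setup command line and flags a ds-proxy-server profile that sets rsConnectionSecurity to none. The profile and parameter names come from the command in the description; the function names and sample commands are constructed for illustration.

```python
import shlex

# Names taken from the command in the ticket; function names are hypothetical.
PROFILE = "ds-proxy-server"
PARAM = PROFILE + "/rsConnectionSecurity"


def parse_setup_args(command):
    """Split a setup command line into its --profile names and --set pairs."""
    tokens = shlex.split(command)  # honours shell quoting, e.g. --set "a/b:c"
    profiles, settings = [], []
    for opt, arg in zip(tokens, tokens[1:]):
        if opt == "--profile":
            profiles.append(arg)
        elif opt == "--set":
            # Split on the first ':' only; values such as host:port keep theirs.
            key, _, value = arg.partition(":")
            settings.append((key, value))
    return profiles, settings


def find_conflicts(command):
    """Return findings for a proxy setup that asks for an unsecured RS link."""
    profiles, settings = parse_setup_args(command)
    if PROFILE not in profiles:
        return []
    findings = []
    for key, value in settings:
        # Compare case-insensitively so that no spelling slips past the check
        # (an assumption; the ticket only shows the lowercase form).
        if key == PARAM and value.strip().lower() == "none":
            findings.append(f"{key}:{value} conflicts with use-mutual-tls=true")
    return findings


# Constructed sample commands, trimmed from the one in the ticket.
BAD = ('./setup --profile ds-proxy-server '
       '--set ds-proxy-server/rsConnectionSecurity:none '
       '--set ds-proxy-server/replicationServers:"nameserver.example.com:4448"')
QUOTED = ('./setup --profile ds-proxy-server '
          '--set "ds-proxy-server/rsConnectionSecurity:none"')
DEFAULTS = ('./setup --profile ds-proxy-server '
            '--set ds-proxy-server/replicationServers:"nameserver.example.com:4448"')

if __name__ == "__main__":
    for cmd in (BAD, QUOTED, DEFAULTS):
        print(find_conflicts(cmd) or "ok")
```

Run over deployment scripts, this catches the setting on versions where setup still accepts it.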
