[OPENDJ-6238] Proxy profile: still allows to use rsConnectionSecurity:none whilst use-mutual-tls is true Created: 26/Apr/19  Updated: 14/Nov/19  Resolved: 06/May/19

Status: Done
Project: OpenDJ
Component/s: proxy, setup
Affects Version/s: 7.0.0
Fix Version/s: 7.0.0

Type: Bug Priority: Major
Reporter: carole forel Assignee: Cedric Tran-Xuan
Resolution: Fixed Votes: 0
Labels: Verified

Issue Links:
Depends
is required by OPENDJ-6241 Doc: Mention support for mutual TLS b... Done
Epic Link: Bugs 7.0
Story Points: 1
QA Assignee: Michal Severin

 Description   

Found with rev 054825e4d76

With the ds-proxy-profile, use-mutual-tls is set to true by default.
Setting up this profile should forbid the use of rsConnectionSecurity:none

./PROXY1/opendj/setup --profile ds-proxy-server --set ds-proxy-server/rsConnectionSecurity:none --set ds-proxy-server/replicationServers:"nameserver.example.com:4448" --set ds-proxy-server/primaryGroupId:"1" --set ds-proxy-server/rsBindDn:"uid=admin" --set ds-proxy-server/rsBindPassword:"password" --set ds-proxy-server/proxyUserBindPassword:"password" --trustAll -h nameserver.example.com -p 1392 -D "uid=admin" -w password --adminConnectorPort 4447 --monitorUserDn "uid=Monitor" --monitorUserPassword password -O

Validating parameters..... Done
Configuring certificates..... Done
Configuring server..... Done
Configuring profile DS proxy server..... Done

To see basic server status and configuration, you can launch
/local/GIT/pyforge/results/20190426-161811/proxy_group/ReplicationDiscovery/PROXY1/opendj/bin/status

To reproduce and have all the servers set up and configured, you can use:

./run-pybot.py -n -v -s proxy_group.ReplicationDiscovery -t Verify_Preferred_Group_Id_Is_Chosen opendj


 Comments   
Comment by Cedric Tran-Xuan [ 30/Apr/19 ]

Since the proxy-server profile is configured to use mutual TLS by default, we can simply remove the value none from the possible values for ds-proxy-server/rsConnectionSecurity.
In this case, this would imply some doc changes in the install guide (docs/ds/7/install-guide/#setup-proxy) for setting up a proxy server with a static discovery mechanism. Indeed, in this case we use a fake configuration with ds-proxy-server/rsConnectionSecurity set to none.
cc Mark Craig

Comment by Matthew Swift [ 06/May/19 ]

carole forel - this is ready for testing.

Comment by Michal Severin [ 09/May/19 ]

Verified on 7.0.0-SNAPSHOT revision ecf5922b1d3

Generated at Sat Nov 28 23:23:09 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.