Hot reloading of SSL certificates in gremlin-server
Hey. I'm trying to understand how SSL/TLS certificates are handled in TinkerPop.Based on this code (https://github.com/apache/tinkerpop/blob/9627b78bcf38a0faf6a94dcd8ae3b80390d837f7/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/AbstractChannelizer.java#L324-L354), keystore files (certificates) are loaded once, on Channelizer initialization.
This would mean that a Channel keeps using the same certificate for its lifespan and, assuming they are long-lived, I imagine this could be an issue if users want to refresh their certificates often.
Would there be a way to reload those certicates (e.g. periodically, on file change)?
If not, would you have a suggested approach that would make sense to contribute?
As an example, grpc-java, which is also based on Netty, offers this solution: https://github.com/grpc/grpc-java/pull/8175/
Thanks!
GitHub
This pull request adds the following classes to io.grpc.util:
an AdvancedTlsX509TrustManager that supports
reloading root certificates from the file system or memory
disabling host name verificat...
an AdvancedTlsX509TrustManager that supports
reloading root certificates from the file system or memory
disabling host name verificat...
GitHub
Apache TinkerPop - a graph computing framework. Contribute to apache/tinkerpop development by creating an account on GitHub.
Solution
It might be worth taking a look at this solution someone created which uses scheduled file based change detection https://github.com/Hakky54/java-tutorials/blob/main/instant-server-ssl-reloading-with-netty/netty-server/README.md
GitHub
A repository containing different java tutorials - Hakky54/java-tutorials
A repository containing different java tutorials - Hakky54/java-tutorials
Apache TinkerPop is an open source graph computing framework and the home of the Gremlin graph query language.
1,376Members
Resources
Was this page helpful?
