[SERVER-74791] Add override server parameter for X.509 clusterMembershipExtension
Created: 13/Mar/23  Updated: 31/Mar/23  Resolved: 31/Mar/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task
Priority: Major - P3
Reporter: Varun Ravichandran
Assignee: Backlog - Security Team
Resolution: Duplicate
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to SERVER-74996 Add override server parameter for X.5... Closed
Assigned Teams:
Server Security
Sprint: Security 2023-04-03
Participants:

Description

SERVER-74999 introduces a new configuration option that can be used to specify the value for a custom X.509 extension that client certificates must have in order to be considered peer servers. Customers may wish to rotate their certificates containing new values for the extension or even to switch between clusterMembershipExtension and the subject name attributes matching feature provided in SERVER-74989.

In order to support updates to this configuration option without downtime, this ticket will introduce a new server parameter that can be used to override the config option for clusterMembershipExtension. When set, clients presenting certificates with either the config option or the server parameter extension values will be accepted as peer nodes.

The ticket will also add test cases similar to the one detailed in SERVER-74996 to show how the server parameter can be used to update extensions or switch between subject name attribute matching and extensions.


Generated at Thu Feb 08 06:28:32 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.