insight-platform · ksenia-vazhdaeva · Aug 6, 2024 · Jul 31, 2024
diff --git a/benches/config/client_nginx_config.json b/benches/config/client_nginx_config.json
@@ -2,11 +2,11 @@
   "ip": "0.0.0.0",
   "port": 8081,
   "url": "https://nginx:443",
-  "ssl": {
-    "server_certificate": "/etc/certs/ca.crt",
+  "tls": {
+    "root_certificate": "/etc/certs/ca.crt",
     "identity": {
       "certificate": "/etc/certs/client.crt",
-      "certificate_key": "/etc/certs/client.key"
+      "key": "/etc/certs/client.key"
     }
   },
   "in_stream": {

diff --git a/benches/config/client_ssl_config.json → benches/config/client_tls_config.json b/benches/config/client_ssl_config.json → benches/config/client_tls_config.json
@@ -2,11 +2,11 @@
   "ip": "0.0.0.0",
   "port": 8081,
   "url": "https://media-gateway-server:8080",
-  "ssl": {
-    "server_certificate": "/etc/certs/ca.crt",
+  "tls": {
+    "root_certificate": "/etc/certs/ca.crt",
     "identity": {
       "certificate": "/etc/certs/client.crt",
-      "certificate_key": "/etc/certs/client.key"
+      "key": "/etc/certs/client.key"
     }
   },
   "in_stream": {

diff --git a/benches/config/server_ssl_config.json → benches/config/server_tls_config.json b/benches/config/server_ssl_config.json → benches/config/server_tls_config.json
@@ -1,14 +1,12 @@
 {
   "ip": "0.0.0.0",
   "port": 8080,
-  "ssl": {
+  "tls": {
     "identity": {
       "certificate": "/etc/certs/server.crt",
-      "certificate_key": "/etc/certs/server.key"
+      "key": "/etc/certs/server.key"
     },
-    "client": {
-      "certificate_directory": "/etc/certs/lookup-hash-dir"
-    }
+    "peer_lookup_hash_directory": "/etc/certs/lookup-hash-dir"
   },
   "out_stream": {
     "url": "pub+bind:ipc:///tmp/server",

diff --git a/benches/multi-stream-source.yaml b/benches/multi-stream-source.yaml
@@ -12,7 +12,7 @@ services:
       - 8080:8080
     volumes:
       - /tmp:/tmp
-      - ./config/server_ssl_config.json:/opt/etc/config.json
+      - ./config/server_tls_config.json:/opt/etc/config.json
       - ./ca/certs/server.crt:/etc/certs/server.crt
       - ./ca/certs/server.key:/etc/certs/server.key
       - ./ca/lookup-hash-dir:/etc/certs/lookup-hash-dir
@@ -29,7 +29,7 @@ services:
       - media-gateway-server
     volumes:
       - /tmp:/tmp
-      - ./config/client_ssl_config.json:/opt/etc/config.json
+      - ./config/client_tls_config.json:/opt/etc/config.json
       - ./ca/ca.crt:/etc/certs/ca.crt
       - ./ca/certs/client.crt:/etc/certs/client.crt
       - ./ca/certs/client.key:/etc/certs/client.key

diff --git a/docs/source/cookbook/1_tls.rst b/docs/source/cookbook/1_tls.rst
@@ -25,20 +25,18 @@ Self-signed server certificates
 .. code-block:: json
     :caption: server
 
-    "ssl": {
-        "server": {
+    "tls": {
+        "identity": {
             "certificate": "server.crt",
-            "certificate_key": "server.key"
+            "key": "server.key"
         }
     }
 
 .. code-block:: json
     :caption: client
 
-    "ssl": {
-        "server": {
-            "certificate": "server.crt"
-        }
+    "tls": {
+        "root_certificate": "server.crt"
     }
 
 Signed by a private CA server certificates
@@ -53,20 +51,18 @@ Signed by a private CA server certificates
 .. code-block:: json
     :caption: server
 
-    "ssl": {
-        "server": {
+    "tls": {
+        "identity": {
             "certificate": "server.crt",
-            "certificate_key": "server.key"
+            "key": "server.key"
         }
     }
 
 .. code-block:: json
     :caption: client
 
-    "ssl": {
-        "server": {
-            "certificate": "ca.crt"
-        }
+    "tls": {
+        "root_certificate": "ca.crt"
     }
 
 Signed by a public CA server certificates
@@ -79,10 +75,10 @@ Signed by a public CA server certificates
 .. code-block:: json
     :caption: server
 
-    "ssl": {
-        "server": {
+    "tls": {
+        "identity": {
             "certificate": "server.crt",
-            "certificate_key": "server.key"
+            "key": "server.key"
         }
     }
 
@@ -97,23 +93,23 @@ The server uses a store with trusted X509 certificates to verify peer certificat
 
 ``ca.crl`` is a file with CRL in PEM format.
 
-``/opt/etc/store`` is a directory with CA certificates and CRLs.
+``/opt/etc/certs/lookup-hash-dir`` is a directory with CA certificates and CRLs.
 
 To add a new certificate and corresponding CRL
 
 .. code-block:: bash
 
     CA_HASH=$(openssl x509 -in ca.crt -subject_hash -noout)
 
-    cp ca.crt "/opt/etc/store/$CA_HASH.0"
+    cp ca.crt "/opt/etc/certs/lookup-hash-dir/$CA_HASH.0"
 
     CRL_HASH=$(openssl crl -in ca.crl -hash -noout)
 
-    cp ca.crl "/opt/etc/store/$CRL_HASH.r0"
+    cp ca.crl "/opt/etc/certs/lookup-hash-dir/$CRL_HASH.r0"
 
 To enable client certificate authentication in Media Gateway update both server and client configuration.
 
-``/opt/etc/store`` is a directory with CA certificates and CRLs.
+``/opt/etc/certs/lookup-hash-dir`` is a directory with CA certificates and CRLs.
 
 ``client.crt`` is a file with a client certificate in PEM format.
 
@@ -122,25 +118,19 @@ To enable client certificate authentication in Media Gateway update both server
 .. code-block:: json
     :caption: server
 
-    "ssl": {
-        "server": {
-            // see HTTPS section
-        },
-        "client": {
-            "certificate_directory": "/opt/etc/store"
-        }
+    "tls": {
+        // see HTTPS section
+        "peer_lookup_hash_directory" : "/opt/etc/certs/lookup-hash-dir"
     }
 
 .. code-block:: json
     :caption: client
 
-    "ssl": {
-        "server": {
-            // see HTTPS section
-        },
-        "client": {
+    "tls": {
+        // see HTTPS section
+        "identity": {
             "certificate": "client.crt",
-            "certificate_key": "client.key"
+            "key": "client.key"
         }
     }
 
@@ -284,9 +274,9 @@ To generate a server certificate signed by CA with a simple subject name and DNS
 
 .. code-block:: bash
 
-    openssl genpkey -algorithm RSA -out server.key
+    openssl genpkey -algorithm RSA -out certs/server.key
 
-    openssl req -new -key server.key -out server.csr -subj "/CN=server.example.com"
+    openssl req -new -key certs/server.key -out certs/server.csr -subj "/CN=server.example.com"
 
     openssl ca -config ca.conf -in certs/server.csr -out certs/server.crt -extfile <(echo 'basicConstraints=CA:FALSE
     nsComment="OpenSSL Generated Certificate"
@@ -329,17 +319,17 @@ To prepare certificates signed by the CA for `X509_LOOKUP_hash_dir method <https
 
 .. code-block:: bash
 
-    mkdir certs/client
+    mkdir lookup-hash-dir
 
     CA_HASH=$(openssl x509 -in ca.crt -subject_hash -noout)
 
-    cp ca.crt "certs/client/$CA_HASH.0"
+    cp ca.crt "lookup-hash-dir/$CA_HASH.0"
 
     openssl ca -config ca.conf -gencrl -out crl/ca.crl
 
     CRL_HASH=$(openssl crl -in crl/ca.crl -hash -noout)
 
-    cp crl/ca.crl "certs/client/$CRL_HASH.r0"
+    cp crl/ca.crl "lookup-hash-dir/$CRL_HASH.r0"
 
 A filename has the form ``hash.N`` for a certificate and the form ``hash.rN`` for a CRL where N is a sequence number that starts at zero, and is incremented consecutively for each certificate or CRL with the same hash value.
 
@@ -356,6 +346,6 @@ To revoke a client certificate signed by the CA
 
     CRL_HASH=$(openssl crl -in crl/ca.crl -hash -noout)
 
-    cp crl/ca.crl "certs/client/$CRL_HASH.r1"
+    cp crl/ca.crl "lookup-hash-dir/$CRL_HASH.r1"
 
 ⚠️ The sequence number N in the filename of the form ``hash.rN`` must be increased each time.
diff --git a/docs/source/cookbook/2_basic_auth.rst b/docs/source/cookbook/2_basic_auth.rst
@@ -40,7 +40,7 @@ To generate certificates signed by a private CA
     openssl genpkey -algorithm RSA -out certs/server.key
 
     # Generate server CSR with SAN
-    openssl req -new -key certs/server.key -out certs/server.csr -subj "/CN=localhost"
+    openssl req -new -key certs/server.key -out certs/server.csr -subj "/CN=etcd-server"
 
     # Generate server certificate signed by the CA with IP address subject alternative name
     openssl x509 -req -days 365 -in certs/server.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/server.crt -extfile <(echo "subjectAltName=IP:127.0.0.1,IP:${HOST_IP}")
@@ -49,7 +49,7 @@ To generate certificates signed by a private CA
     openssl genpkey -algorithm RSA -out certs/client.key
 
     # Generate client CSR with SAN
-    openssl req -new -key certs/client.key -out certs/client.csr -subj "/CN=localhost"
+    openssl req -new -key certs/client.key -out certs/client.csr -subj "/CN=etcd-client"
 
     # Generate client certificate signed by the CA
     openssl x509 -req -days 365 -in certs/client.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/client.crt
@@ -75,14 +75,14 @@ To start etcd
 
     docker run -d \
         -p $ETCD_PORT:2379 \
-        -e ETCD_TRUSTED_CA_FILE=/etc/etcd-ssl/ca.crt \
-        -e ETCD_CERT_FILE=/etc/etcd-ssl/server.crt \
-        -e ETCD_KEY_FILE=/etc/etcd-ssl/server.key \
+        -e ETCD_TRUSTED_CA_FILE=/etc/certs/ca.crt \
+        -e ETCD_CERT_FILE=/etc/certs/server.crt \
+        -e ETCD_KEY_FILE=/etc/certs/server.key \
         -e ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379 \
         -e ETCD_ADVERTISE_CLIENT_URLS=https://0.0.0.0:$ETCD_PORT \
         -e ETCD_CLIENT_CERT_AUTH=true \
         -e ETCD_ROOT_PASSWORD=$ETCD_ROOT_PASSWORD \
-        -v $(pwd)/certs:/etc/etcd-ssl \
+        -v $(pwd)/certs:/etc/certs \
         --name etcd \
         $ETCD_IMAGE
 
@@ -210,12 +210,12 @@ To store data with a password `password1` for a user with the name `user1` in et
 .. code-block:: bash
 
     docker run -it --rm \
-        -v $(pwd)/certs:/etc/etcd-ssl \
+        -v $(pwd)/certs:/etc/certs \
         $ETCD_IMAGE \
         etcdctl \
-        --cacert /etc/etcd-ssl/ca.crt \
-        --cert /etc/etcd-ssl/client.crt \
-        --key /etc/etcd-ssl/client.key \
+        --cacert /etc/certs/ca.crt \
+        --cert /etc/certs/client.crt \
+        --key /etc/certs/client.key \
         --user=root:$ETCD_ROOT_PASSWORD \
         --endpoints https://$HOST_IP:$ETCD_PORT \
         put \
@@ -246,10 +246,10 @@ The configuration below does not contain TLS settings for simplicity. For produc
                         \"password\": \"etcd-password\"
                     },
                     \"tls\": {
-                        \"server_certificate\": \"/etc/etcd-ssl/ca.crt\",
+                        \"root_certificate\": \"/etc/certs/ca.crt\",
                         \"identity\": {
-                            \"certificate\": \"/etc/etcd-ssl/client.crt\",
-                            \"certificate_key\": \"/etc/etcd-ssl/client.key\"
+                            \"certificate\": \"/etc/certs/client.crt\",
+                            \"key\": \"/etc/certs/client.key\"
                         }
                     },
                     \"path\": \"/users\",
@@ -323,7 +323,7 @@ To start Media Gateway server with the prepared configuration
     docker run -d \
         -v $(pwd)/media-gateway-server.json:/opt/etc/custom_config.json \
         -v $(pwd)/$MEDIA_GATEWAY_DATA_DIR:/etc/media-gateway \
-        -v $(pwd)/certs:/etc/etcd-ssl \
+        -v $(pwd)/certs:/etc/certs \
         -p $MEDIA_GATEWAY_PORT:8080 \
         --name media-gateway-server \
         ghcr.io/insight-platform/media-gateway-server-x86:latest \
@@ -335,7 +335,7 @@ To start Media Gateway server with the prepared configuration
     docker run -d \
         -v $(pwd)/media-gateway-server.json:/opt/etc/custom_config.json \
         -v $(pwd)/$MEDIA_GATEWAY_DATA_DIR:/etc/media-gateway \
-        -v $(pwd)/certs:/etc/etcd-ssl \
+        -v $(pwd)/certs:/etc/certs \
         -p $MEDIA_GATEWAY_PORT:8080 \
         --name media-gateway-server \
         ghcr.io/insight-platform/media-gateway-server-arm64:latest \
@@ -367,12 +367,12 @@ Add a new user `user2` with a password `password2` and send a request using it t
 .. code-block:: bash
 
     docker run -it --rm \
-        -v $(pwd)/certs:/etc/etcd-ssl \
+        -v $(pwd)/certs:/etc/certs \
         $ETCD_IMAGE \
         etcdctl \
-        --cacert /etc/etcd-ssl/ca.crt \
-        --cert /etc/etcd-ssl/client.crt \
-        --key /etc/etcd-ssl/client.key  \
+        --cacert /etc/certs/ca.crt \
+        --cert /etc/certs/client.crt \
+        --key /etc/certs/client.key  \
         --user=root:$ETCD_ROOT_PASSWORD \
         --endpoints https://$HOST_IP:$ETCD_PORT \
         put \
@@ -386,12 +386,12 @@ Change the password for the user `user2` to `password` and send a request using
 .. code-block:: bash
 
     docker run -it --rm \
-        -v $(pwd)/certs:/etc/etcd-ssl \
+        -v $(pwd)/certs:/etc/certs \
         $ETCD_IMAGE \
         etcdctl \
-        --cacert /etc/etcd-ssl/ca.crt \
-        --cert /etc/etcd-ssl/client.crt \
-        --key /etc/etcd-ssl/client.key \
+        --cacert /etc/certs/ca.crt \
+        --cert /etc/certs/client.crt \
+        --key /etc/certs/client.key \
         --user=root:$ETCD_ROOT_PASSWORD \
         --endpoints https://$HOST_IP:$ETCD_PORT \
         put \
@@ -417,4 +417,4 @@ Remove certificates, a configuration file and the data directory
 
 .. code-block:: bash
 
-    sudo rm -rf certs media-gateway-server.json $MEDIA_GATEWAY_DATA_DIR
+    rm -rf certs media-gateway-server.json $MEDIA_GATEWAY_DATA_DIR