apache · moresandeep · Mar 31, 2026 · Mar 27, 2026 · Mar 31, 2026
diff --git a/gateway-docker/src/main/resources/docker/gateway-entrypoint.sh b/gateway-docker/src/main/resources/docker/gateway-entrypoint.sh
@@ -102,6 +102,9 @@ saveAlias gateway_database_user "${DATABASE_CONNECTION_USER}"
 saveAlias gateway_database_password "${DATABASE_CONNECTION_PASSWORD}"
 saveAlias gateway_database_ssl_truststore_password "${DATABASE_CONNECTION_TRUSTSTORE_PASSWORD}"
 
+# RemoteAuthProvider truststore password
+saveAlias rap_truststore_password "${RAP_TRUSTSTORE_PASSWORD}"
+
 if [[ -n ${KNOX_TOKEN_HASH_KEY} ]]
 then
   saveAlias knox.token.hash.key "${KNOX_TOKEN_HASH_KEY}"

diff --git a/gateway-provider-security-authc-remote/pom.xml b/gateway-provider-security-authc-remote/pom.xml
@@ -58,6 +58,11 @@
             <artifactId>log4j-api</artifactId>
         </dependency>
 
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+        </dependency>
+
         <dependency>
             <groupId>org.apache.knox</groupId>
             <artifactId>gateway-test-utils</artifactId>

diff --git a/...-security-authc-remote/src/main/java/org/apache/knox/gateway/filter/RemoteAuthFilter.java b/...-security-authc-remote/src/main/java/org/apache/knox/gateway/filter/RemoteAuthFilter.java
@@ -19,6 +19,7 @@
 
 import com.google.common.cache.Cache;
 import com.google.common.cache.CacheBuilder;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.knox.gateway.RemoteAuthMessages;
 import org.apache.knox.gateway.audit.api.Action;
 import org.apache.knox.gateway.audit.api.ActionOutcome;
@@ -76,7 +77,7 @@ public class RemoteAuthFilter implements Filter {
   static final String DEFAULT_CONFIG_USER_HEADER = "X-Knox-Actor-ID";
   static final String DEFAULT_CONFIG_GROUP_HEADER = "X-Knox-Actor-Groups-*";
   static final String CONFIG_TRUSTSTORE_PATH = REMOTE_AUTH + "truststore.path";
-  static final String CONFIG_TRUSTSTORE_PASSWORD = REMOTE_AUTH + "truststore.password";
+  static final String CONFIG_TRUSTSTORE_PASSWORD_ALIAS = REMOTE_AUTH + "truststore.password.alias";
   static final String CONFIG_TRUSTSTORE_TYPE = REMOTE_AUTH + "truststore.type";
   static final String DEFAULT_TRUSTSTORE_TYPE = "JKS";
   static final String WILDCARD = "*";
@@ -138,7 +139,7 @@ public void init(FilterConfig filterConfig) throws ServletException {
 
   private void buildTrustStore(FilterConfig filterConfig) throws ServletException {
     String truststorePath = filterConfig.getInitParameter(CONFIG_TRUSTSTORE_PATH);
-    String truststorePassword = filterConfig.getInitParameter(CONFIG_TRUSTSTORE_PASSWORD);
+    String truststorePasswordAlias = filterConfig.getInitParameter(CONFIG_TRUSTSTORE_PASSWORD_ALIAS);
     String truststoreType = filterConfig.getInitParameter(CONFIG_TRUSTSTORE_TYPE);
     if (truststoreType == null || truststoreType.isEmpty()) {
       truststoreType = DEFAULT_TRUSTSTORE_TYPE;
@@ -150,18 +151,12 @@ private void buildTrustStore(FilterConfig filterConfig) throws ServletException
       GatewayServices services = (GatewayServices) context.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
       if (services != null) {
         try {
-          final AliasService aliasService =  services.getService(ServiceType.ALIAS_SERVICE);
+          String truststorePassword = null;
           if (truststorePath != null && !truststorePath.isEmpty()) {
-            if (truststorePassword == null || truststorePassword.isEmpty()) {
-              // let's check for an alias given the intent to specify a truststore path
-              char[] passChars = aliasService.getPasswordFromAliasForCluster(topologyName,
-                      CONFIG_TRUSTSTORE_PASSWORD, false);
-              if (passChars != null) {
-                truststorePassword = new String(passChars);
-              }
-              if (truststorePassword == null || truststorePassword.isEmpty()) {
-                truststorePassword = new String(aliasService.getPasswordFromAliasForGateway(CONFIG_TRUSTSTORE_PASSWORD));
-              }
+            final AliasService aliasService =  services.getService(ServiceType.ALIAS_SERVICE);
+            truststorePassword = getTruststorePassword(aliasService, truststorePasswordAlias, topologyName);
+            if (StringUtils.isBlank(truststorePassword)) {
+              truststorePassword = getTruststorePassword(aliasService, truststorePasswordAlias, AliasService.NO_CLUSTER_NAME);
             }
           }
           KeystoreService keystoreService = services.getService(ServiceType.KEYSTORE_SERVICE);
@@ -177,6 +172,14 @@ private void buildTrustStore(FilterConfig filterConfig) throws ServletException
     }
   }
 
+  private String getTruststorePassword(final AliasService aliasService, final String truststorePasswordAlias, final String topologyName) throws AliasServiceException {
+    if (StringUtils.isNotBlank(truststorePasswordAlias)) {
+      final char[] truststorePasswordAliasChars = aliasService.getPasswordFromAliasForCluster(topologyName, truststorePasswordAlias, false);
+      return truststorePasswordAliasChars ==  null ? null : new String(truststorePasswordAliasChars);
+    }
+    return null;
+  }
+
   private KeyStore getTrustStore(String truststorePath, String truststoreType, String truststorePassword,
                                  KeystoreService keystoreService) throws IOException {
     KeyStore truststore = null;

diff --git a/...urity-authc-remote/src/test/java/org/apache/knox/gateway/filter/RemoteAuthFilterTest.java b/...urity-authc-remote/src/test/java/org/apache/knox/gateway/filter/RemoteAuthFilterTest.java
@@ -158,7 +158,7 @@ private void setUp(String trustStorePath, String trustStorePass, String trustSto
 
         // Trust store config
         EasyMock.expect(filterConfigMock.getInitParameter(RemoteAuthFilter.CONFIG_TRUSTSTORE_PATH)).andReturn(trustStorePath).anyTimes();
-        EasyMock.expect(filterConfigMock.getInitParameter(RemoteAuthFilter.CONFIG_TRUSTSTORE_PASSWORD)).andReturn(trustStorePass).anyTimes();
+        EasyMock.expect(filterConfigMock.getInitParameter(RemoteAuthFilter.CONFIG_TRUSTSTORE_PASSWORD_ALIAS)).andReturn(trustStorePass).anyTimes();
         EasyMock.expect(filterConfigMock.getInitParameter(RemoteAuthFilter.CONFIG_TRUSTSTORE_TYPE)).andReturn(trustStoreType).anyTimes();
 
         // Only replay the mocks that won't need additional expectations
@@ -411,7 +411,7 @@ public void testSuccessfulHttpsRequestWithTrustStore() throws Exception {
 
         // Set up aliasService expectations for password resolution
         EasyMock.expect(aliasServiceMock.getPasswordFromAliasForCluster("test-topology",
-                RemoteAuthFilter.CONFIG_TRUSTSTORE_PASSWORD, false))
+                RemoteAuthFilter.CONFIG_TRUSTSTORE_PASSWORD_ALIAS, false))
                 .andReturn("trustpass".toCharArray())
                 .anyTimes();