flink-user mailing list archives

From "Tzu-Li (Gordon) Tai" <tzuli...@apache.org>
Subject Re: In-transit Data Encryption in EMR
Date Sun, 11 Jun 2017 14:05:35 GMT
Hi Vinay,

Apologies for the inactivity on this thread, I was occupied with some critical fixes for 1.3.1.

> 1. Can anyone please explain to me how to test if SSL is working correctly? Currently I
> am just relying on the logs.

AFAIK, if any of the SSL configuration settings are enabled (*.ssl.enabled) and your job is
running fine, then everything should be functioning.

> 2. Wildcard is not working with the keytool command; can you please let me know what the
> issue is with the following command:

The wildcard option only works for wildcarding subdomains.
For example, SAN=*.domain.com

On 9 June 2017 at 4:33:46 PM, vinay patil (vinay18.patil@gmail.com) wrote:

Hi Guys,

Can anyone please provide me a solution to my queries?

On Jun 8, 2017 11:30 PM, "Vinay Patil" <[hidden email]> wrote:
Hi Guys,

I am able to set up SSL correctly; however, the following command does not work correctly
and results in the error I had mailed earlier:
flink run -m yarn-cluster -yt deploy-keys/ TestJob.jar

Few doubts:
1. Can anyone please explain to me how to test if SSL is working correctly? Currently I
am just relying on the logs.

2. Wildcard is not working with the keytool command; can you please let me know what the
issue is with the following command:

keytool -genkeypair -alias ca -keystore: -ext SAN=dns:node1.* 


Regards,
Vinay Patil

On Mon, Jun 5, 2017 at 8:43 PM, vinay patil [via Apache Flink User Mailing List archive.]
<[hidden email]> wrote:
Hi Gordon,

The yarn session gets created when I try to run the following command:
yarn-session.sh -n 4 -s 2 -jm 1024 -tm 3000 -d --ship deploy-keys/

However, when I try to access the Job Manager UI, it gives me an exception:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I am able to see the Job Manager UI when I imported the CA certificate to the Java truststore
on the EMR master node:
keytool -keystore /etc/alternatives/jre/lib/security/cacerts -importcert -alias FLINKSSL -file ca.cer


Does this mean that SSL is configured correctly? I can see it in the Job Manager configurations
and also in the logs. Is there any other way to verify?

Also, the keystore and truststore passwords should be masked in the logs, which is not the case.

2017-06-05 14:51:31,135 INFO  org.apache.flink.configuration.GlobalConfiguration - Loading configuration property: security.ssl.enabled, true
2017-06-05 14:51:31,136 INFO  org.apache.flink.configuration.GlobalConfiguration - Loading configuration property: security.ssl.keystore, deploy-keys/ca.keystore
2017-06-05 14:51:31,136 INFO  org.apache.flink.configuration.GlobalConfiguration - Loading configuration property: security.ssl.keystore-password, password
2017-06-05 14:51:31,136 INFO  org.apache.flink.configuration.GlobalConfiguration - Loading configuration property: security.ssl.key-password, password
2017-06-05 14:51:31,136 INFO  org.apache.flink.configuration.GlobalConfiguration - Loading configuration property: security.ssl.truststore, deploy-keys/ca.truststore
2017-06-05 14:51:31,136 INFO  org.apache.flink.configuration.GlobalConfiguration - Loading configuration property: security.ssl.truststore-password, password


Regards,
Vinay Patil
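
Why `SAN=dns:node1.*` is of no use to a TLS client while `SAN=*.domain.com` works, as an added example (not code from this thread, from Flink or from keytool): a minimal dNSName matcher that follows the RFC 6125 wildcard rules in their strict form, where `*` is honoured only as the whole left-most label. The function names and every hostname other than the two SAN patterns quoted in the thread are assumptions made for illustration.

```python
# Added example: strict RFC 6125-style matching of a certificate dNSName
# entry against the hostname a TLS client is connecting to.
# Hostnames below, apart from the two SAN patterns from the thread, are constructed.


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate dNSName entry covers the hostname."""
    # DNS names are case-insensitive; a trailing dot marks a fully qualified name.
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")

    # Empty labels ("a..b" or an empty string) are never valid DNS names.
    if "" in p_labels or "" in h_labels:
        return False

    # A wildcard is only honoured as the complete left-most label,
    # so "node1.*" and "no*.domain.com" are both rejected here.
    if any("*" in label for label in p_labels[1:]):
        return False
    if "*" in p_labels[0] and p_labels[0] != "*":
        return False

    # The wildcard stands for exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels):
        return False

    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def covering_entries(san_entries, hostname):
    """List the SAN entries that would let a TLS client accept this hostname."""
    return [entry for entry in san_entries if san_matches(entry, hostname)]


if __name__ == "__main__":
    sans = ["*.domain.com", "node1.*"]
    for host in ["node1.domain.com", "node1.internal", "a.b.domain.com", "domain.com"]:
        print(host, "->", covering_entries(sans, host) or "no match")
```

A wildcard entry covers one label only, so `*.domain.com` does not cover the bare `domain.com` or a two-level name such as `a.b.domain.com`; those need their own SAN entries.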

