Mailing-List: contact user-help@flink.apache.org; run by ezmlm
Precedence: bulk
Date: Sun, 11 Jun 2017 16:05:35 +0200
From: "Tzu-Li (Gordon) Tai" <tzulitai@apache.org>
To: vinay patil <vinay18.patil@gmail.com>, user@flink.apache.org
Message-ID: <etPan.593d4e2f.6f5ca2a.110@apache.org>
In-Reply-To: <CAMpYU5R71w2yKt+mX4ffgRaY4Wmm6_NuVXPeUo8hVw+xC6ZxLg@mail.gmail.com>
References: <1496406135048-13455.post@n4.nabble.com>
 <CAC27z=P1nZoRZ9duziqO16KXwJQ1_AGa=PdcJRijMv=G=ZYiPA@mail.gmail.com>
 <CAMpYU5SBqd1q1Z+k1a4vCsVC+r-6z4Q2520PEGKLB6JPOLJ7Hw@mail.gmail.com>
 <etPan.593542f3.5ed595e4.1625d@apache.org>
 <1496673141950-13489.post@n4.nabble.com>
 <1496675583562-13490.post@n4.nabble.com>
 <CAMpYU5R71w2yKt+mX4ffgRaY4Wmm6_NuVXPeUo8hVw+xC6ZxLg@mail.gmail.com>
Subject: Re: In-transit Data Encryption in EMR
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="593d4e2f_5f5c06a1_110"
archived-at: Sun, 11 Jun 2017 14:05:43 -0000

--593d4e2f_5f5c06a1_110
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Hi Vinay,

Apologies for the inactivity on this thread, I was occupied with some cri=
tical fixes for 1.3.1.

1. Can anyone please explain me how do you test if SSL is working correct=
ly =3F Currently I am just relying on the logs.

A=46AIK, if any of the SSL configuration settings are enabled (*.ssl.enab=
led) and your job is running fine, then everything should be functioning.=


2. Wild Card is not working with the keytool command, can you please let =
me know what is the issue with the following command:

The wildcard option only works for wildcarding subdomains.
=46or example, SAN=3D*.domain.com

On 9 June 2017 at 4:33:46 PM, vinay patil (vinay18.patil=40gmail.com) wro=
te:

Hi Guys,

Can anyone please provide me solution to my queries.

On Jun 8, 2017 11:30 PM, =22Vinay Patil=22 <=5Bhidden email=5D> wrote:
Hi Guys,

I am able to setup SSL correctly, however the following command =C2=A0doe=
s not work correctly and results in the error I had mailed earlier
flink run -m yarn-cluster -yt deploy-keys/ TestJob.jar

=46ew Doubts:=C2=A0
1. Can anyone please explain me how do you test if SSL is working correct=
ly =3F Currently I am just relying on the logs.

2. Wild Card is not working with the keytool command, can you please let =
me know what is the issue with the following command:

keytool -genkeypair -alias ca -keystore: -ext SAN=3Ddns:node1.*=C2=A0


Regards,
Vinay Patil

On Mon, Jun 5, 2017 at 8:43 PM, vinay patil =5Bvia Apache =46link User Ma=
iling List archive.=5D <=5Bhidden email=5D> wrote:
Hi Gordon,

The yarn session gets created when I try to run the following command:
yarn-session.sh -n 4 -s 2 -jm 1024 -tm 3000 -d --ship deploy-keys/

However when I try to access the Job Manager UI, it gives me exception as=
 :
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorExce=
ption: PKIX path building failed: sun.security.provider.certpath.SunCertP=
athBuilderException: unable to find valid certification path to requested=
 target

I am able to see the Job Manager UI =C2=A0when I imported the CA certific=
ate to java truststore on EMR master node :
keytool -keystore /etc/alternatives/jre/lib/security/cacerts -importcert =
-alias =46LINKSSL -file ca.cer


Does this mean that SSL is configured correctly =3F I can see in the Job =
Manager configurations and also in th e logs. Is there any other way to v=
erify =3F

Also the keystore and truststore =C2=A0password should be masked in the l=
ogs which is not case.

2017-06-05 14:51:31,135 IN=46O =C2=A0org.apache.flink.configuration.Globa=
lConfiguration =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0- Loading configu=
ration property: security.ssl.enabled, true
2017-06-05 14:51:31,136 IN=46O =C2=A0org.apache.flink.configuration.Globa=
lConfiguration =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0- Loading configu=
ration property: security.ssl.keystore, deploy-keys/ca.keystore
2017-06-05 14:51:31,136 IN=46O =C2=A0org.apache.flink.configuration.Globa=
lConfiguration =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0- Loading configu=
ration property: security.ssl.keystore-password, password
2017-06-05 14:51:31,136 IN=46O =C2=A0org.apache.flink.configuration.Globa=
lConfiguration =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0- Loading configu=
ration property: security.ssl.key-password, password
2017-06-05 14:51:31,136 IN=46O =C2=A0org.apache.flink.configuration.Globa=
lConfiguration =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0- Loading configu=
ration property: security.ssl.truststore, deploy-keys/ca.truststore
2017-06-05 14:51:31,136 IN=46O =C2=A0org.apache.flink.configuration.Globa=
lConfiguration =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0- Loading configu=
ration property: security.ssl.truststore-password, password


Regards,
Vinay Patil


If you reply to this email, your message will be added to the discussion =
below:
http://apache-flink-user-mailing-list-archive.2336050.n4.nabble.com/In-tr=
ansit-Data-Encryption-in-EMR-tp13455p13490.html
To start a new topic under Apache =46link User Mailing List archive., ema=
il =5Bhidden email=5D
To unsubscribe from Apache =46link User Mailing List archive., click here=
.
NAML


View this message in context: Re: In-transit Data Encryption in EMR
Sent from the Apache =46link User Mailing List archive. mailing list arch=
ive at Nabble.com.

--593d4e2f_5f5c06a1_110
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

<html><head><style>body=7Bfont-family:Helvetica,Arial;font-size:13px=7D</=
style></head><body style=3D=22word-wrap: break-word; -webkit-nbsp-mode: s=
pace; -webkit-line-break: after-white-space;=22><div id=3D=22bloop=5Fcust=
omfont=22 style=3D=22font-family:Helvetica,Arial;font-size:13px; color: r=
gba(0,0,0,1.0); margin: 0px; line-height: auto;=22>Hi Vinay,</div><div id=
=3D=22bloop=5Fcustomfont=22 style=3D=22font-family:Helvetica,Arial;font-s=
ize:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;=22><br>=
</div><div id=3D=22bloop=5Fcustomfont=22 style=3D=22font-family:Helvetica=
,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: =
auto;=22>Apologies for the inactivity on this thread, I was occupied with=
 some critical fixes for 1.3.1.</div><div id=3D=22bloop=5Fcustomfont=22 s=
tyle=3D=22font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1=
.0); margin: 0px; line-height: auto;=22><br></div><div id=3D=22bloop=5Fcu=
stomfont=22 style=3D=22font-family:Helvetica,Arial;font-size:13px; color:=
 rgba(0,0,0,1.0); margin: 0px; line-height: auto;=22><blockquote type=3D=22=
cite=22 class=3D=22clean=5Fbq=22><div class=3D=22gmail=5Fextra=22><div cl=
ass=3D=22gmail=5Fquote=22><blockquote class=3D=22gmail=5Fquote=22 style=3D=
=22padding-right: 1em; padding-left: 1ex; margin-left: 0.8ex; border-left=
-width: 1px; border-left-color: rgb(204, 204, 204);=22><div dir=3D=22ltr=22=
>1. Can anyone please explain me how do you test if SSL is working correc=
tly =3F Currently I am just relying on the logs.</div></blockquote></div>=
</div></blockquote></div> <div><br></div><div>A=46AIK, if any of the SSL =
configuration settings are enabled (*.ssl.enabled) and your job is runnin=
g fine, then everything should be functioning.</div><div><br></div><block=
quote type=3D=22cite=22 class=3D=22clean=5Fbq=22><div class=3D=22gmail=5F=
extra=22><div class=3D=22gmail=5Fquote=22><blockquote class=3D=22gmail=5F=
quote=22 style=3D=22padding-right: 1em; padding-left: 1ex; margin-left: 0=
.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204);=22><=
div dir=3D=22ltr=22>2. Wild Card is not working with the keytool command,=
 can you please let me know what is the issue with the following command:=
</div></blockquote></div></div></blockquote> <div class=3D=22bloop=5Fsign=
=22 id=3D=22bloop=5Fsign=5F1497189377701920000=22></div><div class=3D=22b=
loop=5Fsign=22 id=3D=22bloop=5Fsign=5F1497189377701920000=22><br></div><d=
iv class=3D=22bloop=5Fsign=22 id=3D=22bloop=5Fsign=5F1497189377701920000=22=
>The wildcard option only works for wildcarding subdomains.</div><div cla=
ss=3D=22bloop=5Fsign=22 id=3D=22bloop=5Fsign=5F1497189377701920000=22>=46=
or example, SAN=3D*.<a href=3D=22http://domain.com=22>domain.com</a></div=
> <br><p class=3D=22airmail=5Fon=22>On 9 June 2017 at 4:33:46 PM, vinay p=
atil (<a href=3D=22mailto:vinay18.patil=40gmail.com=22>vinay18.patil=40gm=
ail.com</a>) wrote:</p> <blockquote type=3D=22cite=22 class=3D=22clean=5F=
bq=22><span><div><div></div><div>


<title></title>


<div dir=3D=22auto=22>Hi Guys,
<div dir=3D=22auto=22><br></div>
<div dir=3D=22auto=22>Can anyone please provide me solution to my
queries.</div>
</div>
<div class=3D=22gmail=5Fextra=22><br>
<div class=3D=22gmail=5Fquote=22>On Jun 8, 2017 11:30 PM, =22Vinay Patil=22=

&lt;<a href=3D=22/user/SendEmail.jtp=3Ftype=3Dnode&amp;node=3D13609&amp;i=
=3D0=22 target=3D=22=5Ftop=22 rel=3D=22nofollow=22 link=3D=22external=22>=
=5Bhidden email=5D</a>&gt;
wrote:<br type=3D=22attribution=22>
<blockquote style=3D=22border-left:2px solid =23CCCCCC;padding:0 1em; mar=
gin:0 0 0 .8ex;border-left:1px =23ccc solid;padding-left:1ex=22 class=3D=22=
gmail=5Fquote=22>
<div dir=3D=22ltr=22>Hi Guys,<br>
<br>
I am able to setup SSL correctly, however the following command
&nbsp;does not work correctly and results in the error I had mailed
earlier
<div>
<pre style=3D=22box-sizing:border-box;overflow:auto;font-family:Menlo,&qu=
ot;Lucida Console&quot;,monospace;font-size:12px;padding:9.5px;margin-top=
:0px;margin-bottom:10px;line-height:1.42857;color:rgb(51,51,51);word-brea=
k:break-all;word-wrap:break-word;background:rgb(247,247,247);border:none;=
border-radius:4px=22><code style=3D=22box-sizing:border-box;font-family:M=
enlo,&quot;Lucida Console&quot;,monospace;font-size:inherit;padding:0px;c=
olor:inherit;background:transparent;border-radius:0px;white-space:pre-wra=
p=22>flink run -m yarn-cluster -yt deploy-keys/ TestJob.jar</code></pre><=
/div>
<div><br></div>
<div>=46ew Doubts:&nbsp;</div>
<div>1. Can anyone please explain me how do you test if SSL is
working correctly =3F Currently I am just relying on the logs.</div>
<div><br></div>
<div>2. Wild Card is not working with the keytool command, can you
please let me know what is the issue with the following
command:</div>
<div><span style=3D=22background-color:transparent;color:inherit;font-fam=
ily:Menlo,&quot;Lucida Console&quot;,monospace;font-size:inherit;white-sp=
ace:pre-wrap=22>
keytool -genkeypair -alias ca -</span><span style=3D=22color:rgb(51,51,51=
);font-family:&quot;Helvetica Neue&quot;,Helvetica,Arial,sans-serif;font-=
size:14px=22>keystore:
-ext SAN=3Ddns:node1.*&nbsp;</span><br></div>
<div><br></div>
</div>
<div class=3D=22gmail=5Fextra=22><br clear=3D=22all=22>
<div>
<div class=3D=22m=5F3512357571141401803gmail=5Fsignature=22 data-smartmai=
l=3D=22gmail=5Fsignature=22>
<div dir=3D=22ltr=22>
<div>
<div dir=3D=22ltr=22><font color=3D=22=23000000=22>Regards,</font>
<div><font color=3D=22=23000000=22>Vinay Patil</font></div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class=3D=22gmail=5Fquote=22>On Mon, Jun 5, 2017 at 8:43 PM, vinay
patil =5Bvia Apache =46link User Mailing List archive.=5D <span dir=3D=22=
ltr=22>&lt;<a href=3D=22/user/SendEmail.jtp=3Ftype=3Dnode&amp;node=3D1360=
9&amp;i=3D1=22 target=3D=22=5Ftop=22 rel=3D=22nofollow=22 link=3D=22exter=
nal=22>=5Bhidden email=5D</a>&gt;</span>
wrote:<br>
<blockquote style=3D=22border-left:2px solid =23CCCCCC;padding:0 1em; mar=
gin:0 0 0 .8ex;border-left:1px =23ccc solid;padding-left:1ex=22 class=3D=22=
gmail=5Fquote=22>Hi Gordon,<br>
<br>
The yarn session gets created when I try to run the following
command:<br>
yarn-session.sh -n 4 -s 2 -jm 1024 -tm 3000 -d --ship
deploy-keys/<br>
<br>
However when I try to access the Job Manager UI, it gives me
exception as :<br>
javax.net.ssl.SSLHandshakeExce<wbr>ption:
sun.security.validator.Validat<wbr>orException: PKIX path
building failed:
sun.security.provider.certpath<wbr>.SunCertPathBuilderException:
unable to find valid certification path to requested target<br>
<br>
I am able to see the Job Manager UI &nbsp;when I imported the CA
certificate to java truststore on EMR master node :<br>
keytool -keystore /etc/alternatives/jre/lib/secu<wbr>rity/cacerts
-importcert -alias =46LINKSSL -file ca.cer<br>
<br>
<br>
Does this mean that SSL is configured correctly =3F I can see in the
Job Manager configurations and also in th e logs. Is there any
other way to verify =3F<br>
<br>
Also the keystore and truststore &nbsp;password should be masked in
the logs which is not case.<br>
<br>
<i><b>2017-06-05 14:51:31,135 IN=46O
&nbsp;org.apache.flink.configuratio<wbr>n.GlobalConfiguration
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;- Loading configuration
property: security.ssl.enabled, true<br>
2017-06-05 14:51:31,136 IN=46O
&nbsp;org.apache.flink.configuratio<wbr>n.GlobalConfiguration
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;- Loading configuration
property: security.ssl.keystore, deploy-keys/ca.keystore<br>
2017-06-05 14:51:31,136 IN=46O
&nbsp;org.apache.flink.configuratio<wbr>n.GlobalConfiguration
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;- Loading configuration
property: security.ssl.keystore-password<wbr>, password<br>
2017-06-05 14:51:31,136 IN=46O
&nbsp;org.apache.flink.configuratio<wbr>n.GlobalConfiguration
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;- Loading configuration
property: security.ssl.key-password, password<br>
2017-06-05 14:51:31,136 IN=46O
&nbsp;org.apache.flink.configuratio<wbr>n.GlobalConfiguration
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;- Loading configuration
property: security.ssl.truststore, deploy-keys/ca.truststore<br>
2017-06-05 14:51:31,136 IN=46O
&nbsp;org.apache.flink.configuratio<wbr>n.GlobalConfiguration
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;- Loading configuration
property: security.ssl.truststore-passwo<wbr>rd,
password</b></i><br>
<br>
<br>
Regards,<br>
Vinay Patil<br>
<br>
<br>
<hr noshade=3D=22noshade=22 size=3D=221=22 color=3D=22=23CCCCCC=22>
<div style=3D=22color:=23444;font:12px tahoma,geneva,helvetica,arial,sans=
-serif=22>
<div style=3D=22font-weight:bold=22><span>If you reply to this email,
your message will be added to the discussion below:</span></div>
<a href=3D=22http://apache-flink-user-mailing-list-archive.2336050.n4.nab=
ble.com/In-transit-Data-Encryption-in-EMR-tp13455p13490.html=22 target=3D=
=22=5Fblank=22 rel=3D=22nofollow=22 link=3D=22external=22>http://apache-f=
link-user-maili<wbr>ng-list-archive.2336050.n4.<wbr>nabble.com/In-transit=
-Data-Enc<wbr>ryption-in-EMR-tp13455p13490.<wbr>html</a></div>
<div class=3D=22m=5F3512357571141401803HOEnZb=22>
<div class=3D=22m=5F3512357571141401803h5=22>
<div style=3D=22color:=23666;font:11px tahoma,geneva,helvetica,arial,sans=
-serif;margin-top:.4em;line-height:1.5em=22>
To start a new topic under Apache =46link User Mailing List archive.,
email <a href=3D=22/user/SendEmail.jtp=3Ftype=3Dnode&amp;node=3D13609&amp=
;i=3D2=22 target=3D=22=5Ftop=22 rel=3D=22nofollow=22 link=3D=22external=22=
>=5Bhidden email=5D</a><br>
To unsubscribe from Apache =46link User Mailing List archive.,
<a href=3D=22=22 target=3D=22=5Fblank=22 rel=3D=22nofollow=22 link=3D=22e=
xternal=22>click
here</a>.<br>
<a href=3D=22http://apache-flink-user-mailing-list-archive.2336050.n4.nab=
ble.com/template/NamlServlet.jtp=3Fmacro=3Dmacro=5Fviewer&amp;id=3Dinstan=
t=5Fhtml%21nabble%3Aemail.naml&amp;base=3Dnabble.naml.namespaces.BasicNam=
espace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.=
NodeNamespace&amp;breadcrumbs=3Dnotify=5Fsubscribers%21nabble%3Aemail.nam=
l-instant=5Femails%21nabble%3Aemail.naml-send=5Finstant=5Femail%21nabble%=
3Aemail.naml=22 rel=3D=22nofollow=22 style=3D=22font:9px serif=22 target=3D=
=22=5Fblank=22 link=3D=22external=22>NAML</a></div>
</div>
</div>
</blockquote>
</div>
<br></div>
</blockquote>
</div>
</div>
<br>
<hr align=3D=22left=22 width=3D=22300=22>
View this message in context: <a href=3D=22http://apache-flink-user-maili=
ng-list-archive.2336050.n4.nabble.com/In-transit-Data-Encryption-in-EMR-t=
p13455p13609.html=22>
Re: In-transit Data Encryption in EMR</a><br>
Sent from the <a href=3D=22http://apache-flink-user-mailing-list-archive.=
2336050.n4.nabble.com/=22>
Apache =46link User Mailing List archive. mailing list archive</a> at
Nabble.com.<br>


</div></div></span></blockquote></body></html>
--593d4e2f_5f5c06a1_110--