geode-dev mailing list archives

From Liron Ben Ari <Liron.Ben...@amdocs.com>
Subject RE: trying to implement SSL configuration
Date Wed, 20 Jun 2018 15:46:11 GMT
Hi,
Well, I managed!! All my processes are talking with the SSL configuration (hip hip hooray ☺)
I figured out that I need client authentication and server authentication in the server
certificate EKU, and that I need a single-depth hierarchy.
I am not sure it will be the case when I will need to implement it at the customer site…

Does anyone have an idea why it was used like this?


Last question…
I am trying to configure the gfsh to connect to my locator.
I’ve added to the connect command the needed properties…


${GEMFIRE_HOME}/bin/gfsh -e "connect --locator=192.168.2.100[1028] --use-ssl  --security-properties-file=$GF_SERVER_DIR/properties/gemfire.sec.properties"

I can see that it is able to connect to the locator, but I see that it is trying to connect
to the manager without success.
Does anyone know if I need to add another certificate or key for the manager?


1) Executing - connect --locator=192.168.2.100[1028] --use-ssl  --security-properties-file=/users/xpiwrk1/GemFire/Server/properties/gemfire.sec.properties

Connecting to Locator at [host=192.168.2.100, port=1028] ..
Connecting to Manager at [host=eaasrt, port=1029] ..
Could not connect to : [host=eaasrt, port=1029]. Failed to retrieve RMIServer stub: javax.naming.CommunicationException
[Root exception is java.rmi.ConnectIOException: error during JRMP connection establishment;
nested exception is:
        javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]



Thank you so much!!!
From: Ernest Burghardt [mailto:eburghardt@pivotal.io]
Sent: Tuesday, June 12, 2018 7:27 PM
To: user@geode.apache.org
Cc: Udo Kohlmeyer <ukohlmeyer@pivotal.io>; dev@geode.apache.org; Gregory Vortman <Gregory.Vortman@Amdocs.com>;
Vladi Polonsky <Vladi.Polonsky@Amdocs.com>; Alon Bar-Lev <Alon.BarLev@amdocs.com>
Subject: Re: trying to implement SSL configuration

Hello,

For "native" C++ interaction have a look at geode-native/cppcache/integration-test/testThinClientSSL
This should provide an example of connecting with SSL enabled...

EB

On Tue, Jun 12, 2018 at 2:48 AM, Liron Ben Ari <Liron.BenAri@amdocs.com> wrote:

We checked - the PKCS12 works - (as we saw it in the s_client).
It looks like the server did not find a valid certificate...

Maybe you have a working example? When the client is native C++?

Thanks!!

-----Original Message-----
From: Liron Ben Ari
Sent: Tuesday, June 12, 2018 11:25 AM
To: Udo Kohlmeyer <ukohlmeyer@pivotal.io>; dev@geode.apache.org; user@geode.apache.org
Cc: Gregory Vortman <Gregory.Vortman@Amdocs.com>; Vladi Polonsky <Vladi.Polonsky@Amdocs.com>;
Alon Bar-Lev <Alon.BarLev@amdocs.com>
Subject: RE: trying to implement SSL configuration

Hi ,
Thank you for the quick response.
So according to the link you sent, the keystore type is JKS as well.
I will try and update...
But according to the client configuration (I found this document for it: http://pubs.vmware.com/vfabric53/topic/com.vmware.ICbase/PDF/vfabric-gemfire-nc-ug-7.0.1.pdf)

The  keystore for the native client should be in PEM format.



-----Original Message-----
From: Udo Kohlmeyer [mailto:ukohlmeyer@pivotal.io]
Sent: Tuesday, June 12, 2018 1:49 AM
To: dev@geode.apache.org; Liron Ben Ari <Liron.BenAri@amdocs.com>; user@geode.apache.org
Cc: Gregory Vortman <Gregory.Vortman@Amdocs.com>; Vladi Polonsky <Vladi.Polonsky@Amdocs.com>;
Alon Bar-Lev <Alon.BarLev@amdocs.com>
Subject: Re: trying to implement SSL configuration

Hi there,

Have you tried the following?

https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html

I have not tried to use a PKCS12 keystore type. Was there a particular reason why you are
using it? Could you try with a JKS?

--Udo

On 6/11/18 03:31, Liron Ben Ari wrote:
> Hello team.
> I am trying to move my client/server to work with SSL as part of a Security POC we are running.
> I was going over the GEODE documents (there are a lot! :)) and there were a lot of different options...
>
>
>
> This is the configuration  I used:
>
> I've generated Keystore & certificate using a private tool (that uses
> the openssl + Keytools)
>
> For client:
>   A file containing a PEM encoded X.509 certificate and a PEM encoded PKCS#8 encrypted private key
> For server:
>   PKCS#12 - this part works, as we could see openssl s_client return the chain
>
>
>
> In the gemfire.properties file I used:
>
> ssl-enabled-components=all
> ssl-protocols=any
> ssl-ciphers=SSL_RSA_WITH_NULL_SHA       //I've tried both options (empty as well)
> ssl-keystore-type=PKCS12
> ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA/pki/private/server4.p12
> ssl-keystore-password=changeme
> ssl-truststore-type=JKS
> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.jks
> ssl-truststore-password=changeit
>
>
>
> on the Client Side I used the PEM format:
> gfcpp1.properties:
> ssl-enabled=true
> ssl-keystore=/tmp/server4.pem
> ssl-keystore-password=changeme
> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.pem
>
>
> This is the error I am getting from the server when the client is trying to connect (locator):
> [info 2018/06/11 11:46:40.907 IDT eaasrt-locator <locator request thread[16]> tid=0x55] Exception in processing request from 192.168.2.100
> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>          at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>          at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>          at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>          at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>          at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1906)
>          at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233)
>          at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
>          at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
>          at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>          at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>          at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>          at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>          at org.apache.geode.internal.net.SocketCreator.configureServerSSLSocket(SocketCreator.java:1013)
>          at org.apache.geode.distributed.internal.tcpserver.TcpServer.lambda$processRequest$0(TcpServer.java:366)
>          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>          at java.lang.Thread.run(Thread.java:748)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>          at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>          at sun.security.validator.Validator.validate(Validator.java:260)
>          at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>          at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:227)
>          at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:118)
>          at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1888)
>          ... 12 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>          at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> :
>
> These are the errors I am getting from the client:
>
> ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140147953735424) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148921374464) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148896196352) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148004091648) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140147978913536) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148398352128) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148373174016) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>
>
>
>
>
>
> Any help will be appreciated !!
>
> Thanks.
>
>
> This message and the information contained herein is proprietary and
> confidential and subject to the Amdocs policy statement,
>
> you may review at https://www.amdocs.com/about/email-disclaimer
> <https://www.amdocs.com/about/email-disclaimer>
>

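The two findings in the latest message above (the server certificate needs both serverAuth and clientAuth in its EKU, and the locator's "PKIX path building failed" means the truststore cannot reach the issuing CA) can be checked offline with the same JDK APIs the locator uses, before a member is started. The program below is an added example, not Geode's or Amdocs' code: it reads the ssl-keystore/ssl-truststore settings from a gemfire.properties file of the shape shown in the thread, verifies the EKU of every private-key entry, and runs the PKIX path build that X509TrustManagerImpl performs on a peer certificate. It assumes that every member trusts the same CA (so building the member's own chain against its own truststore stands in for what the peer would do) and that the file path is supplied on the command line.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import java.util.Properties;

/**
 * Added example (not Geode code): preflight the ssl-* settings of a gemfire.properties
 * file so EKU and trust-path problems show up before the cluster is started.
 * Usage: java GeodeSslPreflight /path/to/gemfire.properties
 */
public class GeodeSslPreflight {
    private static final String OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
    private static final String OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java GeodeSslPreflight <gemfire.properties>");
            System.exit(2);
        }
        Properties p = new Properties();
        try (FileInputStream in = new FileInputStream(args[0])) {
            p.load(in);
        }
        boolean ok = true;

        // A *_NULL_* suite negotiates integrity only: payloads cross the wire unencrypted.
        String ciphers = p.getProperty("ssl-ciphers", "");
        if (ciphers.contains("_NULL_")) {
            System.out.println("WARNING: ssl-ciphers=" + ciphers + " provides no confidentiality");
            ok = false;
        }

        KeyStore keystore = load(p, "ssl-keystore");
        KeyStore truststore = load(p, "ssl-truststore");

        for (Enumeration<String> aliases = keystore.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (!keystore.isKeyEntry(alias)) continue; // only private-key entries are presented in the handshake
            Certificate[] chain = keystore.getCertificateChain(alias);
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.println("key entry '" + alias + "': " + leaf.getSubjectX500Principal()
                    + " (" + chain.length + " certificate(s) stored with it)");
            ok &= checkEku(leaf);
            ok &= buildPath(chain, truststore);
        }
        System.exit(ok ? 0 : 1);
    }

    /** Loads the store named by <prefix>, <prefix>-type and <prefix>-password (JKS or PKCS12). */
    private static KeyStore load(Properties p, String prefix) throws Exception {
        KeyStore ks = KeyStore.getInstance(p.getProperty(prefix + "-type", KeyStore.getDefaultType()));
        try (FileInputStream in = new FileInputStream(p.getProperty(prefix))) {
            ks.load(in, p.getProperty(prefix + "-password", "").toCharArray());
        }
        return ks;
    }

    /**
     * A member is both TLS server and TLS client of its peers, so if the certificate
     * restricts its usage at all, the EKU must list serverAuth and clientAuth.
     */
    private static boolean checkEku(X509Certificate leaf) throws Exception {
        List<String> eku = leaf.getExtendedKeyUsage(); // null: extension absent, usage unrestricted
        if (eku == null) {
            System.out.println("  EKU: absent, any usage allowed");
            return true;
        }
        boolean server = eku.contains(OID_SERVER_AUTH);
        boolean client = eku.contains(OID_CLIENT_AUTH);
        System.out.println("  EKU: serverAuth=" + server + " clientAuth=" + client);
        return server && client;
    }

    /**
     * The PKIX path build the JDK trust manager runs on a peer certificate. When the
     * truststore lacks the issuing CA it fails with the same "unable to find valid
     * certification path to requested target" seen in the locator log.
     */
    private static boolean buildPath(Certificate[] chain, KeyStore truststore) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate((X509Certificate) chain[0]);
        PKIXBuilderParameters params = new PKIXBuilderParameters(truststore, target); // anchors = trusted entries
        params.setRevocationEnabled(false); // offline preflight: no CRL/OCSP lookups
        // Leaf plus any intermediates from the keystore are offered to the builder.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Arrays.asList(chain))));
        try {
            PKIXCertPathBuilderResult result =
                    (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("  trust path: " + result.getCertPath().getCertificates().size()
                    + " certificate(s) below anchor "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            return true;
        } catch (CertPathBuilderException e) {
            System.out.println("  PKIX path building failed: " + e.getMessage());
            return false;
        }
    }
}
```

Run it once per member against that member's properties file; a non-zero exit means the member would either be rejected by a peer's trust manager or would reject one itself. The count printed for the trust path (certificates between the leaf and the anchor, plus the anchor) makes the hierarchy depth explicit, which is what the single-depth observation in the thread is about.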