incubator-cassandra-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Carlos Scheidecker <nando....@gmail.com>
Subject Issues with intenode encyrption - Keystore was tampered with, or password was incorrect"
Date Thu, 19 Jun 2014 21:20:16 GMT
Hello,

I am using Cassandra 2.1.0-rc1 and trying to set up internode encryption.

Here's how I have generated the certificates and keystores:

keytool -genkeypair -v -keyalg RSA -keysize 1024 -alias node1 -keystore
node1.keystore -storepass 'mypassword' -dname 'CN=Development' -keypass
'mypassword' -validity 3650

keytool -export -v -alias node1 -file node1.cer -keystore node1.keystore
-storepass 'mypassword'

keytool -import -v -trustcacerts -alias node1 -file node1.cer -keystore
global.truststore -storepass 'mypassword' -noprompt

Now, I have create a folder /etc/cassandra/certs

and copied the certs there: node1.keystore and global.truststore

Set the ownership and permissions of both to chown cassandra:cassandra and
chmod 600

Then on Cassandra.yaml I did the following:

server_encryption_options:
    internode_encryption: all
    keystore: /etc/cassandra/certs/node1.keystore
    keystore_password: mypassword
    truststore: /etc/cassandra/certs/global.truststore
    truststore_password: mypassword


When starting the server I get the following error:

ERROR [main] 2014-06-19 15:00:03,701 CassandraDaemon.java:340 - Fatal
configuration error
org.apache.cassandra.exceptions.ConfigurationException: Unable to create
ssl socket
at
org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:431)
~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
 at
org.apache.cassandra.net.MessagingService.listen(MessagingService.java:411)
~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
at
org.apache.cassandra.service.StorageService.prepareToJoin(StorageService.java:694)
~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
 at
org.apache.cassandra.service.StorageService.initServer(StorageService.java:628)
~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
at
org.apache.cassandra.service.StorageService.initServer(StorageService.java:511)
~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
 at
org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.java:336)
[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
at
org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:455)
[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
 at
org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:544)
[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
Caused by: java.io.IOException: Error creating the initializing the SSL
Context
 at
org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:124)
~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
at
org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:53)
~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
 at
org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:427)
~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
... 7 common frames omitted
Caused by: java.io.IOException: Keystore was tampered with, or password was
incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
~[na:1.8.0_05]
 at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
~[na:1.8.0_05]
at java.security.KeyStore.load(KeyStore.java:1433) ~[na:1.8.0_05]
 at
org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:108)
~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
... 9 common frames omitted
Caused by: java.security.UnrecoverableKeyException: Password verification
failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
~[na:1.8.0_05]
 ... 12 common frames omitted
INFO  [StorageServiceShutdownHook] 2014-06-19 15:00:03,705
Gossiper.java:1272 - Announcing shutdown


Why would the certificate fail and the error "Keystore was tampered with,
or password was incorrect" is displayed?

I have tested the keystore password by doing keytool -list -keystore
node1.keystore

And it shows the certficate and password is correct:

keytool -list -keystore node1.keystore -storepass mypassword

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

node1, Jun 19, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1):
85:28:6F:75:B5:E2:CE:5C:52:84:AC:A6:12:FC:45:FB:BA:8D:97:4D

Have no idea what went wrong as I have tried to find out.

It does not seem to be a Cassandra issue but more likely an issue while
generating the keystore and trustore.

I am doing it for 4 nodes, which is why trustore is the same file name,
only keystores are different names which are unique for the nodes.

Thanks.

Mime
View raw message