incubator-cassandra-user mailing list archives

From Carlos Scheidecker <nando....@gmail.com>
Subject Re: Issues with internode encryption - "Keystore was tampered with, or password was incorrect"
Date Thu, 19 Jun 2014 22:30:44 GMT
Never mind fellas.

Found the stupid error here. Sharing with you just in case. Typo error in
my script to generate those.

I had the '' characters while generating the keystore and certificates.
 -keystore 'mypassword' while correct is -keystore mypassword

I knew it was a certificate issue; debugging it, I was able to find it.

The longer you do things, the longer you are prone to errors.

cheers



On Thu, Jun 19, 2014 at 3:20 PM, Carlos Scheidecker <nando.nlp@gmail.com>
wrote:

> Hello,
>
> I am using Cassandra 2.1.0-rc1 and trying to set up internode encryption.
>
> Here's how I have generated the certificates and keystores:
>
> keytool -genkeypair -v -keyalg RSA -keysize 1024 -alias node1 -keystore node1.keystore -storepass 'mypassword' -dname 'CN=Development' -keypass 'mypassword' -validity 3650
>
> keytool -export -v -alias node1 -file node1.cer -keystore node1.keystore -storepass 'mypassword'
>
> keytool -import -v -trustcacerts -alias node1 -file node1.cer -keystore global.truststore -storepass 'mypassword' -noprompt
>
> Now, I have created a folder /etc/cassandra/certs
>
> and copied the certs there: node1.keystore and global.truststore
>
> Set the ownership and permissions of both to chown cassandra:cassandra and
> chmod 600
>
> Then in cassandra.yaml I did the following:
>
> server_encryption_options:
>     internode_encryption: all
>     keystore: /etc/cassandra/certs/node1.keystore
>     keystore_password: mypassword
>     truststore: /etc/cassandra/certs/global.truststore
>     truststore_password: mypassword
>
>
> When starting the server I get the following error:
>
> ERROR [main] 2014-06-19 15:00:03,701 CassandraDaemon.java:340 - Fatal configuration error
> org.apache.cassandra.exceptions.ConfigurationException: Unable to create ssl socket
>     at org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:431) ~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
>     at org.apache.cassandra.net.MessagingService.listen(MessagingService.java:411) ~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
>     at org.apache.cassandra.service.StorageService.prepareToJoin(StorageService.java:694) ~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
>     at org.apache.cassandra.service.StorageService.initServer(StorageService.java:628) ~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
>     at org.apache.cassandra.service.StorageService.initServer(StorageService.java:511) ~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
>     at org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.java:336) [apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
>     at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:455) [apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
>     at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:544) [apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
> Caused by: java.io.IOException: Error creating the initializing the SSL Context
>     at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:124) ~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
>     at org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:53) ~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
>     at org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:427) ~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
>     ... 7 common frames omitted
> Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
>     at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772) ~[na:1.8.0_05]
>     at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55) ~[na:1.8.0_05]
>     at java.security.KeyStore.load(KeyStore.java:1433) ~[na:1.8.0_05]
>     at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:108) ~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
>     ... 9 common frames omitted
> Caused by: java.security.UnrecoverableKeyException: Password verification failed
>     at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770) ~[na:1.8.0_05]
>     ... 12 common frames omitted
> INFO  [StorageServiceShutdownHook] 2014-06-19 15:00:03,705 Gossiper.java:1272 - Announcing shutdown
>
>
> Why would the certificate fail and the error "Keystore was tampered with,
> or password was incorrect" be displayed?
>
> I have tested the keystore password by doing keytool -list -keystore
> node1.keystore
>
> And it shows the certificate and password is correct:
>
> keytool -list -keystore node1.keystore -storepass mypassword
>
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 1 entry
>
> node1, Jun 19, 2014, PrivateKeyEntry,
> Certificate fingerprint (SHA1):
> 85:28:6F:75:B5:E2:CE:5C:52:84:AC:A6:12:FC:45:FB:BA:8D:97:4D
>
> Have no idea what went wrong as I have tried to find out.
>
> It does not seem to be a Cassandra issue but more likely an issue while
> generating the keystore and truststore.
>
> I am doing it for 4 nodes, which is why truststore is the same file name,
> only keystores are different names which are unique for the nodes.
>
> Thanks.
>
>
>
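
Why a password that differs only by two quote characters produces "Keystore was tampered with, or password was incorrect": a JKS file ends with a SHA-1 digest keyed by the store password, so the loader cannot tell a wrong password from a modified file. The following is an added example, not part of the thread or of Cassandra; it re-implements that integrity check in Python on a constructed empty keystore, and the function names are illustrative.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
WHITENER = b"Mighty Aphrodite"  # fixed string the JKS format mixes into the digest


def jks_digest(password: str, body: bytes) -> bytes:
    """SHA-1 over password (two bytes per char, big-endian), whitener, store body."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(WHITENER)
    h.update(body)
    return h.digest()


def make_empty_jks(password: str) -> bytes:
    """Constructed sample: a version-2 JKS with zero entries, sealed with password."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + jks_digest(password, body)


def check_password(store: bytes, password: str) -> bool:
    """True when the trailing 20-byte digest matches the one computed from password."""
    body, stored = store[:-20], store[-20:]
    if len(body) < 12 or struct.unpack(">I", body[:4])[0] != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    return hmac.compare_digest(jks_digest(password, body), stored)


if __name__ == "__main__":
    # Store sealed with the quote characters as part of the password (constructed case).
    quoted = make_empty_jks("'mypassword'")
    print("yaml password 'mypassword' without quotes:", check_password(quoted, "mypassword"))
    print("password including the quotes:            ", check_password(quoted, "'mypassword'"))

    # Same failure from a single flipped bit with the right password:
    # this is why the message names both causes.
    tampered = bytearray(make_empty_jks("mypassword"))
    tampered[11] ^= 0x01  # low byte of the entry count
    print("right password, modified file:            ", check_password(bytes(tampered), "mypassword"))
```
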
