Hi Liron,
The first thing that jumps out to me when you say that GFSH could not connect to the JMX manager is that you need to have `jmx` in addition to `locator` in your `ssl-enabled-components` Geode system property. For example, you'd need ssl-enabled-components=locator,jmx at a minimum for GFSH to connect. It's a bit different if you pass --use-http to your `connect` command, but it doesn't appear you are doing that.

Ryan

On Wed, Jun 20, 2018 at 8:46 AM, Liron Ben Ari <liron.ben...@amdocs.com> wrote:
> Hi,
> Well, I managed!! All my processes are talking with SSL configuration
> (hip hip hooray ☺)
> I figured out that I need client authentication and server authentication
> in the server certificate EKU, and that I need a single depth hierarchy.
> I am not sure it will be the case when I will need to implement it in the
> customer site…
>
> Does anyone have an idea why it was used like this?
>
> Last question…
> I am trying to configure the gfsh to connect to my locator.
> I've added to the connect command the needed properties…
>
> ${GEMFIRE_HOME}/bin/gfsh -e "connect --locator=192.168.2.100[1028] --use-ssl --security-properties-file=$GF_SERVER_DIR/properties/gemfire.sec.properties
>
> I can see that he is able to connect to the locator, but I see that it is
> trying to connect to the manager without success.
> Does anyone know if I need to add another certificate or key for the
> manager?
>
> 1) Executing - connect --locator=192.168.2.100[1028] --use-ssl --security-properties-file=/users/xpiwrk1/GemFire/Server/properties/gemfire.sec.properties
>
> Connecting to Locator at [host=192.168.2.100, port=1028] ..
> Connecting to Manager at [host=eaasrt, port=1029] ..
> Could not connect to : [host=eaasrt, port=1029]. Failed to retrieve RMIServer stub: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
> javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]
>
> Thank you so much!!!
>
> From: Ernest Burghardt [mailto:eburgha...@pivotal.io]
> Sent: Tuesday, June 12, 2018 7:27 PM
> To: u...@geode.apache.org
> Cc: Udo Kohlmeyer <ukohlme...@pivotal.io>; dev@geode.apache.org; Gregory Vortman <gregory.vort...@amdocs.com>; Vladi Polonsky <vladi.polon...@amdocs.com>; Alon Bar-Lev <alon.bar...@amdocs.com>
> Subject: Re: trying to implement SSL configuration
>
> Hello,
>
> For "native" C++ interaction have a look at geode-native/cppcache/integration-test/testThinClientSSL
> This should provide an example of connecting with SSL enabled...
>
> EB
>
> On Tue, Jun 12, 2018 at 2:48 AM, Liron Ben Ari <liron.ben...@amdocs.com> wrote:
>
> We checked - the PKCS12 works (as we saw it in the s_client).
> It looks like the server did not find a valid certificate...
>
> Maybe you have a working example? When the client is native C++?
>
> Thanks!!
>
> -----Original Message-----
> From: Liron Ben Ari
> Sent: Tuesday, June 12, 2018 11:25 AM
> To: Udo Kohlmeyer <ukohlme...@pivotal.io>; dev@geode.apache.org; u...@geode.apache.org
> Cc: Gregory Vortman <gregory.vort...@amdocs.com>; Vladi Polonsky <vladi.polon...@amdocs.com>; Alon Bar-Lev <alon.bar...@amdocs.com>
> Subject: RE: trying to implement SSL configuration
>
> Hi,
> Thank you for the quick response.
> So according to the link you sent, the keystore type is jks as well.
> I will try and update...
> But according to the client configuration (I found this document for it: http://pubs.vmware.com/vfabric53/topic/com.vmware.ICbase/PDF/vfabric-gemfire-nc-ug-7.0.1.pdf)
>
> The keystore for the native client should be in PEM format.
>
> -----Original Message-----
> From: Udo Kohlmeyer [mailto:ukohlme...@pivotal.io]
> Sent: Tuesday, June 12, 2018 1:49 AM
> To: dev@geode.apache.org; Liron Ben Ari <liron.ben...@amdocs.com>; u...@geode.apache.org
> Cc: Gregory Vortman <gregory.vort...@amdocs.com>; Vladi Polonsky <vladi.polon...@amdocs.com>; Alon Bar-Lev <alon.bar...@amdocs.com>
> Subject: Re: trying to implement SSL configuration
>
> Hi there,
>
> Have you tried the following?
>
> https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html
>
> I have not tried to use a PKCS12 keystore type. Was there a particular reason why you are using it? Could you try with a JKS?
>
> --Udo
>
> On 6/11/18 03:31, Liron Ben Ari wrote:
> > Hello team.
> > I am trying to move my client server to work with SSL as part of a Security POC we are running.
> > I was moving on GEODE documents (there are a lot! :)) and there was a lot of different options...
> >
> > This is the configuration I used:
> >
> > I've generated keystore & certificate using a private tool (that uses the openssl + keytool)
> >
> > For client:
> > A file containing PEM encoded X.509 certificate and PEM encoded PKCS#8 encrypted private key
> > For server:
> > PKCS#12 - this part works, as we could see openssl s_client return the chain
> >
> > On the gemfire.properties file I used:
> >
> > ssl-enabled-components=all
> > ssl-protocols=any
> > ssl-ciphers=SSL_RSA_WITH_NULL_SHA //I've tried both options (empty as well)
> > ssl-keystore-type=PKCS12
> > ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA/pki/private/server4.p12
> > ssl-keystore-password=changeme
> > ssl-truststore-type=JKS
> > ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.jks
> > ssl-truststore-password=changeit
> >
> > On the client side I used the PEM format:
> > gfcpp1.properties:
> > ssl-enabled=true
> > ssl-keystore=/tmp/server4.pem
> > ssl-keystore-password=changeme
> > ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.pem
> >
> > This is the error I am getting from the server when the client is trying to connect (locator):
> >
> > [info 2018/06/11 11:46:40.907 IDT eaasrt-locator <locator request thread[16]> tid=0x55] Exception in processing request from 192.168.2.100
> > javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> >         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
> >         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
> >         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
> >         at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1906)
> >         at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233)
> >         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
> >         at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
> >         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
> >         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
> >         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
> >         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
> >         at org.apache.geode.internal.net.SocketCreator.configureServerSSLSocket(SocketCreator.java:1013)
> >         at org.apache.geode.distributed.internal.tcpserver.TcpServer.lambda$processRequest$0(TcpServer.java:366)
> >         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >         at java.lang.Thread.run(Thread.java:748)
> > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
> >         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
> >         at sun.security.validator.Validator.validate(Validator.java:260)
> >         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> >         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:227)
> >         at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:118)
> >         at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1888)
> >         ... 12 more
> > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >         at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> > :
> >
> > These are the errors I am getting from the client:
> >
> > ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> > ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> > ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> > ACE_SSL (45715|140147953735424) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> > ACE_SSL (45715|140148921374464) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> > ACE_SSL (45715|140148896196352) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> > ACE_SSL (45715|140148004091648) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> > ACE_SSL (45715|140147978913536) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> > ACE_SSL (45715|140148398352128) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> > ACE_SSL (45715|140148373174016) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> >
> > Any help will be appreciated!!
> >
> > Thanks.
> >
> > This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement,
> > you may review at https://www.amdocs.com/about/email-disclaimer
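A small pre-flight check for the configuration point Ryan makes above, written as an added example that is not part of this thread and not Apache Geode code. It reads a gemfire.properties text with a minimal java.util.Properties-style parser and reports whether `ssl-enabled-components` covers both `locator` and `jmx` (or `all`), which is what a JMX-based `gfsh connect --use-ssl` needs; it also flags the null-encryption cipher suite that appeared in the original configuration, and a trailing `//` remark on a property line, which `java.util.Properties` keeps as part of the value rather than treating as a comment. The sample properties text is constructed for the example, the file paths in it are placeholders, and the `--use-http` connect path is not covered.

```python
"""Pre-flight check of the SSL section of a gemfire.properties file before
`gfsh connect --use-ssl` (added example, not Geode code)."""
import re

# Constructed sample modelled on the configuration in the thread, with the
# component list narrowed to `locator`: gfsh can reach the locator, but the
# JMX manager handshake fails because `jmx` is not SSL-enabled.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real file from the thread
ssl-enabled-components=locator
ssl-protocols=any
ssl-ciphers=SSL_RSA_WITH_NULL_SHA //I've tried both options (empty as well)
ssl-keystore-type=PKCS12
ssl-keystore=/path/to/server.p12
ssl-keystore-password=changeme
ssl-truststore-type=JKS
ssl-truststore=/path/to/trust.jks
ssl-truststore-password=changeit
"""

_KV = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text):
    """Minimal java.util.Properties reader: '#' or '!' starts a comment line,
    the first '=' or ':' separates key from value, and everything after the
    separator (including a trailing '//...' remark) is part of the value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_gfsh_ssl(props):
    """Return (severity, message) findings for a JMX-based gfsh connect.
    An empty list means nothing in this check stands in the way."""
    findings = []
    comps = {c.strip().lower()
             for c in props.get("ssl-enabled-components", "").split(",")
             if c.strip()}
    # `all` covers every component; otherwise both endpoints gfsh talks to
    # (the locator, then the JMX manager) must be listed explicitly.
    if "all" not in comps:
        for needed in ("locator", "jmx"):
            if needed not in comps:
                findings.append(("error",
                    f"ssl-enabled-components lacks {needed!r}: gfsh reaches "
                    "the locator but the JMX manager handshake will fail"))
    # A *_WITH_NULL_* suite negotiates no encryption at all.
    if "NULL" in props.get("ssl-ciphers", "").upper():
        findings.append(("warning",
            "ssl-ciphers selects a NULL-encryption suite: the TLS session is "
            "authenticated and integrity-protected but not confidential"))
    # Properties files have no end-of-line comments; '//' stays in the value.
    for key, value in props.items():
        if re.search(r"\s//", value):
            findings.append(("error",
                f"{key}: the trailing '//' remark is part of the value in "
                "java.util.Properties, so the setting will not match"))
    return findings


if __name__ == "__main__":
    for severity, message in check_gfsh_ssl(parse_properties(SAMPLE_PROPERTIES)):
        print(f"[{severity}] {message}")
```

Run against the sample it reports the missing `jmx` component, the NULL cipher suite and the `//` remark; with `ssl-enabled-components=locator,jmx` (or `all`) and a real cipher suite it reports nothing.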