Why did you change the number of threads to 0 (and which setting did you change)? AFAIK this is not a requirement.
Anthony > On Jul 1, 2018, at 10:29 PM, Liron Ben Ari <liron.ben...@amdocs.com> wrote: > > Hi again... > After some functional test on the SSL configuration, we saw degradation of > 300% on performance!! > Does anyone have an experience? > Is there a some special tuning that I can do? > > We used this In our configuration - from documentation it looks like this is > the only possible option to use... > (we must use the "all" option according to the GPRD regulations...) > > ssl-enabled-components=all > ssl-protocols=any > ssl-ciphers=SSL_RSA_WITH_NULL_SHA > we have also change the number of threads to 0 (so it will be thread per > connection - there was no other way...) > > > thanks a lot for any help :) > > -----Original Message----- > From: Liron Ben Ari > Sent: Sunday, June 24, 2018 12:58 PM > To: dev@geode.apache.org <mailto:dev@geode.apache.org> > Cc: Gregory Vortman <gregory.vort...@amdocs.com > <mailto:gregory.vort...@amdocs.com>> > Subject: RE: trying to implement SSL configuration > > Thanks a lot for your respond Ryan, > I've used the ssl-enabled-components=all parameter. > All my c++ clients are able to connect to the locator and to send ssl events.. > I have another java client that connects to the locator and I gave him the > same parameters... > I will try changing it and will update :) thanks > > Here are the parameters I used for the server side: > > ssl-enabled-components=all > ssl-protocols=any > ssl-ciphers=SSL_RSA_WITH_NULL_SHA > ssl-keystore-type=PKCS12 > ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA-simple/pki/private/test1.p12 > ssl-keystore-password=***** > ssl-truststore-type=JKS > ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA-simple/Amdocs-Test-CA-simple.jks > ssl-truststore-password=changeit > > -----Original Message----- > From: Ryan McMahon [mailto:rmcma...@pivotal.io <mailto:rmcma...@pivotal.io>] > Sent: Wednesday, June 20, 2018 6:57 PM > To: dev@geode.apache.org <mailto:dev@geode.apache.org> > Subject: Re: trying to implement SSL configuration > > Hi Liron, > > > The first thing that jumps out to me when you say that GFSH could not connect > to the JMX manager is that you need to have `jmx` in addition to `locator` in > your `ssl-enabled-components` Geode system property. For example, you'd need > ssl-enabled-components=locator,jmx at a minimum for GFSH to connect. it's a > bit different if you pass --use-http to your `connect` command, but it > doesn't appear you are doing that. > > > Ryan > > On Wed, Jun 20, 2018 at 8:46 AM, Liron Ben Ari <liron.ben...@amdocs.com > <mailto:liron.ben...@amdocs.com>> > wrote: > >> Hi , >> Well , I managed!! All my processes are talking with SSL configuration >> (hip hip Horay ☺) I figure out – that I need client authentication and >> server authentication in the server certificate EKU , and that I need >> a single depth hierarchy , I am not sure it will be the case when I >> wil need to implement it in the customer site… >> >> Does anyone have id why it was used like this? >> >> >> Last question… >> I am trying to configure the gfsh to connect to my locator. >> I’ve added to the connect command the needed properties… >> > native" C++ interaction have a look at geode-native/cppcache/ >> integration-test/testThinClientSSL >> This should provide an example of connecting with SSL enabled... >> >> EB >> >> On Tue, Jun 12, 2018 at 2:48 AM, Liron Ben Ari >> <liron.ben...@amdocs.com< mailto:liron.ben...@amdocs.com>> wrote: >> >> We check - the PKCS12 works - (as we saw it in the s_client) It >> looks like the server did not found a valid certificate... >> >> Maybe you have a working example? When the client is native c++? >> >> Thanks!! >> >> -----Original Message----- >> From: Liron Ben Ari >> Sent: Tuesday, June 12, 2018 11:25 AM >> To: Udo Kohlmeyer >> <ukohlme...@pivotal.io<mailto:ukohlme...@pivotal.io>>; >> dev@geode.apache.org<mailto:dev@geode.apache.org>; >> u...@geode.apache.org <mailto:u...@geode.apache.org> >> Cc: Gregory Vortman <gregory.vort...@amdocs.com<mailto: >> gregory.vort...@amdocs.com>>; Vladi Polonsky >> <vladi.polon...@amdocs.com< mailto:vladi.polon...@amdocs.com>>; Alon >> Bar-Lev <alon.bar...@amdocs.com< mailto:alon.bar...@amdocs.com>> >> Subject: RE: trying to implement SSL configuration >> >> Hi , >> Thanks you for the quick respond. >> So according to the link you send, the keystore type is jks as well. >> I will try and update... >> But according the client configuration (I found this document for it: >> http://pubs.vmware.com/vfabric53/topic/com.vmware. >> ICbase/PDF/vfabric-gemfire-nc-ug-7.0.1.pdf) >> >> The keystore for the native client should be in PEM format. >> >> >> >> -----Original Message----- >> From: Udo Kohlmeyer [mailto:ukohlme...@pivotal.io<mailto: >> ukohlme...@pivotal.io>] >> Sent: Tuesday, June 12, 2018 1:49 AM >> To: dev@geode.apache.org<mailto:dev@geode.apache.org>; Liron Ben Ari < >> liron.ben...@amdocs.com<mailto:liron.ben...@amdocs.com>>; >> u...@geode.apache.org<mailto:u...@geode.apache.org> >> Cc: Gregory Vortman <gregory.vort...@amdocs.com<mailto: >> gregory.vort...@amdocs.com>>; Vladi Polonsky >> <vladi.polon...@amdocs.com< mailto:vladi.polon...@amdocs.com>>; Alon >> Bar-Lev <alon.bar...@amdocs.com< mailto:alon.bar...@amdocs.com>> >> Subject: Re: trying to implement SSL configuration >> >> Hi there, >> >> Have you tried the following? >> >> https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html >> >> I have not tried to use a PKCS12 keystore type. Was there a particular >> reason why you are using it? Could you try with a JKS? >> >> --Udo >> >> On 6/11/18 03:31, Liron Ben Ari wrote: >>> Hello team. >>> I am trying to move my Client server to work with SSL as part of >> Security POC we are running . >>> I was moving on GEODE documents (there are a lot! :)) and there was >>> a >> lot of different options... >>> >>> >>> >>> This is the configuration I used: >>> >>> I've generated Keystore & certificate using a private tool (that >>> uses the openssl + Keytools) >>> >>> For client: >>> A file containing PEM encoded X.509 certificate and PEM encoded >>> PKCS#8 encrypted private key For server: >>> PKCS#12 - this part works >>> as we could see openssl s_client to return the chain >>> >>> >>> >>> On the gemfire.proerties file - I used: >>> >>> ssl-enabled-components=all >>> ssl-protocols=any >>> ssl-ciphers=SSL_RSA_WITH_NULL_SHA //I've tries both option (empty >> as well) >>> ssl-keystore-type=PKCS12 >>> ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA/pki/private/server4.p12 >>> ssl-keystore-password=changeme >>> ssl-truststore-type=JKS >>> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.jks >>> ssl-truststore-password=changeit >>> >>> >>> >>> on the Client Side I used the PEM format: >>> gfcpp1.properties: >>> ssl-enabled=true >>> ssl-keystore=/tmp/server4.pem >>> ssl-keystore-password=changeme >>> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.pem >>> >>> >>> this is the error I am getting from the server when client is trying >>> to >> connect (locator): >>> [info 2018/06/11 11:46:40.907 IDT eaasrt-locator <locator request >>> thread[16]> tid=0x55] Exception in processing request from >>> 192.168.2.100 >>> javax.net.ssl.SSLHandshakeException: >>> sun.security.validator.ValidatorException: PKIX path building failed: >> sun.security.provider.certpath.SunCertPathBuilderException: unable to >> find valid certification path to requested target >>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) >>> at sun.security.ssl.SSLSocketImpl.fatal( >> SSLSocketImpl.java:1949) >>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) >>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) >>> at sun.security.ssl.ServerHandshaker.clientCertificate( >> ServerHandshaker.java:1906) >>> at sun.security.ssl.ServerHandshaker.processMessage( >> ServerHandshaker.java:233) >>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java: >> 1026) >>> at sun.security.ssl.Handshaker.process_record(Handshaker. >> java:961) >>> at sun.security.ssl.SSLSocketImpl.readRecord( >> SSLSocketImpl.java:1062) >>> at sun.security.ssl.SSLSocketImpl.performInitialHandshake( >> SSLSocketImpl.java:1375) >>> at sun.security.ssl.SSLSocketImpl.startHandshake( >> SSLSocketImpl.java:1403) >>> at sun.security.ssl.SSLSocketImpl.startHandshake( >> SSLSocketImpl.java:1387) >>> at org.apache.geode.internal.net<http://org.apache.geode. >> internal.net>.SocketCreator.configureServerSSLSocket( >> SocketCreator.java:1013) >>> at org.apache.geode.distributed.internal.tcpserver.TcpServer. >> lambda$processRequest$0(TcpServer.java:366) >>> at java.util.concurrent.ThreadPoolExecutor.runWorker( >> ThreadPoolExecutor.java:1142) >>> at java.util.concurrent.ThreadPoolExecutor$Worker.run( >> ThreadPoolExecutor.java:617) >>> at java.lang.Thread.run(Thread.java:748) >>> Caused by: sun.security.validator.ValidatorException: PKIX path >> building failed: sun.security.provider.certpath.SunCertPathBuilderException: >> unable to find valid certification path to requested target >>> at sun.security.validator.PKIXValidator.doBuild( >> PKIXValidator.java:387) >>> at sun.security.validator.PKIXValidator.engineValidate( >> PKIXValidator.java:292) >>> at sun.security.validator.Validator.validate(Validator. >> java:260) >>> at sun.security.ssl.X509TrustManagerImpl.validate( >> X509TrustManagerImpl.java:324) >>> at sun.security.ssl.X509TrustManagerImpl.checkTrusted( >> X509TrustManagerImpl.java:227) >>> at >>> sun.security.ssl.X509TrustManagerImpl.checkClientTrusted( >> X509TrustManagerImpl.java:118) >>> at sun.security.ssl.ServerHandshaker.clientCertificate( >> ServerHandshaker.java:1888) >>> ... 12 more >>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: >> unable to find valid certification path to requested target >>> at >>> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathB >>> ui >>> lder.java:141) >>> : >>> >>> this are the errors I am getting from the client: >>> >>> ACE_SSL (45715|140151217246912) error code: 336151574 - >>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate >>> unknown ACE_SSL (45715|140151217246912) error code: 336151574 - >>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate >>> unknown ACE_SSL (45715|140151217246912) error code: 336151574 - >>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate >>> unknown ACE_SSL (45715|140147953735424) error code: 336151574 - >>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate >>> unknown ACE_SSL (45715|140148921374464) error code: 336151574 - >>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate >>> unknown ACE_SSL (45715|140148896196352) error code: 336151574 - >>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate >>> unknown ACE_SSL (45715|140148004091648) error code: 336151574 - >>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate >>> unknown ACE_SSL (45715|140147978913536) error code: 336151574 - >>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate >>> unknown ACE_SSL (45715|140148398352128) error code: 336151574 - >>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate >>> unknown ACE_SSL (45715|140148373174016) error code: 336151574 - >>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate >>> unknown >>> >>> >>> >>> >>> >>> >>> Any help will be appreciated !! >>> >>> Thanks. >>> >>> >>> This message and the information contained herein is proprietary and >>> confidential and subject to the Amdocs policy statement, >>> >>> you may review at https://www.amdocs.com/about/email-disclaimer >>> <https://www.amdocs.com/about/email-disclaimer> >>> >> >> This message and the information contained herein is proprietary and >> confidential and subject to the Amdocs policy statement, >> >> you may review at https://www.amdocs.com/about/email-disclaimer < >> https://www.amdocs.com/about/email-disclaimer> >> >> This message and the information contained herein is proprietary and >> confidential and subject to the Amdocs policy statement, >> >> you may review at https://www.amdocs.com/about/email-disclaimer < >> https://www.amdocs.com/about/email-disclaimer> >> > This message and the information contained herein is proprietary and > confidential and subject to the Amdocs policy statement, > > you may review at https://www.amdocs.com/about/email-disclaimer > <https://www.amdocs.com/about/email-disclaimer> > This message and the information contained herein is proprietary and > confidential and subject to the Amdocs policy statement, > > you may review at https://www.amdocs.com/about/email-disclaimer > <https://www.amdocs.com/about/email-disclaimer> > <https://www.amdocs.com/about/email-disclaimer > <https://www.amdocs.com/about/email-disclaimer>>
