Re: trying to implement SSL configuration

Mon, 02 Jul 2018 09:44:55 -0700 

Hi there Liron,
Given that if you set a connection per thread, and by that I assume you mean that you set the min size on the thread pool to 0, you will incur the overhead of SSL negotiation EVERY time you create a connection. 


Now I'm not sure what your thread pool configuration is, I'm only really 
make a wild educated guess.



Any possibility you could share your configuration with us? That would 
include thread-pool config, etc....


--Udo


On 7/2/18 09:06, Anthony Baker wrote:

Why did you change the number of threads to 0 (and which setting did you 
change)?  AFAIK this is not a requirement.

Anthony



On Jul 1, 2018, at 10:29 PM, Liron Ben Ari <liron.ben...@amdocs.com> wrote:

Hi again...
After some functional test on the SSL configuration, we saw degradation of 300% 
on performance!!
Does anyone have an experience?
Is there a some special tuning that I can do?

We used this In our configuration - from documentation it looks like this is 
the only possible option to use...
(we must use the "all" option according to the GPRD regulations...)

ssl-enabled-components=all
ssl-protocols=any
ssl-ciphers=SSL_RSA_WITH_NULL_SHA
we have also change the number of threads to 0 (so it will be thread per 
connection - there was no other way...)


thanks a lot for any help :)

-----Original Message-----
From: Liron Ben Ari
Sent: Sunday, June 24, 2018 12:58 PM
To: dev@geode.apache.org <mailto:dev@geode.apache.org>
Cc: Gregory Vortman <gregory.vort...@amdocs.com 
<mailto:gregory.vort...@amdocs.com>>
Subject: RE: trying to implement SSL configuration

Thanks a lot for your respond Ryan,
I've used the ssl-enabled-components=all parameter.
All my c++ clients are able to connect to the locator and to send ssl events..
I have another java client that connects to the locator and I gave him the same 
parameters...
I will try changing it and will update :) thanks

Here are the parameters  I used for the server side:

ssl-enabled-components=all
ssl-protocols=any
ssl-ciphers=SSL_RSA_WITH_NULL_SHA
ssl-keystore-type=PKCS12
ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA-simple/pki/private/test1.p12
ssl-keystore-password=*****
ssl-truststore-type=JKS
ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA-simple/Amdocs-Test-CA-simple.jks
ssl-truststore-password=changeit

-----Original Message-----
From: Ryan McMahon [mailto:rmcma...@pivotal.io <mailto:rmcma...@pivotal.io>]
Sent: Wednesday, June 20, 2018 6:57 PM
To: dev@geode.apache.org <mailto:dev@geode.apache.org>
Subject: Re: trying to implement SSL configuration

Hi Liron,


The first thing that jumps out to me when you say that GFSH could not connect 
to the JMX manager is that you need to have `jmx` in addition to `locator` in 
your `ssl-enabled-components` Geode system property.  For example, you'd need 
ssl-enabled-components=locator,jmx at a minimum for GFSH to connect.  it's a 
bit different if you pass --use-http to your `connect` command, but it doesn't 
appear you are doing that.


Ryan

On Wed, Jun 20, 2018 at 8:46 AM, Liron Ben Ari <liron.ben...@amdocs.com 
<mailto:liron.ben...@amdocs.com>>
wrote:


Hi ,
Well , I managed!! All my processes are talking with SSL configuration
(hip hip Horay ☺) I figure out – that I need client authentication and
server authentication in the server certificate EKU , and that I need
a single  depth hierarchy , I am not sure it will be the case when I
wil need to implement it in the customer site…

Does anyone have id why it was used like this?


Last question…
I am trying to configure the gfsh to connect to my locator.
I’ve added to the connect command the needed properties…


native" C++ interaction have a look at geode-native/cppcache/

integration-test/testThinClientSSL
This should provide an example of connecting with SSL enabled...

EB

On Tue, Jun 12, 2018 at 2:48 AM, Liron Ben Ari
<liron.ben...@amdocs.com< mailto:liron.ben...@amdocs.com>> wrote:

We check  - the PKCS12 works  - (as  we saw it in the s_client) It
looks like the server did not found  a valid certificate...

Maybe you have a working example? When the client is native c++?

Thanks!!

-----Original Message-----
From: Liron Ben Ari
Sent: Tuesday, June 12, 2018 11:25 AM
To: Udo Kohlmeyer
<ukohlme...@pivotal.io<mailto:ukohlme...@pivotal.io>>;
dev@geode.apache.org<mailto:dev@geode.apache.org>;
u...@geode.apache.org <mailto:u...@geode.apache.org>
Cc: Gregory Vortman <gregory.vort...@amdocs.com<mailto:
gregory.vort...@amdocs.com>>; Vladi Polonsky
<vladi.polon...@amdocs.com< mailto:vladi.polon...@amdocs.com>>; Alon
Bar-Lev <alon.bar...@amdocs.com< mailto:alon.bar...@amdocs.com>>
Subject: RE: trying to implement SSL configuration

Hi ,
Thanks you for the quick respond.
So according to the link you send, the keystore type is jks as well.
I will try  and update...
But according the client configuration (I found this document for it:
http://pubs.vmware.com/vfabric53/topic/com.vmware.
ICbase/PDF/vfabric-gemfire-nc-ug-7.0.1.pdf)

The  keystore for the native client should be in PEM format.



-----Original Message-----
From: Udo Kohlmeyer [mailto:ukohlme...@pivotal.io<mailto:
ukohlme...@pivotal.io>]
Sent: Tuesday, June 12, 2018 1:49 AM
To: dev@geode.apache.org<mailto:dev@geode.apache.org>; Liron Ben Ari <
liron.ben...@amdocs.com<mailto:liron.ben...@amdocs.com>>;
u...@geode.apache.org<mailto:u...@geode.apache.org>
Cc: Gregory Vortman <gregory.vort...@amdocs.com<mailto:
gregory.vort...@amdocs.com>>; Vladi Polonsky
<vladi.polon...@amdocs.com< mailto:vladi.polon...@amdocs.com>>; Alon
Bar-Lev <alon.bar...@amdocs.com< mailto:alon.bar...@amdocs.com>>
Subject: Re: trying to implement SSL configuration

Hi there,

Have you tried the following?

https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html

I have not tried to use a PKCS12 keystore type. Was there a particular
reason why you are using it? Could you try with a JKS?

--Udo

On 6/11/18 03:31, Liron Ben Ari wrote:

Hello team.
I am trying to move my Client server to work with SSL as part of

Security POC we are running .

I was moving on GEODE documents  (there are a lot! :)) and there was
a

lot of different options...



This is the configuration  I used:

I've generated Keystore & certificate using a private tool (that
uses the openssl + Keytools)

For client:
  A file containing PEM encoded X.509 certificate and PEM encoded
PKCS#8 encrypted private key For server:
PKCS#12  - this part works
as we could see openssl s_client to return the chain



On the gemfire.proerties file - I used:

ssl-enabled-components=all
ssl-protocols=any
ssl-ciphers=SSL_RSA_WITH_NULL_SHA       //I've tries both option (empty

as well)

ssl-keystore-type=PKCS12
ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA/pki/private/server4.p12
ssl-keystore-password=changeme
ssl-truststore-type=JKS
ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.jks
ssl-truststore-password=changeit



on the Client Side I used the PEM format:
gfcpp1.properties:
ssl-enabled=true
ssl-keystore=/tmp/server4.pem
ssl-keystore-password=changeme
ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.pem


this is the error I am getting from the server when client is trying
to

connect  (locator):

[info 2018/06/11 11:46:40.907 IDT eaasrt-locator <locator request
thread[16]> tid=0x55] Exception in processing request from
192.168.2.100
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:

sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target

         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
         at sun.security.ssl.SSLSocketImpl.fatal(

SSLSocketImpl.java:1949)

         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
         at sun.security.ssl.ServerHandshaker.clientCertificate(

ServerHandshaker.java:1906)

         at sun.security.ssl.ServerHandshaker.processMessage(

ServerHandshaker.java:233)

         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:

1026)

         at sun.security.ssl.Handshaker.process_record(Handshaker.

java:961)

         at sun.security.ssl.SSLSocketImpl.readRecord(

SSLSocketImpl.java:1062)

         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(

SSLSocketImpl.java:1375)

         at sun.security.ssl.SSLSocketImpl.startHandshake(

SSLSocketImpl.java:1403)

         at sun.security.ssl.SSLSocketImpl.startHandshake(

SSLSocketImpl.java:1387)

         at org.apache.geode.internal.net<http://org.apache.geode.

internal.net>.SocketCreator.configureServerSSLSocket(
SocketCreator.java:1013)

         at org.apache.geode.distributed.internal.tcpserver.TcpServer.

lambda$processRequest$0(TcpServer.java:366)

         at java.util.concurrent.ThreadPoolExecutor.runWorker(

ThreadPoolExecutor.java:1142)

         at java.util.concurrent.ThreadPoolExecutor$Worker.run(

ThreadPoolExecutor.java:617)

         at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.validator.ValidatorException: PKIX path

building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target

         at sun.security.validator.PKIXValidator.doBuild(

PKIXValidator.java:387)

         at sun.security.validator.PKIXValidator.engineValidate(

PKIXValidator.java:292)

         at sun.security.validator.Validator.validate(Validator.

java:260)

         at sun.security.ssl.X509TrustManagerImpl.validate(

X509TrustManagerImpl.java:324)

         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(

X509TrustManagerImpl.java:227)

         at
sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(

X509TrustManagerImpl.java:118)

         at sun.security.ssl.ServerHandshaker.clientCertificate(

ServerHandshaker.java:1888)

         ... 12 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:

unable to find valid certification path to requested target

         at
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathB
ui
lder.java:141)
:

this are the errors I am getting from the client:

ACE_SSL (45715|140151217246912) error code: 336151574 -
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown ACE_SSL (45715|140151217246912) error code: 336151574 -
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown ACE_SSL (45715|140151217246912) error code: 336151574 -
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown ACE_SSL (45715|140147953735424) error code: 336151574 -
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown ACE_SSL (45715|140148921374464) error code: 336151574 -
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown ACE_SSL (45715|140148896196352) error code: 336151574 -
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown ACE_SSL (45715|140148004091648) error code: 336151574 -
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown ACE_SSL (45715|140147978913536) error code: 336151574 -
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown ACE_SSL (45715|140148398352128) error code: 336151574 -
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown ACE_SSL (45715|140148373174016) error code: 336151574 -
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown






Any help will be appreciated !!

Thanks.


This message and the information contained herein is proprietary and
confidential and subject to the Amdocs policy statement,

you may review at https://www.amdocs.com/about/email-disclaimer
<https://www.amdocs.com/about/email-disclaimer>


This message and the information contained herein is proprietary and
confidential and subject to the Amdocs policy statement,

you may review at https://www.amdocs.com/about/email-disclaimer <
https://www.amdocs.com/about/email-disclaimer>

This message and the information contained herein is proprietary and
confidential and subject to the Amdocs policy statement,

you may review at https://www.amdocs.com/about/email-disclaimer <
https://www.amdocs.com/about/email-disclaimer>


This message and the information contained herein is proprietary and 
confidential and subject to the Amdocs policy statement,

you may review at https://www.amdocs.com/about/email-disclaimer 
<https://www.amdocs.com/about/email-disclaimer>
This message and the information contained herein is proprietary and 
confidential and subject to the Amdocs policy statement,

you may review at https://www.amdocs.com/about/email-disclaimer 
<https://www.amdocs.com/about/email-disclaimer> 
<https://www.amdocs.com/about/email-disclaimer 
<https://www.amdocs.com/about/email-disclaimer>>




























					Reply via email to