RE: trying to implement SSL configuration

[Liron Ben Ari]

The locator is coming up.
The server isn't - this is the exception (when not using 0): 



er 
--J=-DIMDG_PROP_FILE=/users/xpiwrk1/GemFire/Server/properties/IMDGServer.properties
 --J=-DACTIVE_ENABLE=true

..............................................The Cache Server process 
terminated unexpectedly with exit status 1. Please refer to the log file in 
/users/xpiwrk1/GemFire/Server/servers/server1 for full details.

Java HotSpot(TM) 64-Bit Server VM warning: ignoring option PermSize=64m; 
support was removed in 8.0

Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=256m; 
support was removed in 8.0

Exception in thread "main" java.lang.IllegalArgumentException: Selector thread 
pooling can not be used with client/server SSL. The selector can be disabled by 
setting max-threads=0.

        at 
org.apache.geode.internal.cache.tier.sockets.AcceptorImpl.<init>(AcceptorImpl.java:436)

        at 
org.apache.geode.internal.cache.CacheServerImpl.start(CacheServerImpl.java:354)

        at 
org.apache.geode.internal.cache.xmlcache.CacheCreation.startCacheServers(CacheCreation.java:634)

        at 
org.apache.geode.internal.cache.xmlcache.CacheCreation.create(CacheCreation.java:529)

        at 
org.apache.geode.internal.cache.xmlcache.CacheXmlParser.create(CacheXmlParser.java:338)

        at 
org.apache.geode.internal.cache.GemFireCacheImpl.loadCacheXml(GemFireCacheImpl.java:4313)

        at 
org.apache.geode.internal.cache.GemFireCacheImpl.initializeDeclarativeCache(GemFireCacheImpl.java:1403)

        at 
org.apache.geode.internal.cache.GemFireCacheImpl.initialize(GemFireCacheImpl.java:1203)

        at 
org.apache.geode.internal.cache.GemFireCacheImpl.basicCreate(GemFireCacheImpl.java:778)


-----Original Message-----
From: Anthony Baker <aba...@pivotal.io> 
Sent: Monday, July 2, 2018 7:07 PM
To: dev@geode.apache.org
Cc: Gregory Vortman <gregory.vort...@amdocs.com>; Ori Levy <o...@amdocs.com>; 
Ari Erev <ari.e...@amdocs.com>
Subject: Re: trying to implement SSL configuration

Why did you change the number of threads to 0 (and which setting did you 
change)?  AFAIK this is not a requirement.

Anthony


> On Jul 1, 2018, at 10:29 PM, Liron Ben Ari <liron.ben...@amdocs.com> wrote:
> 
> Hi again...
> After some functional test on the SSL configuration, we saw degradation of 
> 300% on performance!!
> Does anyone have an experience?
> Is there a some special tuning that I can do?
> 
> We used this In our configuration - from documentation it looks like this is 
> the only possible option to use...
> (we must use the "all" option according to the GPRD regulations...)
> 
> ssl-enabled-components=all
> ssl-protocols=any
> ssl-ciphers=SSL_RSA_WITH_NULL_SHA
> we have also change the number of threads to 0 (so it will be thread 
> per connection - there was no other way...)
> 
> 
> thanks a lot for any help :)
> 
> -----Original Message-----
> From: Liron Ben Ari
> Sent: Sunday, June 24, 2018 12:58 PM
> To: dev@geode.apache.org <mailto:dev@geode.apache.org>
> Cc: Gregory Vortman <gregory.vort...@amdocs.com 
> <mailto:gregory.vort...@amdocs.com>>
> Subject: RE: trying to implement SSL configuration
> 
> Thanks a lot for your respond Ryan,
> I've used the ssl-enabled-components=all parameter.
> All my c++ clients are able to connect to the locator and to send ssl events..
> I have another java client that connects to the locator and I gave him the 
> same parameters...
> I will try changing it and will update :) thanks
> 
> Here are the parameters  I used for the server side:
> 
> ssl-enabled-components=all
> ssl-protocols=any
> ssl-ciphers=SSL_RSA_WITH_NULL_SHA
> ssl-keystore-type=PKCS12
> ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA-simple/pki/private/test1.p1
> 2
> ssl-keystore-password=*****
> ssl-truststore-type=JKS
> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA-simple/Amdocs-Test-CA-sim
> ple.jks
> ssl-truststore-password=changeit
> 
> -----Original Message-----
> From: Ryan McMahon [mailto:rmcma...@pivotal.io 
> <mailto:rmcma...@pivotal.io>]
> Sent: Wednesday, June 20, 2018 6:57 PM
> To: dev@geode.apache.org <mailto:dev@geode.apache.org>
> Subject: Re: trying to implement SSL configuration
> 
> Hi Liron,
> 
> 
> The first thing that jumps out to me when you say that GFSH could not connect 
> to the JMX manager is that you need to have `jmx` in addition to `locator` in 
> your `ssl-enabled-components` Geode system property.  For example, you'd need 
> ssl-enabled-components=locator,jmx at a minimum for GFSH to connect.  it's a 
> bit different if you pass --use-http to your `connect` command, but it 
> doesn't appear you are doing that.
> 
> 
> Ryan
> 
> On Wed, Jun 20, 2018 at 8:46 AM, Liron Ben Ari 
> <liron.ben...@amdocs.com <mailto:liron.ben...@amdocs.com>>
> wrote:
> 
>> Hi ,
>> Well , I managed!! All my processes are talking with SSL 
>> configuration (hip hip Horay ☺) I figure out – that I need client 
>> authentication and server authentication in the server certificate 
>> EKU , and that I need a single  depth hierarchy , I am not sure it 
>> will be the case when I wil need to implement it in the customer 
>> site…
>> 
>> Does anyone have id why it was used like this?
>> 
>> 
>> Last question…
>> I am trying to configure the gfsh to connect to my locator.
>> I’ve added to the connect command the needed properties…
>> 
> native" C++ interaction have a look at geode-native/cppcache/
>> integration-test/testThinClientSSL
>> This should provide an example of connecting with SSL enabled...
>> 
>> EB
>> 
>> On Tue, Jun 12, 2018 at 2:48 AM, Liron Ben Ari 
>> <liron.ben...@amdocs.com< mailto:liron.ben...@amdocs.com>> wrote:
>> 
>> We check  - the PKCS12 works  - (as  we saw it in the s_client) It 
>> looks like the server did not found  a valid certificate...
>> 
>> Maybe you have a working example? When the client is native c++?
>> 
>> Thanks!!
>> 
>> -----Original Message-----
>> From: Liron Ben Ari
>> Sent: Tuesday, June 12, 2018 11:25 AM
>> To: Udo Kohlmeyer
>> <ukohlme...@pivotal.io<mailto:ukohlme...@pivotal.io>>;
>> dev@geode.apache.org<mailto:dev@geode.apache.org>;
>> u...@geode.apache.org <mailto:u...@geode.apache.org>
>> Cc: Gregory Vortman <gregory.vort...@amdocs.com<mailto:
>> gregory.vort...@amdocs.com>>; Vladi Polonsky 
>> <vladi.polon...@amdocs.com< mailto:vladi.polon...@amdocs.com>>; Alon 
>> Bar-Lev <alon.bar...@amdocs.com< mailto:alon.bar...@amdocs.com>>
>> Subject: RE: trying to implement SSL configuration
>> 
>> Hi ,
>> Thanks you for the quick respond.
>> So according to the link you send, the keystore type is jks as well.
>> I will try  and update...
>> But according the client configuration (I found this document for it:
>> http://pubs.vmware.com/vfabric53/topic/com.vmware.
>> ICbase/PDF/vfabric-gemfire-nc-ug-7.0.1.pdf)
>> 
>> The  keystore for the native client should be in PEM format.
>> 
>> 
>> 
>> -----Original Message-----
>> From: Udo Kohlmeyer [mailto:ukohlme...@pivotal.io<mailto:
>> ukohlme...@pivotal.io>]
>> Sent: Tuesday, June 12, 2018 1:49 AM
>> To: dev@geode.apache.org<mailto:dev@geode.apache.org>; Liron Ben Ari 
>> < liron.ben...@amdocs.com<mailto:liron.ben...@amdocs.com>>;
>> u...@geode.apache.org<mailto:u...@geode.apache.org>
>> Cc: Gregory Vortman <gregory.vort...@amdocs.com<mailto:
>> gregory.vort...@amdocs.com>>; Vladi Polonsky 
>> <vladi.polon...@amdocs.com< mailto:vladi.polon...@amdocs.com>>; Alon 
>> Bar-Lev <alon.bar...@amdocs.com< mailto:alon.bar...@amdocs.com>>
>> Subject: Re: trying to implement SSL configuration
>> 
>> Hi there,
>> 
>> Have you tried the following?
>> 
>> https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html
>> 
>> I have not tried to use a PKCS12 keystore type. Was there a 
>> particular reason why you are using it? Could you try with a JKS?
>> 
>> --Udo
>> 
>> On 6/11/18 03:31, Liron Ben Ari wrote:
>>> Hello team.
>>> I am trying to move my Client server to work with SSL as part of
>> Security POC we are running .
>>> I was moving on GEODE documents  (there are a lot! :)) and there was 
>>> a
>> lot of different options...
>>> 
>>> 
>>> 
>>> This is the configuration  I used:
>>> 
>>> I've generated Keystore & certificate using a private tool (that 
>>> uses the openssl + Keytools)
>>> 
>>> For client:
>>>  A file containing PEM encoded X.509 certificate and PEM encoded
>>> PKCS#8 encrypted private key For server:
>>> PKCS#12  - this part works
>>> as we could see openssl s_client to return the chain
>>> 
>>> 
>>> 
>>> On the gemfire.proerties file - I used:
>>> 
>>> ssl-enabled-components=all
>>> ssl-protocols=any
>>> ssl-ciphers=SSL_RSA_WITH_NULL_SHA       //I've tries both option (empty
>> as well)
>>> ssl-keystore-type=PKCS12
>>> ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA/pki/private/server4.p12
>>> ssl-keystore-password=changeme
>>> ssl-truststore-type=JKS
>>> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.jks
>>> ssl-truststore-password=changeit
>>> 
>>> 
>>> 
>>> on the Client Side I used the PEM format:
>>> gfcpp1.properties:
>>> ssl-enabled=true
>>> ssl-keystore=/tmp/server4.pem
>>> ssl-keystore-password=changeme
>>> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.pem
>>> 
>>> 
>>> this is the error I am getting from the server when client is trying 
>>> to
>> connect  (locator):
>>> [info 2018/06/11 11:46:40.907 IDT eaasrt-locator <locator request 
>>> thread[16]> tid=0x55] Exception in processing request from
>>> 192.168.2.100
>>> javax.net.ssl.SSLHandshakeException:
>>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to 
>> find valid certification path to requested target
>>>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>         at sun.security.ssl.SSLSocketImpl.fatal(
>> SSLSocketImpl.java:1949)
>>>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>>>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>>>         at sun.security.ssl.ServerHandshaker.clientCertificate(
>> ServerHandshaker.java:1906)
>>>         at sun.security.ssl.ServerHandshaker.processMessage(
>> ServerHandshaker.java:233)
>>>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:
>> 1026)
>>>         at sun.security.ssl.Handshaker.process_record(Handshaker.
>> java:961)
>>>         at sun.security.ssl.SSLSocketImpl.readRecord(
>> SSLSocketImpl.java:1062)
>>>         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(
>> SSLSocketImpl.java:1375)
>>>         at sun.security.ssl.SSLSocketImpl.startHandshake(
>> SSLSocketImpl.java:1403)
>>>         at sun.security.ssl.SSLSocketImpl.startHandshake(
>> SSLSocketImpl.java:1387)
>>>         at org.apache.geode.internal.net<http://org.apache.geode.
>> internal.net>.SocketCreator.configureServerSSLSocket(
>> SocketCreator.java:1013)
>>>         at org.apache.geode.distributed.internal.tcpserver.TcpServer.
>> lambda$processRequest$0(TcpServer.java:366)
>>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(
>> ThreadPoolExecutor.java:1142)
>>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(
>> ThreadPoolExecutor.java:617)
>>>         at java.lang.Thread.run(Thread.java:748)
>>> Caused by: sun.security.validator.ValidatorException: PKIX path
>> building failed: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>>>         at sun.security.validator.PKIXValidator.doBuild(
>> PKIXValidator.java:387)
>>>         at sun.security.validator.PKIXValidator.engineValidate(
>> PKIXValidator.java:292)
>>>         at sun.security.validator.Validator.validate(Validator.
>> java:260)
>>>         at sun.security.ssl.X509TrustManagerImpl.validate(
>> X509TrustManagerImpl.java:324)
>>>         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(
>> X509TrustManagerImpl.java:227)
>>>         at
>>> sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(
>> X509TrustManagerImpl.java:118)
>>>         at sun.security.ssl.ServerHandshaker.clientCertificate(
>> ServerHandshaker.java:1888)
>>>         ... 12 more
>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>>>         at
>>> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathB
>>> ui
>>> lder.java:141)
>>> :
>>> 
>>> this are the errors I am getting from the client:
>>> 
>>> ACE_SSL (45715|140151217246912) error code: 336151574 - 
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
>>> unknown ACE_SSL (45715|140151217246912) error code: 336151574 - 
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
>>> unknown ACE_SSL (45715|140151217246912) error code: 336151574 - 
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
>>> unknown ACE_SSL (45715|140147953735424) error code: 336151574 - 
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
>>> unknown ACE_SSL (45715|140148921374464) error code: 336151574 - 
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
>>> unknown ACE_SSL (45715|140148896196352) error code: 336151574 - 
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
>>> unknown ACE_SSL (45715|140148004091648) error code: 336151574 - 
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
>>> unknown ACE_SSL (45715|140147978913536) error code: 336151574 - 
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
>>> unknown ACE_SSL (45715|140148398352128) error code: 336151574 - 
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
>>> unknown ACE_SSL (45715|140148373174016) error code: 336151574 - 
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
>>> unknown
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> Any help will be appreciated !!
>>> 
>>> Thanks.
>>> 
>>> 
>>> This message and the information contained herein is proprietary and 
>>> confidential and subject to the Amdocs policy statement,
>>> 
>>> you may review at https://www.amdocs.com/about/email-disclaimer
>>> <https://www.amdocs.com/about/email-disclaimer>
>>> 
>> 
>> This message and the information contained herein is proprietary and 
>> confidential and subject to the Amdocs policy statement,
>> 
>> you may review at https://www.amdocs.com/about/email-disclaimer < 
>> https://www.amdocs.com/about/email-disclaimer>
>> 
>> This message and the information contained herein is proprietary and 
>> confidential and subject to the Amdocs policy statement,
>> 
>> you may review at https://www.amdocs.com/about/email-disclaimer < 
>> https://www.amdocs.com/about/email-disclaimer>
>> 
> This message and the information contained herein is proprietary and 
> confidential and subject to the Amdocs policy statement,
> 
> you may review at https://www.amdocs.com/about/email-disclaimer 
> <https://www.amdocs.com/about/email-disclaimer>
> This message and the information contained herein is proprietary and 
> confidential and subject to the Amdocs policy statement,
> 
> you may review at https://www.amdocs.com/about/email-disclaimer 
> <https://www.amdocs.com/about/email-disclaimer> 
> <https://www.amdocs.com/about/email-disclaimer 
> <https://www.amdocs.com/about/email-disclaimer>>

This message and the information contained herein is proprietary and 
confidential and subject to the Amdocs policy statement,

you may review at https://www.amdocs.com/about/email-disclaimer 
<https://www.amdocs.com/about/email-disclaimer>