Geode unit tests completed in 'develop/FlakyTest' with non-zero exit code
Pipeline results can be found at: Concourse: https://concourse.apachegeode-ci.info/teams/main/pipelines/develop/jobs/FlakyTest/builds/72
Geode unit tests completed in 'develop/DistributedTest' with non-zero exit code
Pipeline results can be found at: Concourse: https://concourse.apachegeode-ci.info/teams/main/pipelines/develop/jobs/DistributedTest/builds/52
trying to implement SSL configuration
Hello team.
I am trying to move my Client server to work with SSL as part of Security POC we are running.
I was moving on GEODE documents (there are a lot! :)) and there were a lot of different options...

This is the configuration I used:

I've generated Keystore & certificate using a private tool (that uses the openssl + Keytools)

For client:
A file containing PEM encoded X.509 certificate and PEM encoded PKCS#8 encrypted private key
For server:
PKCS#12 - this part works, as we could see openssl s_client return the chain

On the gemfire.properties file - I used:

    ssl-enabled-components=all
    ssl-protocols=any
    ssl-ciphers=SSL_RSA_WITH_NULL_SHA //I've tried both options (empty as well)
    ssl-keystore-type=PKCS12
    ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA/pki/private/server4.p12
    ssl-keystore-password=changeme
    ssl-truststore-type=JKS
    ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.jks
    ssl-truststore-password=changeit

On the Client Side I used the PEM format:
gfcpp1.properties:

    ssl-enabled=true
    ssl-keystore=/tmp/server4.pem
    ssl-keystore-password=changeme
    ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.pem

This is the error I am getting from the server when client is trying to connect (locator):

    [info 2018/06/11 11:46:40.907 IDT eaasrt-locator tid=0x55] Exception in processing request from 192.168.2.100
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
        at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1906)
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
        at org.apache.geode.internal.net.SocketCreator.configureServerSSLSocket(SocketCreator.java:1013)
        at org.apache.geode.distributed.internal.tcpserver.TcpServer.lambda$processRequest$0(TcpServer.java:366)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:748)
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:227)
        at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:118)
        at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1888)
        ... 12 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    :

These are the errors I am getting from the client:

    ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
    ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
    ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
    ACE_SSL (45715|140147953735424) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
    ACE_SSL (45715|140148921374464) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
    ACE_SSL (45715|140148896196352) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
    ACE_SSL (45715|140148004091648) error code: 336151574 - error:14094416:SSL r
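The trust-anchor check behind the `PKIX path building failed` error in the post above can be reproduced offline with openssl. This is an added example, not part of the original thread; every CA, certificate and file name in it is constructed throwaway test data, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Constructed, throwaway PKI: shows that a client certificate validates only
# when the CA that issued it is among the verifier's trust anchors.
set -eu

# make_ca <dir> <name>: self-signed CA (constructed test data, valid 1 day).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert <dir> <ca-name> <leaf-name>: leaf certificate signed by that CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -days 1 -CA "$1/$2.pem" \
        -CAkey "$1/$2.key" -CAcreateserial -out "$1/$3.pem" 2>/dev/null
}

# chains_to <trusted-ca-bundle.pem> <cert.pem>: exit status 0 only if the
# certificate validates against the given trust anchors.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_of <cert.pem>: issuer DN, to compare against the truststore entries.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

demo() {
    d=$(mktemp -d)
    make_ca "$d" trusted-ca
    make_ca "$d" other-ca
    issue_cert "$d" trusted-ca client
    issuer_of "$d/client.pem"
    for ca in trusted-ca other-ca; do
        if chains_to "$d/$ca.pem" "$d/client.pem"; then
            echo "$ca: client certificate chains to this trust anchor"
        else
            echo "$ca: no valid certification path (the PKIX failure case)"
        fi
    done
    rm -rf "$d"
}
demo
```

Against real files, pass a PEM bundle of the truststore's CA certificates and the certificate the client presents to `chains_to`; `keytool -list -rfc -keystore <truststore>` prints a JKS truststore's entries in PEM form.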
Re: trying to implement SSL configuration
Hi there,

Have you tried the following?

https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html

I have not tried to use a PKCS12 keystore type. Was there a particular reason why you are using it? Could you try with a JKS?

--Udo

On 6/11/18 03:31, Liron Ben Ari wrote:
[Spring CI] Spring Data GemFire > Nightly-ApacheGeode > #945 was SUCCESSFUL (with 2418 tests)
--- Spring Data GemFire > Nightly-ApacheGeode > #945 was successful. --- Scheduled 2420 tests in total. https://build.spring.io/browse/SGF-NAG-945/ -- This message is automatically generated by Atlassian Bamboo
Geode unit tests completed in 'develop/UITests' with non-zero exit code
Pipeline results can be found at: Concourse: https://concourse.apachegeode-ci.info/teams/main/pipelines/develop/jobs/UITests/builds/86
Re: trying to implement SSL configuration
You may want to enable ssl debugging:

-Djavax.net.debug=all

https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html

Anthony

> On Jun 11, 2018, at 3:49 PM, Udo Kohlmeyer wrote:
>
> Hi there,
>
> Have you tried the following?
>
> https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html
>
> I have not tried to use a PKCS12 keystore type. Was there a particular reason
> why you are using it? Could you try with a JKS?
>
> --Udo