Jon Moses created CASSANDRA-10391:
-------------------------------------

    Summary: sstableloader fails with client SSL enabled with non-standard keystore/truststore location
    Key: CASSANDRA-10391
    URL: https://issues.apache.org/jira/browse/CASSANDRA-10391
    Project: Cassandra
    Issue Type: Bug
    Environment: [cqlsh 4.1.1 | Cassandra 2.0.14.425 | DSE 4.6.6 | CQL spec 3.1.1 | Thrift protocol 19.39.0]
                 [cqlsh 5.0.1 | Cassandra 2.1.8.689 | DSE 4.7.3 | CQL spec 3.2.0 | Native protocol v3]
    Reporter: Jon Moses

If client SSL is enabled, sstableloader is unable to access the keystore and truststore if they are not in the expected locations. I reproduce this issue providing {{-f /path/to/cassandra.yaml}} as well as manually using the {{-ks}} flag with the proper path to the keystore.

For example:

{noformat}
client_encryption_options:
    enabled: true
    keystore: /var/tmp/.keystore
{noformat}

{noformat}
# sstableloader -d 172.31.2.240,172.31.2.241 -f /etc/dse/cassandra/cassandra.yaml Keyspace1/Standard1/
Could not retrieve endpoint ranges:
java.io.FileNotFoundException: /usr/share/dse/conf/.keystore
Run with --debug to get full stack trace or --help to get help.
#
# sstableloader -d 172.31.2.240,172.31.2.241 -ks /var/tmp/.keystore Keyspace1/Standard1/
Could not retrieve endpoint ranges:
java.io.FileNotFoundException: /usr/share/dse/conf/.keystore
Run with --debug to get full stack trace or --help to get help.
#
{noformat}

The full stack is:

{noformat}
# sstableloader -d 172.31.2.240,172.31.2.241 -f /etc/dse/cassandra/cassandra.yaml --debug Keyspace1/Standard1/
Could not retrieve endpoint ranges:
java.io.FileNotFoundException: /usr/share/dse/conf/.keystore
java.lang.RuntimeException: Could not retrieve endpoint ranges:
	at org.apache.cassandra.tools.BulkLoader$ExternalClient.init(BulkLoader.java:283)
	at org.apache.cassandra.io.sstable.SSTableLoader.stream(SSTableLoader.java:144)
	at org.apache.cassandra.tools.BulkLoader.main(BulkLoader.java:95)
Caused by: java.io.FileNotFoundException: /usr/share/dse/conf/.keystore
	at com.datastax.bdp.transport.client.TClientSocketFactory.getSSLSocket(TClientSocketFactory.java:128)
	at com.datastax.bdp.transport.client.TClientSocketFactory.openSocket(TClientSocketFactory.java:114)
	at com.datastax.bdp.transport.client.TDseClientTransportFactory.openTransport(TDseClientTransportFactory.java:186)
	at com.datastax.bdp.transport.client.TDseClientTransportFactory.openTransport(TDseClientTransportFactory.java:120)
	at com.datastax.bdp.transport.client.TDseClientTransportFactory.openTransport(TDseClientTransportFactory.java:111)
	at org.apache.cassandra.tools.BulkLoader$ExternalClient.createThriftClient(BulkLoader.java:302)
	at org.apache.cassandra.tools.BulkLoader$ExternalClient.init(BulkLoader.java:254)
	... 2 more
root@ip-172-31-2-240:/tmp/foo#
{noformat}

If I copy the keystore to the expected location, I get the same error with the truststore.

{noformat}
# sstableloader -d 172.31.2.240,172.31.2.241 -f /etc/dse/cassandra/cassandra.yaml --debug Keyspace1/Standard1/
Could not retrieve endpoint ranges:
java.io.FileNotFoundException: /usr/share/dse/conf/.truststore
java.lang.RuntimeException: Could not retrieve endpoint ranges:
	at org.apache.cassandra.tools.BulkLoader$ExternalClient.init(BulkLoader.java:283)
	at org.apache.cassandra.io.sstable.SSTableLoader.stream(SSTableLoader.java:144)
	at org.apache.cassandra.tools.BulkLoader.main(BulkLoader.java:95)
Caused by: java.io.FileNotFoundException: /usr/share/dse/conf/.truststore
	at com.datastax.bdp.transport.client.TClientSocketFactory.getSSLSocket(TClientSocketFactory.java:130)
	at com.datastax.bdp.transport.client.TClientSocketFactory.openSocket(TClientSocketFactory.java:114)
	at com.datastax.bdp.transport.client.TDseClientTransportFactory.openTransport(TDseClientTransportFactory.java:186)
	at com.datastax.bdp.transport.client.TDseClientTransportFactory.openTransport(TDseClientTransportFactory.java:120)
	at com.datastax.bdp.transport.client.TDseClientTransportFactory.openTransport(TDseClientTransportFactory.java:111)
	at org.apache.cassandra.tools.BulkLoader$ExternalClient.createThriftClient(BulkLoader.java:302)
	at org.apache.cassandra.tools.BulkLoader$ExternalClient.init(BulkLoader.java:254)
	... 2 more
#
{noformat}

If I copy the truststore, it finds them both, but then fails to open them due to what I assume is a password error, even though it's present in the cassandra.yaml.

{noformat}
# sstableloader -d 172.31.2.240,172.31.2.241 -f /etc/dse/cassandra/cassandra.yaml --debug Keyspace1/Standard1/
Could not retrieve endpoint ranges:
java.io.IOException: Failed to open transport to: 172.31.2.240:9160
java.lang.RuntimeException: Could not retrieve endpoint ranges:
	at org.apache.cassandra.tools.BulkLoader$ExternalClient.init(BulkLoader.java:283)
	at org.apache.cassandra.io.sstable.SSTableLoader.stream(SSTableLoader.java:144)
	at org.apache.cassandra.tools.BulkLoader.main(BulkLoader.java:95)
Caused by: java.io.IOException: Failed to open transport to: 172.31.2.240:9160
	at com.datastax.bdp.transport.client.TDseClientTransportFactory.openTransport(TDseClientTransportFactory.java:137)
	at com.datastax.bdp.transport.client.TDseClientTransportFactory.openTransport(TDseClientTransportFactory.java:111)
	at org.apache.cassandra.tools.BulkLoader$ExternalClient.createThriftClient(BulkLoader.java:302)
	at org.apache.cassandra.tools.BulkLoader$ExternalClient.init(BulkLoader.java:254)
	... 2 more
Caused by: org.apache.thrift.transport.TTransportException: Error creating the transport
	at org.apache.thrift.transport.TSSLTransportFactory.createSSLContext(TSSLTransportFactory.java:201)
	at org.apache.thrift.transport.TSSLTransportFactory.getClientSocket(TSSLTransportFactory.java:165)
	at com.datastax.bdp.transport.client.TClientSocketFactory.getSSLSocket(TClientSocketFactory.java:136)
	at com.datastax.bdp.transport.client.TClientSocketFactory.openSocket(TClientSocketFactory.java:114)
	at com.datastax.bdp.transport.client.TDseClientTransportFactory.openTransport(TDseClientTransportFactory.java:186)
	at com.datastax.bdp.transport.client.TDseClientTransportFactory.openTransport(TDseClientTransportFactory.java:120)
	... 5 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
	at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
	at java.security.KeyStore.load(KeyStore.java:1445)
	at org.apache.thrift.transport.TSSLTransportFactory.createSSLContext(TSSLTransportFactory.java:179)
	... 10 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
	... 13 more
{noformat}

If I specify the password on the command line, I get the same error.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
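
An added example, not part of the report and not Cassandra or DSE code: a stand-alone check that separates the two failures seen above, a store path that does not exist versus a JKS store whose integrity digest does not match the supplied password (the condition behind "Keystore was tampered with, or password was incorrect"). It assumes the store is in JKS format, as the `JavaKeyStore$JKS` frames indicate; the function names and the sample store and passwords are constructed for illustration.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

JKS_MAGIC = 0xFEEDFEED
WHITENER = b"Mighty Aphrodite"  # fixed string mixed into the JKS integrity hash

def jks_digest(body: bytes, password: str) -> bytes:
    # SHA-1 over: password as 2-byte big-endian chars, the whitener, the store body
    return hashlib.sha1(password.encode("utf-16-be") + WHITENER + body).digest()

def check_store(path: str, password: str) -> str:
    """Classify a store file: missing, not-jks, bad-password-or-tampered, ok."""
    p = Path(path)
    if not p.is_file():
        return "missing"  # the FileNotFoundException case
    data = p.read_bytes()
    if len(data) < 32 or struct.unpack(">I", data[:4])[0] != JKS_MAGIC:
        return "not-jks"
    body, stored = data[:-20], data[-20:]  # trailing 20 bytes are the digest
    if jks_digest(body, password) != stored:
        return "bad-password-or-tampered"  # same ambiguity as the Java message
    return "ok"

def make_empty_jks(password: str) -> bytes:
    # Constructed sample: header only (magic, version 2, zero entries) + digest
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + jks_digest(body, password)

def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        store = Path(d) / ".keystore"
        store.write_bytes(make_empty_jks("constructed-pass"))
        return {
            "right password": check_store(str(store), "constructed-pass"),
            "wrong password": check_store(str(store), "other-pass"),
            "wrong path": check_store(str(Path(d) / "conf" / ".keystore"), "constructed-pass"),
        }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Running `check_store` against the path and password actually configured in `client_encryption_options` shows whether the store and password are sound on their own, which isolates the fault to the tool not using the configured values.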