Michael Maier created CASSANDRA-14833:
-----------------------------------------

Summary: change client keystore from jks to pkcs12 doesn't work
Key: CASSANDRA-14833
URL: https://issues.apache.org/jira/browse/CASSANDRA-14833
Project: Cassandra
Issue Type: Bug
Components: Configuration
Environment:
    Cassandra version: 2.2.12
    Java: 1.8.0_181
    SLES11
Reporter: Michael Maier

Changing from JKS to PKCS12 store_type doesn't work for client_encryption_options. For server_encryption_options it is not a problem.

I use:

{{client_encryption_options:}}
{{ enabled: true}}
{{ optional: false}}
{{ keystore: keystore.p12}}
{{ keystore_password: keystorepass}}
{{ truststore: truststore.p12}}
{{ truststore_password: keystorepass}}
{{ store_type: PKCS12}}

but get this error:

{{ERROR 06:34:36 Exception encountered during startup}}
{{java.lang.RuntimeException: Unable to create thrift socket to /192.168.1.2:9160}}
{{ at org.apache.cassandra.thrift.CustomTThreadPoolServer$Factory.buildTServer(CustomTThreadPoolServer.java:270) ~[apache-cassandra-2.2.12.jar:2.2.12]}}
{{ at org.apache.cassandra.thrift.TServerCustomFactory.buildTServer(TServerCustomFactory.java:46) ~[apache-cassandra-2.2.12.jar:2.2.12]}}
{{ at org.apache.cassandra.thrift.ThriftServer$ThriftServerThread.<init>(ThriftServer.java:131) ~[apache-cassandra-2.2.12.jar:2.2.12]}}
{{ at org.apache.cassandra.thrift.ThriftServer.start(ThriftServer.java:58) ~[apache-cassandra-2.2.12.jar:2.2.12]}}
{{ at org.apache.cassandra.service.CassandraDaemon.start(CassandraDaemon.java:453) [apache-cassandra-2.2.12.jar:2.2.12]}}
{{ at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:548) [apache-cassandra-2.2.12.jar:2.2.12]}}
{{ at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:642) [apache-cassandra-2.2.12.jar:2.2.12]}}
{{Caused by: org.apache.thrift.transport.TTransportException: Error creating the transport}}
{{ at org.apache.thrift.transport.TSSLTransportFactory.createSSLContext(TSSLTransportFactory.java:210) ~[libthrift-0.9.2.jar:0.9.2]}}
{{ at org.apache.thrift.transport.TSSLTransportFactory.getServerSocket(TSSLTransportFactory.java:104) ~[libthrift-0.9.2.jar:0.9.2]}}
{{ at org.apache.cassandra.thrift.CustomTThreadPoolServer$Factory.buildTServer(CustomTThreadPoolServer.java:256) ~[apache-cassandra-2.2.12.jar:2.2.12]}}
{{ ... 6 common frames omitted}}
{{Caused by: java.io.IOException: Invalid keystore format}}
{{ at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:658) ~[na:1.8.0_181]}}
{{ at sun.security.provider.{color:#FF0000}JavaKeyStore$JKS.engineLoad({color}JavaKeyStore.java:56) ~[na:1.8.0_181]}}
{{ at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:215) ~[na:1.8.0_181]}}
{{ at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70) ~[na:1.8.0_181]}}
{{ at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_181]}}
{{ at org.apache.thrift.transport.TSSLTransportFactory.createSSLContext(TSSLTransportFactory.java:195) ~[libthrift-0.9.2.jar:0.9.2]}}
{{ ... 8 common frames omitted}}

Looks like the store_type option is not set properly for client encryption. If I don't use the store_type: PKCS12 option the error occurs earlier at the startup

{{INFO 06:43:46 Enabling encrypted CQL connections between client and server}}
{{Exception (java.lang.RuntimeException) encountered during startup: Failed to setup secure pipeline}}
{{java.lang.RuntimeException: Failed to setup secure pipeline}}

so from my point of view it looks like the option is set, but not everywhere it should. I also use PKCS12 stores for server encryption. It works fine there.
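
A pre-start check for the failure in this report, added here as an example and not part of the original message or of Cassandra: it classifies a keystore file by its leading bytes, so a store_type that disagrees with the file is caught before a loader rejects it with "Invalid keystore format". The function names and sample headers are constructed for illustration; the magic numbers are those of the JKS and JCEKS file formats.

```python
import struct

JKS_MAGIC = 0xFEEDFEED    # first 4 bytes of a JKS file
JCEKS_MAGIC = 0xCECECECE  # first 4 bytes of a JCEKS file

def _is_pfx(data: bytes) -> bool:
    """True if data starts like a PKCS#12 PFX: SEQUENCE { INTEGER 3, ... }."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    # Short form, or BER indefinite length (0x80): no extra length bytes.
    extra = 0 if first <= 0x80 else first & 0x7F
    return data[2 + extra:5 + extra] == b"\x02\x01\x03"

def sniff_store_type(data: bytes) -> str:
    """Classify a keystore by its leading bytes."""
    if len(data) >= 8:
        magic, version = struct.unpack(">II", data[:8])
        if version in (1, 2):
            if magic == JKS_MAGIC:
                return "JKS"
            if magic == JCEKS_MAGIC:
                return "JCEKS"
    return "PKCS12" if _is_pfx(data) else "UNKNOWN"

def check_store(declared: str, data: bytes) -> str:
    """Compare a configured store_type with what the file actually is."""
    actual = sniff_store_type(data)
    if actual == "UNKNOWN":
        return "unrecognised keystore header"
    if actual != declared.upper():
        return f"mismatch: configured {declared.upper()}, file is {actual}"
    return "ok"

def sniff_file(path: str) -> str:
    """Sniff a keystore on disk; only the first 16 bytes are read."""
    with open(path, "rb") as fh:
        return sniff_store_type(fh.read(16))

# Constructed sample headers (not real keystores).
SAMPLE_JKS = struct.pack(">III", JKS_MAGIC, 2, 0)   # magic, version, entry count
SAMPLE_P12 = bytes.fromhex("3082095a020103308209")  # DER SEQUENCE, INTEGER 3

if __name__ == "__main__":
    # The report's situation: a .p12 file handed to a loader that expects JKS.
    print(check_store("JKS", SAMPLE_P12))
    print(check_store("PKCS12", SAMPLE_P12))
```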