[
https://issues.apache.org/jira/browse/CASSANDRA-20484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17952976#comment-17952976
]
Jyothsna Konisa commented on CASSANDRA-20484:
---------------------------------------------
Hi [[email protected]]
Firstly I am not much familiar with this tool, I have touched a part of this
file in one of my previous commits, but that change is not making any
significant changes in terms of how we create SSL context for this tool. After
looking into the code, it feels to me that the code is throwing a legitimate
error.
looks like the tool is expected to use cassandra's yaml to see the server's SSL
configuration and create SSL context for the loader based on server's
configuration.
The Yaml configuration that you have is
client_encryption_options.enabled : true
client_encryption_options. require_client_auth: false
Which means the sever should send it's server certificate during SSL connection
and the It doesn't require the client (Loader in this case) to send a client
certificate during SSL connection.
For talking to such a server you are creating SSLContext for a loader, In the
handshake the server sends its certificate and the loader's SSLContext has to
verify the server cert against it's own truststore, but that truststore is
missing on the loader (file not exists error) and that is the reason why you
are seeing this error.
Note that `require_client_auth: false` setting means that the server doesn't
require loader to send its client certificate and it doesn't mean that the
client can skip validating server certificate
Thanks [~maulin.vasavada] for tagging me
> Bulkloader requires truststore path even when required_client_auth is false
> in cassandra.yaml
> ---------------------------------------------------------------------------------------------
>
> Key: CASSANDRA-20484
> URL: https://issues.apache.org/jira/browse/CASSANDRA-20484
> Project: Apache Cassandra
> Issue Type: Bug
> Components: Tool/bulk load
> Reporter: Niket Vilas Bagwe
> Assignee: Maulin Vasavada
> Priority: Normal
> Attachments: image-2025-05-13-23-42-19-536.png
>
>
> If client_encryption_options are enabled in cassandra.yaml with
> require_client_auth false *and* Sstableloader command is used with -f option
> (for cassandra.yaml path), sstableloader fails with "NoSuchFileException:
> conf/.truststore".
> Sample sstableloader command is as follows.
> |sstableloader /opt/cassandra/data/keyspace/table -d 127.0.0.1 -p 9042 -ssp
> 7001 -sp 7000 -f */opt/nosql/clusters/cassandra-6382/conf/cassandra.yaml* -u
> "caas" -pw *******|
> Exception encountered is as follows:
>
> {code:java}
> Exception in thread "main" java.lang.RuntimeException: Could not create SSL
> Context.
> at
> org.apache.cassandra.tools.BulkLoader.buildSSLOptions(BulkLoader.java:271)
> at org.apache.cassandra.tools.BulkLoader.load(BulkLoader.java:72)
> at org.apache.cassandra.tools.BulkLoader.main(BulkLoader.java:58)
> Caused by: javax.net.ssl.SSLException: failed to build trust manager store
> for secure connections
> at
> org.apache.cassandra.security.FileBasedSslContextFactory.buildTrustManagerFactory(FileBasedSslContextFactory.java:196)
> at
> org.apache.cassandra.security.AbstractSslContextFactory.createJSSESslContext(AbstractSslContextFactory.java:155)
> at
> org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:127)
> at
> org.apache.cassandra.tools.BulkLoader.buildSSLOptions(BulkLoader.java:267)
> ... 2 more
> Caused by: java.nio.file.NoSuchFileException: conf/.truststore
> at
> java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
> at
> java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
> at
> java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:116)
> at
> java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:219)
> at java.base/java.nio.file.Files.newByteChannel(Files.java:371)
> at java.base/java.nio.file.Files.newByteChannel(Files.java:422)
> at
> java.base/java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:420)
> at java.base/java.nio.file.Files.newInputStream(Files.java:156)
> at
> org.apache.cassandra.security.FileBasedSslContextFactory.buildTrustManagerFactory(FileBasedSslContextFactory.java:183)
> ... 5 more {code}
> The reason for this is that sslcontext for native connection in BulkLoader is
> always created with EncryptionOptions.ClientAuth set to true at
> [line|https://github.com/apache/cassandra/blob/f278f6774fc76465c182041e081982105c3e7dbb/src/java/org/apache/cassandra/tools/BulkLoader.java#L267]
> irrespective of the value of require_client_auth present in cassandra.yaml.
> Because of this BulkLoader always expects to have a truststore file inorder
> to verify the client certificates. Copying below the errorneous code block
> for reference.
> {code:java}
> private static SSLOptions buildSSLOptions(EncryptionOptions
> clientEncryptionOptions)
> { if (!clientEncryptionOptions.getEnabled())
> {
> return null;
> } SSLContext sslContext;
> try
> {
> ################ problematic line
> sslContext = SSLFactory.createSSLContext(clientEncryptionOptions,
> true);
> ################
> }
> catch (IOException e)
> {
> throw new RuntimeException("Could not create SSL Context.", e);
> } {code}
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
