Hello,

For "native" C++ interaction have a look at
geode-native/cppcache/integration-test/testThinClientSSL
This should provide an example of connecting with SSL enabled...

EB

On Tue, Jun 12, 2018 at 2:48 AM, Liron Ben Ari <liron.ben...@amdocs.com>
wrote:

>
> We checked - the PKCS12 works (as we saw it in s_client).
> It looks like the server did not find a valid certificate...
>
> Maybe you have a working example where the client is native C++?
>
> Thanks!!
>
> -----Original Message-----
> From: Liron Ben Ari
> Sent: Tuesday, June 12, 2018 11:25 AM
> To: Udo Kohlmeyer <ukohlme...@pivotal.io>; dev@geode.apache.org;
> u...@geode.apache.org
> Cc: Gregory Vortman <gregory.vort...@amdocs.com>; Vladi Polonsky
> <vladi.polon...@amdocs.com>; Alon Bar-Lev <alon.bar...@amdocs.com>
> Subject: RE: trying to implement SSL configuration
>
> Hi,
> Thank you for the quick response.
> So according to the link you sent, the keystore type is JKS as well.
> I will try and update...
> But according to the client configuration (I found this document for it:
> http://pubs.vmware.com/vfabric53/topic/com.vmware.ICbase/PDF/vfabric-gemfire-nc-ug-7.0.1.pdf)
>
> The keystore for the native client should be in PEM format.
>
>
>
> -----Original Message-----
> From: Udo Kohlmeyer [mailto:ukohlme...@pivotal.io]
> Sent: Tuesday, June 12, 2018 1:49 AM
> To: dev@geode.apache.org; Liron Ben Ari <liron.ben...@amdocs.com>;
> u...@geode.apache.org
> Cc: Gregory Vortman <gregory.vort...@amdocs.com>; Vladi Polonsky
> <vladi.polon...@amdocs.com>; Alon Bar-Lev <alon.bar...@amdocs.com>
> Subject: Re: trying to implement SSL configuration
>
> Hi there,
>
> Have you tried the following?
>
> https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html
>
> I have not tried to use a PKCS12 keystore type. Was there a particular
> reason why you are using it? Could you try with a JKS?
>
> --Udo
>
> On 6/11/18 03:31, Liron Ben Ari wrote:
> > Hello team.
> > I am trying to move my client server to work with SSL as part of a security POC we are running.
> > I was going over the Geode documents (there are a lot! :)) and there were a lot of different options...
> >
> >
> >
> > This is the configuration I used:
> >
> > I've generated the keystore & certificate using a private tool (that uses openssl + keytool).
> >
> > For the client:
> >   A file containing a PEM encoded X.509 certificate and a PEM encoded PKCS#8 encrypted private key.
> >
> > For the server:
> >   PKCS#12 - this part works, as we could see openssl s_client return the chain.
> >
> >
> >
> > In the gemfire.properties file I used:
> >
> > ssl-enabled-components=all
> > ssl-protocols=any
> > ssl-ciphers=SSL_RSA_WITH_NULL_SHA       // I've tried both options (empty as well)
> > ssl-keystore-type=PKCS12
> > ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA/pki/private/server4.p12
> > ssl-keystore-password=changeme
> > ssl-truststore-type=JKS
> > ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.jks
> > ssl-truststore-password=changeit
> >
> >
> >
> > On the client side I used the PEM format:
> > gfcpp1.properties:
> > ssl-enabled=true
> > ssl-keystore=/tmp/server4.pem
> > ssl-keystore-password=changeme
> > ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.pem
> >
> >
> > This is the error I am getting from the server when the client is trying to connect (locator):
> > [info 2018/06/11 11:46:40.907 IDT eaasrt-locator <locator request thread[16]> tid=0x55] Exception in processing request from 192.168.2.100
> > javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >          at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> >          at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
> >          at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
> >          at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
> >          at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1906)
> >          at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233)
> >          at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
> >          at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
> >          at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
> >          at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
> >          at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
> >          at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
> >          at org.apache.geode.internal.net.SocketCreator.configureServerSSLSocket(SocketCreator.java:1013)
> >          at org.apache.geode.distributed.internal.tcpserver.TcpServer.lambda$processRequest$0(TcpServer.java:366)
> >          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >          at java.lang.Thread.run(Thread.java:748)
> > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
> >          at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
> >          at sun.security.validator.Validator.validate(Validator.java:260)
> >          at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> >          at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:227)
> >          at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:118)
> >          at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1888)
> >          ... 12 more
> > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >          at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> > :
> >
> > These are the errors I am getting from the client:
> >
> > ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> > ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> > ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> > ACE_SSL (45715|140147953735424) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> > ACE_SSL (45715|140148921374464) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> > ACE_SSL (45715|140148896196352) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> > ACE_SSL (45715|140148004091648) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> > ACE_SSL (45715|140147978913536) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> > ACE_SSL (45715|140148398352128) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> > ACE_SSL (45715|140148373174016) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> >
> > Any help will be appreciated!!
> >
> > Thanks.
> >
> >
> > This message and the information contained herein is proprietary and
> > confidential and subject to the Amdocs policy statement,
> > which you may review at https://www.amdocs.com/about/email-disclaimer
> >
>
>
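Added here as an illustration, not from the thread or the Geode project: a small Python parser for the ACE_SSL lines quoted above that unpacks the OpenSSL 1.x-style packed error code (library, function, reason) and maps the reason to the TLS alert number the peer sent, so the client-side "certificate unknown" can be tied to the server-side PKIX failure inside checkClientTrusted. The log lines embedded below are constructed copies in the same format; PID and thread ids are illustrative.

```python
import re

# Constructed sample in the format of the native-client log lines quoted in the thread.
SAMPLE_LOG = """\
ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
ACE_SSL (45715|140147953735424) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
"""

LINE_RE = re.compile(r"ACE_SSL \((\d+)\|(\d+)\) error code: (\d+) - error:([0-9a-fA-F]{8}):")

# OpenSSL 1.x ERR_PACK layout: 8-bit library | 12-bit function | 12-bit reason.
ERR_LIB_SSL = 0x14
# In the SSL library, reasons 1000..1255 mean "peer sent TLS alert (reason - 1000)".
# Subset of RFC 5246 AlertDescription values relevant to certificate problems.
TLS_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
              45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}


def decode_openssl_error(code: int) -> dict:
    """Split a packed OpenSSL error code and resolve a received-alert reason, if any."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = reason - 1000 if lib == ERR_LIB_SSL and 1000 <= reason < 1256 else None
    return {
        "lib": lib, "func": func, "reason": reason, "alert": alert,
        "alert_name": TLS_ALERTS.get(alert, "unknown") if alert is not None else None,
    }


def parse_ace_ssl_log(text: str) -> list:
    """Parse ACE_SSL lines; flag any line whose decimal and hex codes disagree."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        decimal_code = int(m.group(3))
        hex_code = int(m.group(4), 16)
        info = decode_openssl_error(decimal_code)
        info["thread"] = int(m.group(2))
        info["consistent"] = decimal_code == hex_code  # 336151574 == 0x14094416
        results.append(info)
    return results


if __name__ == "__main__":
    for entry in parse_ace_ssl_log(SAMPLE_LOG):
        print(entry)
```

A received alert 46 (certificate_unknown) means the server, not the client, rejected a certificate during the handshake; with the server trace failing in checkClientTrusted, that points at the client certificate's issuer not being present in the server's ssl-truststore.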