Hi again... After some functional test on the SSL configuration, we saw degradation of 300% on performance!! Does anyone have an experience? Is there a some special tuning that I can do?
We used this In our configuration - from documentation it looks like this is the only possible option to use... (we must use the "all" option according to the GPRD regulations...) ssl-enabled-components=all ssl-protocols=any ssl-ciphers=SSL_RSA_WITH_NULL_SHA we have also change the number of threads to 0 (so it will be thread per connection - there was no other way...) thanks a lot for any help :) -----Original Message----- From: Liron Ben Ari Sent: Sunday, June 24, 2018 12:58 PM To: dev@geode.apache.org Cc: Gregory Vortman <gregory.vort...@amdocs.com> Subject: RE: trying to implement SSL configuration Thanks a lot for your respond Ryan, I've used the ssl-enabled-components=all parameter. All my c++ clients are able to connect to the locator and to send ssl events.. I have another java client that connects to the locator and I gave him the same parameters... I will try changing it and will update :) thanks Here are the parameters I used for the server side: ssl-enabled-components=all ssl-protocols=any ssl-ciphers=SSL_RSA_WITH_NULL_SHA ssl-keystore-type=PKCS12 ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA-simple/pki/private/test1.p12 ssl-keystore-password=***** ssl-truststore-type=JKS ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA-simple/Amdocs-Test-CA-simple.jks ssl-truststore-password=changeit -----Original Message----- From: Ryan McMahon [mailto:rmcma...@pivotal.io] Sent: Wednesday, June 20, 2018 6:57 PM To: dev@geode.apache.org Subject: Re: trying to implement SSL configuration Hi Liron, The first thing that jumps out to me when you say that GFSH could not connect to the JMX manager is that you need to have `jmx` in addition to `locator` in your `ssl-enabled-components` Geode system property. For example, you'd need ssl-enabled-components=locator,jmx at a minimum for GFSH to connect. it's a bit different if you pass --use-http to your `connect` command, but it doesn't appear you are doing that. Ryan On Wed, Jun 20, 2018 at 8:46 AM, Liron Ben Ari <liron.ben...@amdocs.com> wrote: > Hi , > Well , I managed!! All my processes are talking with SSL configuration > (hip hip Horay ☺) I figure out – that I need client authentication and > server authentication in the server certificate EKU , and that I need > a single depth hierarchy , I am not sure it will be the case when I > wil need to implement it in the customer site… > > Does anyone have id why it was used like this? > > > Last question… > I am trying to configure the gfsh to connect to my locator. > I’ve added to the connect command the needed properties… > native" C++ interaction have a look at geode-native/cppcache/ > integration-test/testThinClientSSL > This should provide an example of connecting with SSL enabled... > > EB > > On Tue, Jun 12, 2018 at 2:48 AM, Liron Ben Ari > <liron.ben...@amdocs.com< mailto:liron.ben...@amdocs.com>> wrote: > > We check - the PKCS12 works - (as we saw it in the s_client) It > looks like the server did not found a valid certificate... > > Maybe you have a working example? When the client is native c++? > > Thanks!! > > -----Original Message----- > From: Liron Ben Ari > Sent: Tuesday, June 12, 2018 11:25 AM > To: Udo Kohlmeyer > <ukohlme...@pivotal.io<mailto:ukohlme...@pivotal.io>>; > dev@geode.apache.org<mailto:dev@geode.apache.org>; > u...@geode.apache.org <mailto:u...@geode.apache.org> > Cc: Gregory Vortman <gregory.vort...@amdocs.com<mailto: > gregory.vort...@amdocs.com>>; Vladi Polonsky > <vladi.polon...@amdocs.com< mailto:vladi.polon...@amdocs.com>>; Alon > Bar-Lev <alon.bar...@amdocs.com< mailto:alon.bar...@amdocs.com>> > Subject: RE: trying to implement SSL configuration > > Hi , > Thanks you for the quick respond. > So according to the link you send, the keystore type is jks as well. > I will try and update... > But according the client configuration (I found this document for it: > http://pubs.vmware.com/vfabric53/topic/com.vmware. > ICbase/PDF/vfabric-gemfire-nc-ug-7.0.1.pdf) > > The keystore for the native client should be in PEM format. > > > > -----Original Message----- > From: Udo Kohlmeyer [mailto:ukohlme...@pivotal.io<mailto: > ukohlme...@pivotal.io>] > Sent: Tuesday, June 12, 2018 1:49 AM > To: dev@geode.apache.org<mailto:dev@geode.apache.org>; Liron Ben Ari < > liron.ben...@amdocs.com<mailto:liron.ben...@amdocs.com>>; > u...@geode.apache.org<mailto:u...@geode.apache.org> > Cc: Gregory Vortman <gregory.vort...@amdocs.com<mailto: > gregory.vort...@amdocs.com>>; Vladi Polonsky > <vladi.polon...@amdocs.com< mailto:vladi.polon...@amdocs.com>>; Alon > Bar-Lev <alon.bar...@amdocs.com< mailto:alon.bar...@amdocs.com>> > Subject: Re: trying to implement SSL configuration > > Hi there, > > Have you tried the following? > > https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html > > I have not tried to use a PKCS12 keystore type. Was there a particular > reason why you are using it? Could you try with a JKS? > > --Udo > > On 6/11/18 03:31, Liron Ben Ari wrote: > > Hello team. > > I am trying to move my Client server to work with SSL as part of > Security POC we are running . > > I was moving on GEODE documents (there are a lot! :)) and there was > > a > lot of different options... > > > > > > > > This is the configuration I used: > > > > I've generated Keystore & certificate using a private tool (that > > uses the openssl + Keytools) > > > > For client: > > A file containing PEM encoded X.509 certificate and PEM encoded > > PKCS#8 encrypted private key For server: > > PKCS#12 - this part works > > as we could see openssl s_client to return the chain > > > > > > > > On the gemfire.proerties file - I used: > > > > ssl-enabled-components=all > > ssl-protocols=any > > ssl-ciphers=SSL_RSA_WITH_NULL_SHA //I've tries both option (empty > as well) > > ssl-keystore-type=PKCS12 > > ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA/pki/private/server4.p12 > > ssl-keystore-password=changeme > > ssl-truststore-type=JKS > > ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.jks > > ssl-truststore-password=changeit > > > > > > > > on the Client Side I used the PEM format: > > gfcpp1.properties: > > ssl-enabled=true > > ssl-keystore=/tmp/server4.pem > > ssl-keystore-password=changeme > > ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.pem > > > > > > this is the error I am getting from the server when client is trying > > to > connect (locator): > > [info 2018/06/11 11:46:40.907 IDT eaasrt-locator <locator request > > thread[16]> tid=0x55] Exception in processing request from > > 192.168.2.100 > > javax.net.ssl.SSLHandshakeException: > > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to > find valid certification path to requested target > > at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) > > at sun.security.ssl.SSLSocketImpl.fatal( > SSLSocketImpl.java:1949) > > at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) > > at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) > > at sun.security.ssl.ServerHandshaker.clientCertificate( > ServerHandshaker.java:1906) > > at sun.security.ssl.ServerHandshaker.processMessage( > ServerHandshaker.java:233) > > at sun.security.ssl.Handshaker.processLoop(Handshaker.java: > 1026) > > at sun.security.ssl.Handshaker.process_record(Handshaker. > java:961) > > at sun.security.ssl.SSLSocketImpl.readRecord( > SSLSocketImpl.java:1062) > > at sun.security.ssl.SSLSocketImpl.performInitialHandshake( > SSLSocketImpl.java:1375) > > at sun.security.ssl.SSLSocketImpl.startHandshake( > SSLSocketImpl.java:1403) > > at sun.security.ssl.SSLSocketImpl.startHandshake( > SSLSocketImpl.java:1387) > > at org.apache.geode.internal.net<http://org.apache.geode. > internal.net>.SocketCreator.configureServerSSLSocket( > SocketCreator.java:1013) > > at org.apache.geode.distributed.internal.tcpserver.TcpServer. > lambda$processRequest$0(TcpServer.java:366) > > at java.util.concurrent.ThreadPoolExecutor.runWorker( > ThreadPoolExecutor.java:1142) > > at java.util.concurrent.ThreadPoolExecutor$Worker.run( > ThreadPoolExecutor.java:617) > > at java.lang.Thread.run(Thread.java:748) > > Caused by: sun.security.validator.ValidatorException: PKIX path > building failed: sun.security.provider.certpath.SunCertPathBuilderException: > unable to find valid certification path to requested target > > at sun.security.validator.PKIXValidator.doBuild( > PKIXValidator.java:387) > > at sun.security.validator.PKIXValidator.engineValidate( > PKIXValidator.java:292) > > at sun.security.validator.Validator.validate(Validator. > java:260) > > at sun.security.ssl.X509TrustManagerImpl.validate( > X509TrustManagerImpl.java:324) > > at sun.security.ssl.X509TrustManagerImpl.checkTrusted( > X509TrustManagerImpl.java:227) > > at > > sun.security.ssl.X509TrustManagerImpl.checkClientTrusted( > X509TrustManagerImpl.java:118) > > at sun.security.ssl.ServerHandshaker.clientCertificate( > ServerHandshaker.java:1888) > > ... 12 more > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: > unable to find valid certification path to requested target > > at > > sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathB > > ui > > lder.java:141) > > : > > > > this are the errors I am getting from the client: > > > > ACE_SSL (45715|140151217246912) error code: 336151574 - > > error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate > > unknown ACE_SSL (45715|140151217246912) error code: 336151574 - > > error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate > > unknown ACE_SSL (45715|140151217246912) error code: 336151574 - > > error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate > > unknown ACE_SSL (45715|140147953735424) error code: 336151574 - > > error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate > > unknown ACE_SSL (45715|140148921374464) error code: 336151574 - > > error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate > > unknown ACE_SSL (45715|140148896196352) error code: 336151574 - > > error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate > > unknown ACE_SSL (45715|140148004091648) error code: 336151574 - > > error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate > > unknown ACE_SSL (45715|140147978913536) error code: 336151574 - > > error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate > > unknown ACE_SSL (45715|140148398352128) error code: 336151574 - > > error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate > > unknown ACE_SSL (45715|140148373174016) error code: 336151574 - > > error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate > > unknown > > > > > > > > > > > > > > Any help will be appreciated !! > > > > Thanks. > > > > > > This message and the information contained herein is proprietary and > > confidential and subject to the Amdocs policy statement, > > > > you may review at https://www.amdocs.com/about/email-disclaimer > > <https://www.amdocs.com/about/email-disclaimer> > > > > This message and the information contained herein is proprietary and > confidential and subject to the Amdocs policy statement, > > you may review at https://www.amdocs.com/about/email-disclaimer < > https://www.amdocs.com/about/email-disclaimer> > > This message and the information contained herein is proprietary and > confidential and subject to the Amdocs policy statement, > > you may review at https://www.amdocs.com/about/email-disclaimer < > https://www.amdocs.com/about/email-disclaimer> > This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at https://www.amdocs.com/about/email-disclaimer <https://www.amdocs.com/about/email-disclaimer> This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at https://www.amdocs.com/about/email-disclaimer <https://www.amdocs.com/about/email-disclaimer>
