The locator is coming up.
The server isn't - this is the exception (when not using 0):
er
--J=-DIMDG_PROP_FILE=/users/xpiwrk1/GemFire/Server/properties/IMDGServer.properties
--J=-DACTIVE_ENABLE=true
..............................................The Cache Server process
terminated unexpectedly with exit status 1. Please refer to the log file in
/users/xpiwrk1/GemFire/Server/servers/server1 for full details.
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option PermSize=64m;
support was removed in 8.0
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=256m;
support was removed in 8.0
Exception in thread "main" java.lang.IllegalArgumentException: Selector thread
pooling can not be used with client/server SSL. The selector can be disabled by
setting max-threads=0.
at
org.apache.geode.internal.cache.tier.sockets.AcceptorImpl.<init>(AcceptorImpl.java:436)
at
org.apache.geode.internal.cache.CacheServerImpl.start(CacheServerImpl.java:354)
at
org.apache.geode.internal.cache.xmlcache.CacheCreation.startCacheServers(CacheCreation.java:634)
at
org.apache.geode.internal.cache.xmlcache.CacheCreation.create(CacheCreation.java:529)
at
org.apache.geode.internal.cache.xmlcache.CacheXmlParser.create(CacheXmlParser.java:338)
at
org.apache.geode.internal.cache.GemFireCacheImpl.loadCacheXml(GemFireCacheImpl.java:4313)
at
org.apache.geode.internal.cache.GemFireCacheImpl.initializeDeclarativeCache(GemFireCacheImpl.java:1403)
at
org.apache.geode.internal.cache.GemFireCacheImpl.initialize(GemFireCacheImpl.java:1203)
at
org.apache.geode.internal.cache.GemFireCacheImpl.basicCreate(GemFireCacheImpl.java:778)
-----Original Message-----
From: Anthony Baker <aba...@pivotal.io>
Sent: Monday, July 2, 2018 7:07 PM
To: dev@geode.apache.org
Cc: Gregory Vortman <gregory.vort...@amdocs.com>; Ori Levy <o...@amdocs.com>;
Ari Erev <ari.e...@amdocs.com>
Subject: Re: trying to implement SSL configuration
Why did you change the number of threads to 0 (and which setting did you
change)? AFAIK this is not a requirement.
Anthony
> On Jul 1, 2018, at 10:29 PM, Liron Ben Ari <liron.ben...@amdocs.com> wrote:
>
> Hi again...
> After some functional test on the SSL configuration, we saw degradation of
> 300% on performance!!
> Does anyone have an experience?
> Is there a some special tuning that I can do?
>
> We used this In our configuration - from documentation it looks like this is
> the only possible option to use...
> (we must use the "all" option according to the GPRD regulations...)
>
> ssl-enabled-components=all
> ssl-protocols=any
> ssl-ciphers=SSL_RSA_WITH_NULL_SHA
> we have also change the number of threads to 0 (so it will be thread
> per connection - there was no other way...)
>
>
> thanks a lot for any help :)
>
> -----Original Message-----
> From: Liron Ben Ari
> Sent: Sunday, June 24, 2018 12:58 PM
> To: dev@geode.apache.org <mailto:dev@geode.apache.org>
> Cc: Gregory Vortman <gregory.vort...@amdocs.com
> <mailto:gregory.vort...@amdocs.com>>
> Subject: RE: trying to implement SSL configuration
>
> Thanks a lot for your respond Ryan,
> I've used the ssl-enabled-components=all parameter.
> All my c++ clients are able to connect to the locator and to send ssl events..
> I have another java client that connects to the locator and I gave him the
> same parameters...
> I will try changing it and will update :) thanks
>
> Here are the parameters I used for the server side:
>
> ssl-enabled-components=all
> ssl-protocols=any
> ssl-ciphers=SSL_RSA_WITH_NULL_SHA
> ssl-keystore-type=PKCS12
> ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA-simple/pki/private/test1.p1
> 2
> ssl-keystore-password=*****
> ssl-truststore-type=JKS
> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA-simple/Amdocs-Test-CA-sim
> ple.jks
> ssl-truststore-password=changeit
>
> -----Original Message-----
> From: Ryan McMahon [mailto:rmcma...@pivotal.io
> <mailto:rmcma...@pivotal.io>]
> Sent: Wednesday, June 20, 2018 6:57 PM
> To: dev@geode.apache.org <mailto:dev@geode.apache.org>
> Subject: Re: trying to implement SSL configuration
>
> Hi Liron,
>
>
> The first thing that jumps out to me when you say that GFSH could not connect
> to the JMX manager is that you need to have `jmx` in addition to `locator` in
> your `ssl-enabled-components` Geode system property. For example, you'd need
> ssl-enabled-components=locator,jmx at a minimum for GFSH to connect. it's a
> bit different if you pass --use-http to your `connect` command, but it
> doesn't appear you are doing that.
>
>
> Ryan
>
> On Wed, Jun 20, 2018 at 8:46 AM, Liron Ben Ari
> <liron.ben...@amdocs.com <mailto:liron.ben...@amdocs.com>>
> wrote:
>
>> Hi ,
>> Well , I managed!! All my processes are talking with SSL
>> configuration (hip hip Horay ☺) I figure out – that I need client
>> authentication and server authentication in the server certificate
>> EKU , and that I need a single depth hierarchy , I am not sure it
>> will be the case when I wil need to implement it in the customer
>> site…
>>
>> Does anyone have id why it was used like this?
>>
>>
>> Last question…
>> I am trying to configure the gfsh to connect to my locator.
>> I’ve added to the connect command the needed properties…
>>
> native" C++ interaction have a look at geode-native/cppcache/
>> integration-test/testThinClientSSL
>> This should provide an example of connecting with SSL enabled...
>>
>> EB
>>
>> On Tue, Jun 12, 2018 at 2:48 AM, Liron Ben Ari
>> <liron.ben...@amdocs.com< mailto:liron.ben...@amdocs.com>> wrote:
>>
>> We check - the PKCS12 works - (as we saw it in the s_client) It
>> looks like the server did not found a valid certificate...
>>
>> Maybe you have a working example? When the client is native c++?
>>
>> Thanks!!
>>
>> -----Original Message-----
>> From: Liron Ben Ari
>> Sent: Tuesday, June 12, 2018 11:25 AM
>> To: Udo Kohlmeyer
>> <ukohlme...@pivotal.io<mailto:ukohlme...@pivotal.io>>;
>> dev@geode.apache.org<mailto:dev@geode.apache.org>;
>> u...@geode.apache.org <mailto:u...@geode.apache.org>
>> Cc: Gregory Vortman <gregory.vort...@amdocs.com<mailto:
>> gregory.vort...@amdocs.com>>; Vladi Polonsky
>> <vladi.polon...@amdocs.com< mailto:vladi.polon...@amdocs.com>>; Alon
>> Bar-Lev <alon.bar...@amdocs.com< mailto:alon.bar...@amdocs.com>>
>> Subject: RE: trying to implement SSL configuration
>>
>> Hi ,
>> Thanks you for the quick respond.
>> So according to the link you send, the keystore type is jks as well.
>> I will try and update...
>> But according the client configuration (I found this document for it:
>> http://pubs.vmware.com/vfabric53/topic/com.vmware.
>> ICbase/PDF/vfabric-gemfire-nc-ug-7.0.1.pdf)
>>
>> The keystore for the native client should be in PEM format.
>>
>>
>>
>> -----Original Message-----
>> From: Udo Kohlmeyer [mailto:ukohlme...@pivotal.io<mailto:
>> ukohlme...@pivotal.io>]
>> Sent: Tuesday, June 12, 2018 1:49 AM
>> To: dev@geode.apache.org<mailto:dev@geode.apache.org>; Liron Ben Ari
>> < liron.ben...@amdocs.com<mailto:liron.ben...@amdocs.com>>;
>> u...@geode.apache.org<mailto:u...@geode.apache.org>
>> Cc: Gregory Vortman <gregory.vort...@amdocs.com<mailto:
>> gregory.vort...@amdocs.com>>; Vladi Polonsky
>> <vladi.polon...@amdocs.com< mailto:vladi.polon...@amdocs.com>>; Alon
>> Bar-Lev <alon.bar...@amdocs.com< mailto:alon.bar...@amdocs.com>>
>> Subject: Re: trying to implement SSL configuration
>>
>> Hi there,
>>
>> Have you tried the following?
>>
>> https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html
>>
>> I have not tried to use a PKCS12 keystore type. Was there a
>> particular reason why you are using it? Could you try with a JKS?
>>
>> --Udo
>>
>> On 6/11/18 03:31, Liron Ben Ari wrote:
>>> Hello team.
>>> I am trying to move my Client server to work with SSL as part of
>> Security POC we are running .
>>> I was moving on GEODE documents (there are a lot! :)) and there was
>>> a
>> lot of different options...
>>>
>>>
>>>
>>> This is the configuration I used:
>>>
>>> I've generated Keystore & certificate using a private tool (that
>>> uses the openssl + Keytools)
>>>
>>> For client:
>>> A file containing PEM encoded X.509 certificate and PEM encoded
>>> PKCS#8 encrypted private key For server:
>>> PKCS#12 - this part works
>>> as we could see openssl s_client to return the chain
>>>
>>>
>>>
>>> On the gemfire.proerties file - I used:
>>>
>>> ssl-enabled-components=all
>>> ssl-protocols=any
>>> ssl-ciphers=SSL_RSA_WITH_NULL_SHA //I've tries both option (empty
>> as well)
>>> ssl-keystore-type=PKCS12
>>> ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA/pki/private/server4.p12
>>> ssl-keystore-password=changeme
>>> ssl-truststore-type=JKS
>>> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.jks
>>> ssl-truststore-password=changeit
>>>
>>>
>>>
>>> on the Client Side I used the PEM format:
>>> gfcpp1.properties:
>>> ssl-enabled=true
>>> ssl-keystore=/tmp/server4.pem
>>> ssl-keystore-password=changeme
>>> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.pem
>>>
>>>
>>> this is the error I am getting from the server when client is trying
>>> to
>> connect (locator):
>>> [info 2018/06/11 11:46:40.907 IDT eaasrt-locator <locator request
>>> thread[16]> tid=0x55] Exception in processing request from
>>> 192.168.2.100
>>> javax.net.ssl.SSLHandshakeException:
>>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> find valid certification path to requested target
>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>> at sun.security.ssl.SSLSocketImpl.fatal(
>> SSLSocketImpl.java:1949)
>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>>> at sun.security.ssl.ServerHandshaker.clientCertificate(
>> ServerHandshaker.java:1906)
>>> at sun.security.ssl.ServerHandshaker.processMessage(
>> ServerHandshaker.java:233)
>>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:
>> 1026)
>>> at sun.security.ssl.Handshaker.process_record(Handshaker.
>> java:961)
>>> at sun.security.ssl.SSLSocketImpl.readRecord(
>> SSLSocketImpl.java:1062)
>>> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(
>> SSLSocketImpl.java:1375)
>>> at sun.security.ssl.SSLSocketImpl.startHandshake(
>> SSLSocketImpl.java:1403)
>>> at sun.security.ssl.SSLSocketImpl.startHandshake(
>> SSLSocketImpl.java:1387)
>>> at org.apache.geode.internal.net<http://org.apache.geode.
>> internal.net>.SocketCreator.configureServerSSLSocket(
>> SocketCreator.java:1013)
>>> at org.apache.geode.distributed.internal.tcpserver.TcpServer.
>> lambda$processRequest$0(TcpServer.java:366)
>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(
>> ThreadPoolExecutor.java:1142)
>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(
>> ThreadPoolExecutor.java:617)
>>> at java.lang.Thread.run(Thread.java:748)
>>> Caused by: sun.security.validator.ValidatorException: PKIX path
>> building failed: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>>> at sun.security.validator.PKIXValidator.doBuild(
>> PKIXValidator.java:387)
>>> at sun.security.validator.PKIXValidator.engineValidate(
>> PKIXValidator.java:292)
>>> at sun.security.validator.Validator.validate(Validator.
>> java:260)
>>> at sun.security.ssl.X509TrustManagerImpl.validate(
>> X509TrustManagerImpl.java:324)
>>> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(
>> X509TrustManagerImpl.java:227)
>>> at
>>> sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(
>> X509TrustManagerImpl.java:118)
>>> at sun.security.ssl.ServerHandshaker.clientCertificate(
>> ServerHandshaker.java:1888)
>>> ... 12 more
>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>>> at
>>> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathB
>>> ui
>>> lder.java:141)
>>> :
>>>
>>> this are the errors I am getting from the client:
>>>
>>> ACE_SSL (45715|140151217246912) error code: 336151574 -
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>>> unknown ACE_SSL (45715|140151217246912) error code: 336151574 -
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>>> unknown ACE_SSL (45715|140151217246912) error code: 336151574 -
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>>> unknown ACE_SSL (45715|140147953735424) error code: 336151574 -
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>>> unknown ACE_SSL (45715|140148921374464) error code: 336151574 -
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>>> unknown ACE_SSL (45715|140148896196352) error code: 336151574 -
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>>> unknown ACE_SSL (45715|140148004091648) error code: 336151574 -
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>>> unknown ACE_SSL (45715|140147978913536) error code: 336151574 -
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>>> unknown ACE_SSL (45715|140148398352128) error code: 336151574 -
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>>> unknown ACE_SSL (45715|140148373174016) error code: 336151574 -
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>>> unknown
>>>
>>>
>>>
>>>
>>>
>>>
>>> Any help will be appreciated !!
>>>
>>> Thanks.
>>>
>>>
>>> This message and the information contained herein is proprietary and
>>> confidential and subject to the Amdocs policy statement,
>>>
>>> you may review at https://www.amdocs.com/about/email-disclaimer
>>> <https://www.amdocs.com/about/email-disclaimer>
>>>
>>
>> This message and the information contained herein is proprietary and
>> confidential and subject to the Amdocs policy statement,
>>
>> you may review at https://www.amdocs.com/about/email-disclaimer <
>> https://www.amdocs.com/about/email-disclaimer>
>>
>> This message and the information contained herein is proprietary and
>> confidential and subject to the Amdocs policy statement,
>>
>> you may review at https://www.amdocs.com/about/email-disclaimer <
>> https://www.amdocs.com/about/email-disclaimer>
>>
> This message and the information contained herein is proprietary and
> confidential and subject to the Amdocs policy statement,
>
> you may review at https://www.amdocs.com/about/email-disclaimer
> <https://www.amdocs.com/about/email-disclaimer>
> This message and the information contained herein is proprietary and
> confidential and subject to the Amdocs policy statement,
>
> you may review at https://www.amdocs.com/about/email-disclaimer
> <https://www.amdocs.com/about/email-disclaimer>
> <https://www.amdocs.com/about/email-disclaimer
> <https://www.amdocs.com/about/email-disclaimer>>
This message and the information contained herein is proprietary and
confidential and subject to the Amdocs policy statement,
you may review at https://www.amdocs.com/about/email-disclaimer
<https://www.amdocs.com/about/email-disclaimer>
