Hi Ishara,

Herewith I have attached jaas.conf and java.env files. You need to add
these two files to <MB-HOME>/repository/conf/etc/ where the MB instance starts
as the zookeeper profile. After that, change the path of jaas.conf in the
java.env. Also check that the <MB-HOME>/repository/conf/security/jaas.conf file
exists. If it does not exist, copy the jaas.conf. The issue seems to be that the MB
server started as zookeeper won't get the SASL configuration properly. Anyway,
you can further debug and see with these configuration settings.

Cheers!




On Tue, Apr 29, 2014 at 11:46 PM, Ishara Premadasa <ish...@wso2.com> wrote:

> Hi,
>
> From WSO2 MB 2.2.0 onwards we will be supporting zookeeper profiles with
> MB, where a message broker instance can also be started as a zookeeper server
> by using carbon profiles. For this we use the embedded zookeeper server
> that is shipped with the Coordination component. However, as stated in [1],
> when SASL security is enabled for the zookeeper server, the coordination server
> (which is the zk server here) doesn't seem to initiate a ZooKeeperSaslServer
> object, but still starts a non-SASL Zookeeper server only.
>
> I enabled the debug logs for the zookeeper server, and once the client tries to
> connect to the server by providing client login data, the following error logs
> can be seen on the zk server side and the client side.
>
> *server side ( MB with zookeeper profile enabled)*
> [2014-04-29 22:06:31,316] DEBUG
> {org.apache.zookeeper.server.ZooKeeperServer} -  Responding to client SASL
> token.
> [2014-04-29 22:06:31,316] DEBUG
> {org.apache.zookeeper.server.ZooKeeperServer} -  Size of client SASL token:
> 0
> [2014-04-29 22:06:31,317] ERROR
> {org.apache.zookeeper.server.ZooKeeperServer} -  cnxn.saslServer is null:
> cnxn object did not initialize its saslServer properly.
>
> *client side ( MB server which connects to zookeeper)*
> [2014-04-29 22:06:31,313] DEBUG
> {org.apache.zookeeper.client.ZooKeeperSaslClient} -
> ClientCnxn:sendSaslPacket:length=0
> [2014-04-29 22:06:31,319] ERROR
> {org.apache.zookeeper.client.ZooKeeperSaslClient} -  SASL authentication
> failed using login context 'Client'.
>
> To get this verified, I tested the same scenario by pointing to an
> external Apache zookeeper server, where the client was able to successfully
> authenticate with the same credentials, as in the logs below.
>
> [2014-04-29 22:12:10,873] DEBUG
> {org.apache.zookeeper.client.ZooKeeperSaslClient} -
> ClientCnxn:sendSaslPacket:length=0
> [2014-04-29 22:12:10,873] DEBUG
> {org.apache.zookeeper.client.ZooKeeperSaslClient} -
> saslClient.evaluateChallenge(len=101)
> [2014-04-29 22:12:10,874] DEBUG
> {org.apache.zookeeper.client.ZooKeeperSaslClient} -
> ClientCnxn:sendSaslPacket:length=276
> [2014-04-29 22:12:10,876] DEBUG
> {org.apache.zookeeper.client.ZooKeeperSaslClient} -
> saslClient.evaluateChallenge(len=40)
> [2014-04-29 22:12:10,877] DEBUG {org.apache.zookeeper.ClientCnxn} -
> Reading reply sessionid:0x145ae5b1d2e0002, packet:: clientPath:null
> serverPath:null finished:false header:: 3,3  replyHeader:: 3,5,-101
> request:: '/queue_workers_parent,F  response::
>
> Therefore it seems the coordination server doesn't start the zookeeper instance by
> verifying whether security is enabled or not. We need to get this fixed for MB
> 2.2.0 and I am currently working on it. If there is any configuration
> available for the coordination server to handle this without changing the
> source, please mention it here.
>
> Thanks!
> Ishara
>
> [1] https://wso2.org/jira/browse/MB-601
>
> --
> Ishara Premadasa
> Software Engineer,
> WSO2 Inc. http://wso2.com/
>
>
> Blog: http://isharapremadasa.blogspot.com/
> Twitter: https://twitter.com/ishadil
> Mobile: +94 714445832
>
>
>


-- 
Indika Sampath
Software Engineer
WSO2 Inc.
http://wso2.com

Phone: +94 716 424 744
Blog: http://indikasampath.blogspot.com/

Attachment: jaas.conf
Description: Binary data

Attachment: java.env
Description: Binary data
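
An added example (not part of this thread and not the attached files): a Python check for the two conditions the reply describes, that java.env points at the intended jaas.conf and that the file defines login contexts for both sides. It assumes ZooKeeper's default context names `Server` and `Client` and a `-Djava.security.auth.login.config=` JVM flag in java.env; the sample contents, path and credentials are constructed.

```python
import re

# Constructed sample files (assumed layout, not the attachments from this thread).
SAMPLE_JAVA_ENV = 'SERVER_JVMFLAGS="-Djava.security.auth.login.config=/opt/wso2mb/repository/conf/etc/jaas.conf"\n'
SAMPLE_JAAS = '''
Server {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_admin="changeit";
};
Client {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="admin"
    password="changeit";
};
'''

def jaas_path_from_env(java_env_text):
    """Return the path given to -Djava.security.auth.login.config, or None."""
    m = re.search(r'-Djava\.security\.auth\.login\.config=([^\s"\']+)', java_env_text)
    return m.group(1) if m else None

def jaas_sections(jaas_text):
    """Map each login context name to the login module classes it lists."""
    text = re.sub(r'/\*.*?\*/', '', jaas_text, flags=re.S)  # strip block comments
    text = re.sub(r'(?m)^\s*//.*$', '', text)                # strip line comments
    sections = {}
    for name, body in re.findall(r'([\w.]+)\s*\{(.*?)\}\s*;', text, flags=re.S):
        entries = [e.strip() for e in body.split(';') if e.strip()]
        sections[name] = [e.split()[0] for e in entries]
    return sections

def check(java_env_text, jaas_text, expected_path):
    """Return a list of problems; an empty list means both files look consistent."""
    problems = []
    path = jaas_path_from_env(java_env_text)
    if path is None:
        problems.append("java.env does not set java.security.auth.login.config")
    elif path != expected_path:
        problems.append(f"java.env points at {path}, expected {expected_path}")
    sections = jaas_sections(jaas_text)
    for ctx in ("Server", "Client"):  # assumed default context names
        if not sections.get(ctx):
            problems.append(f"jaas.conf has no usable '{ctx}' login context")
    return problems
```

A jaas.conf that only carries a `Client` section is reported as missing `Server`, which matches the symptom in the quoted server log where the connection's saslServer was never initialized.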

_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
