Update – Handshake was successful after I opted out of the mutual
authentication option; the client no longer sends its certificate to Riak.
However, I am getting the following error after TLS is established:
*** Finished
verify_data: { 149, 140, 49, 23, 238, 152, 45, 212, 158, 44, 189, 155 }
***
%% Cached client session: [Session-12, TLS_RSA_WITH_AES_128_CBC_SHA256]
nioEventLoopGroup-2-4, WRITE: TLSv1.2 Application Data, length = 21
nioEventLoopGroup-2-4, called closeOutbound()
…..
Caused by: com.basho.riak.client.core.NoNodesAvailableException
at com.basho.riak.client.core.RiakCluster.retryOperation(RiakCluster.java:469)
at com.basho.riak.client.core.RiakCluster.access$1000(RiakCluster.java:48)
at com.basho.riak.client.core.RiakCluster$RetryTask.run(RiakCluster.java:554)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
... 1 more
From: Jonathan Joseph [mailto:[email protected]]
Sent: Thursday, August 25, 2016 5:53 PM
To: Nguyen, Kyle
Cc: Riak Users
Subject: Re: Need help with Riak-KV (2.1.4) certificate based authentication
using Java client
Try adding the following Java property setting when launching your java client
in order to see SSL Handshake related debug information:
-Djavax.net.debug=ssl:handshake
Or to see all ssl related debug output:
-Djavax.net.debug=ssl
On Thu, Aug 25, 2016 at 4:24 PM, Nguyen, Kyle <[email protected]> wrote:
Hi all,
I was trying to implement client certificate based authentication following
http://docs.basho.com/riak/kv/2.1.4/using/security/basics/ but kept getting the
following SSL Handshake exception. I believe I have the client keystore,
truststore and riak server cert/key setup properly. Both client cert and riak
server cert are signed with the same CA. Any advice and suggestions will be
greatly appreciated!
2016-08-25 12:53:24 DEBUG InternalLoggerFactory:71 - Using SLF4J as the default
logging framework
2016-08-25 12:53:24 DEBUG MultithreadEventLoopGroup:76 -
-Dio.netty.eventLoopThreads: 16
2016-08-25 12:53:24 DEBUG PlatformDependent0:76 - java.nio.Buffer.address:
available
2016-08-25 12:53:24 DEBUG PlatformDependent0:76 - sun.misc.Unsafe.theUnsafe:
available
2016-08-25 12:53:24 DEBUG PlatformDependent0:71 - sun.misc.Unsafe.copyMemory:
available
2016-08-25 12:53:24 DEBUG PlatformDependent0:76 - java.nio.Bits.unaligned: true
2016-08-25 12:53:24 DEBUG PlatformDependent:71 - Platform: Windows
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - Java version: 8
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.noUnsafe: false
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - sun.misc.Unsafe: available
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.noJavassist: false
2016-08-25 12:53:24 DEBUG PlatformDependent:71 - Javassist: unavailable
2016-08-25 12:53:24 DEBUG PlatformDependent:71 - You don't have Javassist in
your class path or you don't have enough permission to load dynamically
generated classes. Please check the configuration for better performance.
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.tmpdir:
C:\apache-tomcat-7.0.54\temp (java.io.tmpdir)
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.bitMode: 64
(sun.arch.data.model)
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.noPreferDirect:
false
2016-08-25 12:53:24 DEBUG NioEventLoop:76 - -Dio.netty.noKeySetOptimization:
false
2016-08-25 12:53:24 DEBUG NioEventLoop:76 -
-Dio.netty.selectorAutoRebuildThreshold: 512
2016-08-25 12:53:24 INFO RiakJKSConnection:73 - initializeRiak Cluster is OK
2016-08-25 12:53:24 DEBUG ThreadLocalRandom:71 -
-Dio.netty.initialSeedUniquifier: 0xac658e47a52a7794 (took 3 ms)
2016-08-25 12:53:24 DEBUG ByteBufUtil:76 - -Dio.netty.allocator.type: unpooled
2016-08-25 12:53:24 DEBUG ByteBufUtil:76 -
-Dio.netty.threadLocalDirectBufferSize: 65536
2016-08-25 12:53:24 DEBUG ByteBufUtil:76 -
-Dio.netty.maxThreadLocalCharBufferSize: 16384
2016-08-25 12:53:24 DEBUG RiakNode:762 - Using TLSv1.2
2016-08-25 12:53:24 DEBUG RiakSecurityDecoder:166 - Handler Added
2016-08-25 12:53:24 DEBUG RiakNode:777 - Waiting on SSL Promise
2016-08-25 12:53:24 DEBUG AbstractByteBuf:81 -
-Dio.netty.buffer.bytebuf.checkAccessible: true
2016-08-25 12:53:24 DEBUG ResourceLeakDetector:81 -
-Dio.netty.leakDetection.level: simple
2016-08-25 12:53:24 DEBUG ResourceLeakDetector:81 -
-Dio.netty.leakDetection.maxRecords: 4
2016-08-25 12:53:24 DEBUG Recycler:76 -
-Dio.netty.recycler.maxCapacity.default: 262144
2016-08-25 12:53:24 DEBUG Cleaner0:76 - java.nio.ByteBuffer.cleaner(): available
2016-08-25 12:53:24 DEBUG RiakSecurityDecoder:69 - RiakSecurityDecoder decode
2016-08-25 12:53:24 DEBUG RiakSecurityDecoder:93 - Received MSG_RpbStartTls
reply
2016-08-25 12:53:24 ERROR RiakSecurityDecoder:230 - SSL Handshake failed:
java.nio.channels.ClosedChannelException
2016-08-25 12:53:24 ERROR RiakNode:787 - Failure during Auth;
127.0.0.1:8087 java.nio.channels.ClosedChannelException
2016-08-25 12:53:24 DEBUG RiakSecurityDecoder:181 - Channel Inactive
RiakNode builder setup:
    public static RiakCluster getRiakCluster(String riakUserName, String userPassword,
            String storePath, String storePasswd, String keyPasswd) throws UnknownHostException {
        KeyStore keyStore = loadKeystore(storePath, storePasswd);
        // riak with one node
        RiakNode.Builder builder = new RiakNode.Builder()
                .withRemoteAddress("127.0.0.1")
                .withRemotePort(8087);
        // trustStore is not declared in this snippet (presumably a field of the enclosing class)
        builder.withAuth(riakUserName, userPassword, trustStore, keyStore, keyPasswd);
        builder.withConnectionTimeout(30000);
        RiakCluster cluster = new RiakCluster.Builder(builder.build()).build();
        cluster.start();
        return cluster;
    }
Thanks
-Kyle-
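
A pre-flight check for the keystore and truststore handed to withAuth in the setup above, added here as an example and not part of the original thread or of the Riak client. It assumes JKS stores and a client certificate issued directly by a CA in the truststore (the thread says both certificates share one CA); the CN-equals-username comparison is an assumption taken from Riak's security documentation, and the class name and argument order are illustrative.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Usage: java ClientAuthPreflight <keystore> <storePasswd> <keyPasswd> <truststore> <trustPasswd> <riakUser>
public class ClientAuthPreflight {
    static KeyStore load(String path, String passwd) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // assumption: JKS stores
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, passwd.toCharArray());     // throws on a wrong store password
        }
        return ks;
    }
    static String commonName(X509Certificate cert) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns())
            if (rdn.getType().equalsIgnoreCase("CN")) return rdn.getValue().toString();
        return "";
    }
    // True if some certificate entry in the truststore directly signed the leaf.
    static boolean signedByTrustedCa(X509Certificate leaf, KeyStore trust) throws Exception {
        for (String alias : Collections.list(trust.aliases())) {
            if (!trust.isCertificateEntry(alias)) continue;
            try {
                leaf.verify(trust.getCertificate(alias).getPublicKey());
                return true;
            } catch (java.security.GeneralSecurityException e) { /* different issuer */ }
        }
        return false;
    }
    public static void main(String[] a) throws Exception {
        KeyStore keys = load(a[0], a[1]), trust = load(a[3], a[4]);
        int usable = 0;
        for (String alias : Collections.list(keys.aliases())) {
            if (!keys.isKeyEntry(alias)) continue;      // certificate-only entries cannot authenticate
            keys.getKey(alias, a[2].toCharArray());     // throws if keyPasswd does not unlock the key
            X509Certificate leaf = (X509Certificate) keys.getCertificateChain(alias)[0];
            leaf.checkValidity();                       // throws if expired or not yet valid
            String cn = commonName(leaf);
            System.out.printf("%s: CN=%s matchesUser=%b signedByTrustedCa=%b%n",
                    alias, cn, cn.equals(a[5]), signedByTrustedCa(leaf, trust));
            usable++;
        }
        if (usable == 0) System.out.println("No private-key entry: the client has no certificate to present");
    }
}
```

Any `false` in the output, or an exception from `getKey` or `checkValidity`, points at the client-side material rather than at the Riak node.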
_______________________________________________
riak-users mailing list
[email protected]
http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com