Thanks a lot, Luke! I finally got the mutual certificate-based authentication working by setting check_clr = off, since I don't see any documentation on how to set this up and we might not need this feature. Another thing I did to make it work was to add the correct entry for cidr. I was using 127.0.0.1/32 instead of 10.0.2.2/32, which is the Ubuntu IP that my laptop's localhost is sending the request to.
+--------------------+------------+-----------+----------+
|       users        |    cidr    |  source   | options  |
+--------------------+------------+-----------+----------+
|        kyle        |10.0.2.2/32 |certificate|    []    |
+--------------------+------------+-----------+----------+

TLS also works without using the DNS-resolvable hostname with protocol buffers. Hence, I thought you must have referred to HTTPS.

-Kyle-

-----Original Message-----
From: Luke Bakken [mailto:[email protected]]
Sent: Monday, August 29, 2016 7:59 AM
To: Nguyen, Kyle
Cc: Riak Users
Subject: Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client

Kyle -

What is the output of these commands?

riak-admin security print-users
riak-admin security print-sources

http://docs.basho.com/riak/kv/2.1.4/using/security/basics/#user-management

Please note that setting up certificate authentication *requires* that you have set up SSL / TLS in Riak as well.

http://docs.basho.com/riak/kv/2.1.4/using/security/basics/#enabling-ssl

The SSL certificates used by Riak *must* have their "CN=" section match the server's DNS-resolvable host name. This is an SSL/TLS requirement, not specific to Riak. Then, when you connect via the Java client, you must use the DNS name and not the IP address. The client must have the appropriate public key information to validate the server cert as well (from Get a Cert).

--
Luke Bakken
Engineer
[email protected]

On Fri, Aug 26, 2016 at 3:34 PM, Nguyen, Kyle <[email protected]> wrote:
> Update – Handshake was successful after I opted out of the mutual
> authentication option; the client no longer sends its certificate to Riak.
> However, I get the following error after TLS is established:
>
> > *** Finished
> > verify_data: { 149, 140, 49, 23, 238, 152, 45, 212, 158, 44, 189, 155 }
> > ***
> > %% Cached client session: [Session-12, TLS_RSA_WITH_AES_128_CBC_SHA256]
> > nioEventLoopGroup-2-4, WRITE: TLSv1.2 Application Data, length = 21
> > nioEventLoopGroup-2-4, called closeOutbound()
> > …..
> > Caused by: com.basho.riak.client.core.NoNodesAvailableException
> >   at com.basho.riak.client.core.RiakCluster.retryOperation(RiakCluster.java:469)
> >   at com.basho.riak.client.core.RiakCluster.access$1000(RiakCluster.java:48)
> >   at com.basho.riak.client.core.RiakCluster$RetryTask.run(RiakCluster.java:554)
> >   at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> >   at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >   at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> >   at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> >   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >   ... 1 more

_______________________________________________
riak-users mailing list
[email protected]
http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
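The cidr mistake Kyle describes (a source entry for 127.0.0.1/32 while the client actually arrives from 10.0.2.2) is easy to check mechanically. The following Python script is an added example, not part of this thread or of Riak's own code: it parses the text table that `riak-admin security print-sources` prints and reports which entries would apply to a given user connecting from a given client address. Both tables are constructed from Kyle's description (the loopback entry before the fix, the 10.0.2.2/32 entry after); the `all` user keyword is the one shown in Riak's security docs, and Riak's own precedence between overlapping entries is not modelled, the function simply returns every entry that matches.

```python
"""Added example (not from the riak-users thread or the Riak code base):
parse the text table printed by `riak-admin security print-sources` and
report which entries would apply to a given user connecting from a given
client IP. The tables below are constructed from Kyle's description."""
import ipaddress
from typing import List, NamedTuple, Union

# Constructed: the source entry Kyle first used (loopback only).
SOURCES_BEFORE = """\
+--------------------+------------+-----------+----------+
|       users        |    cidr    |  source   | options  |
+--------------------+------------+-----------+----------+
|        kyle        |127.0.0.1/32|certificate|    []    |
+--------------------+------------+-----------+----------+
"""

# Constructed: the entry after the fix, matching the address the VM sees
# for the host laptop (10.0.2.2 in Kyle's setup).
SOURCES_AFTER = """\
+--------------------+------------+-----------+----------+
|       users        |    cidr    |  source   | options  |
+--------------------+------------+-----------+----------+
|        kyle        |10.0.2.2/32 |certificate|    []    |
+--------------------+------------+-----------+----------+
"""

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class Source(NamedTuple):
    users: str        # a user name, or the "all" keyword from riak-admin
    cidr: Network
    source: str       # trust, password, pam or certificate
    options: str


def parse_sources(table: str) -> List[Source]:
    """Turn the ASCII table into Source rows; border and header lines are skipped."""
    rows: List[Source] = []
    for line in table.splitlines():
        if not line.startswith("|"):
            continue                      # +----+ border line
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "users":
            continue                      # header row
        users, cidr, source, options = cells
        rows.append(Source(users, ipaddress.ip_network(cidr, strict=False), source, options))
    return rows


def matching_sources(sources: List[Source], user: str, client_ip: str) -> List[Source]:
    """Every entry whose user column names `user` (or "all") and whose CIDR
    contains `client_ip`. An empty list means no source applies, which is the
    situation Kyle hit with 127.0.0.1/32 while connecting from 10.0.2.2.
    Riak's own precedence between overlapping entries is not modelled here."""
    ip = ipaddress.ip_address(client_ip)
    return [s for s in sources if s.users in (user, "all") and ip in s.cidr]


if __name__ == "__main__":
    for label, table in (("before", SOURCES_BEFORE), ("after", SOURCES_AFTER)):
        hits = matching_sources(parse_sources(table), "kyle", "10.0.2.2")
        print(label, "->", [f"{s.cidr} {s.source}" for s in hits] or "no source matches")
```

Run against a real `print-sources` dump, the client address to test is the one the Riak node sees (for a VM behind NAT that is the gateway address, not the laptop's loopback), which is exactly the value Kyle had to change.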
