[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16761930#comment-16761930 ] Christian Tramnitz commented on ZOOKEEPER-2125: --- I second that. It's hard to justify that TLS is *not* supported by an application in 2019. With the "beta" tag on 3.5 this is not an option for some enterprises in production. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng >Priority: Major > Fix For: 3.5.1, 3.6.0 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, > testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16722913#comment-16722913 ] Andreas Buschka commented on ZOOKEEPER-2125: Would it be possible to backport this enhancement to Zookeeper 3.4.x? As of 12/2018, Zookeeper 3.5 still seems to be marked as "Beta" ( [https://zookeeper.apache.org/releases.html] ) and it would really be helpful to have full TLS support in the stable version. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng >Priority: Major > Fix For: 3.5.1, 3.6.0 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, > testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16638309#comment-16638309 ] Martin M commented on ZOOKEEPER-2125: - In this Jira item it is indicated that in order to configure SSl, one has to specified secureClientPort in zoo.cfg. However, the documentation (https://zookeeper.apache.org/doc/r3.5.2-alpha/zookeeperReconfig.html) says: {noformat} Starting with 3.5.0 the clientPort and clientPortAddress configuration parameters should no longer be used {noformat} I have tried setting the SSL port in the dynamic configuration, but it doesnt work. The secureClientPort must be specified in zoo.cfg. When i specify both securePortClient in zoo.cfg and the dynamic configuration, ZK server doesnt start anymore. How to fix this? Thanks > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng >Priority: Major > Fix For: 3.5.1, 3.6.0 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, > testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15863346#comment-15863346 ] Sriram commented on ZOOKEEPER-2125: --- I am using zookeeper-3.5.2-alpha . I tried enabling the SSL for zookeeper and marathon . I am getting the following error error : EXCEPTION: org.jboss.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 002dea600.. org.jboss.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 002dea600010 at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:857) at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425) at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303) at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559) at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268) at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255) at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88) at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108) at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337) at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89) at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178) at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Exception is same as the one mentioned in : http://grokbase.com/t/zookeeper/user/166g6xvvkk/ssl-between-java-client-and-zookeeper Any pointers? > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1, 3.6.0 > > Attachments: testKeyStore.jks, testTrustStore.jks, > ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore paramete
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15859776#comment-15859776 ] Gaurav Abbi commented on ZOOKEEPER-2125: Is it possible to test Zookeeper with SSL using self-signed certificates? > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1, 3.6.0 > > Attachments: testKeyStore.jks, testTrustStore.jks, > ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15848621#comment-15848621 ] Gérald Quintana commented on ZOOKEEPER-2125: This change is interesting. But giving truststore|keystore password using an environment variable is dangerous, they should be stored in Zookeeper's config file. Any user with access to the machine can do a `ps` and grab passwords, it's like not having passwords at all. {code} # ps -ef |grep zookeeper zookeeper4125 1 0 17:39 ?00:00:04 /usr/lib/java/jdk-1.8.0_91/bin/java -Dzookeeper.log.dir=/var/log/zookeeper -Dzookeeper.root.logger=INFO,ROLLINGFILE -cp /appli/projects/sup/supervision/zookeeper/zookeeper-3.4.6/bin/../build/classes:/opt/zookeeper-3.4.6/bin/../build/lib/*.jar:/opt/zookeeper-3.4.6/bin/../lib/slf4j-log4j12-1.6.1.jar:/opt/zookeeper-3.4.6/bin/../lib/slf4j-api-1.6.1.jar:/opt/zookeeper-3.4.6/bin/../lib/netty-3.7.0.Final.jar:/opt/zookeeper-3.4.6/bin/../lib/log4j-1.2.16.jar:/opt/zookeeper-3.4.6/bin/../lib/jline-0.9.94.jar:/opt/zookeeper-3.4.6/bin/../zookeeper-3.4.6.jar:/opt/zookeeper-3.4.6/bin/../src/java/lib/*.jar:/opt/zookeeper-3.4.6/bin/../conf: -Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory -Dzookeeper.ssl.keyStore.location=/opt/zookeeper-3.4.6/conf/keystore.jks -Dzookeeper.ssl.keyStore.password=changeme - zookeeper.ssl.trustStore.location=/opt/zookeeper-3.4.6/conf/truststore.jks -Dzookeeper.ssl.trustStore.password=changeme org.apache.zookeeper.server.quorum.QuorumPeerMain /opt/zookeeper-3.4.6/bin/../conf/zoo.cfg {code} > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1, 3.6.0 > > Attachments: testKeyStore.jks, testTrustStore.jks, > ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15843297#comment-15843297 ] Flavio Junqueira commented on ZOOKEEPER-2125: - I remember having a different user on our list also requesting a backport of this feature. I'd have to look for the thread, but the message we gave at the time was that it is ok to work on a patch and share with the community, but we won't be merging it o 3.4 because it is a stable branch and we generally avoid merging new features to a stable branch, we target merging only bug fixes. As for it being technically possible, I don't see why i wouldn't be, but I haven't actually tried. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1, 3.6.0 > > Attachments: testKeyStore.jks, testTrustStore.jks, > ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15843196#comment-15843196 ] Shivam commented on ZOOKEEPER-2125: --- Do you know any expected release date for stable 3.5.x release ? we are using 3.4.9 stable release and need ssl asap. I can work on back porting it , if you say it is technically possible ? > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1, 3.6.0 > > Attachments: testKeyStore.jks, testTrustStore.jks, > ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15842884#comment-15842884 ] Flavio Junqueira commented on ZOOKEEPER-2125: - hello [~shivamvds], this is not a bug fix, but a feature and as such we have no plan to back port it to the 3.4 branch. we are working towards a stable 3.5.x release, though. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1, 3.6.0 > > Attachments: testKeyStore.jks, testTrustStore.jks, > ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15840986#comment-15840986 ] Shivam commented on ZOOKEEPER-2125: --- Can this fix be back ported to last stable release 3.4.9 ?? > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1, 3.6.0 > > Attachments: testKeyStore.jks, testTrustStore.jks, > ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14375218#comment-14375218 ] Hongchao Deng commented on ZOOKEEPER-2125: -- Sounds excellent. I have created ZOOKEEPER-2148 for it. I'm pretty occupied by other stuff right now. I will continue to work on it and would like to include things in ZOOKEEPER-2123 in the guide too :) > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1, 3.6.0 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, > testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14375213#comment-14375213 ] Michi Mutsuzaki commented on ZOOKEEPER-2125: This feature probably deserves a dedicated user guide, something similar to https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL . What do you guys think? > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1, 3.6.0 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, > testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14366986#comment-14366986 ] Hudson commented on ZOOKEEPER-2125: --- SUCCESS: Integrated in ZooKeeper-trunk #2633 (See [https://builds.apache.org/job/ZooKeeper-trunk/2633/]) ZOOKEEPER-2125 SSL on Netty client-server communication (Hongchao, Ian Dimayuga via rakeshr) (rakeshr: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1667358) * /zookeeper/trunk/CHANGES.txt * /zookeeper/trunk/build.xml * /zookeeper/trunk/src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml * /zookeeper/trunk/src/java/main/org/apache/zookeeper/ClientCnxnSocketNetty.java * /zookeeper/trunk/src/java/main/org/apache/zookeeper/ZooKeeper.java * /zookeeper/trunk/src/java/main/org/apache/zookeeper/common/X509Exception.java * /zookeeper/trunk/src/java/main/org/apache/zookeeper/common/X509Util.java * /zookeeper/trunk/src/java/main/org/apache/zookeeper/server/FinalRequestProcessor.java * /zookeeper/trunk/src/java/main/org/apache/zookeeper/server/NIOServerCnxnFactory.java * /zookeeper/trunk/src/java/main/org/apache/zookeeper/server/NettyServerCnxnFactory.java * /zookeeper/trunk/src/java/main/org/apache/zookeeper/server/ServerCnxnFactory.java * /zookeeper/trunk/src/java/main/org/apache/zookeeper/server/ServerConfig.java * /zookeeper/trunk/src/java/main/org/apache/zookeeper/server/ZooKeeperServer.java * /zookeeper/trunk/src/java/main/org/apache/zookeeper/server/ZooKeeperServerBean.java * /zookeeper/trunk/src/java/main/org/apache/zookeeper/server/ZooKeeperServerMain.java * /zookeeper/trunk/src/java/main/org/apache/zookeeper/server/quorum/Leader.java * /zookeeper/trunk/src/java/main/org/apache/zookeeper/server/quorum/Learner.java * /zookeeper/trunk/src/java/main/org/apache/zookeeper/server/quorum/QuorumPeer.java * /zookeeper/trunk/src/java/main/org/apache/zookeeper/server/quorum/QuorumPeerConfig.java * /zookeeper/trunk/src/java/main/org/apache/zookeeper/server/quorum/QuorumPeerMain.java * /zookeeper/trunk/src/java/main/org/apache/zookeeper/server/quorum/ReadOnlyZooKeeperServer.java * /zookeeper/trunk/src/java/test/data/ssl * /zookeeper/trunk/src/java/test/data/ssl/README.md * /zookeeper/trunk/src/java/test/data/ssl/testKeyStore.jks * /zookeeper/trunk/src/java/test/data/ssl/testTrustStore.jks * /zookeeper/trunk/src/java/test/org/apache/zookeeper/server/quorum/QuorumPeerTestBase.java * /zookeeper/trunk/src/java/test/org/apache/zookeeper/server/quorum/Zab1_0Test.java * /zookeeper/trunk/src/java/test/org/apache/zookeeper/test/ReconfigTest.java * /zookeeper/trunk/src/java/test/org/apache/zookeeper/test/SSLTest.java > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1, 3.6.0 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, > testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/r
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14364686#comment-14364686 ] Rakesh R commented on ZOOKEEPER-2125: - Thanks [~iandi] for the good work and [~rgs] for the review efforts. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, > testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14364611#comment-14364611 ] Hongchao Deng commented on ZOOKEEPER-2125: -- Thanks [~rgs] too! Most of the refactoring work are from his comments. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, > testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14364609#comment-14364609 ] Rakesh R commented on ZOOKEEPER-2125: - Thanks a lot [~fpj], [~michim] for the reviews and [~hdeng] for taking care the patch. I will push this in tonight(IST timezone) if no other comments. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, > testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14364305#comment-14364305 ] Hadoop QA commented on ZOOKEEPER-2125: -- -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12704925/ZOOKEEPER-2125.patch against trunk revision 1666908. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 27 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2575//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2575//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2575//console This message is automatically generated. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, > testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14364170#comment-14364170 ] Flavio Junqueira commented on ZOOKEEPER-2125: - Cool, I'm signing off on this one. +1, looks good, thanks for bearing with me, [~hdeng]. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, > testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14364163#comment-14364163 ] Hongchao Deng commented on ZOOKEEPER-2125: -- The rephrase def looks better! Thanks for it. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14364136#comment-14364136 ] Flavio Junqueira commented on ZOOKEEPER-2125: - [~hdeng], code looks good. there is just a small thing I'd like to improve here, which is the comment right above: {noformat} ZOOKEEPER-558: In some cases the server would not close the connection (closeconn buffer was not being queued) properly. This would happen anyway when the client closed the connection, but the server should do the right thing regardless -- close session. Calling closeSession() if we have lost the cnxn results in the client's close session response. {noformat} I tried to rephrase in a way that is more understandable to me, but feel free to complain. I just want to make it a bit more meaningful: {noformat} In some cases the server does not close the connection (e.g., closeconn buffer was not being queued — ZOOKEEPER-558) properly. This happens, for example, when the client closes the connection. The server should still close the session, though. Calling closeSession() after losing the cnxn, results in the client close session response being dropped. {noformat} Let me know if this makes sense and if it reads better. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14362113#comment-14362113 ] Camille Fournier commented on ZOOKEEPER-2125: - [~michim] tbh not sure there's much I can add unless very specifically directed. Any areas you folks are really concerned with having another set of eyes on? > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14362081#comment-14362081 ] Hongchao Deng commented on ZOOKEEPER-2125: -- The new code looks like: {code} if (request.type == OpCode.closeSession && connClosedByClient(request)) { // We need to check if we can close the session id. // Sometimes the corresponding ServerCnxnFactory could be null because // we are just playing diffs from the leader. if (closeSession(zks.serverCnxnFactory, request.sessionId) || closeSession(zks.secureServerCnxnFactory, request.sessionId)) { return; } } private boolean closeSession(ServerCnxnFactory serverCnxnFactory, long sessionId) { if (serverCnxnFactory == null) { return false; } return serverCnxnFactory.closeSession(sessionId); } private boolean connClosedByClient(Request request) { return request.cnxn == null; } {code} > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14362080#comment-14362080 ] Hongchao Deng commented on ZOOKEEPER-2125: -- I'm almost getting consensus from Flavio. Waiting for his response. The point that we have discussed is [this code|https://github.com/apache/zookeeper/blob/b7698101e3cb02bd570b4098878e85882b3c2a22/src/java/main/org/apache/zookeeper/server/FinalRequestProcessor.java#L136]: {code} if (request.type == OpCode.closeSession) { ServerCnxnFactory scxn = zks.getServerCnxnFactory(); // this might be possible since // we might just be playing diffs from the leader if (scxn != null && request.cnxn == null) { // calling this if we have the cnxn results in the client's // close session response being lost - we've already closed // the session/socket here before we can send the closeSession // in the switch block below scxn.closeSession(request.sessionId); return; } } {code} The patch adds another `zks.secureServerCnxnFactory`. So I have to change the ServerCnxnFactory#closeSession to return boolean to check if session is found and closed in either normal or secure factory. This is what I thought code originally was. If Michi or Camille can share some thoughts or original design on this code, that would be very nice. Thanks in advance for the long reading. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14362076#comment-14362076 ] Michi Mutsuzaki commented on ZOOKEEPER-2125: [~fournc] could you also take a look if you get a chance? thanks! > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14361578#comment-14361578 ] Hadoop QA commented on ZOOKEEPER-2125: -- -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12704566/ZOOKEEPER-2125.patch against trunk revision 1665315. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 27 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2563//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2563//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2563//console This message is automatically generated. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14361549#comment-14361549 ] Hadoop QA commented on ZOOKEEPER-2125: -- -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12704565/ZOOKEEPER-2125.patch against trunk revision 1665315. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 27 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. -1 javac. The patch appears to cause tar ant target to fail. +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2562//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2562//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2562//console This message is automatically generated. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14361276#comment-14361276 ] Flavio Junqueira commented on ZOOKEEPER-2125: - Thanks, Hongchao. I've left a comment there about the loop on connections. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, > testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14360695#comment-14360695 ] Hongchao Deng commented on ZOOKEEPER-2125: -- Addressed the comments. Please take another look. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, > testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14359707#comment-14359707 ] Hadoop QA commented on ZOOKEEPER-2125: -- -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12704296/ZOOKEEPER-2125.patch against trunk revision 1665315. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 27 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2560//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2560//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2560//console This message is automatically generated. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, > testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14359489#comment-14359489 ] Flavio Junqueira commented on ZOOKEEPER-2125: - I have added some minor points to the rb. I have also run tests locally and they pass just fine for me. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14358169#comment-14358169 ] Hadoop QA commented on ZOOKEEPER-2125: -- -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12704094/ZOOKEEPER-2125.patch against trunk revision 1665315. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 19 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2558//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2558//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2558//console This message is automatically generated. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14358101#comment-14358101 ] Michi Mutsuzaki commented on ZOOKEEPER-2125: For the release audit warnings, please update the releaseaudit target in build.xml to exclude files that you want to ignore. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14356786#comment-14356786 ] Rakesh R commented on ZOOKEEPER-2125: - Since this is major change and to make sure that we are not breaking anything. It would be great if I can get +1 from [~fpj], [~michim], [~phunt]. Thanks! > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14356269#comment-14356269 ] Rakesh R commented on ZOOKEEPER-2125: - Thanks [~phunt]. I got your point. I'm not stuck at this moment. +1 latest patch looks fine for me. I'll wait for one day to see any more comments and will checkin the patch after that. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14356249#comment-14356249 ] Patrick Hunt commented on ZOOKEEPER-2125: - That's normal. Unfortunately "diff" and "patch" doesn't support binary files (changes). So typically you need to apply the patch, then copy the binaries into their respective locations, then "svn add" the new files (e.g. the binaries), then svn commit it all. That make sense? I'm not sure, are you stuck or are you ok at this point? > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14356239#comment-14356239 ] Rakesh R commented on ZOOKEEPER-2125: - bq. what do you mean "apply"? I meant, svn or git command to apply the {{ZOOKEEPER-2125.patch}} which will inturn create testKeyStore.jks, testTrustStore.jks files into my local repository. What I've done is, applied the patch and then copy these files separately into my local repository. I understand that later when committing I can do "svn add" these files separately and do the commits together. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14356181#comment-14356181 ] Patrick Hunt commented on ZOOKEEPER-2125: - Hi [~rakeshr] - what do you mean "apply"? You should be able to "svn add" the binaries and then commit if you're talking about source control. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14356178#comment-14356178 ] Hongchao Deng commented on ZOOKEEPER-2125: -- Did you try "--force": http://svnbook.red-bean.com/en/1.6/svn.ref.svn.c.add.html > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14356172#comment-14356172 ] Rakesh R commented on ZOOKEEPER-2125: - I ran the SSLTest.java testcases successfully in my env. I've manually copied the attached testKeyStore.jks, testTrustStore.jks files to {{$HOME/test/data/ssl}} directories, unfortunately I couldn't find command to apply the binary files. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14356021#comment-14356021 ] Hongchao Deng commented on ZOOKEEPER-2125: -- Hi [~rakeshr]. In case you didn't know the process in ZOOKEEPER-1513, SVN (unlike GIT) won't take in any binary changes, even if diff patch contains it. It needs the committer to review it more carefully. They will need to run the tests rather than rely on jenkins (in this case, the "SSLTest"). Then commit both the patches and binaries (I've provided instructions in "description" section) :) > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14355516#comment-14355516 ] Hongchao Deng commented on ZOOKEEPER-2125: -- I think the "readme" file is fine. No "readme" file should contain License header. Just ignore the release audit warning. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14355418#comment-14355418 ] Hongchao Deng commented on ZOOKEEPER-2125: -- I was trying to run the test without build failing immediately so I added a "README" in the ssl/ directory. Jenkins complains a release audit warning.. [~rakeshr], do you think I should remove the file or add an Apache License header? > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14355342#comment-14355342 ] Hadoop QA commented on ZOOKEEPER-2125: -- -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12703686/ZOOKEEPER-2125.patch against trunk revision 1665315. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 23 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings. -1 release audit. The applied patch generated 1 release audit warnings (more than the trunk's current 0 warnings). -1 core tests. The patch failed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2556//testReport/ Release audit warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2556//artifact/trunk/patchprocess/patchReleaseAuditProblems.txt Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2556//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2556//console This message is automatically generated. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14355333#comment-14355333 ] Rakesh R commented on ZOOKEEPER-2125: - OK. Will see the jenkins report. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14355328#comment-14355328 ] Raul Gutierrez Segales commented on ZOOKEEPER-2125: --- [~hdeng]: do you mind updating the RB as well? I'd like to take a last look - thanks! > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14355222#comment-14355222 ] Hongchao Deng commented on ZOOKEEPER-2125: -- Uploaded a new patch. Added the "src/java/test/data/ssl/" dir in the patch. Is it right? > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14355207#comment-14355207 ] Rakesh R commented on ZOOKEEPER-2125: - ZOOKEEPER-1513 patch includes the test resources like, {code} diff --git src/java/test/data/buffersize/create/version-2/log.1 src/java/test/data/buffersize/create/version-2/log.1 ... ... {code} but in your case, ${basedir}/src/java/test/data/ssl path doesn't has the ssl test resources. Thats the reason while copying its fails to find the source files which need to be copied. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, > testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14355208#comment-14355208 ] Rakesh R commented on ZOOKEEPER-2125: - ZOOKEEPER-1513 patch includes the test resources like, {code} diff --git src/java/test/data/buffersize/create/version-2/log.1 src/java/test/data/buffersize/create/version-2/log.1 ... ... {code} but in your case, ${basedir}/src/java/test/data/ssl path doesn't has the ssl test resources. Thats the reason while copying its fails to find the source files which need to be copied. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, > testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14355158#comment-14355158 ] Hongchao Deng commented on ZOOKEEPER-2125: -- Here's a detailed explanation. The final patch add the change in "build.xml": {code} {code} This copies the test data from "src/java/test/data/ssl" to "build/test/data/ssl". This is similar to ZOOKEEPER-1513. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, > testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14355147#comment-14355147 ] Hongchao Deng commented on ZOOKEEPER-2125: -- Right. You need to put testing purpose keystore and truststore under "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/" since it didn't exist. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, > testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14354542#comment-14354542 ] Rakesh R commented on ZOOKEEPER-2125: - {code} [exec] BUILD FAILED [exec] /home/jenkins/jenkins-slave/workspace/PreCommit-ZOOKEEPER-Build/trunk/build.xml:1278: /home/jenkins/jenkins-slave/workspace/PreCommit-ZOOKEEPER-Build/trunk/src/java/test/data/ssl does not exist. [exec] [exec] Total time: 3 seconds {code} > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, > testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14354216#comment-14354216 ] Hongchao Deng commented on ZOOKEEPER-2125: -- Hi Rakesh, I've uploaded the final patch. And also instructions where to put the example binaries in the "description" section. Let me know if you have any other questions. Thanks! > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, > testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14353492#comment-14353492 ] Hadoop QA commented on ZOOKEEPER-2125: -- -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12703483/ZOOKEEPER-2125.patch against trunk revision 1665315. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 17 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2553//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2553//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2553//console This message is automatically generated. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, > testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14353467#comment-14353467 ] Hongchao Deng commented on ZOOKEEPER-2125: -- Right. The test needs the binary files, which couldn't be uploaded by SVN patch. I've run local jenkins to make sure the patch works :) Will update the final patch shortly. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14353456#comment-14353456 ] Hadoop QA commented on ZOOKEEPER-2125: -- -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12703464/ZOOKEEPER-2125.patch against trunk revision 1665315. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 14 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2552//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2552//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2552//console This message is automatically generated. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14353382#comment-14353382 ] Rakesh R commented on ZOOKEEPER-2125: - [~hdeng] btw I've noticed the test case added is not running in CI. {code} Skipped org.apache.zookeeper.test.SSLTest.testSecureStandaloneServer Skipped for the past 1 build (Since Failed#2547 ) Took 0 ms. Skip Message need example binary keystore and truststore {code} > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14353361#comment-14353361 ] Rakesh R commented on ZOOKEEPER-2125: - +1 latest patch looks good to me > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > testKeyStore.jks, testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14351746#comment-14351746 ] Hadoop QA commented on ZOOKEEPER-2125: -- -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12703254/ZOOKEEPER-2125.patch against trunk revision 1663127. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 14 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2547//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2547//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2547//console This message is automatically generated. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14351728#comment-14351728 ] Hongchao Deng commented on ZOOKEEPER-2125: -- Attached a new patch to address findbugs and Rakesh's comments. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14351315#comment-14351315 ] Hadoop QA commented on ZOOKEEPER-2125: -- -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12703189/ZOOKEEPER-2125.patch against trunk revision 1663127. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 14 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. -1 findbugs. The patch appears to introduce 1 new Findbugs (version 2.0.3) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2545//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2545//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2545//console This message is automatically generated. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14351081#comment-14351081 ] Hongchao Deng commented on ZOOKEEPER-2125: -- Attached a new patch addressing Rakesh's comments. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14349558#comment-14349558 ] Hongchao Deng commented on ZOOKEEPER-2125: -- 1. Finished the docs on newly added options. 2. Regarding the the example keystore and truststore binaries, I think we should use static files. I figure out most people create credentials using the official "keytool". If we wanna dynamically create keystores, we might need the build process to depend on "keytool". This isn't optimal to keep things simple here. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14346422#comment-14346422 ] Hongchao Deng commented on ZOOKEEPER-2125: -- 1. not bundle in dummy key store Yes. That's possible. We can programmatically create certs and run SSL test. 2. docs It would be great if [~rgs] you can help write the docs from a user's perspective. We can make it in this JIRA or create another. At the mean time, I can fix #1. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14346398#comment-14346398 ] Raul Gutierrez Segales commented on ZOOKEEPER-2125: --- Could we not bundle in a dummy key store (and certs, etc.) so that SSL tests always run? p.s.: I am happy to help reviewing (or writing parts of) the docs that I mentioned in the previous comment. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14346003#comment-14346003 ] Raul Gutierrez Segales commented on ZOOKEEPER-2125: --- Gave the RB a shipit - great work [~hdeng]! I think what's missing is: * updating CHANGES.txt * updating docs Would be great to see this merged soon! cc: [~phunt], [~rakeshr], [~fpj] > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14343652#comment-14343652 ] Hongchao Deng commented on ZOOKEEPER-2125: -- Compile warnings are "serial" warning. Will add "@SuppressWarnings("serial")" to custom exceptions later. It doesn't affect reviewing now. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14343638#comment-14343638 ] Hadoop QA commented on ZOOKEEPER-2125: -- -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12701941/ZOOKEEPER-2125.patch against trunk revision 1663127. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 14 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. -1 javac. The applied patch generated 9 javac compiler warnings (more than the trunk's current 6 warnings). +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2540//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2540//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2540//console This message is automatically generated. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14340969#comment-14340969 ] Patrick Hunt commented on ZOOKEEPER-2125: - You certainly don't want to do 3 - that would be a bad idea from a security perspective. We need to ensure that the connection uses SSL if that's what the client is expecting, better to never connect than to connect insecurely in that case. What do we do in the case where you specify an invalid ZK server? Don't we continue retrying? I suspect that's what we should do in this case, log the issue and let the operator address it. Especially given that this is typically only going to happen when you first setup the cluster. Thereafter I wouldn't expect the parameters to change. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14340406#comment-14340406 ] Hongchao Deng commented on ZOOKEEPER-2125: -- I just figured out a flaw in current design and would like to ask for help. The current client will retry connecting if failed. This isn't desired in SSL case where user put wrong parameters and client would keep failing. There are a few options: 1. the connection could failed over to normal unencrypted mode. 2. client could die on knowing SSL exception. 3. Server can failover to accepting any credentials. I'm not sure what's the right way to go, nor the technical details to implement it. Anyone can help here? > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14337051#comment-14337051 ] Hongchao Deng commented on ZOOKEEPER-2125: -- Thanks [~rgs] for the review. I have some questions before I can do further improvement. Please help answer it. :) > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14336919#comment-14336919 ] Raul Gutierrez Segales commented on ZOOKEEPER-2125: --- Hi [~hdeng], I did a first pass on the RB - let me know what you think of my feedback and then I'll do another pass. Thanks! > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14336912#comment-14336912 ] Hadoop QA commented on ZOOKEEPER-2125: -- -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12700812/ZOOKEEPER-2125.patch against trunk revision 1662055. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 14 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2536//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2536//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2536//console This message is automatically generated. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Fix For: 3.5.1 > > Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14336135#comment-14336135 ] Hadoop QA commented on ZOOKEEPER-2125: -- -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12700686/ZOOKEEPER-2125.patch against trunk revision 1662055. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 17 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings. -1 release audit. The applied patch generated 1 release audit warnings (more than the trunk's current 0 warnings). -1 core tests. The patch failed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2535//testReport/ Release audit warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2535//artifact/trunk/patchprocess/patchReleaseAuditProblems.txt Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2535//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2535//console This message is automatically generated. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14336080#comment-14336080 ] Hongchao Deng commented on ZOOKEEPER-2125: -- Added test code. Currently the test are ignored because they need the binary keys stuff. Just showing the test code. Please review and give feedback: https://reviews.apache.org/r/31277/diff/# > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14332460#comment-14332460 ] Hongchao Deng commented on ZOOKEEPER-2125: -- Hi, [~fpj] [~rakeshr] [~iandi]. I have uploaded a "simplified" patch based on ZK-2094: 1. The work handles encrypted communication. Authentication, ZooKeeperMain(CLI) and 4lws changes are NOT included. 2. It only supports keystore and truststore. I think [~iandi] can work out the custom key_manager/trust_manager in another JIRA so that we can cherry pick commits based on our needs. I'm pretty open on this so more discussion is welcome. 3. Addressed Rakesh's comments. Code improvement, refactoring, reduce the coupling between classes. About testing: I have manually tried the patch and it works great for normal cases. It doesn't look well when user specifies any wrong ssl parameters.. I don't know how to nicely deal with it so let's keep it open for people like [~rgs] to talk about or write the patch for it. The patch isn't final -- there is also unit test. The unit test needs example binary certificates. I am not including them to show jenkins test result. Final patch will include unit test. I prefer docs in another JIRA. Review board is at the Description section (top of the page). Please review and give feedback. Thanks! > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14332322#comment-14332322 ] Hadoop QA commented on ZOOKEEPER-2125: -- -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12700108/ZOOKEEPER-2125.patch against trunk revision 165. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 6 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2528//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2528//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2528//console This message is automatically generated. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14332265#comment-14332265 ] Hadoop QA commented on ZOOKEEPER-2125: -- -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12700100/ZOOKEEPER-2125.patch against trunk revision 165. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 6 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2527//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2527//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2527//console This message is automatically generated. > SSL on Netty client-server communication > > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task >Reporter: Hongchao Deng >Assignee: Hongchao Deng > Attachments: ZOOKEEPER-2125.patch > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ -- This message was sent by Atlassian JIRA (v6.3.4#6332)