Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client
Kyle -

Verify return code: 19 (self signed certificate in certificate chain)

Since your server cert is self-signed, there's not much more that can be done at this point I believe. My security tests use a dedicated CA where the Root cert is available for validation (https://github.com/basho/riak-client-tools/tree/master/test-ca)

--
Luke Bakken
Engineer
lbak...@basho.com

On Wed, Aug 31, 2016 at 3:11 PM, Nguyen, Kyle wrote:
> Hi Luke,
>
> I am getting the following information:
>
> Verify return code: 19 (self signed certificate in certificate chain)

___
riak-users mailing list
riak-users@lists.basho.com
http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
RE: Need help with Riak-KV (2.1.4) certificate based authentication using Java client
kGA1UEBhMCVVMx
EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxJDAiBgNVBAoT
G2dldGFDZXJ0IC0gd3d3LmdldGFjZXJ0LmNvbTAeFw0xNjA4MjIyMjQyNDBaFw0x
NjEwMjEyMjQyNDBaMBkxFzAVBgNVBAMMDnJpYWtAMTI3LjAuMC4xMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiWEXAA193kK/9jVx77/v3grXazowaYD4
oUc78Sk6CfAc8kaRlyrIyvZk+yz8xmnZWhL/UVlEtYkXRTjJ3c8RCCF332TW5C4L
VJfdh+l0yXOfB4dsmzfJ9S67PMT6pwGIoj/4khhbHuLKjuCwo8iPjZBs2m1agxwH
XFBAZx9NOBgdCKm/NDK3qsx60CaAIe4l8PRVyV6WKYMyt9m3+H5vEXz46907Bbku
8gspGvUjL51xpXeev8osNLFrEAOxHRYjEjzlZVqroxwdBfv00LCh+A/scaWpJ5bi
BIFQ9F1RVTIuEIfsjSyfXO/e+ZYpJSSrfwFWv2eSrDQPlepQFapyDQIDAQABoy0w
KzAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIE8DALBgNVHQ8EBAMCBSAwDQYJ
KoZIhvcNAQELBQADggEBAGh6mMvE3QizwNQGyL5f4ynegLaR7hE+Td2PaEuty/2t
I2y4aCkKV+R/TTZDkFpZ+Mv3ZZyfzECrEdeGmSMqRbYMD/uHTiMZGBjqcrsVpp5U
BtdrIWRkJ4kMhyVUY/gp6rYTomqJWcr03w0kI9hBJUYpJ7To21eZGL0Wqz8daFRD
QaoHwPJFe2qAaco+lJqMc/8hwAuVMJ1+Tn34fWU6tUYPSBosvzZzMR90jfVK7AGF
GY/5cu+HbDwZlACHTp9XDJrR2xtLA8xC1ZtUULBG0CIQUpt5fixjdI4g4nORAuOd
3vVTd+vRDilYcpFiUfgZ2TkzJzY1hElNBFM2XNwZTw0=
-----END CERTIFICATE-----
subject=/CN=riak@127.0.0.1
issuer=/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com
---
Acceptable client certificate CA names
/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com
---
SSL handshake has read 2123 bytes and written 665 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA256
    Session-ID: D556E6A1910D375558B3FDA7A69A16E65907336F84B002DD6AB2BD47CAD2DA3A
    Session-ID-ctx:
    Master-Key: A1B04B4C00A411B47CE8F0A5EDE4E72448E109D9549246E814BEC1B997DC69C2599D61A904340B5185DD4EC798D66729
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1472681389
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

-----Original Message-----
From: Luke Bakken [mailto:lbak...@basho.com]
Sent: Tuesday, August 30, 2016 2:21 PM
To: Nguyen, Kyle
Cc: Riak Users
Subject: Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client

This command will show the handshake used for HTTPS. It will show if the server's certificate (the same one used for TLS) can be validated. Using "openssl s_client" is a good way to start diagnosing what's actually happening when SSL/TLS is enabled in Riak.

--
Luke Bakken
Engineer
lbak...@basho.com

On Tue, Aug 30, 2016 at 2:18 PM, Nguyen, Kyle wrote:
> Hi Luke,
>
> I am using TLS for protocol buffer - not sure if you're thinking of HTTP only.
>
> Thanks
>
> -Kyle-
>
> -----Original Message-----
> From: Luke Bakken [mailto:lbak...@basho.com]
> Sent: Tuesday, August 30, 2016 2:14 PM
> To: Nguyen, Kyle
> Cc: Riak Users
> Subject: Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client
>
> Kyle,
>
> I would be interested to see the output of this command run on the same server as your Riak node:
>
> openssl s_client -debug -connect localhost:8098
>
> Please replace "8098" with the HTTPS port used in this configuration setting in your /etc/riak.conf file:
>
> listener.https.internal

The information contained in this message may be confidential and legally protected under applicable law. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, forwarding, dissemination, or reproduction of this message is strictly prohibited and may be unlawful. If you are not the intended recipient, please contact the sender by return e-mail and destroy all copies of the original message.
Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client
This command will show the handshake used for HTTPS. It will show if the server's certificate (the same one used for TLS) can be validated. Using "openssl s_client" is a good way to start diagnosing what's actually happening when SSL/TLS is enabled in Riak.

--
Luke Bakken
Engineer
lbak...@basho.com

On Tue, Aug 30, 2016 at 2:18 PM, Nguyen, Kyle wrote:
> Hi Luke,
>
> I am using TLS for protocol buffer - not sure if you're thinking of HTTP only.
>
> Thanks
>
> -Kyle-
>
> -----Original Message-----
> From: Luke Bakken [mailto:lbak...@basho.com]
> Sent: Tuesday, August 30, 2016 2:14 PM
> To: Nguyen, Kyle
> Cc: Riak Users
> Subject: Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client
>
> Kyle,
>
> I would be interested to see the output of this command run on the same server as your Riak node:
>
> openssl s_client -debug -connect localhost:8098
>
> Please replace "8098" with the HTTPS port used in this configuration setting in your /etc/riak.conf file:
>
> listener.https.internal
RE: Need help with Riak-KV (2.1.4) certificate based authentication using Java client
Hi Luke,

I am using TLS for protocol buffer - not sure if you're thinking of HTTP only.

Thanks

-Kyle-

-----Original Message-----
From: Luke Bakken [mailto:lbak...@basho.com]
Sent: Tuesday, August 30, 2016 2:14 PM
To: Nguyen, Kyle
Cc: Riak Users
Subject: Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client

Kyle,

I would be interested to see the output of this command run on the same server as your Riak node:

openssl s_client -debug -connect localhost:8098

Please replace "8098" with the HTTPS port used in this configuration setting in your /etc/riak.conf file:

listener.https.internal

--
Luke Bakken
Engineer
lbak...@basho.com

On Tue, Aug 30, 2016 at 12:01 PM, Nguyen, Kyle wrote:
> Hi Luke,
>
> I believe this is not the case. The Java riak-client (version 2.0.6) that I used does validate the server's cert but does not check the server's CN. If I replaced the getACert CA in the truststore with another unknown CA then SSL will fail with "unable to find valid certification path to requested target". I don't even see an option to ignore server cert validation on the client side. I am wondering if you can help provide some details related to SSL certification validation configuration.
>
> My riak node builder code:
>
> RiakNode.Builder builder = new RiakNode.Builder().withRemoteAddress("127.0.0.1").withRemotePort(8087);
> builder.withAuth(username, password, trustStore, keyStore, keyPasswd);
>
> Thanks
>
> -Kyle-
Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client
Kyle,

I would be interested to see the output of this command run on the same server as your Riak node:

openssl s_client -debug -connect localhost:8098

Please replace "8098" with the HTTPS port used in this configuration setting in your /etc/riak.conf file:

listener.https.internal

--
Luke Bakken
Engineer
lbak...@basho.com

On Tue, Aug 30, 2016 at 12:01 PM, Nguyen, Kyle wrote:
> Hi Luke,
>
> I believe this is not the case. The Java riak-client (version 2.0.6) that I used does validate the server's cert but does not check the server's CN. If I replaced the getACert CA in the truststore with another unknown CA then SSL will fail with "unable to find valid certification path to requested target". I don't even see an option to ignore server cert validation on the client side. I am wondering if you can help provide some details related to SSL certification validation configuration.
>
> My riak node builder code:
>
> RiakNode.Builder builder = new RiakNode.Builder().withRemoteAddress("127.0.0.1").withRemotePort(8087);
> builder.withAuth(username, password, trustStore, keyStore, keyPasswd);
>
> Thanks
>
> -Kyle-
RE: Need help with Riak-KV (2.1.4) certificate based authentication using Java client
Hi Luke,

I believe this is not the case. The Java riak-client (version 2.0.6) that I used does validate the server's cert but does not check the server's CN. If I replaced the getACert CA in the truststore with another unknown CA then SSL will fail with "unable to find valid certification path to requested target". I don't even see an option to ignore server cert validation on the client side. I am wondering if you can help provide some details related to SSL certification validation configuration.

My riak node builder code:

RiakNode.Builder builder = new RiakNode.Builder().withRemoteAddress("127.0.0.1").withRemotePort(8087);
builder.withAuth(username, password, trustStore, keyStore, keyPasswd);

Thanks

-Kyle-

-----Original Message-----
From: Luke Bakken [mailto:lbak...@basho.com]
Sent: Tuesday, August 30, 2016 7:14 AM
To: Nguyen, Kyle
Cc: Riak Users
Subject: Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client

Kyle -

The CN should be either the DNS-resolvable host name of the Riak node, or its IP address (without "riak@"). Then, the Java client should be configured to use that to connect to the node (either DNS or IP). Without doing that, I really don't have any idea how the Java client is validating the server certificate during TLS handshake. Did you configure the client to *not* validate the server cert?

--
Luke Bakken
Engineer
lbak...@basho.com

On Mon, Aug 29, 2016 at 3:18 PM, Nguyen, Kyle wrote:
> Hi Luke,
>
> The CN for the client's certificate is "kyle" and the CN for the riak cert (ssl.certfile) is "riak@127.0.0.1", which matches the nodename in the riak.conf. Riak ssl.cacertfile.pem contains the same CA (getACert) which I used to sign both client and riak public keys. It appears that riak also validated the client certificate following this SSL debug info. I do see *** CertificateVerify (toward the end) after the client certificate is requested by Riak. Please let me know if it looks right to you.
Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client
Kyle -

The CN should be either the DNS-resolvable host name of the Riak node, or its IP address (without "riak@"). Then, the Java client should be configured to use that to connect to the node (either DNS or IP). Without doing that, I really don't have any idea how the Java client is validating the server certificate during TLS handshake. Did you configure the client to *not* validate the server cert?

--
Luke Bakken
Engineer
lbak...@basho.com

On Mon, Aug 29, 2016 at 3:18 PM, Nguyen, Kyle wrote:
> Hi Luke,
>
> The CN for the client's certificate is "kyle" and the CN for the riak cert (ssl.certfile) is "riak@127.0.0.1", which matches the nodename in the riak.conf. Riak ssl.cacertfile.pem contains the same CA (getACert) which I used to sign both client and riak public keys. It appears that riak also validated the client certificate following this SSL debug info. I do see *** CertificateVerify (toward the end) after the client certificate is requested by Riak. Please let me know if it looks right to you.
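The two checks this thread keeps circling back to, whether the chain validates (the "Verify return code: 19" result from openssl s_client further up) and whether the certificate's CN is a name the client actually dials (Luke's point above, where "riak@127.0.0.1" is an Erlang node name, not a host), can be scripted. The following Python is an added example, not code from the thread or from Riak/Basho's tooling. Both transcripts are constructed: the first reuses the lines quoted in the thread, the second shows what a correctly issued certificate produces. The name comparison follows RFC 6125 rules (exact match or a single leftmost-label wildcard for DNS names, exact match only for IP literals), which goes a little beyond the CN-only discussion here.

```python
"""Triage an `openssl s_client` transcript: did the chain validate, and does the
certificate name match the host the client will connect to?

Added example, not code from the thread or from Riak/Basho tooling. The two
transcripts below are constructed: the first reuses the lines quoted in this
thread, the second is what a correctly issued certificate would produce."""
import ipaddress
import re

SAMPLE_TRANSCRIPT = """\
subject=/CN=riak@127.0.0.1
issuer=/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com
---
New, TLSv1/SSLv3, Cipher is AES128-SHA256
    Protocol  : TLSv1.2
    Verify return code: 19 (self signed certificate in certificate chain)
"""

# Constructed "good" case: CA passed with -CAfile, CN is the node's DNS name.
# Newer OpenSSL prints the DN as "CN = name" rather than "/CN=name"; both are parsed.
OK_TRANSCRIPT = """\
subject=C = US, O = Example Lab, CN = riak1.example.com
issuer=C = US, O = Example Lab, CN = Example Lab Root CA
---
    Verify return code: 0 (ok)
"""


def parse_s_client(transcript):
    """Pull subject CN, issuer and the verify return code out of s_client output."""
    info = {"cn": None, "issuer": None, "verify_code": None, "verify_text": None}
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("subject="):
            m = re.search(r"CN\s*=\s*([^/,]+)", line)
            info["cn"] = m.group(1).strip() if m else None
        elif line.startswith("issuer="):
            info["issuer"] = line[len("issuer="):].strip()
        elif line.startswith("Verify return code:"):
            m = re.match(r"Verify return code:\s*(\d+)\s*\((.*)\)", line)
            if m:
                info["verify_code"] = int(m.group(1))
                info["verify_text"] = m.group(2)
    return info


def _as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def name_matches_host(cert_name, host):
    """RFC 6125-style comparison of one certificate name with the connect target:
    an IP literal matches only the same IP literal (never a wildcard); DNS names
    compare case-insensitively, with one wildcard allowed in the leftmost label."""
    cert_ip, host_ip = _as_ip(cert_name), _as_ip(host)
    if cert_ip is not None or host_ip is not None:
        return cert_ip is not None and cert_ip == host_ip
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        cert_labels, host_labels = cert_name.split("."), host.split(".")
        return len(cert_labels) == len(host_labels) and cert_labels[1:] == host_labels[1:]
    return False


def triage(transcript, connect_host):
    """Report why a client would refuse this server: untrusted chain, missing CN,
    or a CN that is not the name the client dials (e.g. an Erlang node name)."""
    info = parse_s_client(transcript)
    findings = []
    if info["verify_code"] != 0:
        findings.append("chain not validated: code %s (%s)"
                        % (info["verify_code"], info["verify_text"]))
    if info["cn"] is None:
        findings.append("no CN in subject")
    elif not name_matches_host(info["cn"], connect_host):
        findings.append("CN %r does not match connect target %r" % (info["cn"], connect_host))
    return {"cn": info["cn"], "verify_code": info["verify_code"], "findings": findings}


if __name__ == "__main__":
    for label, transcript, host in (("thread", SAMPLE_TRANSCRIPT, "127.0.0.1"),
                                    ("fixed", OK_TRANSCRIPT, "riak1.example.com")):
        print(label, "->", triage(transcript, host)["findings"] or ["ok"])
```

Return code 19 means the chain ends in a self-signed root that s_client was not told to trust, so pass the CA bundle with -CAfile before drawing conclusions about the certificate itself; the name check is the second, independent question. Modern clients match the connect host against subjectAltName entries rather than the CN, so the same comparison should be run over those as well.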
RE: Need help with Riak-KV (2.1.4) certificate based authentication using Java client
n-1, TLS_RSA_WITH_AES_128_CBC_SHA256]
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Application Data, length = 21
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Application Data, length = 920
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Application Data, length = 920

Thanks

-Kyle-

-----Original Message-----
From: Luke Bakken [mailto:lbak...@basho.com]
Sent: Monday, August 29, 2016 2:20 PM
To: Nguyen, Kyle
Cc: Riak Users
Subject: Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client

Hi Kyle -

Thanks for the info. Just so you know, setting check_clr = off means that Riak will not validate the signing chain of your client certificate.

What value are you using for "CN=" for the certificates pointed to by the various "ssl.*" settings in riak.conf?

http://docs.basho.com/riak/kv/2.1.4/using/security/basics/#certificate-configuration

I ask because the validation of the server certificate by the client during the TLS handshake depends on the CN= value.

--
Luke Bakken
Engineer
lbak...@basho.com

On Mon, Aug 29, 2016 at 2:07 PM, Nguyen, Kyle wrote:
> Thanks a lot, Luke! I finally got the mutual certificate based authentication working by setting check_clr = off since I don't see any documentation on how to set this up and we might not need this feature. Another thing that I added to make it work is to add the correct entry for cidr. I was using 127.0.0.1/32 instead of 10.0.2.2/32 which is the Ubuntu ip that my laptop localhost is sending the request to.
>
> +-------+-------------+-------------+---------+
> | users | cidr        | source      | options |
> +-------+-------------+-------------+---------+
> | kyle  | 10.0.2.2/32 | certificate | []      |
> +-------+-------------+-------------+---------+
>
> TLS also works without using the DNS-resolvable hostname with protocol buffer. Hence, I thought you must have referred to HTTPS.
>
> -Kyle-
>
> -----Original Message-----
> From: Luke Bakken [mailto:lbak...@basho.com]
> Sent: Monday, August 29, 2016 7:59 AM
> To: Nguyen, Kyle
> Cc: Riak Users
> Subject: Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client
>
> Kyle -
>
> What is the output of these commands?
>
> riak-admin security print-users
> riak-admin security print-sources
>
> http://docs.basho.com/riak/kv/2.1.4/using/security/basics/#user-management
>
> Please note that setting up certificate authentication *requires* that you have set up SSL / TLS in Riak as well.
>
> http://docs.basho.com/riak/kv/2.1.4/using/security/basics/#enabling-ssl
>
> The SSL certificates used by Riak *must* have their "CN=" section match the server's DNS-resolvable host name. This is an SSL/TLS requirement, not specific to Riak. Then, when you connect via the Java client, you must use the DNS name and not IP address. The client must have the appropriate public key information to validate the server cert as well (from Get a Cert).
>
> --
> Luke Bakken
> Engineer
> lbak...@basho.com
Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client
Hi Kyle -

Thanks for the info. Just so you know, setting check_clr = off means that Riak will not validate the signing chain of your client certificate.

What value are you using for "CN=" for the certificates pointed to by the various "ssl.*" settings in riak.conf?

http://docs.basho.com/riak/kv/2.1.4/using/security/basics/#certificate-configuration

I ask because the validation of the server certificate by the client during the TLS handshake depends on the CN= value.

--
Luke Bakken
Engineer
lbak...@basho.com

On Mon, Aug 29, 2016 at 2:07 PM, Nguyen, Kyle wrote:
> Thanks a lot, Luke! I finally got the mutual certificate based authentication working by setting check_clr = off since I don't see any documentation on how to set this up and we might not need this feature. Another thing that I added to make it work is to add the correct entry for cidr. I was using 127.0.0.1/32 instead of 10.0.2.2/32 which is the Ubuntu ip that my laptop localhost is sending the request to.
>
> +-------+-------------+-------------+---------+
> | users | cidr        | source      | options |
> +-------+-------------+-------------+---------+
> | kyle  | 10.0.2.2/32 | certificate | []      |
> +-------+-------------+-------------+---------+
>
> TLS also works without using the DNS-resolvable hostname with protocol buffer. Hence, I thought you must have referred to HTTPS.
>
> -Kyle-
>
> -----Original Message-----
> From: Luke Bakken [mailto:lbak...@basho.com]
> Sent: Monday, August 29, 2016 7:59 AM
> To: Nguyen, Kyle
> Cc: Riak Users
> Subject: Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client
>
> Kyle -
>
> What is the output of these commands?
>
> riak-admin security print-users
> riak-admin security print-sources
>
> http://docs.basho.com/riak/kv/2.1.4/using/security/basics/#user-management
>
> Please note that setting up certificate authentication *requires* that you have set up SSL / TLS in Riak as well.
>
> http://docs.basho.com/riak/kv/2.1.4/using/security/basics/#enabling-ssl
>
> The SSL certificates used by Riak *must* have their "CN=" section match the server's DNS-resolvable host name. This is an SSL/TLS requirement, not specific to Riak. Then, when you connect via the Java client, you must use the DNS name and not IP address. The client must have the appropriate public key information to validate the server cert as well (from Get a Cert).
>
> --
> Luke Bakken
> Engineer
> lbak...@basho.com
RE: Need help with Riak-KV (2.1.4) certificate based authentication using Java client
Thanks a lot, Luke! I finally got the mutual certificate based authentication working by setting check_clr = off since I don't see any documentation on how to set this up and we might not need this feature. Another thing that I added to make it work is to add the correct entry for cidr. I was using 127.0.0.1/32 instead of 10.0.2.2/32 which is the Ubuntu ip that my laptop localhost is sending the request to.

+-------+-------------+-------------+---------+
| users | cidr        | source      | options |
+-------+-------------+-------------+---------+
| kyle  | 10.0.2.2/32 | certificate | []      |
+-------+-------------+-------------+---------+

TLS also works without using the DNS-resolvable hostname with protocol buffer. Hence, I thought you must have referred to HTTPS.

-Kyle-

-----Original Message-----
From: Luke Bakken [mailto:lbak...@basho.com]
Sent: Monday, August 29, 2016 7:59 AM
To: Nguyen, Kyle
Cc: Riak Users
Subject: Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client

Kyle -

What is the output of these commands?

riak-admin security print-users
riak-admin security print-sources

http://docs.basho.com/riak/kv/2.1.4/using/security/basics/#user-management

Please note that setting up certificate authentication *requires* that you have set up SSL / TLS in Riak as well.

http://docs.basho.com/riak/kv/2.1.4/using/security/basics/#enabling-ssl

The SSL certificates used by Riak *must* have their "CN=" section match the server's DNS-resolvable host name. This is an SSL/TLS requirement, not specific to Riak. Then, when you connect via the Java client, you must use the DNS name and not IP address. The client must have the appropriate public key information to validate the server cert as well (from Get a Cert).

--
Luke Bakken
Engineer
lbak...@basho.com

On Fri, Aug 26, 2016 at 3:34 PM, Nguyen, Kyle wrote:
> Update – Handshake was successful after I opted out of the mutual authentication option; the client no longer sends its certificate to riak. However, I am getting the following error after TLS is established:
>
> *** Finished
> verify_data: { 149, 140, 49, 23, 238, 152, 45, 212, 158, 44, 189, 155 }
> ***
> %% Cached client session: [Session-12, TLS_RSA_WITH_AES_128_CBC_SHA256]
> nioEventLoopGroup-2-4, WRITE: TLSv1.2 Application Data, length = 21
> nioEventLoopGroup-2-4, called closeOutbound()
> .....
> Caused by: com.basho.riak.client.core.NoNodesAvailableException
>     at com.basho.riak.client.core.RiakCluster.retryOperation(RiakCluster.java:469)
>     at com.basho.riak.client.core.RiakCluster.access$1000(RiakCluster.java:48)
>     at com.basho.riak.client.core.RiakCluster$RetryTask.run(RiakCluster.java:554)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     ... 1 more
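Kyle's cidr fix above (127.0.0.1/32 replaced by 10.0.2.2/32, the address the Riak VM actually sees the request arriving from) is easy to reason about offline. The following Python is an added example, not Riak's or Basho's code: it approximates the cidr column of riak-admin security print-sources with the standard-library ipaddress module. The "before" and "after" tables are constructed from the thread, the widened 0.0.0.0/0 row is hypothetical, and Riak's real precedence rules for overlapping sources are not modelled (most specific prefix wins here, which is an assumption).

```python
"""Which rows of a Riak security source table admit a given peer, and by what method?

Added example, not Riak's code: it approximates the cidr column of
`riak-admin security print-sources` with the stdlib ipaddress module so the
127.0.0.1/32 vs 10.0.2.2/32 mismatch from the thread can be reproduced offline.
Riak's own evaluation order and option handling are not modelled (assumption:
the most specific matching prefix decides, ties broken by table order)."""
import ipaddress

# Constructed tables, in the column order print-sources shows.
# "Before": the entry Kyle first had, keyed to loopback only.
SOURCES_BEFORE = [
    {"users": ["kyle"], "cidr": "127.0.0.1/32", "source": "certificate", "options": {}},
]
# "After": the fix from the thread, keyed to the address the VM actually sees.
SOURCES_AFTER = [
    {"users": ["kyle"], "cidr": "10.0.2.2/32", "source": "certificate", "options": {}},
]
# Hypothetical widened entry, for comparison in the usage note.
SOURCES_WIDE = [
    {"users": ["kyle"], "cidr": "0.0.0.0/0", "source": "certificate", "options": {}},
]


def matching_sources(sources, user, peer_ip):
    """Return the rows whose cidr contains peer_ip and whose users column names
    user (or the special name "all")."""
    peer = ipaddress.ip_address(peer_ip)
    hits = []
    for row in sources:
        net = ipaddress.ip_network(row["cidr"], strict=False)
        if net.version != peer.version:      # an IPv4 cidr never admits an IPv6 peer
            continue
        if peer in net and (user in row["users"] or "all" in row["users"]):
            hits.append(row)
    return hits


def required_auth(sources, user, peer_ip):
    """What the peer must present ("certificate", "password", ...), or None when
    no row matches, i.e. the connection is refused before any credential is checked."""
    hits = matching_sources(sources, user, peer_ip)
    if not hits:
        return None
    # max() keeps the first of equally specific rows, so table order breaks ties.
    best = max(hits, key=lambda r: ipaddress.ip_network(r["cidr"], strict=False).prefixlen)
    return best["source"]


def address_scope(cidr):
    """Number of peer addresses a cidr admits; large values flag over-broad sources."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


if __name__ == "__main__":
    for label, table in (("before", SOURCES_BEFORE), ("after", SOURCES_AFTER), ("wide", SOURCES_WIDE)):
        print(label, "kyle from 10.0.2.2 ->", required_auth(table, "kyle", "10.0.2.2"),
              "| addresses admitted:", address_scope(table[0]["cidr"]))
```

address_scope makes the trade-off explicit: the /32 that fixed Kyle's problem admits exactly one peer address, whereas widening to 0.0.0.0/0 would have "fixed" it too but leaves the client certificate as the only thing standing between any network and the node. Run print-sources after every change and compare the cidr column against the address the node logs for the connection, not the address the client thinks it has.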
Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client
Kyle -

What is the output of these commands?

riak-admin security print-users
riak-admin security print-sources

http://docs.basho.com/riak/kv/2.1.4/using/security/basics/#user-management

Please note that setting up certificate authentication *requires* that you have set up SSL / TLS in Riak as well.

http://docs.basho.com/riak/kv/2.1.4/using/security/basics/#enabling-ssl

The SSL certificates used by Riak *must* have their "CN=" section match the server's DNS-resolvable host name. This is an SSL/TLS requirement, not specific to Riak. Then, when you connect via the Java client, you must use the DNS name and not IP address. The client must have the appropriate public key information to validate the server cert as well (from Get a Cert).

--
Luke Bakken
Engineer
lbak...@basho.com

On Fri, Aug 26, 2016 at 3:34 PM, Nguyen, Kyle wrote:
> Update – Handshake was successful after I opted out of the mutual authentication option; the client no longer sends its certificate to riak. However, I am getting the following error after TLS is established:
>
> *** Finished
> verify_data: { 149, 140, 49, 23, 238, 152, 45, 212, 158, 44, 189, 155 }
> ***
> %% Cached client session: [Session-12, TLS_RSA_WITH_AES_128_CBC_SHA256]
> nioEventLoopGroup-2-4, WRITE: TLSv1.2 Application Data, length = 21
> nioEventLoopGroup-2-4, called closeOutbound()
> .....
> Caused by: com.basho.riak.client.core.NoNodesAvailableException
>     at com.basho.riak.client.core.RiakCluster.retryOperation(RiakCluster.java:469)
>     at com.basho.riak.client.core.RiakCluster.access$1000(RiakCluster.java:48)
>     at com.basho.riak.client.core.RiakCluster$RetryTask.run(RiakCluster.java:554)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     ... 1 more
RE: Need help with Riak-KV (2.1.4) certificate based authentication using Java client
Update – Handshake was successful after I opted out of the mutual authentication option; the client no longer sends its certificate to riak. However, I am getting the following error after TLS is established:

*** Finished
verify_data: { 149, 140, 49, 23, 238, 152, 45, 212, 158, 44, 189, 155 }
***
%% Cached client session: [Session-12, TLS_RSA_WITH_AES_128_CBC_SHA256]
nioEventLoopGroup-2-4, WRITE: TLSv1.2 Application Data, length = 21
nioEventLoopGroup-2-4, called closeOutbound()
.....
Caused by: com.basho.riak.client.core.NoNodesAvailableException
    at com.basho.riak.client.core.RiakCluster.retryOperation(RiakCluster.java:469)
    at com.basho.riak.client.core.RiakCluster.access$1000(RiakCluster.java:48)
    at com.basho.riak.client.core.RiakCluster$RetryTask.run(RiakCluster.java:554)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    ... 1 more

From: Jonathan Joseph [mailto:jonbjos...@gmail.com]
Sent: Thursday, August 25, 2016 5:53 PM
To: Nguyen, Kyle
Cc: Riak Users
Subject: Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client

Try adding the following Java property setting when launching your java client in order to see SSL Handshake related debug information:

-Djavax.net.debug=ssl:handshake

Or to see all ssl related debug output:

-Djavax.net.debug=ssl

On Thu, Aug 25, 2016 at 4:24 PM, Nguyen, Kyle <kyle.ngu...@philips.com> wrote:

Hi all,

I was trying to implement client certificate based authentication following http://docs.basho.com/riak/kv/2.1.4/using/security/basics/ but kept getting the following SSL Handshake exception. I believe I have the client keystore, truststore and riak server cert/key set up properly. Both client cert and riak server cert are signed with the same CA. Any advice and suggestions will be greatly appreciated!

2016-08-25 12:53:24 DEBUG InternalLoggerFactory:71 - Using SLF4J as the default logging framework
2016-08-25 12:53:24 DEBUG MultithreadEventLoopGroup:76 - -Dio.netty.eventLoopThreads: 16
2016-08-25 12:53:24 DEBUG PlatformDependent0:76 - java.nio.Buffer.address: available
2016-08-25 12:53:24 DEBUG PlatformDependent0:76 - sun.misc.Unsafe.theUnsafe: available
2016-08-25 12:53:24 DEBUG PlatformDependent0:71 - sun.misc.Unsafe.copyMemory: available
2016-08-25 12:53:24 DEBUG PlatformDependent0:76 - java.nio.Bits.unaligned: true
2016-08-25 12:53:24 DEBUG PlatformDependent:71 - Platform: Windows
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - Java version: 8
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.noUnsafe: false
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - sun.misc.Unsafe: available
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.noJavassist: false
2016-08-25 12:53:24 DEBUG PlatformDependent:71 - Javassist: unavailable
2016-08-25 12:53:24 DEBUG PlatformDependent:71 - You don't have Javassist in your class path or you don't have enough permission to load dynamically generated classes. Please check the configuration for better performance.
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.tmpdir: C:\apache-tomcat-7.0.54\temp (java.io.tmpdir)
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.bitMode: 64 (sun.arch.data.model)
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.noPreferDirect: false
2016-08-25 12:53:24 DEBUG NioEventLoop:76 - -Dio.netty.noKeySetOptimization: false
2016-08-25 12:53:24 DEBUG NioEventLoop:76 - -Dio.netty.selectorAutoRebuildThreshold: 512
2016-08-25 12:53:24 INFO RiakJKSConnection:73 - initializeRiak Cluster is OK
2016-08-25 12:53:24 DEBUG ThreadLocalRandom:71 - -Dio.netty.initialSeedUniquifier: 0xac658e47a52a7794 (took 3 ms)
2016-08-25 12:53:24 DEBUG ByteBufUtil:76 - -Dio.netty.allocator.type: unpooled
2016-08-25 12:53:24 DEBUG ByteBufUtil:76 - -Dio.netty.threadLocalDirectBufferSize: 65536
2016-08-25 12:53:24 DEBUG ByteBufUtil:76 - -Dio.netty.maxThreadLocalCharBufferSize: 16384
2016-08-25 12:53:24 DEBUG RiakNode:762 - Using TLSv1.2
2016-08-25 12:53:24 DEBUG RiakSecurityDecoder:166 - Handler Added
2016-08-25 12:53:24 DEBUG RiakNode:777 - Waiting on SSL Promise
2016-08-25 12:53:24 DEBUG AbstractByteBuf:81 - -Dio.netty.buffer.bytebuf.checkAccessible: true
2016-08-25 12:53:24 DEBUG ResourceLeakDetector:81 - -Dio.netty.leakDetection.level: simple
2016-08-25 12:53:24 DEBUG ResourceLeakDetector:81 - -Dio.netty.leakDetection.maxRecords: 4
2016-08-25 12:53:24 D
Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client
Try adding the following Java property setting when launching your java client in order to see SSL Handshake related debug information:

-Djavax.net.debug=ssl:handshake

Or to see all ssl related debug output:

-Djavax.net.debug=ssl

On Thu, Aug 25, 2016 at 4:24 PM, Nguyen, Kyle wrote:
> Hi all,
>
> I was trying to implement client certificate based authentication following http://docs.basho.com/riak/kv/2.1.4/using/security/basics/ but kept getting the following SSL Handshake exception. I believe I have the client keystore, truststore and riak server cert/key set up properly. Both client cert and riak server cert are signed with the same CA. Any advice and suggestions will be greatly appreciated!
>
> 2016-08-25 12:53:24 DEBUG InternalLoggerFactory:71 - Using SLF4J as the default logging framework
> 2016-08-25 12:53:24 DEBUG MultithreadEventLoopGroup:76 - -Dio.netty.eventLoopThreads: 16
> 2016-08-25 12:53:24 DEBUG PlatformDependent0:76 - java.nio.Buffer.address: available
> 2016-08-25 12:53:24 DEBUG PlatformDependent0:76 - sun.misc.Unsafe.theUnsafe: available
> 2016-08-25 12:53:24 DEBUG PlatformDependent0:71 - sun.misc.Unsafe.copyMemory: available
> 2016-08-25 12:53:24 DEBUG PlatformDependent0:76 - java.nio.Bits.unaligned: true
> 2016-08-25 12:53:24 DEBUG PlatformDependent:71 - Platform: Windows
> 2016-08-25 12:53:24 DEBUG PlatformDependent:76 - Java version: 8
> 2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.noUnsafe: false
> 2016-08-25 12:53:24 DEBUG PlatformDependent:76 - sun.misc.Unsafe: available
> 2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.noJavassist: false
> 2016-08-25 12:53:24 DEBUG PlatformDependent:71 - Javassist: unavailable
> 2016-08-25 12:53:24 DEBUG PlatformDependent:71 - You don't have Javassist in your class path or you don't have enough permission to load dynamically generated classes. Please check the configuration for better performance.
> 2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.tmpdir: C:\apache-tomcat-7.0.54\temp (java.io.tmpdir)
> 2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.bitMode: 64 (sun.arch.data.model)
> 2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.noPreferDirect: false
> 2016-08-25 12:53:24 DEBUG NioEventLoop:76 - -Dio.netty.noKeySetOptimization: false
> 2016-08-25 12:53:24 DEBUG NioEventLoop:76 - -Dio.netty.selectorAutoRebuildThreshold: 512
> 2016-08-25 12:53:24 INFO RiakJKSConnection:73 - initializeRiak Cluster is OK
> 2016-08-25 12:53:24 DEBUG ThreadLocalRandom:71 - -Dio.netty.initialSeedUniquifier: 0xac658e47a52a7794 (took 3 ms)
> 2016-08-25 12:53:24 DEBUG ByteBufUtil:76 - -Dio.netty.allocator.type: unpooled
> 2016-08-25 12:53:24 DEBUG ByteBufUtil:76 - -Dio.netty.threadLocalDirectBufferSize: 65536
> 2016-08-25 12:53:24 DEBUG ByteBufUtil:76 - -Dio.netty.maxThreadLocalCharBufferSize: 16384
> 2016-08-25 12:53:24 DEBUG RiakNode:762 - Using TLSv1.2
> 2016-08-25 12:53:24 DEBUG RiakSecurityDecoder:166 - Handler Added
> 2016-08-25 12:53:24 DEBUG RiakNode:777 - Waiting on SSL Promise
> 2016-08-25 12:53:24 DEBUG AbstractByteBuf:81 - -Dio.netty.buffer.bytebuf.checkAccessible: true
> 2016-08-25 12:53:24 DEBUG ResourceLeakDetector:81 - -Dio.netty.leakDetection.level: simple
> 2016-08-25 12:53:24 DEBUG ResourceLeakDetector:81 - -Dio.netty.leakDetection.maxRecords: 4
> 2016-08-25 12:53:24 DEBUG Recycler:76 - -Dio.netty.recycler.maxCapacity.default: 262144
> 2016-08-25 12:53:24 DEBUG Cleaner0:76 - java.nio.ByteBuffer.cleaner(): available
> 2016-08-25 12:53:24 DEBUG RiakSecurityDecoder:69 - RiakSecurityDecoder decode
> 2016-08-25 12:53:24 DEBUG RiakSecurityDecoder:93 - Received MSG_RpbStartTls reply
> 2016-08-25 12:53:24 ERROR RiakSecurityDecoder:230 - SSL Handshake failed:
> java.nio.channels.ClosedChannelException
> 2016-08-25 12:53:24 ERROR RiakNode:787 - Failure during Auth; 127.0.0.1:8087 java.nio.channels.ClosedChannelException
> 2016-08-25 12:53:24 DEBUG RiakSecurityDecoder:181 - Channel Inactive
>
> RiakNode builder setup:
>
> public static RiakCluster getRiakCluster(String riakUserName, String userPassword, String storePath, String storePasswd, String keyPasswd) throws UnknownHostException {
>     KeyStore keyStore = loadKeystore(storePath, storePasswd);
>     // riak with one node
>     RiakNode.Builder builder = new RiakNode.Builder().withRemoteAddress("127.0.0.1").withRemotePort(8087);
>     builder.withAuth(riakUserName, userPassword, trustStore, keyStore, keyPasswd);
>     builder.withConnectionTimeout(3);
>     RiakCluster cluster = new RiakCluster.Builder(builder.build()).build();
>     cluster.start();
>     return cluster;
> }
>
> Thanks
>
> -Kyle-