Hi Sandeep More, Larry Mccay! Thank you for the help. This was my mistake, of course I should use *javax.net.ssl.trustStore*. This worked! Added it to gateway.sh.

Thanks again.

Regards,
Andrey

2018-01-07 21:02 GMT+03:00 larry mccay <[email protected]>:

> LDAPS truststore configuration is separate from truststore for client certs [1].
>
> "3. Trusting the LDAP Server’s public key - if the LDAP Server’s identity certificate is issued by a well known and trusted certificate authority and is already represented in the JRE’s cacerts truststore then you don’t need to do anything for trusting the LDAP server’s cert. If, however, the cert is selfsigned or issued by an untrusted authority you will need to either add it to the cacerts keystore or to another truststore that you may direct Knox to utilize through a system property."
>
> I believe the mentioned truststore system property would be the standard "javax.net.ssl.trustStore".
>
> HTH.
>
> 1. https://knox.apache.org/books/knox-0-14-0/user-guide.html#LDAP+over+SSL+(LDAPS)+Configuration
>
>
> On Sat, Jan 6, 2018 at 7:30 PM, Sandeep More <[email protected]> wrote:
>
>> Hello Andrey,
>>
>> Sorry, missed your email somehow.
>> Using the gateway.truststore.path property should have worked, also I have had success with -Djavax.net.ssl.trustStore (note, truststore).
>>
>> I think there is something funny going on, gateway.truststore.path should work, check gateway.log with DEBUG enabled, I believe it should log the keystore/truststore location used by Knox.
>> Can you try with -Djavax.net.ssl.trustStore=my_truststore_path when you start gateway (updating gateway.sh)? And share the logs, that should help troubleshooting.
>>
>> Best,
>> Sandeep
>>
>>
>> On Fri, Jan 5, 2018 at 12:41 PM, Markovich <[email protected]> wrote:
>>
>>> Any ideas?
>>>
>>> Regards,
>>> Andrey
>>>
>>> 2017-12-30 2:37 GMT+03:00 Андрей Ривкин <[email protected]>:
>>>
>>>> Hello Knox users!
>>>>
>>>> I’d like to use Knox with LDAPS, but with a corporate certificate.
>>>>
>>>> I don’t want to add this cert to the Java trustStore. I have another one.
>>>> How to tell Knox (shiro) to use my truststore?
>>>>
>>>> All my experiments failed with:
>>>>
>>>> *Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target*
>>>>
>>>> Then I’ve enabled *-Djavax.net.debug=all* and was able to see this:
>>>>
>>>> SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
>>>> handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>
>>>> And finally this:
>>>>
>>>> trustStore is: /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts
>>>> trustStore type is : jks
>>>> trustStore provider is :
>>>> init truststore
>>>>
>>>> Also I’ve tried to *add -Djavax.net.ssl.keyStore=my_truststore_path -Djavax.net.ssl.keyStorePassword=my_truststore_password* after *-Djavax.net.debug=all*.
>>>>
>>>> Result - trustStore is: /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts
>>>>
>>>> I’ve also told knox to use my truststore using this:
>>>>
>>>> gateway.truststore.path
>>>> Fully qualified path to the trust store to use. Default is the gateway.jks.
>>>>
>>>> And this
>>>>
>>>> knoxcli.sh create-alias gateway-truststore-password --value {pwd}
>>>>
>>>> Result - trustStore is: /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts
>>>>
>>>> So now I’m out of ideas…
>>>>
>>>> I’ve also wanted to tell shiro directly where my trustStore is, but got this:
>>>>
>>>> 2017-12-29 18:21:33,091 ERROR env.EnvironmentLoader (EnvironmentLoader.java:initEnvironment(146)) - Shiro environment initialization failed
>>>> org.apache.shiro.config.ConfigurationException: Property 'trustStore' does not exist for object of type org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm.
>>>>
>>>> So, how to tell Shiro to use my truststore?
>>>>
>>>> Best regards,
>>>> Andrey
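The thread resolves two things: the JVM flag that must go into gateway.sh is `-Djavax.net.ssl.trustStore` (the `keyStore` properties configure the JVM's own identity keystore, not what it trusts), and the `-Djavax.net.debug=all` line `trustStore is: <path>` tells you which truststore the JVM actually initialised. The following POSIX shell script, an added example that is not code from the Knox project or from any participant in the thread, builds and sanity-checks those flags and then confirms from a debug log that the intended truststore was the one loaded. The truststore path and password are placeholders, the log excerpt is constructed to match the shape of the lines quoted above, and the name of the variable in gateway.sh that carries extra JVM options is an assumption you must check in your own copy of the script.

```shell
#!/bin/sh
# Added example, not code from the Knox project or from anyone in the thread.
# Assumptions (not from the thread): the truststore path and password below
# are placeholders, and gateway.sh exposes some variable for extra JVM options
# whose real name you must look up in your own copy of the script.

# Emit the JVM flags that point the gateway JVM at a separate truststore.
# These are the *trust* properties; the keyStore properties tried in the
# thread configure the JVM's identity keystore, not what it trusts.
knox_truststore_opts() {
  ts_path="$1"
  ts_pass="$2"
  if [ ! -r "$ts_path" ]; then
    echo "truststore not readable: $ts_path" >&2
    return 1
  fi
  printf '%s=%s %s=%s\n' \
    -Djavax.net.ssl.trustStore "$ts_path" \
    -Djavax.net.ssl.trustStorePassword "$ts_pass"
}

# Sanity-check an option string before it goes into gateway.sh: the trust
# property must be present and spelled correctly; keyStore alone is not it.
check_truststore_opts() {
  opts="$1"
  case "$opts" in
    *trustStrore*)
      echo "misspelled property (trustStrore): $opts" >&2
      return 1 ;;
  esac
  case "$opts" in
    *-Djavax.net.ssl.trustStore=*) return 0 ;;
  esac
  echo "no -Djavax.net.ssl.trustStore in: $opts" >&2
  return 1
}

# With -Djavax.net.debug=all the JVM logs "trustStore is: <path>" while
# initialising TLS. Pull that path out of a log file (first occurrence).
effective_truststore() {
  sed -n 's/^.*trustStore is: *//p' "$1" | head -n 1
}

# Compare what the JVM actually loaded with what gateway.sh was supposed
# to hand it; a mismatch means the flags never reached the JVM (the
# symptom in the thread, where cacerts kept showing up).
verify_truststore_in_use() {
  logfile="$1"
  expected="$2"
  actual=$(effective_truststore "$logfile")
  if [ "$actual" = "$expected" ]; then
    echo "OK: JVM trustStore is $actual"
    return 0
  fi
  echo "MISMATCH: expected $expected, JVM loaded ${actual:-<none>}" >&2
  return 1
}

# Demo on constructed input: an empty placeholder truststore file and a
# fabricated log excerpt shaped like the javax.net.debug lines in the thread.
demo_dir=$(mktemp -d)
demo_ts="$demo_dir/corp-truststore.jks"
: > "$demo_ts"
demo_log="$demo_dir/gateway.log"
cat > "$demo_log" <<EOF
trustStore is: $demo_ts
trustStore type is : jks
init truststore
EOF

demo_opts=$(knox_truststore_opts "$demo_ts" 'placeholder-password')
check_truststore_opts "$demo_opts" && echo "gateway.sh JVM options: $demo_opts"
verify_truststore_in_use "$demo_log" "$demo_ts"
rm -rf "$demo_dir"
```

In practice you would paste the output of `knox_truststore_opts` into whatever JVM-options variable your gateway.sh uses, start the gateway once with `-Djavax.net.debug=all` added, and run `verify_truststore_in_use` against the resulting log; if it still reports the JRE's cacerts, the flags are not reaching the JVM command line.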
