Posted to issues@bookkeeper.apache.org by GitBox <gi...@apache.org> on 2020/07/15 21:02:13 UTC

[GitHub] [bookkeeper] abroddle opened a new issue #2375: How to properly configure transportation level TLS in BookKeeper - Documentation does not work

abroddle opened a new issue #2375:
URL: https://github.com/apache/bookkeeper/issues/2375


   As part of our Apache Pulsar cluster, we are trying to configure Apache BookKeeper to support TLS encryption.  We have tried both PEM and JKS configurations and we have seen that the data on the channel is NOT encrypted.  
   
   We see in the log files (journal) that the Bookie and Broker say they are using TLS, and we originally thought we were good.  
   
   When we run a tcpdump to look at the network traffic on the bookkeeper and broker, we see plain text data as sent from our test client.
   
   We want to understand the general community approach to BookKeeper and the use of TLS.  Within our organization, TLS encryption of the data channel is an expectation for all components of the cluster.  
   
   Questions:  
   - Are enterprises using plain text Pulsar clusters with non-TLS bookkeepers?
   - Is there any documentation in the Apache Pulsar project for configuring TLS for Pulsar Brokers and Apache BookKeeper?  We have not found it.
   - Ref:  https://bookkeeper.apache.org/docs/4.9.2/security/tls/
     - The openssl command does not work against a properly configured BookKeeper, from what we see in the documentation and Slack chats.  (`openssl s_client -debug -connect localhost:3181 -tls1`)
     - Is there any documentation for the configuration of PEM-based security on BookKeeper?
   
   We have posted questions on the Slack channels for Pulsar and BookKeeper and are attempting to follow the instructions, but we are unsuccessful so far.  
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [bookkeeper] rudy2steiner edited a comment on issue #2375: How to properly configure transportation level TLS in BookKeeper - Documentation does not work

Posted by GitBox <gi...@apache.org>.
rudy2steiner edited a comment on issue #2375:
URL: https://github.com/apache/bookkeeper/issues/2375#issuecomment-661592557


   I'd like to help look into how to configure TLS correctly, @abroddle, if you still failed to configure TLS?





[GitHub] [bookkeeper] rudy2steiner commented on issue #2375: How to properly configure transportation level TLS in BookKeeper - Documentation does not work

Posted by GitBox <gi...@apache.org>.
rudy2steiner commented on issue #2375:
URL: https://github.com/apache/bookkeeper/issues/2375#issuecomment-661592557


   I'd like to look into how to configure TLS correctly, @abroddle, if you still failed to configure TLS?





[GitHub] [bookkeeper] spova commented on issue #2375: How to properly configure transportation level TLS in BookKeeper - Documentation does not work

Posted by GitBox <gi...@apache.org>.
spova commented on issue #2375:
URL: https://github.com/apache/bookkeeper/issues/2375#issuecomment-937528124


   I'm facing the same issue. It looks like there is no TLS on the server side, or something is missing in the documentation.
   I tried with `openssl s_client -debug -connect localhost:3181`; here's the server output:
   
   ```
   2021-10-07 10:27:30,290 - INFO  - [bookie-io-1-9:AuthHandler$ServerSideHandler$AuthHandshakeCompleteCallback@223] - Authentication success on server side
   2021-10-07 10:27:30,290 - INFO  - [bookie-io-1-9:BookieRequestHandler@50] - Channel connected  [id: 0x4511f341, L:/127.0.0.1:3181 - R:/127.0.0.1:56552]
   2021-10-07 10:27:30,303 - ERROR - [bookie-io-1-9:BookieRequestHandler@70] - Unhandled exception occurred in I/O thread or handler on [id: 0x4511f341, L:/127.0.0.1:3181 - R:/127.0.0.1:56552]
   io.netty.handler.codec.TooLongFrameException: Adjusted frame length exceeds 5242880: 369295621 - discarded
           at io.netty.handler.codec.LengthFieldBasedFrameDecoder.fail(LengthFieldBasedFrameDecoder.java:503)
           at io.netty.handler.codec.LengthFieldBasedFrameDecoder.failIfNecessary(LengthFieldBasedFrameDecoder.java:489)
           at io.netty.handler.codec.LengthFieldBasedFrameDecoder.exceededFrameLength(LengthFieldBasedFrameDecoder.java:376)
           at io.netty.handler.codec.LengthFieldBasedFrameDecoder.decode(LengthFieldBasedFrameDecoder.java:419)
           at io.netty.handler.codec.LengthFieldBasedFrameDecoder.decode(LengthFieldBasedFrameDecoder.java:332)
           at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:508)
           at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:447)
           at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
           at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
           at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
           at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
           at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
           at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
           at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
           at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
           at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:795)
           at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:480)
           at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:378)
           at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
           at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
           at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
           at java.base/java.lang.Thread.run(Thread.java:829)
   2021-10-07 10:27:30,304 - INFO  - [bookie-io-1-9:BookieRequestHandler@61] - Channels disconnected: [id: 0x4511f341, L:/127.0.0.1:3181 ! R:/127.0.0.1:56552]
   ```





[GitHub] [bookkeeper] itskannanraj commented on issue #2375: How to properly configure transportation level TLS in BookKeeper - Documentation does not work

Posted by GitBox <gi...@apache.org>.
itskannanraj commented on issue #2375:
URL: https://github.com/apache/bookkeeper/issues/2375#issuecomment-934292385


   @abroddle could you please let me know how you fixed the issue? I have the exact same issue and am unable to start BookKeeper with TLS. 








[GitHub] [bookkeeper] spova commented on issue #2375: How to properly configure transportation level TLS in BookKeeper - Documentation does not work

Posted by GitBox <gi...@apache.org>.
spova commented on issue #2375:
URL: https://github.com/apache/bookkeeper/issues/2375#issuecomment-937712007


   Ok, almost got it.
   
   1. You can't simply use the openssl command to check the certificate, because of the BK protocol. Run `bookkeeper shell bookieinfo` and see the exchange.
   2. You can establish a plain text connection even if the bookie is secured. I've no idea how to disable it. Should I?


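Spova's point 1 and the `TooLongFrameException` in the earlier log explain each other: BookKeeper negotiates TLS inside its own length-prefixed protocol (the client opens a plain connection and sends a StartTLS request before the SslHandler is installed), so the raw TLS ClientHello that `openssl s_client` sends is read by the bookie as a frame length. The Python below is an added illustration, not code from the issue or the BookKeeper project; it assumes the bookie's Netty `LengthFieldBasedFrameDecoder` uses a 4-byte big-endian length field with no adjustment and the 5242880-byte limit shown in the log, and the ClientHello bytes are a constructed sample.

```python
import struct

# Assumed decoder parameters: maxFrameLength = 5 MiB (the 5242880 printed in
# the log), lengthFieldOffset = 0, lengthFieldLength = 4, lengthAdjustment = 0,
# initialBytesToStrip = 4.
MAX_FRAME_LENGTH = 5 * 1024 * 1024  # 5242880
LENGTH_FIELD_LENGTH = 4

# Constructed sample: the start of a TLS ClientHello record as openssl sends it.
# 0x16 = handshake content type, 0x0301 = legacy record version (TLS 1.0),
# 0x0125 = record length (293 bytes), then handshake type 0x01 (ClientHello).
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("160301012501000121")

# Constructed sample: a well-formed BookKeeper frame header for a 42-byte payload.
BK_FRAME_PREFIX = struct.pack(">I", 42) + b"\x00" * 42


def adjusted_frame_length(data: bytes) -> int:
    """Mimic Netty's decoder: read the 4-byte big-endian length field and add
    lengthAdjustment + lengthFieldEndOffset (0 + 4 here)."""
    if len(data) < LENGTH_FIELD_LENGTH:
        raise ValueError("need at least 4 bytes to read the length field")
    raw = struct.unpack(">I", data[:LENGTH_FIELD_LENGTH])[0]
    return raw + LENGTH_FIELD_LENGTH


def decoder_verdict(data: bytes) -> str:
    """What the bookie's frame decoder does with the first bytes it receives."""
    n = adjusted_frame_length(data)
    if n > MAX_FRAME_LENGTH:
        return (f"TooLongFrameException: Adjusted frame length exceeds "
                f"{MAX_FRAME_LENGTH}: {n} - discarded")
    return f"frame accepted: waiting for {n - LENGTH_FIELD_LENGTH} payload bytes"


def looks_like_tls_record(data: bytes) -> bool:
    """The check the bookie is not making: a TLS record starts with a content
    type in 0x14..0x17 followed by the 0x03 major version byte."""
    return len(data) >= 2 and 0x14 <= data[0] <= 0x17 and data[1] == 0x03


if __name__ == "__main__":
    # The ClientHello reproduces the exact number from spova's log: 369295621.
    print(decoder_verdict(TLS_CLIENT_HELLO_PREFIX))
    # A plaintext BookKeeper frame is accepted as-is, which is spova's point 2.
    print(decoder_verdict(BK_FRAME_PREFIX))
```

The second verdict is why tcpdump shows plaintext when the bookie is "secured": the decoder accepts any well-formed frame, and encryption only starts once a client actually asks for StartTLS.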