Posted to dev@geode.apache.org by Liron Ben Ari <Li...@amdocs.com> on 2018/06/11 10:31:44 UTC

trying to implement SSL configuration

Hello team.
I am trying to move my client-server setup to work with SSL as part of a security POC we are running.
I was going through the Geode documents (there are a lot! :)) and there were a lot of different options...



This is the configuration I used:

I've generated the keystore & certificate using a private tool (that uses openssl + keytool).

For client:
A file containing a PEM encoded X.509 certificate and a PEM encoded PKCS#8 encrypted private key
For server:
PKCS#12 - this part works,
as we could see openssl s_client return the chain



In the gemfire.properties file I used:

ssl-enabled-components=all
ssl-protocols=any
ssl-ciphers=SSL_RSA_WITH_NULL_SHA       // I've tried both options (empty as well)
ssl-keystore-type=PKCS12
ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA/pki/private/server4.p12
ssl-keystore-password=changeme
ssl-truststore-type=JKS
ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.jks
ssl-truststore-password=changeit



On the client side I used the PEM format:
gfcpp1.properties:
ssl-enabled=true
ssl-keystore=/tmp/server4.pem
ssl-keystore-password=changeme
ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.pem


This is the error I am getting from the server (locator) when the client is trying to connect:
[info 2018/06/11 11:46:40.907 IDT eaasrt-locator <locator request thread[16]> tid=0x55] Exception in processing request from 192.168.2.100
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
        at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1906)
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
        at org.apache.geode.internal.net.SocketCreator.configureServerSSLSocket(SocketCreator.java:1013)
        at org.apache.geode.distributed.internal.tcpserver.TcpServer.lambda$processRequest$0(TcpServer.java:366)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:227)
        at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:118)
        at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1888)
        ... 12 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
:

These are the errors I am getting from the client:

ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
ACE_SSL (45715|140147953735424) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
ACE_SSL (45715|140148921374464) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
ACE_SSL (45715|140148896196352) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
ACE_SSL (45715|140148004091648) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
ACE_SSL (45715|140147978913536) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
ACE_SSL (45715|140148398352128) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
ACE_SSL (45715|140148373174016) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown






Any help will be appreciated!!

Thanks.


This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, which you may review at https://www.amdocs.com/about/email-disclaimer

Re: trying to implement SSL configuration

Posted by Anthony Baker <ab...@pivotal.io>.
You may want to enable SSL debugging: -Djavax.net.debug=all

https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html


Anthony


> On Jun 11, 2018, at 3:49 PM, Udo Kohlmeyer <uk...@pivotal.io> wrote:
> 
> Hi there,
> 
> Have you tried the following?
> 
> https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html
> 
> I have not tried to use a PKCS12 keystore type. Was there a particular reason why you are using it? Could you try with a JKS?
> 
> --Udo
> 
> On 6/11/18 03:31, Liron Ben Ari wrote:



Re: trying to implement SSL configuration

Posted by Jacob Barrett <jb...@pivotal.io>.
C++ client does not support certificate chaining. See GEODE-3415. Should be an easy fix if you want to submit a PR.

> On Jun 20, 2018, at 8:46 AM, Liron Ben Ari <Li...@amdocs.com> wrote:
> 
> Hi,
> Well, I managed!! All my processes are talking with the SSL configuration (hip hip hooray ☺)
> I figured out that I need client authentication and server authentication in the server certificate EKU, and that I need a single-depth hierarchy.
> I am not sure it will be the case when I will need to implement it at the customer site…
> 
> Does anyone have an idea why it was used like this?
> 
> 
> Last question…
> I am trying to configure gfsh to connect to my locator.
> I've added the needed properties to the connect command…
> 
> 
> ${GEMFIRE_HOME}/bin/gfsh -e "connect --locator=192.168.2.100[1028] --use-ssl --security-properties-file=$GF_SERVER_DIR/properties/gemfire.sec.properties"
> 
> I can see that it is able to connect to the locator, but I see that it is trying to connect to the manager without success.
> Does anyone know if I need to add another certificate or key for the manager?
> 
> 
> 1) Executing - connect --locator=192.168.2.100[1028] --use-ssl  --security-properties-file=/users/xpiwrk1/GemFire/Server/properties/gemfire.sec.properties
> 
> Connecting to Locator at [host=192.168.2.100, port=1028] ..
> Connecting to Manager at [host=eaasrt, port=1029] ..
> Could not connect to : [host=eaasrt, port=1029]. Failed to retrieve RMIServer stub: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
>        javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]
> 
> 
> 
> Thank you so much!!!
> 
> From: Ernest Burghardt <eburghardt@pivotal.io>
> Sent: Tuesday, June 12, 2018 7:27 PM
> To: user@geode.apache.org
> Cc: Udo Kohlmeyer <uk...@pivotal.io>; dev@geode.apache.org; Gregory Vortman <Gr...@Amdocs.com>; Vladi Polonsky <Vl...@Amdocs.com>; Alon Bar-Lev <Al...@amdocs.com>
> Subject: Re: trying to implement SSL configuration
> 
> Hello,
> 
> For "native" C++ interaction have a look at geode-native/cppcache/integration-test/testThinClientSSL
> This should provide an example of connecting with SSL enabled...
> 
> EB
> 
> On Tue, Jun 12, 2018 at 2:48 AM, Liron Ben Ari <Li...@amdocs.com> wrote:
> 
> We checked: the PKCS12 works (as we saw it in s_client).
> It looks like the server did not find a valid certificate...
> 
> Maybe you have a working example, when the client is native C++?
> 
> Thanks!!
> 
> -----Original Message-----
> From: Liron Ben Ari
> Sent: Tuesday, June 12, 2018 11:25 AM
> To: Udo Kohlmeyer <uk...@pivotal.io>; dev@geode.apache.org; user@geode.apache.org
> Cc: Gregory Vortman <Gr...@Amdocs.com>; Vladi Polonsky <Vl...@Amdocs.com>; Alon Bar-Lev <Al...@amdocs.com>
> Subject: RE: trying to implement SSL configuration
> 
> Hi ,
> Thank you for the quick response.
> So according to the link you sent, the keystore type is JKS as well.
> I will try and update...
> But according to the client configuration (I found this document for it: http://pubs.vmware.com/vfabric53/topic/com.vmware.ICbase/PDF/vfabric-gemfire-nc-ug-7.0.1.pdf)
> 
> the keystore for the native client should be in PEM format.
> 
> 
> 
> -----Original Message-----
> From: Udo Kohlmeyer <ukohlmeyer@pivotal.io>
> Sent: Tuesday, June 12, 2018 1:49 AM
> To: dev@geode.apache.org; Liron Ben Ari <Li...@amdocs.com>; user@geode.apache.org
> Cc: Gregory Vortman <Gr...@Amdocs.com>; Vladi Polonsky <Vl...@Amdocs.com>; Alon Bar-Lev <Al...@amdocs.com>
> Subject: Re: trying to implement SSL configuration
> 
> Hi there,
> 
> Have you tried the following?
> 
> https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html
> 
> I have not tried to use a PKCS12 keystore type. Was there a particular reason why you are using it? Could you try with a JKS?
> 
> --Udo
> 
>> On 6/11/18 03:31, Liron Ben Ari wrote:

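The certificate findings of this thread, reproduced on a throwaway PKI with openssl alone. This is an added example; it is not code from the thread, from Amdocs, or from Apache Geode. Two points from the messages above that the script checks: first, the locator stack trace in the original post fails inside X509TrustManagerImpl.checkClientTrusted, called from ServerHandshaker.clientCertificate, so the chain the locator could not build is the one for the certificate the native client presented, validated against the locator's JKS truststore (the server's PKCS12, which s_client had already shown to be fine, is not what is being rejected there); second, the June 20 message and Jacob's reply point at properties of the certificates themselves, an extendedKeyUsage carrying both serverAuth and clientAuth, and a single-depth hierarchy, since a peer that does not handle chains can only verify a leaf signed directly by a trust anchor. The script builds a constructed root CA, a leaf under it, a leaf under an unrelated CA (the openssl counterpart of "unable to find valid certification path to requested target"), and a two-level chain, then checks each with openssl verify and openssl x509 -ext. It assumes openssl 1.1.1 or later on PATH; every name in it (Example Root CA, Unrelated CA, server4, stray, intermediate, deep) is made up for the example.

```sh
#!/bin/sh
# Added example (not code from the thread, Amdocs, or Apache Geode): rebuild the
# three certificate situations from the thread on a constructed, throwaway PKI
# and check each one with openssl. Assumes openssl >= 1.1.1 on PATH. All names
# (Example Root CA, Unrelated CA, server4, stray, intermediate, deep) are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# new_ca NAME FILE: self-signed CA written to $WORK/FILE.{pem,key}.
# (req -x509 takes basicConstraints CA:TRUE from the default openssl.cnf.)
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# issue NAME ISSUER [is_ca]: certificate for NAME signed by $WORK/ISSUER.{pem,key}.
# Leaves get extendedKeyUsage serverAuth + clientAuth: a Geode member is a TLS
# server towards clients and peers and a TLS client towards the locator, and the
# locator in the thread is validating the client side of the handshake.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  if [ "${3:-}" = "is_ca" ]; then
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = keyCertSign, cRLSign\n' \
      > "$WORK/$1.ext"
  else
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = DNS:%s\n' \
      "$1" > "$WORK/$1.ext"
  fi
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# chains_to LEAF ANCHOR [INTERMEDIATE]: 0 iff $WORK/LEAF.pem verifies against the
# anchor, optionally with an intermediate supplied the way a chain-aware peer
# would present it. This is the openssl counterpart of the JSSE PKIX path check
# that failed in the locator log.
chains_to() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$WORK/$2.pem" -untrusted "$WORK/$3.pem" "$WORK/$1.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1
  fi
}

# has_eku LEAF TEXT: 0 iff the leaf's extendedKeyUsage lists TEXT, e.g.
# "TLS Web Client Authentication" (openssl's printed name for clientAuth).
has_eku() {
  openssl x509 -in "$WORK/$1.pem" -noout -ext extendedKeyUsage 2>/dev/null | grep -q "$2"
}

new_ca "Example Root CA" root
new_ca "Unrelated CA"    other
issue server4      root              # single-depth: leaf directly under the anchor
issue stray        other             # signed by a CA the truststore does not hold
issue intermediate root is_ca        # two-level: root -> intermediate -> deep
issue deep         intermediate

# 1. trust anchor mismatch (the locator's "unable to find valid certification path")
chains_to server4 root && echo "server4 chains to root"
chains_to stray root   || echo "stray does NOT chain to root: PKIX-style failure"
# 2. EKU: both usages present on the same leaf
has_eku server4 "TLS Web Server Authentication" && echo "server4 EKU has serverAuth"
has_eku server4 "TLS Web Client Authentication" && echo "server4 EKU has clientAuth"
# 3. depth: a peer that never sends or accepts the intermediate sees the first
#    result; supply the intermediate and the same leaf verifies.
chains_to deep root              || echo "deep fails against root alone"
chains_to deep root intermediate && echo "deep verifies once the intermediate is supplied"
```

The same `openssl verify -CAfile <ca.pem> <client-cert.pem>` check can be run on the real material before touching any Geode property: export the CA from the JKS truststore with `keytool -exportcert -rfc` and verify the native client's PEM leaf against it. Two settings in the posted gemfire.properties also deserve a second look on a security POC: SSL_RSA_WITH_NULL_SHA is a NULL-encryption suite (the connection is authenticated and integrity-protected but nothing is encrypted), and ssl-protocols=any leaves protocol selection to whatever the JVM's JSSE provider enables by default.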
Re: trying to implement SSL configuration

Posted by Jacob Barrett <jb...@pivotal.io>.
C++ client does not support certificate chaining. See GEODE-3415. Should be an easy fix if you want to submit a PR.

> On Jun 20, 2018, at 8:46 AM, Liron Ben Ari <Li...@amdocs.com> wrote:
> 
> Hi ,
> Well , I managed!! All my processes are talking with SSL configuration (hip hip Horay ☺)
> I figure out – that I need client authentication and server authentication in the server certificate EKU , and that I need a single  depth hierarchy ,
> I am not sure it will be the case when I wil need to implement it in the customer site…
> 
> Does anyone have id why it was used like this?
> 
> 
> Last question…
> I am trying to configure the gfsh to connect to my locator.
> I’ve added to the connect command the needed properties…
> 
> 
> ${GEMFIRE_HOME}/bin/gfsh -e "connect --locator=192.168.2.100[1028] --use-ssl  --security-properties-file=$GF_SERVER_DIR/properties/gemfire.sec.properties
> 
> I can see that he is able to connect to the locator – but I see that it is trying to connect to the manager without success.
> Does anyone know if I need to add another certificate or key for the manager?
> 
> 
> 1) Executing - connect --locator=192.168.2.100[1028] --use-ssl  --security-properties-file=/users/xpiwrk1/GemFire/Server/properties/gemfire.sec.properties
> 
> Connecting to Locator at [host=192.168.2.100, port=1028] ..
> Connecting to Manager at [host=eaasrt, port=1029] ..
> Could not connect to : [host=eaasrt, port=1029]. Failed to retrieve RMIServer stub: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
>        javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]
> 
> 
> 
> Thank you so much!!!
> From: Ernest Burghardt [mailto:eburghardt@pivotal.io]
> Sent: Tuesday, June 12, 2018 7:27 PM
> To: user@geode.apache.org
> Cc: Udo Kohlmeyer <uk...@pivotal.io>; dev@geode.apache.org; Gregory Vortman <Gr...@Amdocs.com>; Vladi Polonsky <Vl...@Amdocs.com>; Alon Bar-Lev <Al...@amdocs.com>
> Subject: Re: trying to implement SSL configuration
> 
> Hello,
> 
> For "native" C++ interaction have a look at geode-native/cppcache/integration-test/testThinClientSSL
> This should provide an example of connecting with SSL enabled...
> 
> EB
> 
> On Tue, Jun 12, 2018 at 2:48 AM, Liron Ben Ari <Li...@amdocs.com>> wrote:
> 
> We checked - the PKCS12 works (as we saw it in s_client).
> It looks like the server did not find a valid certificate...
> 
> Maybe you have a working example where the client is native C++?
> 
> Thanks!!
> 
> -----Original Message-----
> From: Liron Ben Ari
> Sent: Tuesday, June 12, 2018 11:25 AM
> To: Udo Kohlmeyer <uk...@pivotal.io>>; dev@geode.apache.org<ma...@geode.apache.org>; user@geode.apache.org<ma...@geode.apache.org>
> Cc: Gregory Vortman <Gr...@Amdocs.com>>; Vladi Polonsky <Vl...@Amdocs.com>>; Alon Bar-Lev <Al...@amdocs.com>>
> Subject: RE: trying to implement SSL configuration
> 
> Hi ,
> Thank you for the quick response.
> So according to the link you sent, the keystore type is JKS as well.
> I will try and update...
> But according to the client configuration (I found this document for it: http://pubs.vmware.com/vfabric53/topic/com.vmware.ICbase/PDF/vfabric-gemfire-nc-ug-7.0.1.pdf)
> 
> The keystore for the native client should be in PEM format.
> 
> 
> 
> -----Original Message-----
> From: Udo Kohlmeyer [mailto:ukohlmeyer@pivotal.io<ma...@pivotal.io>]
> Sent: Tuesday, June 12, 2018 1:49 AM
> To: dev@geode.apache.org<ma...@geode.apache.org>; Liron Ben Ari <Li...@amdocs.com>>; user@geode.apache.org<ma...@geode.apache.org>
> Cc: Gregory Vortman <Gr...@Amdocs.com>>; Vladi Polonsky <Vl...@Amdocs.com>>; Alon Bar-Lev <Al...@amdocs.com>>
> Subject: Re: trying to implement SSL configuration
> 
> Hi there,
> 
> Have you tried the following?
> 
> https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html
> 
> I have not tried to use a PKCS12 keystore type. Was there a particular reason why you are using it? Could you try with a JKS?
> 
> --Udo
> 
>> On 6/11/18 03:31, Liron Ben Ari wrote:
>> Hello team.
>> I am trying to move my client server to work with SSL as part of a security POC we are running.
>> I was going through the GEODE documents (there are a lot! :)) and there were a lot of different options...
>> 
>> 
>> 
>> This is the configuration  I used:
>> 
>> I've generated the keystore & certificate using a private tool (that uses
>> openssl + keytool)
>> 
>> For client:
>> A file containing a PEM-encoded X.509 certificate and a PEM-encoded
>> PKCS#8 encrypted private key
>> For server:
>> PKCS#12 - this part works,
>> as we could see openssl s_client return the chain
>> 
>> 
>> 
>> In the gemfire.properties file I used:
>> 
>> ssl-enabled-components=all
>> ssl-protocols=any
>> ssl-ciphers=SSL_RSA_WITH_NULL_SHA       //I've tried both options (empty as well)
>> ssl-keystore-type=PKCS12
>> ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA/pki/private/server4.p12
>> ssl-keystore-password=changeme
>> ssl-truststore-type=JKS
>> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.jks
>> ssl-truststore-password=changeit
>> 
>> 
>> 
>> On the client side I used the PEM format:
>> gfcpp1.properties:
>> ssl-enabled=true
>> ssl-keystore=/tmp/server4.pem
>> ssl-keystore-password=changeme
>> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.pem
>> 
>> 
>> This is the error I am getting from the server when the client is trying to connect (locator):
>> [info 2018/06/11 11:46:40.907 IDT eaasrt-locator <locator request
>> thread[16]> tid=0x55] Exception in processing request from
>> 192.168.2.100
>> javax.net.ssl.SSLHandshakeException:
>> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>>         at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1906)
>>         at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233)
>>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
>>         at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
>>         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>>         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>>         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>>         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>>         at org.apache.geode.internal.net<http://org.apache.geode.internal.net>.SocketCreator.configureServerSSLSocket(SocketCreator.java:1013)
>>         at org.apache.geode.distributed.internal.tcpserver.TcpServer.lambda$processRequest$0(TcpServer.java:366)
>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>         at java.lang.Thread.run(Thread.java:748)
>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>>         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>         at sun.security.validator.Validator.validate(Validator.java:260)
>>         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>>         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:227)
>>         at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:118)
>>         at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1888)
>>         ... 12 more
>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>         at
>> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBui
>> lder.java:141)
>> :
>> 
>> These are the errors I am getting from the client:
>> 
>> ACE_SSL (45715|140151217246912) error code: 336151574 -
>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>> unknown ACE_SSL (45715|140151217246912) error code: 336151574 -
>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>> unknown ACE_SSL (45715|140151217246912) error code: 336151574 -
>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>> unknown ACE_SSL (45715|140147953735424) error code: 336151574 -
>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>> unknown ACE_SSL (45715|140148921374464) error code: 336151574 -
>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>> unknown ACE_SSL (45715|140148896196352) error code: 336151574 -
>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>> unknown ACE_SSL (45715|140148004091648) error code: 336151574 -
>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>> unknown ACE_SSL (45715|140147978913536) error code: 336151574 -
>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>> unknown ACE_SSL (45715|140148398352128) error code: 336151574 -
>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>> unknown ACE_SSL (45715|140148373174016) error code: 336151574 -
>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>> unknown
>> 
>> 
>> 
>> 
>> 
>> 
>> Any help will be appreciated!!
>> 
>> Thanks.
>> 
>> 
>> 
> 
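The two constraints this post and the quoted reply arrive at for the native client (no certificate chain, per GEODE-3415, and both serverAuth and clientAuth in the server certificate's EKU) can be checked on a PEM bundle before it is handed to the client. The script below is an added example, not code from the Geode project or from anyone in this thread; it assumes the `openssl` command-line tool is installed and that the first certificate in the file is the leaf the client will present.

```shell
#!/bin/sh
# Added example (not from the Geode project or anyone in this thread): check a
# PEM bundle against the two constraints the thread arrives at for the native
# client: a single leaf certificate with no chain (GEODE-3415) whose EKU
# carries both serverAuth and clientAuth. Needs the openssl command-line tool.

# Number of certificates in the file; a bundled chain shows up as more than one.
# Private-key blocks (PKCS#8) use a different BEGIN marker and are not counted.
pem_cert_count() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Extended Key Usage of the first certificate as one line, e.g.
# "TLS Web Server Authentication, TLS Web Client Authentication".
pem_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/X509v3 Extended Key Usage/{n;p;}' | sed 's/^ *//'
}

# Exit 0 when the first certificate's EKU names the given purpose.
pem_has_eku() {
    pem_eku "$1" | grep -q "$2"
}

# Run both checks; prints one PASS/FAIL line each and returns 1 on any failure.
check_native_client_pem() {
    pem="$1"; status=0
    count=$(pem_cert_count "$pem")
    if [ "$count" -eq 1 ]; then
        echo "PASS: exactly one certificate (nothing for the native client to chain)"
    else
        echo "FAIL: $count certificates in $pem; the native client cannot follow a chain"
        status=1
    fi
    for purpose in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
        if pem_has_eku "$pem" "$purpose"; then
            echo "PASS: EKU includes $purpose"
        else
            echo "FAIL: EKU lacks $purpose"
            status=1
        fi
    done
    return $status
}

# Usage: sh check_native_client_pem.sh /path/to/client.pem
if [ -n "${1:-}" ]; then
    check_native_client_pem "$1"
fi
```

Run it against the file named in the client's `ssl-keystore` property; a FAIL on the certificate count means the bundle carries an intermediate that the native client will not walk, and a FAIL on an EKU purpose is the condition that produced the "unable to find valid certification path" rejection on the server side of this thread.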

RE: trying to implement SSL configuration

Posted by Liron Ben Ari <Li...@amdocs.com>.
The locator is coming up.
The server isn't - this is the exception (when not using 0): 



er --J=-DIMDG_PROP_FILE=/users/xpiwrk1/GemFire/Server/properties/IMDGServer.properties --J=-DACTIVE_ENABLE=true

..............................................The Cache Server process terminated unexpectedly with exit status 1. Please refer to the log file in /users/xpiwrk1/GemFire/Server/servers/server1 for full details.

Java HotSpot(TM) 64-Bit Server VM warning: ignoring option PermSize=64m; support was removed in 8.0

Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0

Exception in thread "main" java.lang.IllegalArgumentException: Selector thread pooling can not be used with client/server SSL. The selector can be disabled by setting max-threads=0.

        at org.apache.geode.internal.cache.tier.sockets.AcceptorImpl.<init>(AcceptorImpl.java:436)

        at org.apache.geode.internal.cache.CacheServerImpl.start(CacheServerImpl.java:354)

        at org.apache.geode.internal.cache.xmlcache.CacheCreation.startCacheServers(CacheCreation.java:634)

        at org.apache.geode.internal.cache.xmlcache.CacheCreation.create(CacheCreation.java:529)

        at org.apache.geode.internal.cache.xmlcache.CacheXmlParser.create(CacheXmlParser.java:338)

        at org.apache.geode.internal.cache.GemFireCacheImpl.loadCacheXml(GemFireCacheImpl.java:4313)

        at org.apache.geode.internal.cache.GemFireCacheImpl.initializeDeclarativeCache(GemFireCacheImpl.java:1403)

        at org.apache.geode.internal.cache.GemFireCacheImpl.initialize(GemFireCacheImpl.java:1203)

        at org.apache.geode.internal.cache.GemFireCacheImpl.basicCreate(GemFireCacheImpl.java:778)


-----Original Message-----
From: Anthony Baker <ab...@pivotal.io> 
Sent: Monday, July 2, 2018 7:07 PM
To: dev@geode.apache.org
Cc: Gregory Vortman <Gr...@Amdocs.com>; Ori Levy <OR...@Amdocs.com>; Ari Erev <Ar...@amdocs.com>
Subject: Re: trying to implement SSL configuration

Why did you change the number of threads to 0 (and which setting did you change)?  AFAIK this is not a requirement.

Anthony


> On Jul 1, 2018, at 10:29 PM, Liron Ben Ari <Li...@amdocs.com> wrote:
> 
> Hi again...
> After some functional tests of the SSL configuration, we saw a 300% degradation in performance!!
> Does anyone have any experience with this?
> Is there some special tuning that I can do?
> 
> We used this in our configuration - from the documentation it looks like this is the only possible option to use...
> (we must use the "all" option according to the GDPR regulations...)
> 
> ssl-enabled-components=all
> ssl-protocols=any
> ssl-ciphers=SSL_RSA_WITH_NULL_SHA
> We have also changed the number of threads to 0 (so it will be a thread
> per connection - there was no other way...)
> 
> 
> thanks a lot for any help :)
> 
> -----Original Message-----
> From: Liron Ben Ari
> Sent: Sunday, June 24, 2018 12:58 PM
> To: dev@geode.apache.org <ma...@geode.apache.org>
> Cc: Gregory Vortman <Gregory.Vortman@Amdocs.com 
> <ma...@Amdocs.com>>
> Subject: RE: trying to implement SSL configuration
> 
> Thanks a lot for your response, Ryan.
> I've used the ssl-enabled-components=all parameter.
> All my C++ clients are able to connect to the locator and to send SSL events.
> I have another Java client that connects to the locator and I gave it the same parameters...
> I will try changing it and will update :) thanks
> 
> Here are the parameters  I used for the server side:
> 
> ssl-enabled-components=all
> ssl-protocols=any
> ssl-ciphers=SSL_RSA_WITH_NULL_SHA
> ssl-keystore-type=PKCS12
> ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA-simple/pki/private/test1.p12
> ssl-keystore-password=*****
> ssl-truststore-type=JKS
> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA-simple/Amdocs-Test-CA-simple.jks
> ssl-truststore-password=changeit
> 
> -----Original Message-----
> From: Ryan McMahon [mailto:rmcmahon@pivotal.io 
> <ma...@pivotal.io>]
> Sent: Wednesday, June 20, 2018 6:57 PM
> To: dev@geode.apache.org <ma...@geode.apache.org>
> Subject: Re: trying to implement SSL configuration
> 
> Hi Liron,
> 
> 
> The first thing that jumps out to me when you say that GFSH could not connect to the JMX manager is that you need to have `jmx` in addition to `locator` in your `ssl-enabled-components` Geode system property.  For example, you'd need ssl-enabled-components=locator,jmx at a minimum for GFSH to connect.  It's a bit different if you pass --use-http to your `connect` command, but it doesn't appear you are doing that.
> 
> 
> Ryan
> 
> On Wed, Jun 20, 2018 at 8:46 AM, Liron Ben Ari 
> <Liron.BenAri@amdocs.com <ma...@amdocs.com>>
> wrote:
> 
>> Hi ,
>> Well, I managed!! All my processes are talking with SSL
>> configuration (hip hip hooray ☺). I figured out that I need client
>> authentication and server authentication in the server certificate
>> EKU, and that I need a single-depth hierarchy. I am not sure it
>> will be the case when I will need to implement it at the customer
>> site…
>> 
>> Does anyone have an idea why it was done like this?
>> 
>> 
>> Last question…
>> I am trying to configure gfsh to connect to my locator.
>> I’ve added the needed properties to the connect command…
>> 
>> For "native" C++ interaction have a look at geode-native/cppcache/
>> integration-test/testThinClientSSL
>> This should provide an example of connecting with SSL enabled...
>> 
>> EB
>> 
>> On Tue, Jun 12, 2018 at 2:48 AM, Liron Ben Ari 
>> <Liron.BenAri@amdocs.com< mailto:Liron.BenAri@amdocs.com>> wrote:
>> 
>> We checked - the PKCS12 works (as we saw it in s_client). It
>> looks like the server did not find a valid certificate...
>> 
>> Maybe you have a working example where the client is native C++?
>> 
>> Thanks!!
>> 
>> -----Original Message-----
>> From: Liron Ben Ari
>> Sent: Tuesday, June 12, 2018 11:25 AM
>> To: Udo Kohlmeyer
>> <uk...@pivotal.io>>;
>> dev@geode.apache.org<ma...@geode.apache.org>;
>> user@geode.apache.org <ma...@geode.apache.org>
>> Cc: Gregory Vortman <Gregory.Vortman@Amdocs.com<mailto:
>> Gregory.Vortman@Amdocs.com>>; Vladi Polonsky 
>> <Vladi.Polonsky@Amdocs.com< mailto:Vladi.Polonsky@Amdocs.com>>; Alon 
>> Bar-Lev <Alon.BarLev@amdocs.com< mailto:Alon.BarLev@amdocs.com>>
>> Subject: RE: trying to implement SSL configuration
>> 
>> Hi ,
>> Thank you for the quick response.
>> So according to the link you sent, the keystore type is JKS as well.
>> I will try and update...
>> But according to the client configuration (I found this document for it:
>> http://pubs.vmware.com/vfabric53/topic/com.vmware.ICbase/PDF/vfabric-gemfire-nc-ug-7.0.1.pdf)
>> 
>> The keystore for the native client should be in PEM format.
>> 
>> 
>> 
>> -----Original Message-----
>> From: Udo Kohlmeyer [mailto:ukohlmeyer@pivotal.io<mailto:
>> ukohlmeyer@pivotal.io>]
>> Sent: Tuesday, June 12, 2018 1:49 AM
>> To: dev@geode.apache.org<ma...@geode.apache.org>; Liron Ben Ari 
>> < Liron.BenAri@amdocs.com<ma...@amdocs.com>>;
>> user@geode.apache.org<ma...@geode.apache.org>
>> Cc: Gregory Vortman <Gregory.Vortman@Amdocs.com<mailto:
>> Gregory.Vortman@Amdocs.com>>; Vladi Polonsky 
>> <Vladi.Polonsky@Amdocs.com< mailto:Vladi.Polonsky@Amdocs.com>>; Alon 
>> Bar-Lev <Alon.BarLev@amdocs.com< mailto:Alon.BarLev@amdocs.com>>
>> Subject: Re: trying to implement SSL configuration
>> 
>> Hi there,
>> 
>> Have you tried the following?
>> 
>> https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html
>> 
>> I have not tried to use a PKCS12 keystore type. Was there a 
>> particular reason why you are using it? Could you try with a JKS?
>> 
>> --Udo
>> 
>> On 6/11/18 03:31, Liron Ben Ari wrote:
>>> Hello team.
>>> I am trying to move my client server to work with SSL as part of
>>> a security POC we are running.
>>> I was going through the GEODE documents (there are a lot! :)) and there were
>>> a lot of different options...
>>> 
>>> 
>>> 
>>> This is the configuration  I used:
>>> 
>>> I've generated the keystore & certificate using a private tool (that
>>> uses openssl + keytool)
>>> 
>>> For client:
>>> A file containing a PEM-encoded X.509 certificate and a PEM-encoded
>>> PKCS#8 encrypted private key
>>> For server:
>>> PKCS#12 - this part works,
>>> as we could see openssl s_client return the chain
>>> 
>>> 
>>> 
>>> In the gemfire.properties file I used:
>>> 
>>> ssl-enabled-components=all
>>> ssl-protocols=any
>>> ssl-ciphers=SSL_RSA_WITH_NULL_SHA       //I've tried both options (empty as well)
>>> ssl-keystore-type=PKCS12
>>> ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA/pki/private/server4.p12
>>> ssl-keystore-password=changeme
>>> ssl-truststore-type=JKS
>>> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.jks
>>> ssl-truststore-password=changeit
>>> 
>>> 
>>> 
>>> On the client side I used the PEM format:
>>> gfcpp1.properties:
>>> ssl-enabled=true
>>> ssl-keystore=/tmp/server4.pem
>>> ssl-keystore-password=changeme
>>> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.pem
>>> 
>>> 
>>> This is the error I am getting from the server when the client is trying
>>> to connect (locator):
>>> [info 2018/06/11 11:46:40.907 IDT eaasrt-locator <locator request 
>>> thread[16]> tid=0x55] Exception in processing request from
>>> 192.168.2.100
>>> javax.net.ssl.SSLHandshakeException:
>>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to 
>> find valid certification path to requested target
>>>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>         at sun.security.ssl.SSLSocketImpl.fatal(
>> SSLSocketImpl.java:1949)
>>>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>>>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>>>         at sun.security.ssl.ServerHandshaker.clientCertificate(
>> ServerHandshaker.java:1906)
>>>         at sun.security.ssl.ServerHandshaker.processMessage(
>> ServerHandshaker.java:233)
>>>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:
>> 1026)
>>>         at sun.security.ssl.Handshaker.process_record(Handshaker.
>> java:961)
>>>         at sun.security.ssl.SSLSocketImpl.readRecord(
>> SSLSocketImpl.java:1062)
>>>         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(
>> SSLSocketImpl.java:1375)
>>>         at sun.security.ssl.SSLSocketImpl.startHandshake(
>> SSLSocketImpl.java:1403)
>>>         at sun.security.ssl.SSLSocketImpl.startHandshake(
>> SSLSocketImpl.java:1387)
>>>         at org.apache.geode.internal.net<http://org.apache.geode.
>> internal.net>.SocketCreator.configureServerSSLSocket(
>> SocketCreator.java:1013)
>>>         at org.apache.geode.distributed.internal.tcpserver.TcpServer.
>> lambda$processRequest$0(TcpServer.java:366)
>>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(
>> ThreadPoolExecutor.java:1142)
>>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(
>> ThreadPoolExecutor.java:617)
>>>         at java.lang.Thread.run(Thread.java:748)
>>> Caused by: sun.security.validator.ValidatorException: PKIX path
>> building failed: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>>>         at sun.security.validator.PKIXValidator.doBuild(
>> PKIXValidator.java:387)
>>>         at sun.security.validator.PKIXValidator.engineValidate(
>> PKIXValidator.java:292)
>>>         at sun.security.validator.Validator.validate(Validator.
>> java:260)
>>>         at sun.security.ssl.X509TrustManagerImpl.validate(
>> X509TrustManagerImpl.java:324)
>>>         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(
>> X509TrustManagerImpl.java:227)
>>>         at
>>> sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(
>> X509TrustManagerImpl.java:118)
>>>         at sun.security.ssl.ServerHandshaker.clientCertificate(
>> ServerHandshaker.java:1888)
>>>         ... 12 more
>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>>>         at
>>> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathB
>>> ui
>>> lder.java:141)
>>> :
>>> 
>>> These are the errors I am getting from the client:
>>> 
>>> ACE_SSL (45715|140151217246912) error code: 336151574 - 
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
>>> unknown ACE_SSL (45715|140151217246912) error code: 336151574 - 
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
>>> unknown ACE_SSL (45715|140151217246912) error code: 336151574 - 
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
>>> unknown ACE_SSL (45715|140147953735424) error code: 336151574 - 
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
>>> unknown ACE_SSL (45715|140148921374464) error code: 336151574 - 
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
>>> unknown ACE_SSL (45715|140148896196352) error code: 336151574 - 
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
>>> unknown ACE_SSL (45715|140148004091648) error code: 336151574 - 
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
>>> unknown ACE_SSL (45715|140147978913536) error code: 336151574 - 
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
>>> unknown ACE_SSL (45715|140148398352128) error code: 336151574 - 
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
>>> unknown ACE_SSL (45715|140148373174016) error code: 336151574 - 
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
>>> unknown
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> Any help will be appreciated!!
>>> 
>>> Thanks.
>>> 
>>> 
>>> 
>> 
>> 

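The settings this post and its quoted history keep returning to (ssl-enabled-components, ssl-protocols, the SSL_RSA_WITH_NULL_SHA cipher, and the `//` note appended to the cipher line) can be checked mechanically before a member is started. The Python below is an added example, not code from Geode or from anyone in this thread; the property keys are Geode's own, while the severity labels, the sample files and their placeholder paths are constructed here.

```python
import re

# Added example (not from the Geode project or this thread): lint the ssl-*
# settings of a gemfire.properties file for the problems that surfaced in
# this discussion. Severity labels and the sample files are constructed.

# Java's Properties loader treats only '#' and '!' at line start as comments.
COMMENT_PREFIXES = ("#", "!")

# Suites whose bulk cipher is NULL (e.g. SSL_RSA_WITH_NULL_SHA) authenticate
# and integrity-protect the stream but send the payload in cleartext.
NULL_SUITE = re.compile(r"WITH_NULL_", re.IGNORECASE)

SEVERITY_ORDER = ("INFO", "MEDIUM", "HIGH", "CRITICAL")


def parse_properties(text):
    """Parse Java-style 'key=value' / 'key: value' text into a dict.

    A trailing '//...' is NOT a comment in this format: it stays part of the
    value, so an annotated ssl-ciphers line reaches the JVM with the note in it.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(COMMENT_PREFIXES):
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def lint_ssl_properties(props):
    """Return (severity, key, message) tuples for the ssl-* settings."""
    findings = []
    components = {c.strip().lower()
                  for c in props.get("ssl-enabled-components", "").split(",")
                  if c.strip()}
    if not components:
        findings.append(("HIGH", "ssl-enabled-components",
                         "empty: no component negotiates TLS at all"))

    ciphers = props.get("ssl-ciphers", "")
    if "//" in ciphers:
        findings.append(("HIGH", "ssl-ciphers",
                         "'//' is not a comment here; the JVM receives the "
                         "cipher list %r" % ciphers))
    if NULL_SUITE.search(ciphers):
        findings.append(("CRITICAL", "ssl-ciphers",
                         "NULL-encryption suite: integrity only, the payload "
                         "crosses the wire in cleartext"))

    # Geode's default for ssl-protocols is 'any', so a missing key is treated
    # the same as an explicit 'any'.
    if props.get("ssl-protocols", "any").strip().lower() == "any":
        findings.append(("MEDIUM", "ssl-protocols",
                         "'any' lets the JVM negotiate every protocol it has "
                         "enabled; pin TLSv1.2 or later"))

    # From the thread: with only the locator TLS-enabled, gfsh reaches the
    # locator but the connection to the JMX manager fails the handshake.
    if ("all" not in components and "locator" in components
            and "jmx" not in components):
        findings.append(("MEDIUM", "ssl-enabled-components",
                         "locator is TLS-enabled but jmx is not; gfsh connect "
                         "will fail at the manager"))

    for key in ("ssl-keystore-password", "ssl-truststore-password"):
        if props.get(key):
            findings.append(("INFO", key,
                             "cleartext password in the file; keep it readable "
                             "by the Geode process user only"))
    return findings


def worst_severity(findings):
    """Highest severity present, or 'NONE' for a clean file."""
    return max((sev for sev, _, _ in findings),
               key=SEVERITY_ORDER.index, default="NONE")


# Constructed sample mirroring the server configuration posted in this
# thread (paths replaced by placeholders).
THREAD_PROPERTIES = """\
ssl-enabled-components=all
ssl-protocols=any
ssl-ciphers=SSL_RSA_WITH_NULL_SHA       //I've tries both option (empty as well)
ssl-keystore-type=PKCS12
ssl-keystore=/path/to/server.p12
ssl-keystore-password=changeme
ssl-truststore-type=JKS
ssl-truststore=/path/to/trust.jks
ssl-truststore-password=changeit
"""

# The same file with the protocol pinned and an AEAD suite (constructed).
HARDENED_PROPERTIES = THREAD_PROPERTIES.replace(
    "ssl-protocols=any", "ssl-protocols=TLSv1.2").replace(
    THREAD_PROPERTIES.splitlines()[2],
    "ssl-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")

if __name__ == "__main__":
    for label, text in (("thread", THREAD_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        results = lint_ssl_properties(parse_properties(text))
        print("%s: worst=%s" % (label, worst_severity(results)))
        for sev, key, msg in results:
            print("  [%s] %s: %s" % (sev, key, msg))
```

The "Selector thread pooling can not be used with client/server SSL" exception at the top of this post comes from the cache server's max-threads attribute, which is set when the server is started rather than in gemfire.properties, so it is outside what this lint reads. The NULL-suite finding is the one to act on first: with SSL_RSA_WITH_NULL_SHA the handshake and the per-record MAC run, but region data and credentials are not encrypted.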

Re: trying to implement SSL configuration

Posted by Udo Kohlmeyer <ud...@apache.org>.
Hi there Liron,

Given that if you set a connection per thread, and by that I assume you 
mean that you set the min size on the thread pool to 0, you will incur 
the overhead of SSL negotiation EVERY time you create a connection.

Now I'm not sure what your thread pool configuration is, I'm only really 
making a wild educated guess.

Any possibility you could share your configuration with us? That would 
include thread-pool config, etc....

--Udo


On 7/2/18 09:06, Anthony Baker wrote:
> Why did you change the number of threads to 0 (and which setting did you change)?  AFAIK this is not a requirement.
>
> Anthony
>
>
>> On Jul 1, 2018, at 10:29 PM, Liron Ben Ari <Li...@amdocs.com> wrote:
>>
>> Hi again...
>> After some functional tests of the SSL configuration, we saw a 300% degradation in performance!!
>> Does anyone have any experience with this?
>> Is there some special tuning that I can do?
>>
>> We used this in our configuration - from the documentation it looks like this is the only possible option to use...
>> (we must use the "all" option according to the GDPR regulations...)
>>
>> ssl-enabled-components=all
>> ssl-protocols=any
>> ssl-ciphers=SSL_RSA_WITH_NULL_SHA
>> We have also changed the number of threads to 0 (so it will be a thread per connection - there was no other way...)
>>
>>
>> thanks a lot for any help :)
>>
>> -----Original Message-----
>> From: Liron Ben Ari
>> Sent: Sunday, June 24, 2018 12:58 PM
>> To: dev@geode.apache.org <ma...@geode.apache.org>
>> Cc: Gregory Vortman <Gregory.Vortman@Amdocs.com <ma...@Amdocs.com>>
>> Subject: RE: trying to implement SSL configuration
>>
>> Thanks a lot for your response, Ryan.
>> I've used the ssl-enabled-components=all parameter.
>> All my C++ clients are able to connect to the locator and to send SSL events.
>> I have another Java client that connects to the locator and I gave it the same parameters...
>> I will try changing it and will update :) thanks
>>
>> Here are the parameters  I used for the server side:
>>
>> ssl-enabled-components=all
>> ssl-protocols=any
>> ssl-ciphers=SSL_RSA_WITH_NULL_SHA
>> ssl-keystore-type=PKCS12
>> ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA-simple/pki/private/test1.p12
>> ssl-keystore-password=*****
>> ssl-truststore-type=JKS
>> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA-simple/Amdocs-Test-CA-simple.jks
>> ssl-truststore-password=changeit
>>
>> -----Original Message-----
>> From: Ryan McMahon [mailto:rmcmahon@pivotal.io <ma...@pivotal.io>]
>> Sent: Wednesday, June 20, 2018 6:57 PM
>> To: dev@geode.apache.org <ma...@geode.apache.org>
>> Subject: Re: trying to implement SSL configuration
>>
>> Hi Liron,
>>
>>
>> The first thing that jumps out to me when you say that GFSH could not connect to the JMX manager is that you need to have `jmx` in addition to `locator` in your `ssl-enabled-components` Geode system property.  For example, you'd need ssl-enabled-components=locator,jmx at a minimum for GFSH to connect.  It's a bit different if you pass --use-http to your `connect` command, but it doesn't appear you are doing that.
>>
>>
>> Ryan
>>
>> On Wed, Jun 20, 2018 at 8:46 AM, Liron Ben Ari <Liron.BenAri@amdocs.com <ma...@amdocs.com>>
>> wrote:
>>
>>> Hi ,
>>> Well, I managed!! All my processes are talking with SSL configuration
>>> (hip hip hooray ☺). I figured out that I need client authentication and
>>> server authentication in the server certificate EKU, and that I need
>>> a single-depth hierarchy. I am not sure it will be the case when I
>>> will need to implement it at the customer site…
>>>
>>> Does anyone have an idea why it was done like this?
>>>
>>>
>>> Last question…
>>> I am trying to configure gfsh to connect to my locator.
>>> I’ve added the needed properties to the connect command…
>>>
>>> For "native" C++ interaction have a look at geode-native/cppcache/
>>> integration-test/testThinClientSSL
>>> This should provide an example of connecting with SSL enabled...
>>>
>>> EB
>>>
>>> On Tue, Jun 12, 2018 at 2:48 AM, Liron Ben Ari
>>> <Liron.BenAri@amdocs.com< mailto:Liron.BenAri@amdocs.com>> wrote:
>>>
>>> We checked - the PKCS12 works (as we saw it in s_client). It
>>> looks like the server did not find a valid certificate...
>>>
>>> Maybe you have a working example where the client is native C++?
>>>
>>> Thanks!!
>>>
>>> -----Original Message-----
>>> From: Liron Ben Ari
>>> Sent: Tuesday, June 12, 2018 11:25 AM
>>> To: Udo Kohlmeyer
>>> <uk...@pivotal.io>>;
>>> dev@geode.apache.org<ma...@geode.apache.org>;
>>> user@geode.apache.org <ma...@geode.apache.org>
>>> Cc: Gregory Vortman <Gregory.Vortman@Amdocs.com<mailto:
>>> Gregory.Vortman@Amdocs.com>>; Vladi Polonsky
>>> <Vladi.Polonsky@Amdocs.com< mailto:Vladi.Polonsky@Amdocs.com>>; Alon
>>> Bar-Lev <Alon.BarLev@amdocs.com< mailto:Alon.BarLev@amdocs.com>>
>>> Subject: RE: trying to implement SSL configuration
>>>
>>> Hi ,
>>> Thank you for the quick response.
>>> So according to the link you sent, the keystore type is JKS as well.
>>> I will try and update...
>>> But according to the client configuration (I found this document for it:
>>> http://pubs.vmware.com/vfabric53/topic/com.vmware.ICbase/PDF/vfabric-gemfire-nc-ug-7.0.1.pdf)
>>>
>>> The keystore for the native client should be in PEM format.
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: Udo Kohlmeyer [mailto:ukohlmeyer@pivotal.io<mailto:
>>> ukohlmeyer@pivotal.io>]
>>> Sent: Tuesday, June 12, 2018 1:49 AM
>>> To: dev@geode.apache.org<ma...@geode.apache.org>; Liron Ben Ari <
>>> Liron.BenAri@amdocs.com<ma...@amdocs.com>>;
>>> user@geode.apache.org<ma...@geode.apache.org>
>>> Cc: Gregory Vortman <Gregory.Vortman@Amdocs.com<mailto:
>>> Gregory.Vortman@Amdocs.com>>; Vladi Polonsky
>>> <Vladi.Polonsky@Amdocs.com< mailto:Vladi.Polonsky@Amdocs.com>>; Alon
>>> Bar-Lev <Alon.BarLev@amdocs.com< mailto:Alon.BarLev@amdocs.com>>
>>> Subject: Re: trying to implement SSL configuration
>>>
>>> Hi there,
>>>
>>> Have you tried the following?
>>>
>>> https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html
>>>
>>> I have not tried to use a PKCS12 keystore type. Was there a particular
>>> reason why you are using it? Could you try with a JKS?
>>>
>>> --Udo
>>>
>>> On 6/11/18 03:31, Liron Ben Ari wrote:
>>>> Hello team.
>>>> I am trying to move my client server to work with SSL as part of
>>>> a security POC we are running.
>>>> I was going through the GEODE documents (there are a lot! :)) and there were
>>>> a lot of different options...
>>>>
>>>>
>>>> This is the configuration  I used:
>>>>
>>>> I've generated the keystore & certificate using a private tool (that
>>>> uses openssl + keytool)
>>>>
>>>> For client:
>>>> A file containing a PEM-encoded X.509 certificate and a PEM-encoded
>>>> PKCS#8 encrypted private key
>>>> For server:
>>>> PKCS#12 - this part works,
>>>> as we could see openssl s_client return the chain
>>>>
>>>>
>>>>
>>>> In the gemfire.properties file I used:
>>>>
>>>> ssl-enabled-components=all
>>>> ssl-protocols=any
>>>> ssl-ciphers=SSL_RSA_WITH_NULL_SHA       //I've tried both options (empty as well)
>>>> ssl-keystore-type=PKCS12
>>>> ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA/pki/private/server4.p12
>>>> ssl-keystore-password=changeme
>>>> ssl-truststore-type=JKS
>>>> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.jks
>>>> ssl-truststore-password=changeit
>>>>
>>>>
>>>>
>>>> On the client side I used the PEM format:
>>>> gfcpp1.properties:
>>>> ssl-enabled=true
>>>> ssl-keystore=/tmp/server4.pem
>>>> ssl-keystore-password=changeme
>>>> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.pem
>>>>
>>>>
>>>> This is the error I am getting from the server when the client is trying
>>>> to connect (locator):
>>>> [info 2018/06/11 11:46:40.907 IDT eaasrt-locator <locator request thread[16]> tid=0x55] Exception in processing request from 192.168.2.100
>>>> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>>>>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>>>>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>>>>         at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1906)
>>>>         at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233)
>>>>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
>>>>         at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
>>>>         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>>>>         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>>>>         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>>>>         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>>>>         at org.apache.geode.internal.net.SocketCreator.configureServerSSLSocket(SocketCreator.java:1013)
>>>>         at org.apache.geode.distributed.internal.tcpserver.TcpServer.lambda$processRequest$0(TcpServer.java:366)
>>>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>         at java.lang.Thread.run(Thread.java:748)
>>>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>>>>         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>>>         at sun.security.validator.Validator.validate(Validator.java:260)
>>>>         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>>>>         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:227)
>>>>         at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:118)
>>>>         at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1888)
>>>>         ... 12 more
>>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>         at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>>>> :
>>>>
>>>> These are the errors I am getting from the client:
>>>>
>>>> ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>>>> ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>>>> ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>>>> ACE_SSL (45715|140147953735424) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>>>> ACE_SSL (45715|140148921374464) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>>>> ACE_SSL (45715|140148896196352) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>>>> ACE_SSL (45715|140148004091648) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>>>> ACE_SSL (45715|140147978913536) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>>>> ACE_SSL (45715|140148398352128) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>>>> ACE_SSL (45715|140148373174016) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Any help will be appreciated!!
>>>>
>>>> Thanks.
>>>>
>>>>
>>>> This message and the information contained herein is proprietary and
>>>> confidential and subject to the Amdocs policy statement,
>>>>
>>>> you may review at https://www.amdocs.com/about/email-disclaimer
>>>> <https://www.amdocs.com/about/email-disclaimer>
>>>>
>


Re: trying to implement SSL configuration

Posted by Anthony Baker <ab...@pivotal.io>.
Why did you change the number of threads to 0 (and which setting did you change)?  AFAIK this is not a requirement.

Anthony


> On Jul 1, 2018, at 10:29 PM, Liron Ben Ari <Li...@amdocs.com> wrote:
> 
> Hi again...
> After some functional tests on the SSL configuration, we saw a 300% degradation in performance!!
> Does anyone have experience with this?
> Is there some special tuning that I can do?
> 
> We used this in our configuration; from the documentation it looks like this is the only possible option to use...
> (we must use the "all" option according to the GDPR regulations...)
> 
> ssl-enabled-components=all
> ssl-protocols=any
> ssl-ciphers=SSL_RSA_WITH_NULL_SHA
> We have also changed the number of threads to 0 (so it will be one thread per connection; there was no other way...)
> 
> 
> Thanks a lot for any help :)
> 
> -----Original Message-----
> From: Liron Ben Ari 
> Sent: Sunday, June 24, 2018 12:58 PM
> To: dev@geode.apache.org <ma...@geode.apache.org>
> Cc: Gregory Vortman <Gregory.Vortman@Amdocs.com <ma...@Amdocs.com>>
> Subject: RE: trying to implement SSL configuration
> 
> Thanks a lot for your response, Ryan.
> I've used the ssl-enabled-components=all parameter.
> All my C++ clients are able to connect to the locator and to send SSL events.
> I have another Java client that connects to the locator and I gave it the same parameters...
> I will try changing it and will update :) thanks
> 
> Here are the parameters I used for the server side:
> 
> ssl-enabled-components=all
> ssl-protocols=any
> ssl-ciphers=SSL_RSA_WITH_NULL_SHA
> ssl-keystore-type=PKCS12
> ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA-simple/pki/private/test1.p12
> ssl-keystore-password=*****
> ssl-truststore-type=JKS
> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA-simple/Amdocs-Test-CA-simple.jks
> ssl-truststore-password=changeit
> 
> -----Original Message-----
> From: Ryan McMahon [mailto:rmcmahon@pivotal.io <ma...@pivotal.io>]
> Sent: Wednesday, June 20, 2018 6:57 PM
> To: dev@geode.apache.org <ma...@geode.apache.org>
> Subject: Re: trying to implement SSL configuration
> 
> Hi Liron,
> 
> 
> The first thing that jumps out to me when you say that GFSH could not connect to the JMX manager is that you need to have `jmx` in addition to `locator` in your `ssl-enabled-components` Geode system property.  For example, you'd need ssl-enabled-components=locator,jmx at a minimum for GFSH to connect.  It's a bit different if you pass --use-http to your `connect` command, but it doesn't appear you are doing that.
> 
> 
> Ryan
> 
> On Wed, Jun 20, 2018 at 8:46 AM, Liron Ben Ari <Liron.BenAri@amdocs.com <ma...@amdocs.com>>
> wrote:
> 
>> Hi,
>> Well, I managed!! All my processes are talking with SSL configuration
>> (hip hip hooray ☺). I figured out that I need client authentication and
>> server authentication in the server certificate EKU, and that I need
>> a single-depth hierarchy. I am not sure it will be the case when I
>> will need to implement it at the customer site…
>> 
>> Does anyone have an idea why it was used like this?
>> 
>> 
>> Last question…
>> I am trying to configure gfsh to connect to my locator.
>> I’ve added the needed properties to the connect command…
>> 
> native" C++ interaction have a look at geode-native/cppcache/ 
>> integration-test/testThinClientSSL
>> This should provide an example of connecting with SSL enabled...
>> 
>> EB
>> 
>> On Tue, Jun 12, 2018 at 2:48 AM, Liron Ben Ari 
>> <Liron.BenAri@amdocs.com< mailto:Liron.BenAri@amdocs.com>> wrote:
>> 
>> We checked: the PKCS12 works (as we saw it in s_client). It
>> looks like the server did not find a valid certificate...
>> 
>> Maybe you have a working example where the client is native C++?
>> 
>> Thanks!!
>> 
>> -----Original Message-----
>> From: Liron Ben Ari
>> Sent: Tuesday, June 12, 2018 11:25 AM
>> To: Udo Kohlmeyer
>> <uk...@pivotal.io>>;
>> dev@geode.apache.org<ma...@geode.apache.org>;
>> user@geode.apache.org <ma...@geode.apache.org>
>> Cc: Gregory Vortman <Gregory.Vortman@Amdocs.com<mailto:
>> Gregory.Vortman@Amdocs.com>>; Vladi Polonsky 
>> <Vladi.Polonsky@Amdocs.com< mailto:Vladi.Polonsky@Amdocs.com>>; Alon 
>> Bar-Lev <Alon.BarLev@amdocs.com< mailto:Alon.BarLev@amdocs.com>>
>> Subject: RE: trying to implement SSL configuration
>> 
>> Hi,
>> Thank you for the quick response.
>> So according to the link you sent, the keystore type is JKS as well.
>> I will try and update...
>> But according to the client configuration (I found this document for it:
>> http://pubs.vmware.com/vfabric53/topic/com.vmware.ICbase/PDF/vfabric-gemfire-nc-ug-7.0.1.pdf)
>> 
>> the keystore for the native client should be in PEM format.
>> 
>> 
>> 


RE: trying to implement SSL configuration

Posted by Liron Ben Ari <Li...@amdocs.com>.
Hi again...
After some functional tests on the SSL configuration, we saw a 300% degradation in performance!!
Does anyone have experience with this?
Is there some special tuning that I can do?

We used this in our configuration; from the documentation it looks like this is the only possible option to use...
(we must use the "all" option according to the GDPR regulations...)

ssl-enabled-components=all
ssl-protocols=any
ssl-ciphers=SSL_RSA_WITH_NULL_SHA
We have also changed the number of threads to 0 (so it will be one thread per connection; there was no other way...)


thanks a lot for any help :)


RE: trying to implement SSL configuration

Posted by Liron Ben Ari <Li...@amdocs.com>.
Thanks a lot for your response, Ryan.
I've used the ssl-enabled-components=all parameter.
All my C++ clients are able to connect to the locator and to send SSL events.
I have another Java client that connects to the locator, and I gave it the same parameters...
I will try changing it and will update :)
Thanks

Here are the parameters I used for the server side:

ssl-enabled-components=all
ssl-protocols=any
ssl-ciphers=SSL_RSA_WITH_NULL_SHA
ssl-keystore-type=PKCS12
ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA-simple/pki/private/test1.p12
ssl-keystore-password=Unix11!
ssl-truststore-type=JKS
ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA-simple/Amdocs-Test-CA-simple.jks
ssl-truststore-password=changeit


Re: trying to implement SSL configuration

Posted by Ryan McMahon <rm...@pivotal.io>.
Hi Liron,


The first thing that jumps out to me when you say that GFSH could not
connect to the JMX manager is that you need to have `jmx` in addition to
`locator` in your `ssl-enabled-components` Geode system property.  For
example, you'd need ssl-enabled-components=locator,jmx at a minimum for
GFSH to connect.  It's a bit different if you pass --use-http to your
`connect` command, but it doesn't appear you are doing that.


Ryan

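As an added example (not code from this thread or from Geode itself), the script below audits the ssl-* keys of a gemfire.properties file for the pitfalls this thread runs into: SSL_RSA_WITH_NULL_SHA encrypts nothing, gfsh needs both locator and jmx in ssl-enabled-components unless all is used, the keystore type should match the file supplied, and without a trust store the locator cannot validate client certificates. The sample properties are constructed from the server configuration Liron pasted; the weak-cipher patterns, extension table and default-password list are my own assumptions, not Geode's.

```python
"""Audit the ssl-* keys of a Geode/GemFire gemfire.properties file.

Added example, not Geode's own tooling. It flags a NULL cipher suite,
a component list that cannot serve gfsh, a keystore type that does not
match the file, default passwords, and a missing trust store (Geode asks
for client certificates by default, ssl-require-authentication=true, so
the trust store must hold the CA that issued them; otherwise the locator
logs 'PKIX path building failed' as in this thread).
"""
import re
from pathlib import PurePosixPath

# Constructed sample: the server-side configuration pasted in the thread,
# including the trailing '//' remark that a properties parser must discard.
SERVER_PROPERTIES = """\
ssl-enabled-components=all
ssl-protocols=any
ssl-ciphers=SSL_RSA_WITH_NULL_SHA       //I've tried both options (empty as well)
ssl-keystore-type=PKCS12
ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA/pki/private/server4.p12
ssl-keystore-password=changeme
ssl-truststore-type=JKS
ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.jks
ssl-truststore-password=changeit
"""

# Fragments of JSSE cipher-suite names that mean no (or broken) protection.
WEAK_CIPHER_PATTERNS = ("_NULL_", "_anon_", "_EXPORT", "_RC4_", "_DES_", "_MD5")
# File extensions each keystore type is normally stored under (assumption).
TYPE_EXTENSIONS = {"PKCS12": (".p12", ".pfx"), "JKS": (".jks",)}
# Components gfsh talks to when it connects through a locator.
GFSH_COMPONENTS = {"locator", "jmx"}
# Passwords that ship as defaults (the JDK cacerts store uses 'changeit').
DEFAULT_PASSWORDS = {"changeit", "changeme", "password"}


def parse_properties(text):
    """Parse Java .properties text into a dict.

    Comment lines (#, !) are skipped and an inline ' //...' remark after a
    value is dropped; values such as http:// URLs are untouched because the
    split requires whitespace before the slashes.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = re.split(r"\s+//", value, maxsplit=1)[0].strip()
        props[key.strip()] = value
    return props


def audit_ssl(props):
    """Return (severity, message) findings for the ssl-* keys in props."""
    findings = []

    components = {c.strip() for c in props.get("ssl-enabled-components", "").split(",") if c.strip()}
    if not components:
        findings.append(("HIGH", "ssl-enabled-components is empty: no component is encrypted"))
    elif "all" not in components and not GFSH_COMPONENTS <= components:
        missing = ", ".join(sorted(GFSH_COMPONENTS - components))
        findings.append(("MEDIUM", f"gfsh over SSL needs locator and jmx; missing: {missing}"))

    for suite in (s.strip() for s in props.get("ssl-ciphers", "").split(",")):
        if suite and any(p in suite for p in WEAK_CIPHER_PATTERNS):
            findings.append(("HIGH", f"cipher suite {suite} offers no real protection"))

    # Geode's default for ssl-protocols is 'any', i.e. whatever the JVM enables.
    if props.get("ssl-protocols", "any") == "any":
        findings.append(("LOW", "ssl-protocols=any defers to JVM defaults; pin TLSv1.2 or newer"))

    for store in ("keystore", "truststore"):
        path = props.get(f"ssl-{store}")
        if not path:
            why = ("client certificates cannot be validated" if store == "truststore"
                   else "the member has no certificate to present")
            findings.append(("HIGH", f"ssl-{store} is not set: {why}"))
            continue
        stype = props.get(f"ssl-{store}-type", "").upper()
        ext = PurePosixPath(path).suffix.lower()
        if stype in TYPE_EXTENSIONS and ext not in TYPE_EXTENSIONS[stype]:
            findings.append(("MEDIUM", f"ssl-{store}-type={stype} but the file is '{ext or 'extensionless'}'"))
        if props.get(f"ssl-{store}-password", "").lower() in DEFAULT_PASSWORDS:
            findings.append(("MEDIUM", f"ssl-{store}-password is a well-known default"))

    return findings


if __name__ == "__main__":
    for severity, message in audit_ssl(parse_properties(SERVER_PROPERTIES)):
        print(f"[{severity}] {message}")
```

Run against the pasted server configuration it reports the NULL cipher, the unpinned protocol version and the two default store passwords; a locator-only component list is reported as unable to serve gfsh.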

RE: trying to implement SSL configuration

Posted by Liron Ben Ari <Li...@amdocs.com>.
Hi,
Well, I managed!! All my processes are talking with SSL configuration (hip hip hooray ☺)
I figured out that I need client authentication and server authentication in the server certificate EKU, and that I need a single-depth hierarchy.
I am not sure it will be the case when I will need to implement it at the customer site…

Does anyone have an idea why it was used like this?


Last question…
I am trying to configure gfsh to connect to my locator.
I've added the needed properties to the connect command…


${GEMFIRE_HOME}/bin/gfsh -e "connect --locator=192.168.2.100[1028] --use-ssl --security-properties-file=$GF_SERVER_DIR/properties/gemfire.sec.properties"

I can see that it is able to connect to the locator, but I see that it is trying to connect to the manager without success.
Does anyone know if I need to add another certificate or key for the manager?


1) Executing - connect --locator=192.168.2.100[1028] --use-ssl  --security-properties-file=/users/xpiwrk1/GemFire/Server/properties/gemfire.sec.properties

Connecting to Locator at [host=192.168.2.100, port=1028] ..
Connecting to Manager at [host=eaasrt, port=1029] ..
Could not connect to : [host=eaasrt, port=1029]. Failed to retrieve RMIServer stub: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
        javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]



Thank you so much!!!
From: Ernest Burghardt [mailto:eburghardt@pivotal.io]
Sent: Tuesday, June 12, 2018 7:27 PM
To: user@geode.apache.org
Cc: Udo Kohlmeyer <uk...@pivotal.io>; dev@geode.apache.org; Gregory Vortman <Gr...@Amdocs.com>; Vladi Polonsky <Vl...@Amdocs.com>; Alon Bar-Lev <Al...@amdocs.com>
Subject: Re: trying to implement SSL configuration

Hello,

For "native" C++ interaction have a look at geode-native/cppcache/integration-test/testThinClientSSL
This should provide an example of connecting with SSL enabled...

EB

On Tue, Jun 12, 2018 at 2:48 AM, Liron Ben Ari <Li...@amdocs.com>> wrote:

We checked - the PKCS12 works (as we saw it in s_client).
It looks like the server did not find a valid certificate...

Maybe you have a working example? When the client is native C++?

Thanks!!

-----Original Message-----
From: Liron Ben Ari
Sent: Tuesday, June 12, 2018 11:25 AM
To: Udo Kohlmeyer <uk...@pivotal.io>>; dev@geode.apache.org<ma...@geode.apache.org>; user@geode.apache.org<ma...@geode.apache.org>
Cc: Gregory Vortman <Gr...@Amdocs.com>>; Vladi Polonsky <Vl...@Amdocs.com>>; Alon Bar-Lev <Al...@amdocs.com>>
Subject: RE: trying to implement SSL configuration

Hi,
Thank you for the quick response.
So according to the link you sent, the keystore type is JKS as well.
I will try and update...
But according to the client configuration (I found this document for it: http://pubs.vmware.com/vfabric53/topic/com.vmware.ICbase/PDF/vfabric-gemfire-nc-ug-7.0.1.pdf)

The keystore for the native client should be in PEM format.



-----Original Message-----
From: Udo Kohlmeyer [mailto:ukohlmeyer@pivotal.io<ma...@pivotal.io>]
Sent: Tuesday, June 12, 2018 1:49 AM
To: dev@geode.apache.org<ma...@geode.apache.org>; Liron Ben Ari <Li...@amdocs.com>>; user@geode.apache.org<ma...@geode.apache.org>
Cc: Gregory Vortman <Gr...@Amdocs.com>>; Vladi Polonsky <Vl...@Amdocs.com>>; Alon Bar-Lev <Al...@amdocs.com>>
Subject: Re: trying to implement SSL configuration

Hi there,

Have you tried the following?

https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html

I have not tried to use a PKCS12 keystore type. Was there a particular reason why you are using it? Could you try with a JKS?

--Udo

On 6/11/18 03:31, Liron Ben Ari wrote:
> Hello team.
> I am trying to move my Client server to work with SSL as part of Security POC we are running .
> I was moving on GEODE documents  (there are a lot! :)) and there was a lot of different options...
>
>
>
> This is the configuration  I used:
>
> I've generated Keystore & certificate using a private tool (that uses
> the openssl + Keytools)
>
> For client:
>   A file containing PEM encoded X.509 certificate and PEM encoded
> PKCS#8 encrypted private key For server:
> PKCS#12  - this part works
> as we could see openssl s_client to return the chain
>
>
>
> On the gemfire.proerties file - I used:
>
> ssl-enabled-components=all
> ssl-protocols=any
> ssl-ciphers=SSL_RSA_WITH_NULL_SHA       //I've tries both option (empty as well)
> ssl-keystore-type=PKCS12
> ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA/pki/private/server4.p12
> ssl-keystore-password=changeme
> ssl-truststore-type=JKS
> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.jks
> ssl-truststore-password=changeit
>
>
>
> on the Client Side I used the PEM format:
> gfcpp1.properties:
> ssl-enabled=true
> ssl-keystore=/tmp/server4.pem
> ssl-keystore-password=changeme
> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.pem
>
>
> this is the error I am getting from the server when client is trying to connect  (locator):
> [info 2018/06/11 11:46:40.907 IDT eaasrt-locator <locator request
> thread[16]> tid=0x55] Exception in processing request from
> 192.168.2.100
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>          at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>          at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>          at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>          at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>          at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1906)
>          at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233)
>          at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
>          at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
>          at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>          at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>          at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>          at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>          at org.apache.geode.internal.net<http://org.apache.geode.internal.net>.SocketCreator.configureServerSSLSocket(SocketCreator.java:1013)
>          at org.apache.geode.distributed.internal.tcpserver.TcpServer.lambda$processRequest$0(TcpServer.java:366)
>          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>          at java.lang.Thread.run(Thread.java:748)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>          at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>          at sun.security.validator.Validator.validate(Validator.java:260)
>          at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>          at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:227)
>          at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:118)
>          at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1888)
>          ... 12 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>          at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> :
>
> these are the errors I am getting from the client:
>
> ACE_SSL (45715|140151217246912) error code: 336151574 -
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown ACE_SSL (45715|140151217246912) error code: 336151574 -
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown ACE_SSL (45715|140151217246912) error code: 336151574 -
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown ACE_SSL (45715|140147953735424) error code: 336151574 -
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown ACE_SSL (45715|140148921374464) error code: 336151574 -
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown ACE_SSL (45715|140148896196352) error code: 336151574 -
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown ACE_SSL (45715|140148004091648) error code: 336151574 -
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown ACE_SSL (45715|140147978913536) error code: 336151574 -
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown ACE_SSL (45715|140148398352128) error code: 336151574 -
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown ACE_SSL (45715|140148373174016) error code: 336151574 -
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown
>
> Any help will be appreciated!!
>
> Thanks.
>
>
> This message and the information contained herein is proprietary and
> confidential and subject to the Amdocs policy statement,
>
> you may review at https://www.amdocs.com/about/email-disclaimer
> <https://www.amdocs.com/about/email-disclaimer>
>


RE: trying to implement SSL configuration

Posted by Liron Ben Ari <Li...@amdocs.com>.
Hi,
Well, I managed!! All my processes are talking with SSL configuration (hip hip hooray ☺)
I figured out that I need both client authentication and server authentication in the server certificate's EKU, and that I need a single-depth hierarchy.
I am not sure that will be the case when I will need to implement it at the customer site…

Does anyone have an idea why it was done like this?


Last question…
I am trying to configure gfsh to connect to my locator.
I've added the needed properties to the connect command…


${GEMFIRE_HOME}/bin/gfsh -e "connect --locator=192.168.2.100[1028] --use-ssl --security-properties-file=$GF_SERVER_DIR/properties/gemfire.sec.properties"

I can see that it is able to connect to the locator, but I see that it is trying to connect to the manager without success.
Does anyone know if I need to add another certificate or key for the manager?


1) Executing - connect --locator=192.168.2.100[1028] --use-ssl  --security-properties-file=/users/xpiwrk1/GemFire/Server/properties/gemfire.sec.properties

Connecting to Locator at [host=192.168.2.100, port=1028] ..
Connecting to Manager at [host=eaasrt, port=1029] ..
Could not connect to : [host=eaasrt, port=1029]. Failed to retrieve RMIServer stub: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
        javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]



Thank you so much!!!
From: Ernest Burghardt [mailto:eburghardt@pivotal.io]
Sent: Tuesday, June 12, 2018 7:27 PM
To: user@geode.apache.org
Cc: Udo Kohlmeyer <uk...@pivotal.io>; dev@geode.apache.org; Gregory Vortman <Gr...@Amdocs.com>; Vladi Polonsky <Vl...@Amdocs.com>; Alon Bar-Lev <Al...@amdocs.com>
Subject: Re: trying to implement SSL configuration

Hello,

For "native" C++ interaction have a look at geode-native/cppcache/integration-test/testThinClientSSL
This should provide an example of connecting with SSL enabled...

EB

On Tue, Jun 12, 2018 at 2:48 AM, Liron Ben Ari <Li...@amdocs.com> wrote:

We checked: the PKCS12 works (as we saw it in s_client).
It looks like the server did not find a valid certificate...

Maybe you have a working example? When the client is native c++?

Thanks!!

-----Original Message-----
From: Liron Ben Ari
Sent: Tuesday, June 12, 2018 11:25 AM
To: Udo Kohlmeyer <uk...@pivotal.io>; dev@geode.apache.org; user@geode.apache.org
Cc: Gregory Vortman <Gr...@Amdocs.com>; Vladi Polonsky <Vl...@Amdocs.com>; Alon Bar-Lev <Al...@amdocs.com>
Subject: RE: trying to implement SSL configuration

Hi ,
Thank you for the quick response.
So according to the link you sent, the keystore type is JKS as well.
I will try and update...
But according to the client configuration (I found this document for it: http://pubs.vmware.com/vfabric53/topic/com.vmware.ICbase/PDF/vfabric-gemfire-nc-ug-7.0.1.pdf)

The  keystore for the native client should be in PEM format.



-----Original Message-----
From: Udo Kohlmeyer [mailto:ukohlmeyer@pivotal.io]
Sent: Tuesday, June 12, 2018 1:49 AM
To: dev@geode.apache.org; Liron Ben Ari <Li...@amdocs.com>; user@geode.apache.org
Cc: Gregory Vortman <Gr...@Amdocs.com>; Vladi Polonsky <Vl...@Amdocs.com>; Alon Bar-Lev <Al...@amdocs.com>
Subject: Re: trying to implement SSL configuration

Hi there,

Have you tried the following?

https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html

I have not tried to use a PKCS12 keystore type. Was there a particular reason why you are using it? Could you try with a JKS?

--Udo

On 6/11/18 03:31, Liron Ben Ari wrote:
> Hello team.
> I am trying to move my client/server setup to work with SSL as part of a security POC we are running.
> I was going through the Geode documents (there are a lot! :)) and there were a lot of different options...
>
>
>
> This is the configuration  I used:
>
> I've generated the keystore & certificate using a private tool (that uses openssl + keytool)
>
> For client:
> A file containing a PEM encoded X.509 certificate and a PEM encoded PKCS#8 encrypted private key
> For server:
> PKCS#12 - this part works,
> as we could see openssl s_client return the chain
>
>
>
> In the gemfire.properties file I used:
>
> ssl-enabled-components=all
> ssl-protocols=any
> ssl-ciphers=SSL_RSA_WITH_NULL_SHA       //I've tried both options (empty as well)
> ssl-keystore-type=PKCS12
> ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA/pki/private/server4.p12
> ssl-keystore-password=changeme
> ssl-truststore-type=JKS
> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.jks
> ssl-truststore-password=changeit
>
>
>
> on the Client Side I used the PEM format:
> gfcpp1.properties:
> ssl-enabled=true
> ssl-keystore=/tmp/server4.pem
> ssl-keystore-password=changeme
> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.pem
>
>
> This is the error I am getting from the server (locator) when the client is trying to connect:
> [info 2018/06/11 11:46:40.907 IDT eaasrt-locator <locator request thread[16]> tid=0x55] Exception in processing request from 192.168.2.100
> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>          at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>          at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>          at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>          at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>          at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1906)
>          at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233)
>          at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
>          at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
>          at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>          at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>          at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>          at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>          at org.apache.geode.internal.net.SocketCreator.configureServerSSLSocket(SocketCreator.java:1013)
>          at org.apache.geode.distributed.internal.tcpserver.TcpServer.lambda$processRequest$0(TcpServer.java:366)
>          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>          at java.lang.Thread.run(Thread.java:748)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>          at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>          at sun.security.validator.Validator.validate(Validator.java:260)
>          at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>          at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:227)
>          at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:118)
>          at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1888)
>          ... 12 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>          at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> :
>
> these are the errors I am getting from the client:
>
> ACE_SSL (45715|140151217246912) error code: 336151574 -
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown ACE_SSL (45715|140151217246912) error code: 336151574 -
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown ACE_SSL (45715|140151217246912) error code: 336151574 -
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown ACE_SSL (45715|140147953735424) error code: 336151574 -
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown ACE_SSL (45715|140148921374464) error code: 336151574 -
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown ACE_SSL (45715|140148896196352) error code: 336151574 -
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown ACE_SSL (45715|140148004091648) error code: 336151574 -
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown ACE_SSL (45715|140147978913536) error code: 336151574 -
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown ACE_SSL (45715|140148398352128) error code: 336151574 -
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown ACE_SSL (45715|140148373174016) error code: 336151574 -
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown
>
> Any help will be appreciated!!
>
> Thanks.
>
>

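The reply above found, by trial, that the server certificate needs both serverAuth and clientAuth in its EKU and that a single-depth hierarchy works. The script below is an added example, not code from the thread or from Geode: it builds such a test PKI with openssl, packages the leaf the two ways the thread needs it (a PKCS#12 keystore for gemfire.properties, a PEM certificate plus encrypted PKCS#8 key for the native client), and checks EKU and chain before Geode ever sees the files. Hostnames, file names and the `changeme`/`Example-Test-CA` values are constructed; only openssl is required.

```shell
#!/bin/sh
# Added example (not from the thread or the Geode project): single-depth test
# PKI with a leaf carrying serverAuth + clientAuth, packaged for Geode's Java
# side (PKCS#12) and native client (PEM), verified with openssl.
WORK="${WORK:-$(mktemp -d)}"   # constructed scratch directory

# make_ca: self-signed root with an explicit CA:TRUE so both openssl verify and
# the JVM's PKIX path builder accept it as a trust anchor.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example-Test-CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# issue_cert <name> <hostname> <eku-list>: leaf signed directly by the CA
# (single-depth hierarchy), e.g. issue_cert good geode1.example serverAuth,clientAuth
issue_cert() {
  name="$1"; host="$2"; eku="$3"
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$host" \
    > "$WORK/$name.cnf"
  openssl req -new -config "$WORK/$name.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  # A Geode member is both a TLS server and a TLS client (locator, cache
  # server and JMX manager all dial each other), hence the EKU requirement.
  printf 'extendedKeyUsage = %s\nsubjectAltName = DNS:%s\n' "$eku" "$host" \
    > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.crt" >/dev/null 2>&1
}

# package <name>: <name>.p12 for ssl-keystore-type=PKCS12 on the Java side and
# <name>.pem (certificate followed by encrypted PKCS#8 key) for the native client.
package() {
  name="$1"
  openssl pkcs12 -export -inkey "$WORK/$name.key" -in "$WORK/$name.crt" \
    -certfile "$WORK/ca.pem" -name "$name" -passout pass:changeme \
    -out "$WORK/$name.p12" >/dev/null 2>&1
  # (OpenSSL 3 with an old JDK 8 may additionally need -legacy above.)
  openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$WORK/$name.key" \
    -passout pass:changeme -out "$WORK/$name.key.p8" >/dev/null 2>&1
  cat "$WORK/$name.crt" "$WORK/$name.key.p8" > "$WORK/$name.pem"
}

# eku_ok <cert>: prints yes only if the certificate carries BOTH serverAuth
# and clientAuth (openssl's text names for the two OIDs).
eku_ok() {
  txt=$(openssl x509 -in "$1" -noout -text)
  case "$txt" in
    *"TLS Web Server Authentication"*) ;;
    *) echo no; return ;;
  esac
  case "$txt" in
    *"TLS Web Client Authentication"*) echo yes ;;
    *) echo no ;;
  esac
}

# chain_ok <cert> <anchor.pem>: the question the JVM answers with "unable to
# find valid certification path to requested target" when it fails.
chain_ok() {
  if openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'; then
    echo yes
  else
    echo no
  fi
}

# Stand-alone demo: run as  sh this.sh demo
if [ "${1:-}" = "demo" ]; then
  make_ca
  issue_cert good geode1.example serverAuth,clientAuth
  issue_cert bad  geode2.example serverAuth
  package good
  echo "good EKU: $(eku_ok "$WORK/good.crt")  bad EKU: $(eku_ok "$WORK/bad.crt")"
  echo "good vs CA: $(chain_ok "$WORK/good.crt" "$WORK/ca.pem")  good vs wrong anchor: $(chain_ok "$WORK/good.crt" "$WORK/bad.crt")"
  ls -l "$WORK"
fi
```

The `good.p12` file and `ca.pem` map onto `ssl-keystore`/`ssl-truststore` in gemfire.properties (the truststore can be imported into a JKS with keytool), while `good.pem` and `ca.pem` are what the native client's `ssl-keystore`/`ssl-truststore` expect.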
Re: trying to implement SSL configuration

Posted by Ernest Burghardt <eb...@pivotal.io>.
Hello,

For "native" C++ interaction have a look at
geode-native/cppcache/integration-test/testThinClientSSL
This should provide an example of connecting with SSL enabled...

EB



RE: trying to implement SSL configuration

Posted by Liron Ben Ari <Li...@amdocs.com>.
We checked: the PKCS12 works (as we saw it in s_client).
It looks like the server did not find a valid certificate...

Maybe you have a working example? When the client is native c++?

Thanks!!

-----Original Message-----
From: Liron Ben Ari 
Sent: Tuesday, June 12, 2018 11:25 AM
To: Udo Kohlmeyer <uk...@pivotal.io>; dev@geode.apache.org; user@geode.apache.org
Cc: Gregory Vortman <Gr...@Amdocs.com>; Vladi Polonsky <Vl...@Amdocs.com>; Alon Bar-Lev <Al...@amdocs.com>
Subject: RE: trying to implement SSL configuration

Hi ,
Thank you for the quick response.
So according to the link you sent, the keystore type is JKS as well.
I will try and update...
But according to the client configuration (I found this document for it: http://pubs.vmware.com/vfabric53/topic/com.vmware.ICbase/PDF/vfabric-gemfire-nc-ug-7.0.1.pdf)

The  keystore for the native client should be in PEM format.



-----Original Message-----
From: Udo Kohlmeyer [mailto:ukohlmeyer@pivotal.io]
Sent: Tuesday, June 12, 2018 1:49 AM
To: dev@geode.apache.org; Liron Ben Ari <Li...@amdocs.com>; user@geode.apache.org
Cc: Gregory Vortman <Gr...@Amdocs.com>; Vladi Polonsky <Vl...@Amdocs.com>; Alon Bar-Lev <Al...@amdocs.com>
Subject: Re: trying to implement SSL configuration

Hi there,

Have you tried the following?

https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html

I have not tried to use a PKCS12 keystore type. Was there a particular reason why you are using it? Could you try with a JKS?

--Udo

On 6/11/18 03:31, Liron Ben Ari wrote:
> Hello team.
> I am trying to move my client/server setup to work with SSL as part of a security POC we are running.
> I was going through the Geode documents (there are a lot! :)) and there were a lot of different options...
>
>
>
> This is the configuration  I used:
>
> I've generated the keystore & certificate using a private tool (that uses openssl + Keytools)
>
> For client:
>   A file containing a PEM encoded X.509 certificate and a PEM encoded PKCS#8 encrypted private key
> For server:
> PKCS#12 - this part works
> as we could see openssl s_client return the chain
>
>
>
> In the gemfire.properties file I used:
>
> ssl-enabled-components=all
> ssl-protocols=any
> ssl-ciphers=SSL_RSA_WITH_NULL_SHA       //I've tried both options (empty as well)
> ssl-keystore-type=PKCS12
> ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA/pki/private/server4.p12
> ssl-keystore-password=changeme
> ssl-truststore-type=JKS
> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.jks
> ssl-truststore-password=changeit
>
>
>
> on the Client Side I used the PEM format:
> gfcpp1.properties:
> ssl-enabled=true
> ssl-keystore=/tmp/server4.pem
> ssl-keystore-password=changeme
> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.pem
>
>
> this is the error I am getting from the server when the client is trying to connect (locator):
> [info 2018/06/11 11:46:40.907 IDT eaasrt-locator <locator request thread[16]> tid=0x55] Exception in processing request from 192.168.2.100
> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>          at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>          at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>          at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>          at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>          at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1906)
>          at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233)
>          at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
>          at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
>          at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>          at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>          at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>          at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>          at org.apache.geode.internal.net.SocketCreator.configureServerSSLSocket(SocketCreator.java:1013)
>          at org.apache.geode.distributed.internal.tcpserver.TcpServer.lambda$processRequest$0(TcpServer.java:366)
>          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>          at java.lang.Thread.run(Thread.java:748)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>          at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>          at sun.security.validator.Validator.validate(Validator.java:260)
>          at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>          at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:227)
>          at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:118)
>          at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1888)
>          ... 12 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>          at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> :
>
> these are the errors I am getting from the client:
>
> ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140147953735424) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148921374464) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148896196352) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148004091648) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140147978913536) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148398352128) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148373174016) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>
>
>
>
>
>
> Any help will be appreciated !!
>
> Thanks.
>
>


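An added diagnostic, not from this thread or from Geode, for the failure the locator logs above: the trace ends in checkClientTrusted with "PKIX path building failed", meaning the server could not chain the certificate the client presented to any CA in its truststore. The script builds a throw-away CA and client certificate with openssl (constructed names and files, not the Amdocs-Test-CA material) and runs that same path check against the signing CA and against an unrelated CA, plus a layout check on the native client's single PEM file.

```bash
#!/usr/bin/env bash
# Added diagnostic (not from the thread or from Geode): reproduce the check that
# fails on the locator. checkClientTrusted -> "PKIX path building failed" means
# the server could not build a path from the client's certificate to a trust
# anchor in its truststore. Everything below is constructed for this demo.
set -euo pipefail

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build a throw-away CA, a client certificate signed by it, and a second CA
# that did NOT sign the client certificate (to show the failing case).
make_test_pki() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=Constructed Test CA" -keyout "$d/ca.key" -out "$d/ca.pem" \
      >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
      -subj "/CN=constructed-client" -keyout "$d/client.key" -out "$d/client.csr" \
      >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/client.csr" \
      -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial -out "$d/client.crt" \
      >/dev/null 2>&1
  # Same layout as the native client's ssl-keystore in the thread: one PEM file
  # holding the X.509 certificate followed by the PKCS#8 private key.
  cat "$d/client.crt" "$d/client.key" > "$d/client.pem"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=Constructed Other CA" -keyout "$d/other.key" -out "$d/other-ca.pem" \
      >/dev/null 2>&1
}

# Confirm the client file carries both PEM blocks the native client expects.
pem_has_cert_and_key() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -Eq -- '-----BEGIN (ENCRYPTED )?PRIVATE KEY-----' "$1"
}

# What the locator's trust manager does with the client certificate: try to
# build a path from it to a trust anchor in TRUST_PEM. Prints "ok" when a path
# exists and "untrusted" when it does not (the thread's PKIX error).
# The first certificate block is extracted so the appended key is ignored.
check_client_chain() {
  local trust_pem="$1" client_pem="$2"
  if openssl x509 -in "$client_pem" 2>/dev/null |
      openssl verify -CAfile "$trust_pem" 2>/dev/null | grep -q ': OK$'; then
    echo ok
  else
    echo untrusted
  fi
}

make_test_pki "$WORK"
pem_has_cert_and_key "$WORK/client.pem" && echo "client.pem: certificate and key present"
echo "client vs. signing CA:   $(check_client_chain "$WORK/ca.pem" "$WORK/client.pem")"
echo "client vs. unrelated CA: $(check_client_chain "$WORK/other-ca.pem" "$WORK/client.pem")"
```

To run the same check against the server's JKS truststore, export its CA entry with `keytool -exportcert -rfc -keystore <truststore.jks> -alias <ca-alias>` and pass that PEM as the first argument. Separately, the ssl-ciphers value in the thread, SSL_RSA_WITH_NULL_SHA, is a NULL-encryption suite that authenticates but does not encrypt, so it belongs only in handshake troubleshooting, never in a deployed configuration.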
RE: trying to implement SSL configuration

Posted by Liron Ben Ari <Li...@amdocs.com>.
Hi,
Thank you for the quick response.
So according to the link you sent, the keystore type is JKS as well.
I will try and update...
But according to the client configuration (I found this document for it: http://pubs.vmware.com/vfabric53/topic/com.vmware.ICbase/PDF/vfabric-gemfire-nc-ug-7.0.1.pdf)

The keystore for the native client should be in PEM format.



-----Original Message-----
From: Udo Kohlmeyer [mailto:ukohlmeyer@pivotal.io] 
Sent: Tuesday, June 12, 2018 1:49 AM
To: dev@geode.apache.org; Liron Ben Ari <Li...@amdocs.com>; user@geode.apache.org
Cc: Gregory Vortman <Gr...@Amdocs.com>; Vladi Polonsky <Vl...@Amdocs.com>; Alon Bar-Lev <Al...@amdocs.com>
Subject: Re: trying to implement SSL configuration

Hi there,

Have you tried the following?

https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html

I have not tried to use a PKCS12 keystore type. Was there a particular reason why you are using it? Could you try with a JKS?

--Udo

On 6/11/18 03:31, Liron Ben Ari wrote:
> Hello team.
> I am trying to move my client-server to work with SSL as part of a Security POC we are running.
> I was going through the GEODE documents (there are a lot! :)) and there were a lot of different options...
>
>
>
> This is the configuration  I used:
>
> I've generated the keystore & certificate using a private tool (that uses openssl + Keytools)
>
> For client:
>   A file containing a PEM encoded X.509 certificate and a PEM encoded PKCS#8 encrypted private key
> For server:
> PKCS#12 - this part works
> as we could see openssl s_client return the chain
>
>
>
> In the gemfire.properties file I used:
>
> ssl-enabled-components=all
> ssl-protocols=any
> ssl-ciphers=SSL_RSA_WITH_NULL_SHA       //I've tried both options (empty as well)
> ssl-keystore-type=PKCS12
> ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA/pki/private/server4.p12
> ssl-keystore-password=changeme
> ssl-truststore-type=JKS
> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.jks
> ssl-truststore-password=changeit
>
>
>
> on the Client Side I used the PEM format:
> gfcpp1.properties:
> ssl-enabled=true
> ssl-keystore=/tmp/server4.pem
> ssl-keystore-password=changeme
> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.pem
>
>
> this is the error I am getting from the server when the client is trying to connect (locator):
> [info 2018/06/11 11:46:40.907 IDT eaasrt-locator <locator request thread[16]> tid=0x55] Exception in processing request from 192.168.2.100
> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>          at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>          at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>          at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>          at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>          at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1906)
>          at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233)
>          at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
>          at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
>          at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>          at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>          at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>          at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>          at org.apache.geode.internal.net.SocketCreator.configureServerSSLSocket(SocketCreator.java:1013)
>          at org.apache.geode.distributed.internal.tcpserver.TcpServer.lambda$processRequest$0(TcpServer.java:366)
>          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>          at java.lang.Thread.run(Thread.java:748)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>          at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>          at sun.security.validator.Validator.validate(Validator.java:260)
>          at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>          at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:227)
>          at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:118)
>          at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1888)
>          ... 12 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>          at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> :
>
> these are the errors I am getting from the client:
>
> ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140147953735424) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148921374464) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148896196352) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148004091648) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140147978913536) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148398352128) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148373174016) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>
>
>
>
>
>
> Any help will be appreciated !!
>
> Thanks.
>
>


Re: trying to implement SSL configuration

Posted by Udo Kohlmeyer <uk...@pivotal.io>.
Hi there,

Have you tried the following?

https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html

I have not tried to use a PKCS12 keystore type. Was there a particular 
reason why you are using it? Could you try with a JKS?

--Udo

On 6/11/18 03:31, Liron Ben Ari wrote:
> Hello team.
> I am trying to move my client-server to work with SSL as part of a Security POC we are running.
> I was going through the GEODE documents (there are a lot! :)) and there were a lot of different options...
>
>
>
> This is the configuration  I used:
>
> I've generated the keystore & certificate using a private tool (that uses openssl + Keytools)
>
> For client:
>   A file containing a PEM encoded X.509 certificate and a PEM encoded PKCS#8 encrypted private key
> For server:
> PKCS#12 - this part works
> as we could see openssl s_client return the chain
>
>
>
> In the gemfire.properties file I used:
>
> ssl-enabled-components=all
> ssl-protocols=any
> ssl-ciphers=SSL_RSA_WITH_NULL_SHA       //I've tried both options (empty as well)
> ssl-keystore-type=PKCS12
> ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA/pki/private/server4.p12
> ssl-keystore-password=changeme
> ssl-truststore-type=JKS
> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.jks
> ssl-truststore-password=changeit
>
>
>
> on the Client Side I used the PEM format:
> gfcpp1.properties:
> ssl-enabled=true
> ssl-keystore=/tmp/server4.pem
> ssl-keystore-password=changeme
> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.pem
>
>
> this is the error I am getting from the server when the client is trying to connect (locator):
> [info 2018/06/11 11:46:40.907 IDT eaasrt-locator <locator request thread[16]> tid=0x55] Exception in processing request from 192.168.2.100
> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>          at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>          at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>          at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>          at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>          at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1906)
>          at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233)
>          at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
>          at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
>          at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>          at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>          at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>          at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>          at org.apache.geode.internal.net.SocketCreator.configureServerSSLSocket(SocketCreator.java:1013)
>          at org.apache.geode.distributed.internal.tcpserver.TcpServer.lambda$processRequest$0(TcpServer.java:366)
>          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>          at java.lang.Thread.run(Thread.java:748)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>          at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>          at sun.security.validator.Validator.validate(Validator.java:260)
>          at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>          at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:227)
>          at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:118)
>          at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1888)
>          ... 12 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>          at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> :
>
> these are the errors I am getting from the client:
>
> ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140147953735424) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148921374464) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148896196352) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148004091648) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140147978913536) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148398352128) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148373174016) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>
> Any help will be appreciated !!
>
> Thanks.
>


Re: trying to implement SSL configuration

Posted by Udo Kohlmeyer <uk...@pivotal.io>.
Hi there,

Have you tried the following?

https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html

I have not tried to use a PKCS12 keystore type. Was there a particular 
reason why you are using it? Could you try with a JKS?

--Udo

On 6/11/18 03:31, Liron Ben Ari wrote:
> Hello team.
> I am trying to move my client server to work with SSL as part of a security POC we are running.
> I was going through the GEODE documents (there are a lot! :)) and there were a lot of different options...
>
>
>
> This is the configuration I used:
>
> I've generated the keystore & certificate using a private tool (that uses openssl + keytool)
>
> For client:
>   A file containing a PEM-encoded X.509 certificate and a PEM-encoded PKCS#8 encrypted private key
> For server:
> PKCS#12 - this part works,
> as we could see openssl s_client return the chain
>
>
>
> In the gemfire.properties file I used:
>
> ssl-enabled-components=all
> ssl-protocols=any
> ssl-ciphers=SSL_RSA_WITH_NULL_SHA       //I've tried both options (empty as well)
> ssl-keystore-type=PKCS12
> ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA/pki/private/server4.p12
> ssl-keystore-password=changeme
> ssl-truststore-type=JKS
> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.jks
> ssl-truststore-password=changeit
>
>
>
> On the client side I used the PEM format:
> gfcpp1.properties:
> ssl-enabled=true
> ssl-keystore=/tmp/server4.pem
> ssl-keystore-password=changeme
> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.pem
>
>
> this is the error I am getting from the server when the client is trying to connect (locator):
> [info 2018/06/11 11:46:40.907 IDT eaasrt-locator <locator request thread[16]> tid=0x55] Exception in processing request from 192.168.2.100
> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification
> path to requested target
>          at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>          at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>          at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>          at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>          at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1906)
>          at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233)
>          at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
>          at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
>          at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>          at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>          at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>          at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>          at org.apache.geode.internal.net.SocketCreator.configureServerSSLSocket(SocketCreator.java:1013)
>          at org.apache.geode.distributed.internal.tcpserver.TcpServer.lambda$processRequest$0(TcpServer.java:366)
>          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>          at java.lang.Thread.run(Thread.java:748)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>          at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>          at sun.security.validator.Validator.validate(Validator.java:260)
>          at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>          at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:227)
>          at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:118)
>          at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1888)
>          ... 12 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>          at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> :
>
> these are the errors I am getting from the client:
>
> ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140147953735424) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148921374464) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148896196352) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148004091648) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140147978913536) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148398352128) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ACE_SSL (45715|140148373174016) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>
> Any help will be appreciated !!
>
> Thanks.
>
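As an added illustration (not code from Geode, nor from either poster), the following Java class reproduces the server-side check that fails in the quoted stack trace: it loads the truststore named by ssl-truststore / ssl-truststore-type and asks the same PKIX trust manager whether the client's certificate chain builds to one of the trust anchors in that store. The class name TrustCheck, the command-line layout and the argument names are assumptions; the truststore and PEM file paths are whatever you point it at.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * TrustCheck: hypothetical stand-alone diagnostic, not part of Geode. It builds the PKIX
 * X509TrustManager that JSSE builds from a truststore and feeds it the client's chain,
 * reproducing the locator's "PKIX path building failed" offline, without a running locator.
 * Usage: java TrustCheck <truststore> <JKS|PKCS12> <truststore-password> <client-chain.pem>
 */
public class TrustCheck {
    /** Load a JKS or PKCS12 truststore, as ssl-truststore / ssl-truststore-type are consumed. */
    static KeyStore loadTrustStore(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** The default TrustManagerFactory algorithm is PKIX, the validator named in the trace. */
    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager from " + tmf.getAlgorithm());
    }

    /** Extract only the CERTIFICATE blocks from a PEM file, leaf first. The client file in the
     *  thread also carries an encrypted PKCS#8 key block, which CertificateFactory cannot parse,
     *  so it is filtered out here. */
    static X509Certificate[] loadPemChain(String path) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII);
        Matcher m = Pattern.compile(
            "-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", Pattern.DOTALL).matcher(pem);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        while (m.find()) {
            byte[] block = m.group().getBytes(StandardCharsets.US_ASCII);
            chain.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(block)));
        }
        if (chain.isEmpty()) {
            throw new CertificateException("no CERTIFICATE block found in " + path);
        }
        return chain.toArray(new X509Certificate[0]);
    }

    /** Returns null when the chain validates, otherwise the validator's reason. */
    static String explainClientTrust(X509TrustManager tm, X509Certificate[] chain) {
        try {
            // Same call the locator makes in the handshake (checkClientTrusted in the trace).
            tm.checkClientTrusted(chain, chain[0].getPublicKey().getAlgorithm());
            return null;
        } catch (CertificateException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: TrustCheck <truststore> <JKS|PKCS12> <password> <client-chain.pem>");
            System.exit(2);
        }
        X509TrustManager tm = trustManagerFor(loadTrustStore(args[0], args[1], args[2].toCharArray()));
        // What the server will actually accept: the trusted entries of the truststore.
        System.out.println("Trust anchors in " + args[0] + ":");
        for (X509Certificate ca : tm.getAcceptedIssuers()) {
            System.out.println("  " + ca.getSubjectX500Principal());
        }
        X509Certificate[] chain = loadPemChain(args[3]);
        System.out.println("Client leaf issuer: " + chain[0].getIssuerX500Principal()
            + " (" + chain.length + " cert(s) presented)");
        String problem = explainClientTrust(tm, chain);
        System.out.println(problem == null
            ? "OK: chain builds to a trust anchor; the locator would accept it"
            : "REJECTED: " + problem);   // issuer not listed above, or an intermediate is missing
    }
}
```

Run it against the locator's truststore and the client's PEM file. When the printed leaf issuer is not among the printed trust anchors, or the chain stops at an intermediate that is neither presented by the client nor present in the store, the output is the same "unable to find valid certification path" rejection the locator logs; the server answers that validator failure with a certificate_unknown alert, which is what the C++ client reports as "sslv3 alert certificate unknown". Because the store type is just the second argument, the same class also answers the JKS-versus-PKCS12 question from the reply above. One separate point from the quoted gemfire.properties: SSL_RSA_WITH_NULL_SHA is a NULL cipher suite, which authenticates the peers but does not encrypt the traffic, so once the trust chain issue is resolved that entry should not be carried past the POC.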