Need help with Riak-KV (2.1.4) certificate based authentication using Java client

Nguyen, Kyle kyle.nguyen at philips.com
Fri Aug 26 18:34:34 EDT 2016


Update – Handshake was successfully after I opted out mutual authentication option, client no longer sends its certificate to riak. However, getting the following error after TLS is established:

*** Finished
verify_data:  { 149, 140, 49, 23, 238, 152, 45, 212, 158, 44, 189, 155 }
***
%% Cached client session: [Session-12, TLS_RSA_WITH_AES_128_CBC_SHA256]
nioEventLoopGroup-2-4, WRITE: TLSv1.2 Application Data, length = 21
nioEventLoopGroup-2-4, called closeOutbound()
…..
Caused by: com.basho.riak.client.core.NoNodesAvailableException
        at com.basho.riak.client.core.RiakCluster.retryOperation(RiakCluster.java:469)
        at com.basho.riak.client.core.RiakCluster.access$1000(RiakCluster.java:48)
        at com.basho.riak.client.core.RiakCluster$RetryTask.run(RiakCluster.java:554)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        ... 1 more

From: Jonathan Joseph [mailto:jonbjoseph at gmail.com]
Sent: Thursday, August 25, 2016 5:53 PM
To: Nguyen, Kyle
Cc: Riak Users
Subject: Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client

Try adding the following Java property setting when launching your java client in order to see SSL Handshake related debug information:

-Djavax.net.debug=ssl:handshake
Or to see all ssl related debug output:

-Djavax.net.debug=ssl


On Thu, Aug 25, 2016 at 4:24 PM, Nguyen, Kyle <kyle.nguyen at philips.com<mailto:kyle.nguyen at philips.com>> wrote:
Hi all,

I was trying to implement client certificate based authentication following http://docs.basho.com/riak/kv/2.1.4/using/security/basics/ but kept getting the following SSL Handshake exception. I believe I have the client keystore, truststore and riak server cert/key setup properly. Both client cert and riak server cert are signed with the same CA. Any advice and suggestions will be greatly appreciated!

2016-08-25 12:53:24 DEBUG InternalLoggerFactory:71 - Using SLF4J as the default logging framework
2016-08-25 12:53:24 DEBUG MultithreadEventLoopGroup:76 - -Dio.netty.eventLoopThreads: 16
2016-08-25 12:53:24 DEBUG PlatformDependent0:76 - java.nio.Buffer.address: available
2016-08-25 12:53:24 DEBUG PlatformDependent0:76 - sun.misc.Unsafe.theUnsafe: available
2016-08-25 12:53:24 DEBUG PlatformDependent0:71 - sun.misc.Unsafe.copyMemory: available
2016-08-25 12:53:24 DEBUG PlatformDependent0:76 - java.nio.Bits.unaligned: true
2016-08-25 12:53:24 DEBUG PlatformDependent:71 - Platform: Windows
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - Java version: 8
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.noUnsafe: false
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - sun.misc.Unsafe: available
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.noJavassist: false
2016-08-25 12:53:24 DEBUG PlatformDependent:71 - Javassist: unavailable
2016-08-25 12:53:24 DEBUG PlatformDependent:71 - You don't have Javassist in your class path or you don't have enough permission to load dynamically generated classes.  Please check the configuration for better performance.
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.tmpdir: C:\apache-tomcat-7.0.54\temp (java.io.tmpdir)
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.bitMode: 64 (sun.arch.data.model)
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.noPreferDirect: false
2016-08-25 12:53:24 DEBUG NioEventLoop:76 - -Dio.netty.noKeySetOptimization: false
2016-08-25 12:53:24 DEBUG NioEventLoop:76 - -Dio.netty.selectorAutoRebuildThreshold: 512
2016-08-25 12:53:24 INFO  RiakJKSConnection:73 - initializeRiak Cluster is OK
2016-08-25 12:53:24 DEBUG ThreadLocalRandom:71 - -Dio.netty.initialSeedUniquifier: 0xac658e47a52a7794 (took 3 ms)
2016-08-25 12:53:24 DEBUG ByteBufUtil:76 - -Dio.netty.allocator.type: unpooled
2016-08-25 12:53:24 DEBUG ByteBufUtil:76 - -Dio.netty.threadLocalDirectBufferSize: 65536
2016-08-25 12:53:24 DEBUG ByteBufUtil:76 - -Dio.netty.maxThreadLocalCharBufferSize: 16384
2016-08-25 12:53:24 DEBUG RiakNode:762 - Using TLSv1.2
2016-08-25 12:53:24 DEBUG RiakSecurityDecoder:166 - Handler Added
2016-08-25 12:53:24 DEBUG RiakNode:777 - Waiting on SSL Promise
2016-08-25 12:53:24 DEBUG AbstractByteBuf:81 - -Dio.netty.buffer.bytebuf.checkAccessible: true
2016-08-25 12:53:24 DEBUG ResourceLeakDetector:81 - -Dio.netty.leakDetection.level: simple
2016-08-25 12:53:24 DEBUG ResourceLeakDetector:81 - -Dio.netty.leakDetection.maxRecords: 4
2016-08-25 12:53:24 DEBUG Recycler:76 - -Dio.netty.recycler.maxCapacity.default: 262144
2016-08-25 12:53:24 DEBUG Cleaner0:76 - java.nio.ByteBuffer.cleaner(): available
2016-08-25 12:53:24 DEBUG RiakSecurityDecoder:69 - RiakSecurityDecoder decode
2016-08-25 12:53:24 DEBUG RiakSecurityDecoder:93 - Received MSG_RpbStartTls reply
2016-08-25 12:53:24 ERROR RiakSecurityDecoder:230 - SSL Handshake failed:
java.nio.channels.ClosedChannelException
2016-08-25 12:53:24 ERROR RiakNode:787 - Failure during Auth; 127.0.0.1:8087<http://127.0.0.1:8087> java.nio.channels.ClosedChannelException
2016-08-25 12:53:24 DEBUG RiakSecurityDecoder:181 - Channel Inactive

RiakNode builder setup:

public static RiakCluster getRiakCluster(String riakUserName, String userPassword, String storePath, String storePasswd, String keyPasswd) throws UnknownHostException{

       KeyStore keyStore = loadKeystore(storePath,storePasswd);
       //riak with one node
       RiakNode.Builder builder = new RiakNode.Builder().withRemoteAddress("127.0.0.1").withRemotePort(8087);
       builder.withAuth(riakUserName, userPassword, trustStore, keyStore, keyPasswd);
       builder.withConnectionTimeout(30000);
       RiakCluster cluster = cluster = new RiakCluster.Builder(builder.build()).build();
       cluster.start();
       return cluster;


    }

Thanks

-Kyle-

________________________________
The information contained in this message may be confidential and legally protected under applicable law. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, forwarding, dissemination, or reproduction of this message is strictly prohibited and may be unlawful. If you are not the intended recipient, please contact the sender by return e-mail and destroy all copies of the original message.

_______________________________________________
riak-users mailing list
riak-users at lists.basho.com<mailto:riak-users at lists.basho.com>
http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.basho.com/pipermail/riak-users_lists.basho.com/attachments/20160826/6165f0d5/attachment-0002.html>


More information about the riak-users mailing list