Need help with Riak-KV (2.1.4) certificate based authentication using Java client

Nguyen, Kyle kyle.nguyen at philips.com
Mon Aug 29 17:07:32 EDT 2016


Thanks a lot, Luke! I finally got the mutual certificate based authentication working by setting check_clr = off since I don't see any documentation on how to set this up and we might not need this feature. Another thing that I added to make it work is to add the correct entry for cidr. I was using 127.0.0.1/32 instead of 10.0.2.2/32 which is the Ubuntu ip that my laptop localhost is sending the request to.

+--------------------+------------+-----------+----------+
|       users        |    cidr    |  source   | options  |
+--------------------+------------+-----------+----------+
|        kyle        |10.0.2.2/32 |certificate|    []    |
+--------------------+------------+-----------+----------+

TLS also works without using the DNS-resolvable hostname with protocol buffer. Hence, I thought you must have referred to HTTPS.

-Kyle-

-----Original Message-----
From: Luke Bakken [mailto:lbakken at basho.com]
Sent: Monday, August 29, 2016 7:59 AM
To: Nguyen, Kyle
Cc: Riak Users
Subject: Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client

Kyle -

What is the output of these commands?

riak-admin security print-users
riak-admin security print-sources

http://docs.basho.com/riak/kv/2.1.4/using/security/basics/#user-management

Please note that setting up certificate authentication *requires* that you have set up SSL / TLS in Riak as well.

http://docs.basho.com/riak/kv/2.1.4/using/security/basics/#enabling-ssl

The SSL certificates used by Riak *must* have their "CN=" section match the server's DNS-resolvable host name. This is an SSL/TLS requirement, not specific to Riak. Then, when you connect via the Java client, you must use the DNS name and not IP address. The client must have the appropriate public key information to validate the server cert as well (from Get a Cert).

--
Luke Bakken
Engineer
lbakken at basho.com

On Fri, Aug 26, 2016 at 3:34 PM, Nguyen, Kyle <kyle.nguyen at philips.com> wrote:
> Update – Handshake was successful after I opted out of the mutual
> authentication option; the client no longer sends its certificate to Riak.
> However, I am getting the following error after TLS is established:
>
> *** Finished
> verify_data:  { 149, 140, 49, 23, 238, 152, 45, 212, 158, 44, 189, 155 }
> ***
> %% Cached client session: [Session-12, TLS_RSA_WITH_AES_128_CBC_SHA256]
> nioEventLoopGroup-2-4, WRITE: TLSv1.2 Application Data, length = 21
> nioEventLoopGroup-2-4, called closeOutbound()
> …..
> Caused by: com.basho.riak.client.core.NoNodesAvailableException
>         at com.basho.riak.client.core.RiakCluster.retryOperation(RiakCluster.java:469)
>         at com.basho.riak.client.core.RiakCluster.access$1000(RiakCluster.java:48)
>         at com.basho.riak.client.core.RiakCluster$RetryTask.run(RiakCluster.java:554)
>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>         at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>         at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         ... 1 more
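The two things that unblocked this thread were a source rule whose cidr did not cover the address the client actually arrives from, and a server certificate name that has to match the host name the client dials. The following is an added example, not code from the thread, from Basho or from the Riak Java client: a small Python script that reads the table printed by `riak-admin security print-sources`, reports which rules would cover a given user and client address, and applies the TLS host-name rule Luke describes. The two tables are constructed from Kyle's message; `parse_sources`, `matching_sources` and `cert_name_matches` are names chosen here. It does not reproduce Riak's own rule precedence (it returns every rule that matches) and it does not model IP-address SANs.

```python
"""Pre-flight checks for Riak certificate sources and TLS host names.

Added example; the tables below are constructed from the thread, the
function names are assumptions, and nothing here calls Riak itself.
"""
import ipaddress

# Constructed: the first rule Kyle had, which never matched because the
# request reached the Ubuntu VM from 10.0.2.2, not from 127.0.0.1.
SOURCES_BEFORE = """\
+--------------------+------------+-----------+----------+
|       users        |    cidr    |  source   | options  |
+--------------------+------------+-----------+----------+
|        kyle        |127.0.0.1/32|certificate|    []    |
+--------------------+------------+-----------+----------+
"""

# Constructed: the rule after the fix described in the message.
SOURCES_AFTER = """\
+--------------------+------------+-----------+----------+
|       users        |    cidr    |  source   | options  |
+--------------------+------------+-----------+----------+
|        kyle        |10.0.2.2/32 |certificate|    []    |
+--------------------+------------+-----------+----------+
"""


def parse_sources(table_text):
    """Turn the ASCII table from `print-sources` into a list of dicts.

    Border lines (starting with '+') are skipped; the first '|' line is
    the header and names the keys of every following row. A trailing '|'
    is optional, so a row cut off like the one in the thread still parses.
    """
    rows, header = [], None
    for line in table_text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = [c.lower() for c in cells]
            continue
        rows.append(dict(zip(header, cells)))
    return rows


def matching_sources(rules, user, client_ip):
    """Return the 'source' of every rule covering (user, client_ip).

    A rule applies when its users cell is 'all' or lists the user, and the
    client's address falls inside the rule's cidr. An empty list means no
    source covers the connection, which is the state Kyle was in with the
    127.0.0.1/32 rule. Assumption: real Riak also ranks matching rules;
    that ordering is not reproduced here.
    """
    ip = ipaddress.ip_address(client_ip)
    hits = []
    for rule in rules:
        users = [u.strip() for u in rule["users"].split(",")]
        if "all" not in users and user not in users:
            continue
        if ip in ipaddress.ip_network(rule["cidr"], strict=False):
            hits.append(rule["source"])
    return hits


def cert_name_matches(cert_names, hostname):
    """Apply the host-name rule from Luke's reply.

    The name the client dials must equal one of the certificate's names
    (CN or DNS SAN), case-insensitively, with a single leftmost '*' label
    allowed. An IP literal never matches a DNS name, so connecting by
    address instead of the DNS-resolvable host name fails verification.
    Assumption: IP-address SANs are out of scope for this check.
    """
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


if __name__ == "__main__":
    for label, table in (("before", SOURCES_BEFORE), ("after", SOURCES_AFTER)):
        hits = matching_sources(parse_sources(table), "kyle", "10.0.2.2")
        print(f"{label}: sources covering kyle from 10.0.2.2 -> {hits or 'none'}")
    # Constructed host names; "riak.example.test" stands in for the CN.
    print(cert_name_matches(["riak.example.test"], "riak.example.test"))
    print(cert_name_matches(["riak.example.test"], "10.0.2.2"))
```

Run it against the real output of `riak-admin security print-sources` and the address the node sees in its logs when the client connects; if the list comes back empty, the fix is a source rule whose cidr covers that address, not a change to the client's certificate.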
