Need help with Riak-KV (2.1.4) certificate based authentication using Java client

Luke Bakken lbakken at
Mon Aug 29 17:19:43 EDT 2016

Hi Kyle -

Thanks for the info. Just so you know, setting check_clr = off means
that Riak will not validate the signing chain of your client.

What value are you using for "CN=" for the certificates pointed to by
the various "ssl.*" settings in riak.conf?

I ask because the validation of the server certificate by the client
during the TLS handshake depends on the CN= value.

Luke Bakken
lbakken at

On Mon, Aug 29, 2016 at 2:07 PM, Nguyen, Kyle <kyle.nguyen at> wrote:
> Thanks a lot, Luke! I finally got the mutual certificate based authentication working by setting check_clr = off since I don't see any documentation on how to set this up and we might not need this feature. Another thing that I added to make it work is to add the correct entry for cidr. I was using instead of which is the Ubuntu ip that my laptop localhost is sending the request to.
> +--------------------+------------+-----------+----------+
> |       users        |    cidr    |  source   | options  |
> +--------------------+------------+-----------+----------+
> |        kyle        |            |certificate|    []    |
> +--------------------+------------+-----------+----------+
> TLS also works without using the DNS-resolvable hostname with protocol buffer. Hence, I thought you must have referred to HTTPS.
> -Kyle-
> -----Original Message-----
> From: Luke Bakken [mailto:lbakken at]
> Sent: Monday, August 29, 2016 7:59 AM
> To: Nguyen, Kyle
> Cc: Riak Users
> Subject: Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client
> Kyle -
> What is the output of these commands?
> riak-admin security print-users
> riak-admin security print-sources
> Please note that setting up certificate authentication *requires* that you have set up SSL / TLS in Riak as well.
> The SSL certificates used by Riak *must* have their "CN=" section match the server's DNS-resolvable host name. This is an SSL/TLS requirement, not specific to Riak. Then, when you connect via the Java client, you must use the DNS name and not IP address. The client must have the appropriate public key information to validate the server cert as well (from Get a Cert).
> --
> Luke Bakken
> Engineer
> lbakken at
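As an added illustration of the host-name point raised above (this is not code from the Riak project or the Riak Java client), the following plain-JDK mutual-TLS handshake loads a truststore for the Riak server certificate and a keystore for the client certificate, and turns on RFC 2818 endpoint identification so the server certificate is checked against the DNS name being connected to. The host name, port, keystore paths and password are assumed placeholders; the target is assumed to be a TLS endpoint such as Riak's HTTPS listener.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class RiakTlsHostnameCheck {
    // Assumed values: the DNS-resolvable name in the server cert's CN/SAN,
    // an assumed TLS listener port, and keystores built per "Get a Cert".
    static final String HOST = "riak.example.internal";
    static final int PORT = 8443;

    static SSLContext buildContext(String trustPath, String keyPath, char[] pw) throws Exception {
        // Truststore: CA (or server cert) used to validate the Riak server certificate.
        KeyStore trust = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustPath)) { trust.load(in, pw); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        // Keystore: client certificate + private key that Riak maps to the user
        // listed with the "certificate" source in print-sources.
        KeyStore keys = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(keyPath)) { keys.load(in, pw); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, pw);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext("truststore.jks", "client.p12", "changeit".toCharArray());
        // Connect by DNS name: with endpoint identification on, connecting by IP
        // address instead fails unless the cert carries that IP as a SAN entry.
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(HOST, PORT)) {
            SSLParameters params = sock.getSSLParameters();
            // Raw SSLSocket does not verify the host name by default; HTTPS clients do.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            sock.setSSLParameters(params);
            // Throws SSLHandshakeException on an untrusted chain or a CN/SAN mismatch.
            sock.startHandshake();
            System.out.println("Handshake OK, server = " + sock.getSession().getPeerPrincipal());
        }
    }
}
```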
