Need help with Riak-KV (2.1.4) certificate based authentication using Java client

Nguyen, Kyle kyle.nguyen at philips.com
Mon Aug 29 18:18:20 EDT 2016


Hi Luke,

The CN for the client's certificate is "kyle" and the CN for the Riak cert (ssl.certfile) is "riak@127.0.0.1", which matches the nodename in riak.conf. Riak's ssl.cacertfile.pem contains the same CA (getACert) which I used to sign both the client and Riak public keys. It appears that Riak also validated the client certificate, following this SSL debug info. I do see *** CertificateVerify (toward the end) after the client certificate is requested by Riak. Please let me know if it looks right to you.

*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1455658918 bytes = { 84, 30, 247, 202, 253, 204, 211, 99, 116, 241, 115, 146, 163, 127, 219, 193, 210, 102, 120, 79, 216, 223, 39, 73, 47, 234, 46, 11 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
***
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Handshake, length = 193
nioEventLoopGroup-2-1, READ: TLSv1.2 Handshake, length = 74
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1455658918 bytes = { 161, 184, 225, 9, 234, 196, 100, 226, 183, 193, 173, 77, 69, 146, 154, 177, 217, 181, 199, 116, 131, 238, 251, 6, 175, 32, 167, 168 }
Session ID:  {72, 122, 216, 45, 157, 97, 206, 103, 78, 92, 170, 88, 24, 228, 194, 137, 2, 189, 21, 21, 43, 226, 255, 1, 209, 106, 83, 79, 18, 31, 113, 165}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Compression Method: 0
***
Warning: No renegotiation indication extension in ServerHello
%% Initialized:  [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA256]
** TLS_RSA_WITH_AES_128_CBC_SHA256
nioEventLoopGroup-2-1, READ: TLSv1.2 Handshake, length = 1816
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=riak@127.0.0.1
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  public exponent: 65537
  Validity: [From: Mon Aug 22 15:42:40 PDT 2016,
               To: Fri Oct 21 15:42:40 PDT 2016]
  Issuer: O=getaCert - www.getacert.com, L=Seattle, ST=Washington, C=US
  SerialNumber: [    1377]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[2]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_Encipherment
]

[3]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL client
   SSL server
   S/MIME
   Object Signing
]

]
  Algorithm: [SHA256withRSA]

]
chain [1] = [
[
  Version: V3
  Subject: O=getaCert - www.getacert.com, L=Seattle, ST=Washington, C=US
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

  Key:  Sun RSA public key, 2048 bits
  public exponent: 65537
  Validity: [From: Tue Jan 06 14:14:55 PST 2004,
               To: Wed May 07 15:14:55 PDT 2031]
  Issuer: O=getaCert - www.getacert.com, L=Seattle, ST=Washington, C=US
  SerialNumber: [    07b2]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: CD DF 18 20 8A 6D 74 4F   37 DC B2 E0 89 A2 A9 0B  ... .mtO7.......
0010: 95 88 CB 0B                                        ....
]
[O=getaCert - www.getacert.com, L=Seattle, ST=Washington, C=US]
SerialNumber: [    07b2]
]

[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: CD DF 18 20 8A 6D 74 4F   37 DC B2 E0 89 A2 A9 0B  ... .mtO7.......
0010: 95 88 CB 0B                                        ....
]
]

]
  Algorithm: [MD5withRSA]

]
***
Found trusted certificate:
[
[
  Version: V3
  Subject: O=getaCert - www.getacert.com, L=Seattle, ST=Washington, C=US
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

  Key:  Sun RSA public key, 2048 bits
  public exponent: 65537
  Validity: [From: Tue Jan 06 14:14:55 PST 2004,
               To: Wed May 07 15:14:55 PDT 2031]
  Issuer: O=getaCert - www.getacert.com, L=Seattle, ST=Washington, C=US
  SerialNumber: [    07b2]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: CD DF 18 20 8A 6D 74 4F   37 DC B2 E0 89 A2 A9 0B  ... .mtO7.......
0010: 95 88 CB 0B                                        ....
]
[O=getaCert - www.getacert.com, L=Seattle, ST=Washington, C=US]
SerialNumber: [    07b2]
]

[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: CD DF 18 20 8A 6D 74 4F   37 DC B2 E0 89 A2 A9 0B  ... .mtO7.......
0010: 95 88 CB 0B                                        ....
]
]

]
  Algorithm: [MD5withRSA]

]
nioEventLoopGroup-2-1, READ: TLSv1.2 Handshake, length = 118
*** CertificateRequest
Cert Types: RSA
Supported Signature Algorithms: SHA512withRSA, SHA384withRSA, SHA256withRSA, SHA224withRSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Cert Authorities:
<O=getaCert - www.getacert.com, L=Seattle, ST=Washington, C=US>
nioEventLoopGroup-2-1, READ: TLSv1.2 Handshake, length = 4
*** ServerHelloDone
matching alias: kyle
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=kyle
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  public exponent: 65537
  Validity: [From: Mon Aug 22 15:36:32 PDT 2016,
               To: Fri Oct 21 15:36:32 PDT 2016]
  Issuer: O=getaCert - www.getacert.com, L=Seattle, ST=Washington, C=US
  SerialNumber: [    1376]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[2]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_Encipherment
]

[3]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL client
   SSL server
   S/MIME
   Object Signing
]

]
  Algorithm: [SHA256withRSA]

]
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1.2
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Handshake, length = 1062
*** CertificateVerify
Signature Algorithm SHA512withRSA
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Handshake, length = 264
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 147, 250, 146, 107, 7, 88, 232, 63, 43, 225, 105, 85 }
***
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Handshake, length = 80
nioEventLoopGroup-2-1, READ: TLSv1.2 Change Cipher Spec, length = 1
nioEventLoopGroup-2-1, READ: TLSv1.2 Handshake, length = 80
*** Finished
verify_data:  { 203, 196, 200, 206, 98, 120, 17, 126, 12, 142, 176, 106 }
***
%% Cached client session: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA256]
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Application Data, length = 21
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Application Data, length = 920
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Application Data, length = 920

Thanks

-Kyle-



-----Original Message-----
From: Luke Bakken [mailto:lbakken at basho.com]
Sent: Monday, August 29, 2016 2:20 PM
To: Nguyen, Kyle
Cc: Riak Users
Subject: Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client

Hi Kyle -

Thanks for the info. Just so you know, setting check_crl = off means that Riak will not validate the signing chain of your client certificate.

What value are you using for "CN=" for the certificates pointed to by the various "ssl.*" settings in riak.conf?

http://docs.basho.com/riak/kv/2.1.4/using/security/basics/#certificate-configuration

I ask because the validation of the server certificate by the client during the TLS handshake depends on the CN= value.

--
Luke Bakken
Engineer
lbakken at basho.com

On Mon, Aug 29, 2016 at 2:07 PM, Nguyen, Kyle <kyle.nguyen at philips.com> wrote:
> Thanks a lot, Luke! I finally got the mutual certificate-based authentication working by setting check_crl = off, since I don't see any documentation on how to set this up and we might not need this feature. Another thing that I added to make it work is the correct entry for cidr. I was using 127.0.0.1/32 instead of 10.0.2.2/32, which is the Ubuntu IP that my laptop's localhost is sending the request to.
>
> +--------------------+------------+-----------+----------+
> |       users        |    cidr    |  source   | options  |
> +--------------------+------------+-----------+----------+
> |        kyle        |10.0.2.2/32 |certificate|    []    |
> +--------------------+------------+-----------+----------+
>
> TLS also works without using the DNS-resolvable hostname with protocol buffer. Hence, I thought you must have referred to HTTPS.
>
> -Kyle-
>
> -----Original Message-----
> From: Luke Bakken [mailto:lbakken at basho.com]
> Sent: Monday, August 29, 2016 7:59 AM
> To: Nguyen, Kyle
> Cc: Riak Users
> Subject: Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client
>
> Kyle -
>
> What is the output of these commands?
>
> riak-admin security print-users
> riak-admin security print-sources
>
> http://docs.basho.com/riak/kv/2.1.4/using/security/basics/#user-management
>
> Please note that setting up certificate authentication *requires* that you have set up SSL / TLS in Riak as well.
>
> http://docs.basho.com/riak/kv/2.1.4/using/security/basics/#enabling-ssl
>
> The SSL certificates used by Riak *must* have their "CN=" section match the server's DNS-resolvable host name. This is an SSL/TLS requirement, not specific to Riak. Then, when you connect via the Java client, you must use the DNS name and not IP address. The client must have the appropriate public key information to validate the server cert as well (from Get a Cert).
>
> --
> Luke Bakken
> Engineer
> lbakken at basho.com
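As an added example (not code from the thread, from Basho or from the Riak Java client), here is a small Python checker for a javax.net.debug handshake trace like the one Kyle posted. It walks the trace in order and reports whether a CertificateRequest was followed by the client's own Certificate and a CertificateVerify (the evidence Kyle is looking for), extracts the server and client CNs so the server CN can be compared with the name the client expects (Luke's point about CN matching), and flags certificates signed with MD5withRSA and cipher suites without forward secrecy. The function names, SAMPLE_LOG (a constructed excerpt in the same format, hex dumps omitted) and the WEAK_SIG_ALGS set are my own assumptions.

```python
import re

# Constructed excerpt in the javax.net.debug=ssl,handshake format seen in the thread.
SAMPLE_LOG = """\
*** ServerHello, TLSv1.2
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256
*** Certificate chain
chain [0] = [
  Subject: CN=riak@127.0.0.1
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
chain [1] = [
  Subject: O=getaCert - www.getacert.com, L=Seattle, ST=Washington, C=US
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
*** CertificateRequest
*** Certificate chain
chain [0] = [
  Subject: CN=kyle
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
*** CertificateVerify
"""

MSG_RE = re.compile(r"^\*\*\* (\w+)")   # "*** CertificateRequest" -> "CertificateRequest"
SUBJECT_RE = re.compile(r"^\s*Subject: (.+)$")
SIGALG_RE = re.compile(r"^\s*Signature Algorithm: (\w+)")
WEAK_SIG_ALGS = {"MD5withRSA", "MD2withRSA", "SHA1withRSA", "SHA1withDSA"}  # assumed policy

def cn_of(subject):
    """Pull the CN out of a printed X.500 subject, or None if it has none."""
    m = re.search(r"CN=([^,]+)", subject)
    return m.group(1).strip() if m else None

def analyze_handshake(log_text, expected_server_cn=None):
    """Walk the trace in order and report what the handshake actually proves."""
    messages = []   # handshake message names in arrival order
    chains = []     # one [subject, sig_alg] list per "*** Certificate chain" block
    cipher_suite = None
    for line in log_text.splitlines():
        m = MSG_RE.match(line)
        if m:
            messages.append(m.group(1))
            if m.group(1) == "Certificate":      # start of a "*** Certificate chain"
                chains.append([])
        elif line.startswith("Cipher Suite:"):
            cipher_suite = line.split(":", 1)[1].strip()
        elif chains and (m := SUBJECT_RE.match(line)):
            chains[-1].append([m.group(1), None])
        elif chains and chains[-1] and (m := SIGALG_RE.match(line)):
            chains[-1][-1][1] = m.group(1)
    # Client auth is proven only if the CertificateRequest is followed by the client's
    # Certificate and then a CertificateVerify (a signature made with the client key).
    req = messages.index("CertificateRequest") if "CertificateRequest" in messages else -1
    verify = messages.index("CertificateVerify") if "CertificateVerify" in messages else -1
    client_chain_sent = req >= 0 and len(chains) >= 2 and bool(chains[1])
    server_cn = cn_of(chains[0][0][0]) if chains and chains[0] else None
    return {
        "cipher_suite": cipher_suite,
        "forward_secrecy": bool(cipher_suite) and "DHE_" in cipher_suite,
        "server_cn": server_cn,
        "server_cn_matches": expected_server_cn is None or server_cn == expected_server_cn,
        "client_cn": cn_of(chains[1][0][0]) if client_chain_sent else None,
        "mutual_auth": client_chain_sent and verify > req,
        "weak_signature_algs": sorted({a for c in chains for _, a in c if a in WEAK_SIG_ALGS}),
    }
```

The parser ignores the modulus, signature and key-material hex dumps, so it can be pointed at the full trace from the thread unchanged.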


