Need help with Riak-KV (2.1.4) certificate based authentication using Java client

Luke Bakken lbakken at basho.com
Tue Aug 30 10:13:42 EDT 2016


Kyle -

The CN should be either the DNS-resolvable host name of the Riak node,
or its IP address (without "riak@"). Then, the Java client should be
configured to use that to connect to the node (either DNS or IP).
Without doing that, I really don't have any idea how the Java client
is validating the server certificate during TLS handshake. Did you
configure the client to *not* validate the server cert?

--
Luke Bakken
Engineer
lbakken at basho.com


On Mon, Aug 29, 2016 at 3:18 PM, Nguyen, Kyle <kyle.nguyen at philips.com> wrote:
> Hi Luke,
>
> The CN for client's certificate is "kyle" and the CN for riak cert (ssl.certfile) is "riak at 127.0.0.1" which matches the nodename in the riak.conf. Riak ssl.cacertfile.pem contains the same CA (getACert) which I used to sign both client and riak public keys. It appears that riak also validated the client certificate following this SSL debug info. I do see *** CertificateVerify (toward the end) after the client certificate is requested by Riak. Please let me know if it looks right to you.
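As an added example (not part of the original thread), one way to check offline whether a certificate's CN matches the name a client connects with, using the `openssl` CLI. The throwaway self-signed certificates and the host name `riak1.example.test` are constructed stand-ins for the node's `ssl.certfile`.

```shell
#!/bin/sh
# Constructed example: throwaway certs stand in for the Riak node certificate.
# riak1.example.test is a hypothetical host name, not one from the thread.

# make_cert <CN> <out.pem>: self-signed cert with the given CN and no SAN.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2" 2>/dev/null
}

# cert_matches_host <cert.pem> <host>: succeeds only if the certificate
# identifies <host>. openssl prints "does match" or "does NOT match";
# with no SAN DNS entries present it falls back to comparing the CN.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# report <cert.pem> <host>: print the subject and the verdict for <host>.
report() {
    openssl x509 -in "$1" -noout -subject
    if cert_matches_host "$1" "$2"; then
        echo "  $2: matches"
    else
        echo "  $2: does NOT match"
    fi
}

demo() {
    dir=$(mktemp -d)
    # CN set to the Erlang node name, as in the quoted message.
    make_cert 'riak@127.0.0.1' "$dir/nodename.pem"
    # CN set to the host name the client is configured to connect to.
    make_cert 'riak1.example.test' "$dir/hostname.pem"

    # -checkhost compares names; openssl's -checkip looks only at
    # subjectAltName IP entries, so a DNS name is used for the comparison.
    report "$dir/nodename.pem" 127.0.0.1
    report "$dir/nodename.pem" riak1.example.test
    report "$dir/hostname.pem" riak1.example.test
    rm -rf "$dir"
}

demo
```

To test a real node certificate, call `report` with the path from `ssl.certfile` and the exact host string the client is configured with.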



