Need help with Riak-KV (2.1.4) certificate based authentication using Java client

Nguyen, Kyle kyle.nguyen at philips.com
Tue Aug 30 17:18:47 EDT 2016


Hi Luke,

I am using TLS for protocol buffer - not sure if you're thinking of HTTP only.

Thanks

-Kyle-

-----Original Message-----
From: Luke Bakken [mailto:lbakken at basho.com]
Sent: Tuesday, August 30, 2016 2:14 PM
To: Nguyen, Kyle
Cc: Riak Users
Subject: Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client

Kyle,

I would be interested to see the output of this command run on the same server as your Riak node:

openssl s_client -debug -connect localhost:8098

Please replace "8098" with the HTTPS port used in this configuration setting in your /etc/riak.conf file:

listener.https.internal

--
Luke Bakken
Engineer
lbakken at basho.com


On Tue, Aug 30, 2016 at 12:01 PM, Nguyen, Kyle <kyle.nguyen at philips.com> wrote:
> Hi Luke,
>
> I believe this is not the case. The Java riak-client (version 2.0.6) that I used does validate the server's cert but does not check the server's CN. If I replace the getACert CA in the truststore with another unknown CA, then SSL will fail with "unable to find valid certification path to requested target". I don't even see an option to ignore server cert validation on the client side. I am wondering if you can help provide some details related to SSL certification validation configuration.
>
> My riak node builder code:
> RiakNode.Builder builder = new RiakNode.Builder().withRemoteAddress("127.0.0.1").withRemotePort(8087);
> builder.withAuth(username, password, trustStore, keyStore, keyPasswd);
>
> Thanks
>
> -Kyle-
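
The behaviour discussed in this thread (the certificate chain is validated but the server's CN is not checked) corresponds to two separate settings in Java's JSSE: the trust store controls chain validation, while name checking only happens when an endpoint identification algorithm is set. The following is an added example, not code from this thread or from the Riak Java client; the class name, the host name riak.example.test, the password and the empty in-memory keystores are constructed for illustration, and whether the Riak client exposes this setting is not stated in the thread.

```java
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;

public class HostnameCheckDemo {
    // Build an SSLContext from the same kinds of inputs passed to withAuth() in the thread.
    static SSLContext contextFrom(KeyStore trustStore, KeyStore keyStore, char[] keyPasswd)
            throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);            // which CAs are accepted (chain validation)
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPasswd);   // client certificate for certificate-based auth
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Client-mode engine; with verifyHostname set, the handshake also requires
    // the peer host name to match the server certificate's SAN/CN.
    static SSLEngine clientEngine(SSLContext ctx, String host, int port, boolean verifyHostname) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        if (verifyHostname) {
            SSLParameters params = engine.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // RFC 2818 name matching
            engine.setSSLParameters(params);
        }
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: empty in-memory stores so the demo runs offline.
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);
        SSLContext ctx = contextFrom(empty, empty, "changeit".toCharArray());

        SSLEngine chainOnly = clientEngine(ctx, "riak.example.test", 8087, false);
        SSLEngine withName = clientEngine(ctx, "riak.example.test", 8087, true);
        System.out.println("chain-only endpoint identification: "
                + chainOnly.getSSLParameters().getEndpointIdentificationAlgorithm());
        System.out.println("hardened endpoint identification:   "
                + withName.getSSLParameters().getEndpointIdentificationAlgorithm());
    }
}
```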
