How to enable client-to-node encrypt communication with Astyanax cassandra client

2014-10-08 Thread Lu, Boying
Hi, All,

I'm trying to enable client-to-node encrypted communication in Cassandra (2.0.7)
with the Astyanax client library (version=1.56.48).

I found the links about how to enable this feature:
http://www.datastax.com/documentation/cassandra/2.0/cassandra/security/secureSSLClientToNode_t.html
But this only says how to set it up on the server side, not the client side.

Here is my configuration on the server side (in yaml):
client_encryption_options:
    enabled: true
    keystore: full-path-to-keystore-file      # same file used by Cassandra server
    keystore_password: some-password
    truststore: fullpath-to-truststore-file   # same file used by Cassandra server
    truststore_password: some-password
    # More advanced defaults below:
    # protocol: TLS
    # algorithm: SunX509
    # store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA]
    require_client_auth: true

http://www.datastax.com/dev/blog/accessing-secure-dse-clusters-with-cql-native-protocol
This link says something about client side, but not how to do it with the 
Astyanax client library.

Searching the Astyanax source code, I found the class SSLConnectionContext,
which may be useful.
And here is my code snippet:
AstyanaxContext<Cluster> clusterContext = new AstyanaxContext.Builder()
    .forCluster(clusterName)
    .forKeyspace(keyspaceName)
    .withAstyanaxConfiguration(new AstyanaxConfigurationImpl()
        .setRetryPolicy(new QueryRetryPolicy(10, 1000)))
    .withConnectionPoolConfiguration(new ConnectionPoolConfigurationImpl(_clusterName)
        .setMaxConnsPerHost(1)
        .setAuthenticationCredentials(credentials)
        .setSSLConnectionContext(sslContext)
        .setSeeds(String.format("%1$s:%2$d", uri.getHost(), uri.getPort()))
    )
    .buildCluster(ThriftFamilyFactory.getInstance());

But when I tried to connect to the Cassandra server, I got the following error:
Caused by: org.apache.thrift.transport.TTransportException: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    at org.apache.thrift.transport.TIOStreamTransport.flush(TIOStreamTransport.java:161)
    at org.apache.thrift.transport.TFramedTransport.flush(TFramedTransport.java:158)
    at org.apache.thrift.TServiceClient.sendBase(TServiceClient.java:65)
    at org.apache.cassandra.thrift.Cassandra$Client.send_login(Cassandra.java:567)
    at org.apache.cassandra.thrift.Cassandra$Client.login(Cassandra.java:559)
    at com.netflix.astyanax.thrift.ThriftSyncConnectionFactoryImpl$ThriftConnection.open(ThriftSyncConnectionFactoryImpl.java:203)
    ... 6 more

It looks like my SSL settings are incorrect.

Does anyone know how to resolve this issue?

Thanks

Boying


Re: How to enable client-to-node encrypt communication with Astyanax cassandra client

2014-10-08 Thread Ben Bromhead
Haven't personally followed this but give it a go:
http://lyubent.github.io/security/planetcassandra/2013/05/31/ssl-for-astyanax.html

On 8 October 2014 20:46, Lu, Boying boying...@emc.com wrote:

-- 

Ben Bromhead

Instaclustr | www.instaclustr.com | @instaclustr
http://twitter.com/instaclustr | +61 415 936 359
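
An added example, not from either poster and not Astyanax code: a JDK-only handshake probe that builds its TLS context from the values in the posted client_encryption_options (JKS stores, SunX509, TLS, the single listed cipher suite), so the SSLHandshakeException can be reproduced outside Astyanax. The class name and argument order are assumptions; running it once without and once with a client keystore helps tell whether require_client_auth: true is what makes the node close the connection.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added diagnostic (JDK only). All arguments are placeholders:
//   java TlsHandshakeCheck host port truststore.jks trustPass [keystore.jks keyPass]
public class TlsHandshakeCheck {
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");   // store_type: JKS
        try (FileInputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4 && args.length != 6) {
            System.err.println("usage: host port truststore trustPass [keystore keyPass]");
            System.exit(2);
        }
        // Trust material: decides whether the client accepts the node's certificate.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(args[2], args[3].toCharArray()));

        // Key material: the certificate the client presents when the node asks
        // for one (require_client_auth: true). null leaves it with none to present.
        KeyManager[] keyManagers = null;
        if (args.length == 6) {
            char[] keyPass = args[5].toCharArray();
            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); // algorithm: SunX509
            kmf.init(loadJks(args[4], keyPass), keyPass);
            keyManagers = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");  // protocol: TLS
        ctx.init(keyManagers, tmf.getTrustManagers(), null);

        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory()
                .createSocket(args[0], Integer.parseInt(args[1]))) {
            // Offer only the suite listed in cipher_suites on the server.
            socket.setEnabledCipherSuites(new String[] {"TLS_RSA_WITH_AES_128_CBC_SHA"});
            socket.startHandshake();  // throws SSLHandshakeException if the handshake fails
            System.out.println("handshake OK: " + socket.getSession().getProtocol()
                + " / " + socket.getSession().getCipherSuite());
        }
    }
}
```

Run it with the same JRE as the application; a JRE whose security policy disables the listed suite or the node's TLS version fails here as well.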