Michael Maier created CASSANDRA-14833:
-----------------------------------------
Summary: change client keystore from jks to pkcs12 doesn't work
Key: CASSANDRA-14833
URL: https://issues.apache.org/jira/browse/CASSANDRA-14833
Project: Cassandra
Issue Type: Bug
Components: Configuration
Environment: Cassandra version: 2.2.12 Java: 1.8.0_181 SLES11
Reporter: Michael Maier
Changing from JKS to PKCS12 store_type doesn't work for
client_encryption_options. For server_encryption_options it is not a problem.
I use:
{{client_encryption_options:}}
{{ enabled: true}}
{{ optional: false}}
{{ keystore: keystore.p12}}
{{ keystore_password: keystorepass}}
{{ truststore: truststore.p12}}
{{ truststore_password: keystorepass}}
{{ store_type: PKCS12}}
but get this error:
{{ERROR 06:34:36 Exception encountered during startup}}
{{java.lang.RuntimeException: Unable to create thrift socket to /192.168.1.2:9160}}
{{ at org.apache.cassandra.thrift.CustomTThreadPoolServer$Factory.buildTServer(CustomTThreadPoolServer.java:270) ~[apache-cassandra-2.2.12.jar:2.2.12]}}
{{ at org.apache.cassandra.thrift.TServerCustomFactory.buildTServer(TServerCustomFactory.java:46) ~[apache-cassandra-2.2.12.jar:2.2.12]}}
{{ at org.apache.cassandra.thrift.ThriftServer$ThriftServerThread.<init>(ThriftServer.java:131) ~[apache-cassandra-2.2.12.jar:2.2.12]}}
{{ at org.apache.cassandra.thrift.ThriftServer.start(ThriftServer.java:58) ~[apache-cassandra-2.2.12.jar:2.2.12]}}
{{ at org.apache.cassandra.service.CassandraDaemon.start(CassandraDaemon.java:453) [apache-cassandra-2.2.12.jar:2.2.12]}}
{{ at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:548) [apache-cassandra-2.2.12.jar:2.2.12]}}
{{ at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:642) [apache-cassandra-2.2.12.jar:2.2.12]}}
{{Caused by: org.apache.thrift.transport.TTransportException: Error creating the transport}}
{{ at org.apache.thrift.transport.TSSLTransportFactory.createSSLContext(TSSLTransportFactory.java:210) ~[libthrift-0.9.2.jar:0.9.2]}}
{{ at org.apache.thrift.transport.TSSLTransportFactory.getServerSocket(TSSLTransportFactory.java:104) ~[libthrift-0.9.2.jar:0.9.2]}}
{{ at org.apache.cassandra.thrift.CustomTThreadPoolServer$Factory.buildTServer(CustomTThreadPoolServer.java:256) ~[apache-cassandra-2.2.12.jar:2.2.12]}}
{{ ... 6 common frames omitted}}
{{Caused by: java.io.IOException: Invalid keystore format}}
{{ at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:658) ~[na:1.8.0_181]}}
{{ at sun.security.provider.{color:#FF0000}JavaKeyStore$JKS.engineLoad({color}JavaKeyStore.java:56) ~[na:1.8.0_181]}}
{{ at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:215) ~[na:1.8.0_181]}}
{{ at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70) ~[na:1.8.0_181]}}
{{ at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_181]}}
{{ at org.apache.thrift.transport.TSSLTransportFactory.createSSLContext(TSSLTransportFactory.java:195) ~[libthrift-0.9.2.jar:0.9.2]}}
{{ ... 8 common frames omitted}}
Looks like the store_type option is not set properly for client encryption.
If I don't use the store_type: PKCS12 option, the error occurs earlier at
startup:
{{INFO 06:43:46 Enabling encrypted CQL connections between client and server}}
{{Exception (java.lang.RuntimeException) encountered during startup: Failed to setup secure pipeline}}
{{java.lang.RuntimeException: Failed to setup secure pipeline}}
So from my point of view it looks like the option is set, but not everywhere it
should be.
I also use PKCS12 stores for server encryption. It works fine there.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
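The trace above ends in sun.security.provider.JavaKeyStore$JKS.engineLoad throwing "Invalid keystore format", i.e. the Thrift transport's keystore was opened as JKS. Before attributing that to the server, a practitioner wants to rule out the other explanation: a keystore whose on-disk format does not match the store_type declared for its section. The script below is an added diagnostic (not Cassandra code and not part of the report): it reads the leading bytes of each configured keystore/truststore and compares them with the section's store_type, defaulting to JKS when the option is absent. The magic numbers are the ones the JDK providers check (JKS 0xFEEDFEED, JCEKS 0xCECECECE, PKCS#12 is a DER SEQUENCE starting with 0x30); the temp-file paths, keystore bytes and config dict in demo() are constructed for the demo.

```python
"""Check that each Cassandra *_encryption_options section points at keystore
files whose on-disk format matches its declared store_type.

Added diagnostic, not Cassandra code. The magic numbers are the ones the JDK
providers check; the sample config and keystore bytes written in demo() are
constructed for the demo, not taken from the reporter's cluster.
"""
import os
import tempfile

# Leading bytes the JDK keystore providers recognise.
JKS_MAGIC = b"\xfe\xed\xfe\xed"    # sun.security.provider.JavaKeyStore
JCEKS_MAGIC = b"\xce\xce\xce\xce"  # com.sun.crypto.provider.JceKeyStore
DER_SEQUENCE = 0x30                # a PKCS#12 PFX is a DER SEQUENCE

# Value Cassandra uses when store_type is not set in the section.
CASSANDRA_DEFAULT_STORE_TYPE = "JKS"


def sniff_keystore_format(header: bytes) -> str:
    """Classify a keystore by its first bytes: JKS, JCEKS, PKCS12 or UNKNOWN."""
    if header[:4] == JKS_MAGIC:
        return "JKS"
    if header[:4] == JCEKS_MAGIC:
        return "JCEKS"
    if header[:1] == bytes([DER_SEQUENCE]):
        return "PKCS12"
    return "UNKNOWN"


def check_section(name: str, section: dict) -> list:
    """Compare the section's store_type with the real format of its keystore
    and truststore. Returns one finding per mismatch; an empty list means the
    files agree with the configuration, so a remaining 'Invalid keystore
    format' is the loader choosing the wrong type, not a wrong file."""
    declared = section.get("store_type", CASSANDRA_DEFAULT_STORE_TYPE).upper()
    findings = []
    for key in ("keystore", "truststore"):
        path = section.get(key)
        if not path:
            continue
        with open(path, "rb") as f:
            actual = sniff_keystore_format(f.read(4))
        if actual != declared:
            findings.append(
                f"{name}.{key} {path}: store_type is {declared} "
                f"but the file looks like {actual}")
    return findings


def check_config(config: dict) -> dict:
    """Run check_section over both encryption sections of a cassandra.yaml dict."""
    return {
        name: check_section(name, config[name])
        for name in ("client_encryption_options", "server_encryption_options")
        if name in config
    }


def demo() -> dict:
    """Write constructed keystore files and check a config resembling the report."""
    tmp = tempfile.mkdtemp()
    p12 = os.path.join(tmp, "keystore.p12")
    jks = os.path.join(tmp, "old.jks")
    # Constructed headers: a DER SEQUENCE with long-form length (PFX), and the
    # JKS magic followed by format version 2.
    with open(p12, "wb") as f:
        f.write(b"\x30\x82\x0b\x3d\x02\x01\x03")
    with open(jks, "wb") as f:
        f.write(JKS_MAGIC + b"\x00\x00\x00\x02")
    config = {
        # Declared PKCS12 and the files really are PKCS12: nothing to report.
        # This mirrors the reporter's client section once store_type is set.
        "client_encryption_options": {
            "enabled": True, "keystore": p12, "truststore": p12,
            "store_type": "PKCS12",
        },
        # Constructed misconfiguration: store_type left at its default while
        # the keystore is a .p12 file. This is the mismatch the check catches.
        "server_encryption_options": {
            "keystore": p12, "truststore": jks,
        },
    }
    return check_config(config)


if __name__ == "__main__":
    for section, findings in demo().items():
        print(section, "->", findings or "OK")
```

When every section comes back clean, as the reporter's does with store_type: PKCS12 in both sections, the files are not the problem and the remaining question is which code path still loads the client keystore as JKS.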