[ https://issues.apache.org/jira/browse/CASSANDRA-14833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jeremy Hanna updated CASSANDRA-14833:
-------------------------------------
Labels: security (was: )
> change client keystore from jks to pkcs12 doesn't work
> -------------------------------------------------------
>
> Key: CASSANDRA-14833
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14833
> Project: Cassandra
> Issue Type: Bug
> Components: Configuration
> Environment: Cassandra version: 2.2.12 Java: 1.8.0_181 SLES11
> Reporter: Michael Maier
> Priority: Minor
> Labels: security
>
> Changing from JKS to PKCS12 store_type doesn't work for
> client_encryption_options. For server_encryption_options it is not a problem.
> I use:
>
> client_encryption_options:
>     enabled: true
>     optional: false
>     keystore: keystore.p12
>     keystore_password: keystorepass
>     truststore: truststore.p12
>     truststore_password: keystorepass
>     store_type: PKCS12
>
> but get this error:
>
> ERROR 06:34:36 Exception encountered during startup
> java.lang.RuntimeException: Unable to create thrift socket to /192.168.1.2:9160
>     at org.apache.cassandra.thrift.CustomTThreadPoolServer$Factory.buildTServer(CustomTThreadPoolServer.java:270) ~[apache-cassandra-2.2.12.jar:2.2.12]
>     at org.apache.cassandra.thrift.TServerCustomFactory.buildTServer(TServerCustomFactory.java:46) ~[apache-cassandra-2.2.12.jar:2.2.12]
>     at org.apache.cassandra.thrift.ThriftServer$ThriftServerThread.<init>(ThriftServer.java:131) ~[apache-cassandra-2.2.12.jar:2.2.12]
>     at org.apache.cassandra.thrift.ThriftServer.start(ThriftServer.java:58) ~[apache-cassandra-2.2.12.jar:2.2.12]
>     at org.apache.cassandra.service.CassandraDaemon.start(CassandraDaemon.java:453) [apache-cassandra-2.2.12.jar:2.2.12]
>     at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:548) [apache-cassandra-2.2.12.jar:2.2.12]
>     at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:642) [apache-cassandra-2.2.12.jar:2.2.12]
> Caused by: org.apache.thrift.transport.TTransportException: Error creating the transport
>     at org.apache.thrift.transport.TSSLTransportFactory.createSSLContext(TSSLTransportFactory.java:210) ~[libthrift-0.9.2.jar:0.9.2]
>     at org.apache.thrift.transport.TSSLTransportFactory.getServerSocket(TSSLTransportFactory.java:104) ~[libthrift-0.9.2.jar:0.9.2]
>     at org.apache.cassandra.thrift.CustomTThreadPoolServer$Factory.buildTServer(CustomTThreadPoolServer.java:256) ~[apache-cassandra-2.2.12.jar:2.2.12]
>     ... 6 common frames omitted
> Caused by: java.io.IOException: Invalid keystore format
>     at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:658) ~[na:1.8.0_181]
>     at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56) ~[na:1.8.0_181]
>     at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:215) ~[na:1.8.0_181]
>     at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70) ~[na:1.8.0_181]
>     at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_181]
>     at org.apache.thrift.transport.TSSLTransportFactory.createSSLContext(TSSLTransportFactory.java:195) ~[libthrift-0.9.2.jar:0.9.2]
>     ... 8 common frames omitted
>
> Looks like the store_type option is not set properly for client encryption.
> If I don't use the store_type: PKCS12 option the error occurs earlier at
> startup:
>
> INFO 06:43:46 Enabling encrypted CQL connections between client and server
> Exception (java.lang.RuntimeException) encountered during startup: Failed to setup secure pipeline
> java.lang.RuntimeException: Failed to setup secure pipeline
>
> so from my point of view it looks like the option is set, but not everywhere
> it should be.
> I also use PKCS12 stores for server encryption. It works fine there.
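A pre-flight check an operator can run before restarting a node, added here as an illustration and not part of the report or of Cassandra: it sniffs the keystore's leading bytes (JKS magic 0xFEEDFEED, JCEKS magic 0xCECECECE, PKCS#12 as a DER SEQUENCE whose first element is INTEGER version 3) and compares the result with the store_type declared in the encryption options. The option dict and the sample bytes are constructed; in the report's situation the file really is PKCS12 and store_type says PKCS12, so the check passes, and an "Invalid keystore format" from the JKS loader then points at the option not being applied on the client-encryption path, as the reporter suspects.

```python
import struct

# Magic numbers of the two formats the JDK's JavaKeyStore loader accepts.
JKS_MAGIC = 0xFEEDFEED
JCEKS_MAGIC = 0xCECECECE


def sniff_keystore_format(data: bytes) -> str:
    """Guess a keystore's on-disk format from its leading bytes."""
    if len(data) < 4:
        return "unknown"
    magic = struct.unpack(">I", data[:4])[0]
    if magic == JKS_MAGIC:
        return "JKS"
    if magic == JCEKS_MAGIC:
        return "JCEKS"
    # PKCS#12 is DER: SEQUENCE (0x30), length, then INTEGER version 3 (02 01 03).
    if data[0] == 0x30:
        pos = 2 if data[1] < 0x80 else 2 + (data[1] & 0x7F)  # skip the length field
        if data[pos:pos + 3] == b"\x02\x01\x03":
            return "PKCS12"
    return "unknown"


def check_store_type(options: dict, keystore_bytes: bytes) -> tuple:
    """Compare the store_type of a *_encryption_options block (hypothetical dict,
    keys as in cassandra.yaml) with the file's real format. Returns (ok, message)."""
    configured = str(options.get("store_type", "JKS")).upper()  # JKS is the default
    actual = sniff_keystore_format(keystore_bytes)
    name = options.get("keystore", "<keystore>")
    if actual == "unknown":
        return False, f"{name}: cannot recognise keystore format"
    if actual == configured:
        return True, f"{name}: store_type {configured} matches the file"
    hint = " (the JKS loader reports 'Invalid keystore format')" if configured in ("JKS", "JCEKS") else ""
    return False, f"{name} is {actual} but store_type is {configured}{hint}"


# Constructed sample data: the first bytes of a PKCS#12 file and of a JKS file.
PKCS12_HEAD = b"\x30\x82\x0b\x2a\x02\x01\x03\x30\x82\x0a\xf0"
JKS_HEAD = b"\xfe\xed\xfe\xed\x00\x00\x00\x02\x00\x00\x00\x01"

# The client_encryption_options from the report, as the operator configured them.
CLIENT_OPTIONS = {"enabled": True, "optional": False,
                  "keystore": "keystore.p12", "store_type": "PKCS12"}

if __name__ == "__main__":
    print(check_store_type(CLIENT_OPTIONS, PKCS12_HEAD))
    # Same file, but judged as if store_type had never been passed through:
    print(check_store_type({"keystore": "keystore.p12"}, PKCS12_HEAD))
```

The JDK's own tooling gives the same answer: keytool -list -storetype PKCS12 -keystore keystore.p12 opens the file only if it is really PKCS#12.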
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)