[
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14364136#comment-14364136
]
Flavio Junqueira commented on ZOOKEEPER-2125:
---------------------------------------------
[~hdeng], code looks good. there is just a small thing I'd like to improve
here, which is the comment right above:
{noformat}
ZOOKEEPER-558:
In some cases the server would not close the connection
(closeconn buffer was not being queued) properly.
This would happen anyway when the client closed the connection,
but the server should do the right thing regardless -- close session.
Calling closeSession() if we have lost the cnxn results in the client's
close session response.
{noformat}
I tried to rephrase in a way that is more understandable to me, but feel free
to complain. I just want to make it a bit more meaningful:
{noformat}
In some cases the server does not close the connection (e.g., closeconn buffer
was not being queued — ZOOKEEPER-558) properly. This happens, for example, when
the client closes the connection. The server should still close the session,
though. Calling closeSession() after losing the cnxn, results in the client
close session response being dropped.
{noformat}
Let me know if this makes sense and if it reads better.
> SSL on Netty client-server communication
> ----------------------------------------
>
> Key: ZOOKEEPER-2125
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
> Project: ZooKeeper
> Issue Type: Sub-task
> Reporter: Hongchao Deng
> Assignee: Hongchao Deng
> Fix For: 3.5.1
>
> Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch,
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch,
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch,
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch,
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch,
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch,
> ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks
>
>
> Supporting SSL on Netty client-server communication.
> 1. It supports keystore and trustore usage.
> 2. It adds an additional ZK server port which supports SSL. This would be
> useful for rolling upgrade.
> RB: https://reviews.apache.org/r/31277/
> The patch includes three files:
> * testing purpose keystore and truststore under
> "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/".
> * latest ZOOKEEPER-2125.patch
> h2. How to use it
> You need to set some parameters on both ZK server and client.
> h3. Server
> You need to specify a listening SSL port in "zoo.cfg":
> {code}
> secureClientPort=2281
> {code}
> Just like what you did with "clientPort". And then set some jvm flags:
> {code}
> export
> SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
> -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks
> -Dzookeeper.ssl.keyStore.password=testpass
> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks
> -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> Please change keystore and truststore parameters accordingly.
> h3. Client
> You need to set jvm flags:
> {code}
> export
> CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
> -Dzookeeper.client.secure=true
> -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks
> -Dzookeeper.ssl.keyStore.password=testpass
> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks
> -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> change keystore and truststore parameters accordingly.
> And then connect to the server's SSL port, in this case:
> {code}
> bin/zkCli.sh -server 127.0.0.1:2281
> {code}
> If you have any feedback, you are more than welcome to discuss it here!
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
