Makes sense to me. However I'd recommend that you make it configurable. Make the default getDefaultAlgo, but allow it to be overridden by the user via configuration at the ZK level. Print a debug level message with the value used for debuggability.

Patrick

On Mon, May 16, 2016 at 7:24 AM, saurabh jain <[email protected]> wrote:

> Hello All,
>
> When connecting from a zookeeper client running in IBM WebSphere
> Application Server version 8.5.5, with SSL configured in ZooKeeper, the
> below mentioned exception is observed.
>
> org.jboss.netty.channel.ChannelPipelineException: Failed to initialize a pipeline.
>     at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:208)
>     at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:182)
>     at org.apache.zookeeper.ClientCnxnSocketNetty.connect(ClientCnxnSocketNetty.java:112)
>     at org.apache.zookeeper.ClientCnxn$SendThread.startConnect(ClientCnxn.java:1130)
>     at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1158)
> Caused by: org.apache.zookeeper.common.X509Exception$SSLContextException: Failed to create KeyManager
>     at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:75)
>     at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initSSL(ClientCnxnSocketNetty.java:358)
>     at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.getPipeline(ClientCnxnSocketNetty.java:348)
>     at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:206)
>     ... 4 more
> Caused by: org.apache.zookeeper.common.X509Exception$KeyManagerException: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
>     at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:129)
>     at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:73)
>     ... 7 more
> Caused by: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
>     at sun.security.jca.GetInstance.getInstance(GetInstance.java:172)
>     at javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:9)
>     at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:118)
>
> Reason: IBM WebSphere uses its own JRE and supports only the IbmX509
> key manager algorithm, which causes an exception when trying to get a
> key manager instance using SunX509, which is not supported.
> Currently the KeyManager algorithm name (SunX509) is hardcoded in the class
> X509Util.java.
>
> Possible fix: Instead of having the algorithm name hardcoded to SunX509 we can
> fall back to the default algorithm supported by the underlying JRE.
>
> Instead of having this -
>
>     KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
>     TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
>
> can we have?
>
>     KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
>     TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
>
> Please advise.
>
> Thanks,
> Saurabh
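
A sketch of the approach discussed in this thread (JRE default algorithm, user override, debug-level message), added here as an example; it is not ZooKeeper's code. The class name and the two `example.ssl.*` property names are hypothetical, and `java.util.logging` at `FINE` stands in for a debug-level logger.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

public class ConfigurableX509Algorithms {
    private static final Logger LOG = Logger.getLogger("ConfigurableX509Algorithms");
    // Hypothetical property names, chosen for this example only.
    static final String KM_PROP = "example.ssl.keyManagerAlgorithm";
    static final String TM_PROP = "example.ssl.trustManagerAlgorithm";

    /** Returns the configured algorithm, or the JRE default when the property is unset or blank. */
    static String resolve(String property, String jreDefault) {
        String configured = System.getProperty(property);
        boolean overridden = configured != null && !configured.trim().isEmpty();
        String algorithm = overridden ? configured.trim() : jreDefault;
        // Debug-level record of the value actually used and where it came from.
        LOG.log(Level.FINE, "{0} = {1} ({2})",
                new Object[] {property, algorithm, overridden ? "configured" : "JRE default"});
        return algorithm;
    }

    /** Wraps the failure with the algorithms this JRE does offer, so a bad override is easy to diagnose. */
    static NoSuchAlgorithmException unavailable(String service, String algorithm, Exception cause) {
        return new NoSuchAlgorithmException(algorithm + " " + service + " not available; this JRE offers "
                + Security.getAlgorithms(service), cause);
    }

    static KeyManagerFactory keyManagerFactory() throws NoSuchAlgorithmException {
        String algorithm = resolve(KM_PROP, KeyManagerFactory.getDefaultAlgorithm());
        try {
            return KeyManagerFactory.getInstance(algorithm);
        } catch (NoSuchAlgorithmException e) {
            throw unavailable("KeyManagerFactory", algorithm, e);
        }
    }

    static TrustManagerFactory trustManagerFactory() throws NoSuchAlgorithmException {
        String algorithm = resolve(TM_PROP, TrustManagerFactory.getDefaultAlgorithm());
        try {
            return TrustManagerFactory.getInstance(algorithm);
        } catch (NoSuchAlgorithmException e) {
            throw unavailable("TrustManagerFactory", algorithm, e);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("KeyManagerFactory:   " + keyManagerFactory().getAlgorithm());
        System.out.println("TrustManagerFactory: " + trustManagerFactory().getAlgorithm());
    }
}
```

With the stock OpenJDK `java.security` file the `TrustManagerFactory` default is `PKIX` rather than `SunX509`, so switching to the JRE default can change the trust manager algorithm even on a JRE where the hardcoded name worked.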
