Hi Mohan, I'm a bit baffled as at first glance you're doing what I expect. As you're already modifying code, could you extend your changes in ZKClientConfig::handleBackwardCompatibility so that you print out both the value of System.getProperty(SECURE_CLIENT) and Boolean.parseBoolean(System.getProperty(SECURE_CLIENT))? Let's rule out the possibility of bad string parsing, as I don't immediately see a problem otherwise in the flow of information.
-Brian

On Sun, Nov 10, 2019 at 12:34 PM Mohan Ingole <[email protected]> wrote:
> Hi All,
>
> We are using Curator (version 4.0.1) as a client to connect to ZooKeeper
> (version 3.5.5) in our application.
>
> We are trying to connect with the secured option (SSL) through Curator to
> ZooKeeper.
>
> 1) We have successfully established a secured connection between ZK server
> and server.
>
> 2) When we try to establish a secured connection between client and server
> we get an error on the client side. On the server side, the ZooKeeper logs
> show that it is expecting an SSL request but is not getting one from the
> client side, so it shows an exception on the server side.
>
> 3) On the client side we added the properties below, in the application's
> properties file from where we pass properties, to enable the client-to-server
> secured connection:
>
>     zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
>     zookeeper.client.secure=true
>     zookeeper.ssl.trustStore.location=/opt/ssl/truststore.jks
>     zookeeper.ssl.trustStore.password=testpass
>
> We added a few logger print statements in the following ZooKeeper code base
> classes, recompiled them and added the recompiled classes to
> zookeeper-3.5.5.jar to check whether the input values passed from the client
> side reach there or not.
>
> 1) ClientCnxnSocketNetty.java
>
>     private class ZKClientPipelineFactory extends ChannelInitializer<SocketChannel> {
>         private SSLContext sslContext = null;
>         private SSLEngine sslEngine = null;
>         private String host;
>         private int port;
>
>         public ZKClientPipelineFactory(String host, int port) {
>             this.host = host;
>             this.port = port;
>             System.out.println("SMG>>> ZKClientPipelineFactory initializer"); // This is added and printed in logs
>         }
>
>         @Override
>         protected void initChannel(SocketChannel ch) throws Exception {
>             ChannelPipeline pipeline = ch.pipeline();
>             System.out.println("SMG>>> initChannel value of ZKClientConfig.SECURE_CLIENT: "
>                     + clientConfig.getBoolean(ZKClientConfig.SECURE_CLIENT)); // Getting value of this flag as false
>             if (clientConfig.getBoolean(ZKClientConfig.SECURE_CLIENT)) {
>                 System.out.println("SMG>>> calling initSSL"); // This is not getting called due to if condition false
>                 initSSL(pipeline);
>             }
>             pipeline.addLast("handler", new ZKClientHandler());
>         }
>     }
>
> We passed zookeeper.client.secure=true from the client side; however, in
> initChannel() the value of the flag
> clientConfig.getBoolean(ZKClientConfig.SECURE_CLIENT) is FALSE. It is
> printed in the logs on the client side. Due to that, initSSL(pipeline);
> doesn't get called.
>
> 2) ZKConfig.java
>
>     private void putSSLProperties(X509Util x509Util) {
>         properties.put(x509Util.getSslProtocolProperty(),
>                 System.getProperty(x509Util.getSslProtocolProperty()));
>         // ...
>         properties.put(x509Util.getSslTruststoreLocationProperty(),
>                 System.getProperty(x509Util.getSslTruststoreLocationProperty()));
>         properties.put(x509Util.getSslTruststorePasswdProperty(),
>                 System.getProperty(x509Util.getSslTruststorePasswdProperty()));
>         System.out.println("SMG>>> ZKConfig putSSLProperties exit " + properties);
>         // This properties object displays all parameter values passed from the client side in the logs, as below
>     }
>
>     SMG>>> ZKConfig putSSLProperties exit {zookeeper.ssl.hostnameVerification=null,
>     zookeeper.ssl.quorum.clientAuth=null, zookeeper.ssl.trustStore.password=testpass,
>     zookeeper.ssl.quorum.ciphersuites=null, zookeeper.ssl.quorum.keyStore.location=null,
>     zookeeper.ssl.quorum.trustStore.password=null, zookeeper.ssl.quorum.crl=null,
>     zookeeper.ssl.keyStore.type=null, zookeeper.ssl.trustStore.type=null,
>     zookeeper.ssl.quorum.ocsp=null, zookeeper.ssl.protocol=null,
>     zookeeper.ssl.trustStore.location=/opt/ssl/truststore.jks, zookeeper.ssl.ocsp=null,
>     zookeeper.ssl.authProvider=null, zookeeper.ssl.quorum.trustStore.type=null,
>     zookeeper.ssl.quorum.enabledProtocols=null, zookeeper.ssl.keyStore.password=null,
>     zookeeper.ssl.quorum.keyStore.type=null, zookeeper.ssl.ciphersuites=null,
>     zookeeper.ssl.crl=null, sun.security.jgss.native=null,
>     zookeeper.ssl.handshakeDetectionTimeoutMillis=null,
>     zookeeper.ssl.quorum.handshakeDetectionTimeoutMillis=null, jute.maxbuffer=null,
>     zookeeper.ssl.enabledProtocols=null, zookeeper.ssl.quorum.keyStore.password=null,
>     zookeeper.kinit=null, zookeeper.ssl.keyStore.location=null,
>     zookeeper.ssl.quorum.protocol=null, zookeeper.ssl.quorum.trustStore.location=null,
>     zookeeper.ssl.quorum.hostnameVerification=null, zookeeper.ssl.clientAuth=null}
>
> 3) ZKClientConfig.java
>
>     @Override
>     protected void handleBackwardCompatibility() {
>         /**
>          * backward compatibility for properties which are common to both client
>          * and server
>          */
>         super.handleBackwardCompatibility();
>
>         /**
>          * backward compatibility for client specific properties
>          */
>         setProperty(ZK_SASL_CLIENT_USERNAME, System.getProperty(ZK_SASL_CLIENT_USERNAME));
>         setProperty(LOGIN_CONTEXT_NAME_KEY, System.getProperty(LOGIN_CONTEXT_NAME_KEY));
>         setProperty(ENABLE_CLIENT_SASL_KEY, System.getProperty(ENABLE_CLIENT_SASL_KEY));
>         setProperty(ZOOKEEPER_SERVER_REALM, System.getProperty(ZOOKEEPER_SERVER_REALM));
>         setProperty(DISABLE_AUTO_WATCH_RESET, System.getProperty(DISABLE_AUTO_WATCH_RESET));
>         setProperty(ZOOKEEPER_CLIENT_CNXN_SOCKET, System.getProperty(ZOOKEEPER_CLIENT_CNXN_SOCKET));
>
>         System.out.println("SMG>>> ZKClientConfig.handleBackwardCompatibility() setting "
>                 + SECURE_CLIENT + " to " + System.getProperty(SECURE_CLIENT));
>         setProperty(SECURE_CLIENT, System.getProperty(SECURE_CLIENT));
>         // The value of the flag System.getProperty(SECURE_CLIENT) is true here and is printed in the logs on the client side.
>     }
>
> So the value of SECURE_CLIENT is set to true in ZKClientConfig.java and the
> value of SECURE_CLIENT is set to false in ClientCnxnSocketNetty.java, even
> though zookeeper.client.secure=true is passed from the client side. Due to
> that, initSSL(pipeline); doesn't get called and the secure connection
> between client and server fails.
>
> Please help me to resolve this issue and let me know if I missed anything
> in the configuration.
>
> Thanks,
>
> Mohan Ingole
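As an added example (not code from this thread, nor from ZooKeeper or Curator), here is a small client that does the check Brian asks for, printing the raw system-property string beside its parsed boolean for both the system property and the ZKClientConfig, and then hands one explicitly built ZKClientConfig to every ZooKeeper instance Curator creates, so the connection is built from the object just verified rather than from whatever system properties happened to be set when a default ZKClientConfig was constructed. The property names and values come from Mohan's mail; the connect string and port are assumptions, and the class and method names are mine.

```java
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.curator.utils.ZookeeperFactory;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.client.ZKClientConfig;

public class SecureClientCheck {
    // Assumed ensemble address and secure client port; replace with your own.
    private static final String CONNECT = "zk.example.internal:2281";
    // Build the client config explicitly (values from the mail) instead of relying
    // on whichever system properties ZKClientConfig copies at construction time.
    static ZKClientConfig secureConfig() {
        ZKClientConfig conf = new ZKClientConfig();
        conf.setProperty(ZKClientConfig.SECURE_CLIENT, "true");
        conf.setProperty(ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET,
                "org.apache.zookeeper.ClientCnxnSocketNetty");
        conf.setProperty("zookeeper.ssl.trustStore.location", "/opt/ssl/truststore.jks");
        conf.setProperty("zookeeper.ssl.trustStore.password", "testpass");
        return conf;
    }
    // Brian's check: raw string beside its parsed boolean, for the system property
    // and for the config object. Abort rather than connect without TLS.
    static void verifySecureFlag(ZKClientConfig conf) {
        String raw = System.getProperty(ZKClientConfig.SECURE_CLIENT);
        System.out.println("System property [" + raw + "] -> " + Boolean.parseBoolean(raw));
        System.out.println("ZKClientConfig  [" + conf.getProperty(ZKClientConfig.SECURE_CLIENT)
                + "] -> " + conf.getBoolean(ZKClientConfig.SECURE_CLIENT));
        if (!conf.getBoolean(ZKClientConfig.SECURE_CLIENT)) {
            throw new IllegalStateException("client would connect without TLS; aborting");
        }
    }
    public static void main(String[] args) throws Exception {
        ZKClientConfig conf = secureConfig();
        verifySecureFlag(conf);
        // Hand the verified config object to every ZooKeeper instance Curator creates.
        ZookeeperFactory factory = (connectString, sessionTimeout, watcher, canBeReadOnly) ->
                new ZooKeeper(connectString, sessionTimeout, watcher, canBeReadOnly, conf);
        CuratorFramework client = CuratorFrameworkFactory.builder()
                .connectString(CONNECT)
                .retryPolicy(new ExponentialBackoffRetry(1000, 3))
                .zookeeperFactory(factory)
                .build();
        client.start();
        client.blockUntilConnected();
        System.out.println("connected; root has " + client.getChildren().forPath("/").size() + " children");
        client.close();
    }
}
```

If the first println shows the raw value wrapped in whitespace or quotes (for example `[ true]` or `["true"]`), Boolean.parseBoolean returns false and the string parsing Brian wants to rule out is the culprit.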
