Hi Sanjay,

> More specific details are needed here and you should look them up in the Vendor Router documentation to answer the following questions:
>
> - are certificates needed only for establishing (one-way) SSL or mTLS? I am assuming it is not mTLS but it is good to confirm. Note that mTLS is used to authenticate a client by the server.

My understanding is for encryption might be. I don't have the documentation right now in hand, will get it and check the documentation.

> - the credentials are just passed as "username" and "password" headers just like your C++ example shows? That should be relatively straightforward as shown in the Java auth examples here (https://github.com/grpc/grpc-java/blob/master/examples/AUTHENTICATION_EXAMPLE.md). I suggest you use that approach - of using ClientInterceptor and adding headers - instead of stub.withCallCredentials().
>
> - can you provide the stack trace of UNAUTHENTICATED exception you are getting?

I have tried the ClientInterceptor option, still getting the UNAUTHENTICATED exception. Below is the stacktrace.

io.grpc.StatusRuntimeException: UNAUTHENTICATED
    at io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:233)
    at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:214)
    at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:139)
    at telemetry.OpenConfigGrpc$OpenConfigBlockingStub.get(OpenConfigGrpc.java:373)
    at OpenConfigTelemetryClient.get(OpenConfigTelemetryClient.java:208)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
[2019-01-22 16:33:27,534 UTC] [ERROR] pool-1-thread-1 OpenConfigTelemetryClient - Error Code:: UNAUTHENTICATED
[2019-01-22 16:33:27,534 UTC] [ERROR] pool-1-thread-1 OpenConfigTelemetryClient - Error description:: null
[2019-01-22 16:33:27,534 UTC] [ERROR] pool-1-thread-1 OpenConfigTelemetryClient - Error Cause:: null

*Channel Creation code:*

    channel = NettyChannelBuilder.forAddress(ip, port)
            .useTransportSecurity()
            .negotiationType(NegotiationType.TLS)
            .sslContext(sslContext)
            .intercept(interceptor)
            .build();

*ClientInterceptor Code:*

    public <ReqT, RespT> ClientCall<ReqT, RespT> interceptCall(MethodDescriptor<ReqT, RespT> methodDescriptor, CallOptions callOptions, Channel channel) {
        return new ForwardingClientCall.SimpleForwardingClientCall<ReqT, RespT>(channel.newCall(methodDescriptor, callOptions)) {
            @Override
            public void start(Listener<RespT> responseListener, Metadata headers) {
                //callOptions.withCallCredentials(credentials);
                Metadata.Key<String> usernameKey = Metadata.Key.of("userid", Metadata.ASCII_STRING_MARSHALLER);
                headers.put(usernameKey, user);
                Metadata.Key<String> passwordKey = Metadata.Key.of("password", Metadata.ASCII_STRING_MARSHALLER);
                headers.put(passwordKey, pass);
                super.start(responseListener, headers);
            }
        };
    }

On Tuesday, January 15, 2019 at 4:09:39 PM UTC-5, Kishore Ganipineni wrote:
>
> SSL/TLS Authentication of gRPC using root.pem file and username & password at client side.
>
> To Authenticate the gRPC server using root pem certificate file and credentials in C++ we have a facility to provide both options from client like below.
>
> pem file setup using environment variable option (C++):
>
>     setenv("GRPC_DEFAULT_SSL_ROOTS_FILE_PATH", fileBuff1, true);
>     sprintf(setSecBuff, "chmod 777 %s", fileBuff1);
>     system(setSecBuff);
>
> Creating Channel Using ssl options(keyPassword if any):
>
>     SslCredentialsOptions ssl_opts;
>     TelemAsyncClient telemAsyncClient(grpc::CreateChannel(std::string(hostIpStr), grpc::SslCredentials(ssl_opts), ChannelArguments()));
>
> Passing credentials using ClientContext(C++):
>
>     ClientContext context;
>     CompletionQueue cq;
>     Status status;
>
>     context.AddMetadata("username", userid);
>     context.AddMetadata("password", password);
>
>     // Print Populated GetRequest
>     printGetRequest(&getReq);
>     std::unique_ptr<ClientAsyncResponseReader<GetResponse> > rpc(stub_->AsyncGet(&context, getReq, &cq));
>
> In java we have facility to pass the pem file but how to pass the credentials?
>
> Java code to pass pem file:
> ============================
>
>     ManagedChannel channel = NettyChannelBuilder.forAddress(ip, port)
>             .useTransportSecurity()
>             .negotiationType(NegotiationType.TLS)
>             .sslContext(GrpcSslContexts.forClient()
>                     .trustManager(new File("<path>/test.pem"))
>                     .clientAuth(ClientAuth.REQUIRE)
>                     .build())
>             .overrideAuthority("test")
>             .build();
>
> Tried to set the credentials using CallCredentials and ClientInterceptor options but none of them worked. Server side Username is not receiving.
> Hence getting io.grpc.StatusRuntimeException: UNAUTHENTICATED exception.
>
> CallCredentials Tried:
>
>     OpenConfigGrpc.OpenConfigBlockingStub blockingStub = OpenConfigGrpc.newBlockingStub(channel).withCallCredentials(credentials);
>
>     public void applyRequestMetadata(MethodDescriptor<?, ?> methodDescriptor, Attributes attributes, Executor executor, final MetadataApplier metadataApplier) {
>         String authority = attributes.get(ATTR_AUTHORITY);
>         Attributes.Key<String> usernameKey = Attributes.Key.of("userId");
>         Attributes.Key<String> passwordKey = Attributes.Key.of("password");
>         attributes.newBuilder().set(usernameKey, username).build();
>         attributes.newBuilder().set(passwordKey, pasfhocal).build();
>         System.out.println(authority);
>         executor.execute(new Runnable() {
>             public void run() {
>                 try {
>                     Metadata headers = new Metadata();
>                     Metadata.Key<String> usernameKey = Metadata.Key.of("userId", Metadata.ASCII_STRING_MARSHALLER);
>                     Metadata.Key<String> passwordKey = Metadata.Key.of("password", Metadata.ASCII_STRING_MARSHALLER);
>                     headers.put(usernameKey, username);
>                     headers.put(passwordKey, pasfhocal);
>                     metadataApplier.apply(headers);
>                 } catch (Exception e) {
>                     metadataApplier.fail(Status.UNAUTHENTICATED.withCause(e));
>                     e.printStackTrace();
>                 } finally {
>                     logger.info("Inside CienaCallCredentials finally.");
>                 }
>             }
>         });
>     }
>
> Interceptors Tried:
>
>     OpenConfigGrpc.OpenConfigBlockingStub blockingStub = OpenConfigGrpc.newBlockingStub(channel).withInterceptors(interceptors);
>
>     public <ReqT, RespT> ClientCall<ReqT, RespT> interceptCall(MethodDescriptor<ReqT, RespT> methodDescriptor, CallOptions callOptions, Channel channel) {
>         return new ForwardingClientCall.SimpleForwardingClientCall<ReqT, RespT>(channel.newCall(methodDescriptor, callOptions)) {
>             @Override
>             public void start(Listener<RespT> responseListener, Metadata headers) {
>                 callOptions.withCallCredentials(credentials);
>                 Metadata.Key<String> usernameKey = Metadata.Key.of("usernId", Metadata.ASCII_STRING_MARSHALLER);
>                 headers.put(usernameKey, username);
>                 Metadata.Key<String> passwordKey = Metadata.Key.of("password", Metadata.ASCII_STRING_MARSHALLER);
>                 headers.put(passwordKey, pasfhocal);
>                 super.start(responseListener, headers);
>             }
>         };
>     }
>
> Much appreciated your help if someone can help on this how to authenticate gRPC using root.pem file and username and password.
>
> Thanks in Advance, Kishore
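
Added example, not part of the thread and not gRPC project or vendor code: a client that combines one-way TLS from a root PEM with username/password metadata, and prints the outgoing header names so the attachment can be confirmed on the client side. The header name `username` is taken from the C++ snippet in the thread (the Java attempts send `userId`, `usernId` and `userid`); that the router expects that name, and the class name, host, port, file name and environment variable names, are assumptions.

```java
import io.grpc.*;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NettyChannelBuilder;
import java.io.File;

public final class HeaderAuthChannel {
    // Assumption: header names copied from the C++ client quoted in the thread.
    static final Metadata.Key<String> USERNAME =
        Metadata.Key.of("username", Metadata.ASCII_STRING_MARSHALLER);
    static final Metadata.Key<String> PASSWORD =
        Metadata.Key.of("password", Metadata.ASCII_STRING_MARSHALLER);

    /** Adds both headers to every call started on the channel. */
    static ClientInterceptor credentials(final String user, final String pass) {
        return new ClientInterceptor() {
            @Override
            public <ReqT, RespT> ClientCall<ReqT, RespT> interceptCall(
                    MethodDescriptor<ReqT, RespT> method, CallOptions opts, Channel next) {
                return new ForwardingClientCall.SimpleForwardingClientCall<ReqT, RespT>(
                        next.newCall(method, opts)) {
                    @Override
                    public void start(Listener<RespT> listener, Metadata headers) {
                        headers.put(USERNAME, user);
                        headers.put(PASSWORD, pass);
                        // Diagnostic: log header names only, never the values.
                        System.err.println(method.getFullMethodName() + " sends " + headers.keys());
                        super.start(listener, headers);
                    }
                };
            }
        };
    }
    /** One-way TLS: the client trusts rootPem and presents no certificate. */
    static ManagedChannel build(String host, int port, File rootPem, String user, String pass)
            throws javax.net.ssl.SSLException {
        return NettyChannelBuilder.forAddress(host, port)
            .sslContext(GrpcSslContexts.forClient().trustManager(rootPem).build())
            .intercept(credentials(user, pass))
            .build();
    }

    public static void main(String[] args) throws Exception {
        // Constructed values; replace with the router address, PEM and credentials.
        ManagedChannel ch = build("router.example", 50051, new File("root.pem"),
            System.getenv("ROUTER_USER"), System.getenv("ROUTER_PASS"));
        System.out.println("authority: " + ch.authority());
        ch.shutdownNow();
    }
}
```

Stubs created from the returned channel inherit the interceptor, so no per-stub `withInterceptors` or `withCallCredentials` call is needed.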
