[ https://issues.apache.org/jira/browse/CALCITE-5890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17750785#comment-17750785 ]

Istvan Toth edited comment on CALCITE-5890 at 8/3/23 4:03 PM:
--------------------------------------------------------------

Testing on a system with a JVM configured for FIPS with bouncycastle:

Trying to load a bcfks truststore without the patch:
{noformat}
Connecting to 
jdbc:phoenix:thin:url=https://quasar-uablrr-1.vpc.cloudera.com:8765;serialization=PROTOBUF;authentication=SPNEGO;truststore=/var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks;truststore_password=86cjugByTIj4IUGj4CD9SWwWeYXVwnx9PMNWVwyGECK
[main] ERROR org.apache.calcite.avatica.remote.CommonsHttpClientPoolCache - 
HTTPS registry configuration failed
java.lang.RuntimeException: java.io.IOException: Invalid keystore format
{noformat}
Trying to load the same with the patch and the new property:
{noformat}
Connecting to 
jdbc:phoenix:thin:url=https://quasar-uablrr-1.vpc.cloudera.com:8765;serialization=PROTOBUF;authentication=SPNEGO;truststore=/var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks;truststore_password=86cjugByTIj4IUGj4CD9SWwWeYXVwnx9PMNWVwyGECK;keystore_type=bcfks
[main] INFO org.apache.calcite.avatica.remote.CommonsHttpClientPoolCache - 
Trustore loaded from: 
/var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks
{noformat}
The truststore file is bcfks, despite the file name extension.


was (Author: stoty):
Testing on a system with a JVM configure for FIPS with bouncycastle:

Trying to load a bcfks truststore without the patch:
{noformat}
Connecting to 
jdbc:phoenix:thin:url=https://quasar-uablrr-1.vpc.cloudera.com:8765;serialization=PROTOBUF;authentication=SPNEGO;truststore=/var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks;truststore_password=86cjugByTIj4IUGj4CD9SWwWeYXVwnx9PMNWVwyGECK
[main] ERROR org.apache.calcite.avatica.remote.CommonsHttpClientPoolCache - 
HTTPS registry configuration failed
java.lang.RuntimeException: java.io.IOException: Invalid keystore format
{noformat}
Trying to load the same with the patch and the new property:
{noformat}
Connecting to 
jdbc:phoenix:thin:url=https://quasar-uablrr-1.vpc.cloudera.com:8765;serialization=PROTOBUF;authentication=SPNEGO;truststore=/var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks;truststore_password=86cjugByTIj4IUGj4CD9SWwWeYXVwnx9PMNWVwyGECK;keystore_type=bcfks
[main] INFO org.apache.calcite.avatica.remote.CommonsHttpClientPoolCache - 
Trustore loaded from: 
/var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks
{noformat}
The truststore file is bcfks, despite the file name extension.

> Handle non-JKS truststores in Avatica client
> --------------------------------------------
>
>                 Key: CALCITE-5890
>                 URL: https://issues.apache.org/jira/browse/CALCITE-5890
>             Project: Calcite
>          Issue Type: Bug
>          Components: avatica
>            Reporter: Istvan Toth
>            Assignee: Istvan Toth
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Avatica can handle non-JKS truststores on the server side.
> However, the client fails if we try to use non-JKS keystore.
> Either add a connection property to specify the keystore format, or enable 
> autodetection (if it is possible)
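
The two options named in the issue description, sketched with the plain JDK `KeyStore` API as an added example; this is not Avatica's code or the patch under review. The class name, the `loadTruststore` helper and the password are hypothetical, a PKCS12 file stands in for bcfks so that it runs without Bouncy Castle, and whether probing recognises a given format depends on the providers installed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

public class TruststoreTypeDemo {
  /** Hypothetical helper: explicit type if given, otherwise JDK 9+ provider probing. */
  static KeyStore loadTruststore(Path file, char[] password, String type)
      throws IOException, GeneralSecurityException {
    if (type == null || type.isEmpty()) {
      // Autodetection: each installed provider is asked whether it recognises the file.
      return KeyStore.getInstance(file.toFile(), password);
    }
    // Explicit type, the equivalent of a keystore_type connection property.
    KeyStore ks = KeyStore.getInstance(type);
    try (InputStream in = Files.newInputStream(file)) {
      ks.load(in, password);
    }
    return ks;
  }

  public static void main(String[] args) throws Exception {
    char[] password = "constructed-sample-password".toCharArray(); // constructed value
    // Constructed sample: an empty PKCS12 store saved under a misleading .jks name.
    Path file = Files.createTempFile("demo_truststore", ".jks");
    KeyStore pkcs12 = KeyStore.getInstance("PKCS12");
    pkcs12.load(null, null);
    try (OutputStream out = Files.newOutputStream(file)) {
      pkcs12.store(out, password);
    }
    try {
      // A type that does not match the file content is rejected while parsing.
      loadTruststore(file, password, "JCEKS");
    } catch (IOException e) {
      System.out.println("wrong type rejected: " + e.getMessage());
    }
    System.out.println("explicit type: "
        + loadTruststore(file, password, "PKCS12").getType());
    System.out.println("autodetected:  "
        + loadTruststore(file, password, null).getType());
    Files.delete(file);
  }
}
```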


