[jira] [Comment Edited] (CASSANDRA-14437) SSTableLoader does not work when "internode_encryption : all" is set

2018-05-15 Thread Paul Cheon (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-14437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16476156#comment-16476156
 ] 

Paul Cheon edited comment on CASSANDRA-14437 at 5/15/18 4:52 PM:

The content of the yaml file is exactly the same except for the node keystore file:
{code}
  keystore: "/etc/ssl/visier/10.1.119.203.jks"
{code}

The keystore password is the same, though.  Only the certificate inside the 
keystore is generated with the IP address of each node.

The trust keystore is the same file on every node.

was (Author: paul.ch...@visiercorp.com):
The content of the yaml file is exactly the same except for the node keystore file:
{code}
  keystore: "/etc/ssl/visier/10.1.119.203.jks"
{code}

The keystore password is the same, though.  Only the certificate inside the 
keystore is generated with the IP address of each node.



> SSTableLoader does not work when "internode_encryption : all" is set
> 
>
> Key: CASSANDRA-14437
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14437
> Project: Cassandra
>  Issue Type: Bug
>  Components: Tools
>Reporter: Paul Cheon
>Priority: Major
> Fix For: 3.11.2
>
>
> I am trying to use sstableloader to restore a snapshot.
> If "internode_encryption : all" is set, then it does not work and complains 
> with the error messages below.  I initiated sstableloader from 10.1.10.203 
> (yvr-paul-cas003), so 10.1.10.203 worked fine, but the other two nodes 
> (10.1.10.201 & 10.1.10.202) failed.
> {noformat}
> pcheon@yvr-paul-cas003:~/t$ sstableloader -v -d 10.1.10.203 office_audit/log/ 
> -f /etc/cassandra/cassandra.yaml -u pcheon -pw `cat .secret`
> WARN  17:23:45,166 Small commitlog volume detected at 
> /var/lib/cassandra/commitlog; setting commitlog_total_space_in_mb to 2316.  
> You can override this in cassandra.yaml
> WARN  17:23:45,170 Small cdc volume detected at /var/lib/cassandra/cdc_raw; 
> setting cdc_total_space_in_mb to 1158.  You can override this in 
> cassandra.yaml
> WARN  17:23:45,285 Only 5.318GiB free across all data volumes. Consider 
> adding more capacity to your cluster or removing obsolete snapshots
> Established connection to initial hosts
> Opening sstables and calculating sections to stream
> Streaming relevant part of 
> /home/pcheon/t/office_audit/log/mc-1083-big-Data.db 
> /home/pcheon/t/office_audit/log/mc-1100-big-Data.db 
> /home/pcheon/t/office_audit/log/mc-1101-big-Data.db 
> /home/pcheon/t/office_audit/log/mc-257-big-Data.db 
> /home/pcheon/t/office_audit/log/mc-984-big-Data.db  to [/10.1.10.201, 
> /10.1.10.203, /10.1.10.202]
> ERROR 17:23:49,460 [Stream #938baee0-4e2d-11e8-9be0-ebc69ba4b87f] Streaming 
> error occurred on session with peer 10.1.10.201
> java.net.SocketException: Invalid argument or cannot assign requested address
>   at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.8.0_112]
>   at 
> java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) 
> ~[na:1.8.0_112]
>   at 
> java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
>  ~[na:1.8.0_112]
>   at 
> java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) 
> ~[na:1.8.0_112]
>   at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) 
> ~[na:1.8.0_112]
>   at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_112]
>   at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668) 
> ~[na:1.8.0_112]
>   at sun.security.ssl.SSLSocketImpl.<init>(SSLSocketImpl.java:495) 
> ~[na:1.8.0_112]
>   at 
> sun.security.ssl.SSLSocketFactoryImpl.createSocket(SSLSocketFactoryImpl.java:169)
>  ~[na:1.8.0_112]
>   at 
> org.apache.cassandra.security.SSLFactory.getSocket(SSLFactory.java:81) 
> ~[apache-cassandra-3.11.2.jar:3.11.2]
>   at 
> org.apache.cassandra.tools.BulkLoadConnectionFactory.createConnection(BulkLoadConnectionFactory.java:56)
>  ~[apache-cassandra-3.11.2.jar:3.11.2]
>   at 
> org.apache.cassandra.streaming.StreamSession.createConnection(StreamSession.java:282)
>  ~[apache-cassandra-3.11.2.jar:3.11.2]
>   at 
> org.apache.cassandra.streaming.ConnectionHandler.initiate(ConnectionHandler.java:86)
>  ~[apache-cassandra-3.11.2.jar:3.11.2]
>   at 
> org.apache.cassandra.streaming.StreamSession.start(StreamSession.java:269) 
> ~[apache-cassandra-3.11.2.jar:3.11.2]
>   at 
> org.apache.cassandra.streaming.StreamCoordinator$StreamSessionConnector.run(StreamCoordinator.java:263)
>  [apache-cassandra-3.11.2.jar:3.11.2]
>   at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>  [na:1.8.0_112]
>   at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>  [na:1.8.0_112]
>   at 
> 

[jira] [Comment Edited] (CASSANDRA-14437) SSTableLoader does not work when "internode_encryption : all" is set

2018-05-02 Thread Paul Cheon (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-14437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16461372#comment-16461372
 ] 

Paul Cheon edited comment on CASSANDRA-14437 at 5/2/18 5:42 PM:


Here is the cassandra.yml file content I used with sstableloader

{code}
---
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
cluster_name: vdc_ca_cdval
commitlog_sync: periodic
commitlog_sync_period_in_ms: 1
endpoint_snitch: GossipingPropertyFileSnitch
listen_address: 10.1.10.203
rpc_address: 0.0.0.0
broadcast_rpc_address: 10.1.10.203
partitioner: org.apache.cassandra.dht.Murmur3Partitioner
seed_provider:
- class_name: org.apache.cassandra.locator.SimpleSeedProvider
  parameters:
  - seeds: 10.1.10.201
num_tokens: 64
start_native_transport: true
transparent_data_encryption_options:
  enabled: true
  chunk_length_kb: '64'
  cipher: AES/CBC/PKCS5Padding
  key_alias: atrestencryptionkey
  key_provider:
  - class_name: org.apache.cassandra.security.JKSKeyProvider
    parameters:
    - keystore: "/etc/ssl/visier/atrestencryptionkey.jceks"
      keystore_password: somepassword
      store_type: JCEKS
      key_password: somepassword
server_encryption_options:
  internode_encryption: all
  keystore: "/etc/ssl/visier/10.1.119.203.jks"
  keystore_password: somepassword
  truststore: "/etc/ssl/visier/generic-server-truststore.jks"
  truststore_password: somepassword
  protocol:
  - TLS
  algorithm: SunX509
  store_type: JKS
  cipher_suites:
  - TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  require_client_auth: true
client_encryption_options:
  enabled: true
  optional: false
  require_client_auth: false
  keystore: "/etc/ssl/visier/10.1.119.203.jks"
  keystore_password: somepassword
  truststore: "/etc/ssl/visier/generic-server-truststore.jks"
  truststore_password: somepassword
  protocol:
  - TLS
  cipher_suites:
  - TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
batch_size_warn_threshold_in_kb: 10
slow_query_log_timeout_in_ms: 1000
commitlog_directory: "/var/lib/cassandra/commitlog"
data_file_directories:
- "/var/lib/cassandra/data"
hints_directory: "/var/lib/cassandra/hints"
saved_caches_directory: "/var/lib/cassandra/saved_caches"
{code}



was (Author: paul.ch...@visiercorp.com):
Here is the cassandra.yml file content I used with sstableloader

{code}
---
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
cluster_name: vdc_ca_cdval
commitlog_sync: periodic
commitlog_sync_period_in_ms: 1
endpoint_snitch: GossipingPropertyFileSnitch
listen_address: 10.1.10.203
rpc_address: 0.0.0.0
broadcast_rpc_address: 10.1.10.203
partitioner: org.apache.cassandra.dht.Murmur3Partitioner
seed_provider:
- class_name: org.apache.cassandra.locator.SimpleSeedProvider
  parameters:
  - seeds: 10.1.10.201,10.1.10.201
num_tokens: 64
start_native_transport: true
transparent_data_encryption_options:
  enabled: true
  chunk_length_kb: '64'
  cipher: AES/CBC/PKCS5Padding
  key_alias: atrestencryptionkey
  key_provider:
  - class_name: org.apache.cassandra.security.JKSKeyProvider
    parameters:
    - keystore: "/etc/ssl/visier/atrestencryptionkey.jceks"
      keystore_password: somepassword
      store_type: JCEKS
      key_password: somepassword
server_encryption_options:
  internode_encryption: all
  keystore: "/etc/ssl/visier/10.1.119.203.jks"
  keystore_password: somepassword
  truststore: "/etc/ssl/visier/generic-server-truststore.jks"
  truststore_password: somepassword
  protocol:
  - TLS
  algorithm: SunX509
  store_type: JKS
  cipher_suites:
  - TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  require_client_auth: true