[jira] [Comment Edited] (CASSANDRA-14437) SSTableLoader does not work when "internode_encryption : all" is set
[ https://issues.apache.org/jira/browse/CASSANDRA-14437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16476156#comment-16476156 ]

Paul Cheon edited comment on CASSANDRA-14437 at 5/15/18 4:52 PM:

The content of the yaml file is exactly the same except for the node keystore file
{code}
keystore: "/etc/ssl/visier/10.1.119.203.jks"
{code}
The keystore password is the same though. Just the certificate inside of the keystore is generated with the IP address of each node.
The trust keystore is the same file on every node.

was (Author: paul.ch...@visiercorp.com):
The content of the yaml file is exactly the same except for the node keystore file
{code}
keystore: "/etc/ssl/visier/10.1.119.203.jks"
{code}
The keystore password is the same though. Just the certificate inside of the keystore is generated with the IP address of each node.

> SSTableLoader does not work when "internode_encryption : all" is set
>
>                 Key: CASSANDRA-14437
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14437
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Tools
>            Reporter: Paul Cheon
>            Priority: Major
>             Fix For: 3.11.2
>
> I am trying to use sstableloader to restore a snapshot.
> If "internode_encryption : all" is set, then it does not work and complains
> with the error messages below. I initiated sstableloader from 10.1.10.203
> (yvr-paul-cas003), so 10.1.10.203 worked fine, but the other two nodes
> (10.1.10.201 & 10.1.10.202) failed.
> {noformat}
> pcheon@yvr-paul-cas003:~/t$ sstableloader -v -d 10.1.10.203 office_audit/log/ -f /etc/cassandra/cassandra.yaml -u pcheon -pw `cat .secret`
> WARN 17:23:45,166 Small commitlog volume detected at /var/lib/cassandra/commitlog; setting commitlog_total_space_in_mb to 2316. You can override this in cassandra.yaml
> WARN 17:23:45,170 Small cdc volume detected at /var/lib/cassandra/cdc_raw; setting cdc_total_space_in_mb to 1158. You can override this in cassandra.yaml
> WARN 17:23:45,285 Only 5.318GiB free across all data volumes. Consider adding more capacity to your cluster or removing obsolete snapshots
> Established connection to initial hosts
> Opening sstables and calculating sections to stream
> Streaming relevant part of /home/pcheon/t/office_audit/log/mc-1083-big-Data.db /home/pcheon/t/office_audit/log/mc-1100-big-Data.db /home/pcheon/t/office_audit/log/mc-1101-big-Data.db /home/pcheon/t/office_audit/log/mc-257-big-Data.db /home/pcheon/t/office_audit/log/mc-984-big-Data.db to [/10.1.10.201, /10.1.10.203, /10.1.10.202]
> ERROR 17:23:49,460 [Stream #938baee0-4e2d-11e8-9be0-ebc69ba4b87f] Streaming error occurred on session with peer 10.1.10.201
> java.net.SocketException: Invalid argument or cannot assign requested address
>     at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.8.0_112]
>     at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[na:1.8.0_112]
>     at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[na:1.8.0_112]
>     at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[na:1.8.0_112]
>     at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_112]
>     at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_112]
>     at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668) ~[na:1.8.0_112]
>     at sun.security.ssl.SSLSocketImpl.(SSLSocketImpl.java:495) ~[na:1.8.0_112]
>     at sun.security.ssl.SSLSocketFactoryImpl.createSocket(SSLSocketFactoryImpl.java:169) ~[na:1.8.0_112]
>     at org.apache.cassandra.security.SSLFactory.getSocket(SSLFactory.java:81) ~[apache-cassandra-3.11.2.jar:3.11.2]
>     at org.apache.cassandra.tools.BulkLoadConnectionFactory.createConnection(BulkLoadConnectionFactory.java:56) ~[apache-cassandra-3.11.2.jar:3.11.2]
>     at org.apache.cassandra.streaming.StreamSession.createConnection(StreamSession.java:282) ~[apache-cassandra-3.11.2.jar:3.11.2]
>     at org.apache.cassandra.streaming.ConnectionHandler.initiate(ConnectionHandler.java:86) ~[apache-cassandra-3.11.2.jar:3.11.2]
>     at org.apache.cassandra.streaming.StreamSession.start(StreamSession.java:269) ~[apache-cassandra-3.11.2.jar:3.11.2]
>     at org.apache.cassandra.streaming.StreamCoordinator$StreamSessionConnector.run(StreamCoordinator.java:263) [apache-cassandra-3.11.2.jar:3.11.2]
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_112]
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_112]
>     at
[jira] [Comment Edited] (CASSANDRA-14437) SSTableLoader does not work when "internode_encryption : all" is set
[ https://issues.apache.org/jira/browse/CASSANDRA-14437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16461372#comment-16461372 ]

Paul Cheon edited comment on CASSANDRA-14437 at 5/2/18 5:42 PM:

Here is the cassandra.yml file content I used with sstableloader
{code}
---
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
cluster_name: vdc_ca_cdval
commitlog_sync: periodic
commitlog_sync_period_in_ms: 1
endpoint_snitch: GossipingPropertyFileSnitch
listen_address: 10.1.10.203
rpc_address: 0.0.0.0
broadcast_rpc_address: 10.1.10.203
partitioner: org.apache.cassandra.dht.Murmur3Partitioner
seed_provider:
- class_name: org.apache.cassandra.locator.SimpleSeedProvider
  parameters:
  - seeds: 10.1.10.201
num_tokens: 64
start_native_transport: true
transparent_data_encryption_options:
  enabled: true
  chunk_length_kb: '64'
  cipher: AES/CBC/PKCS5Padding
  key_alias: atrestencryptionkey
  key_provider:
  - class_name: org.apache.cassandra.security.JKSKeyProvider
    parameters:
    - keystore: "/etc/ssl/visier/atrestencryptionkey.jceks"
      keystore_password: somepassword
      store_type: JCEKS
      key_password: somepassword
server_encryption_options:
  internode_encryption: all
  keystore: "/etc/ssl/visier/10.1.119.203.jks"
  keystore_password: somepassword
  truststore: "/etc/ssl/visier/generic-server-truststore.jks"
  truststore_password: somepassword
  protocol:
  - TLS
  algorithm: SunX509
  store_type: JKS
  cipher_suites:
  - TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  require_client_auth: true
client_encryption_options:
  enabled: true
  optional: false
  require_client_auth: false
  keystore: "/etc/ssl/visier/10.1.119.203.jks"
  keystore_password: somepassword
  truststore: "/etc/ssl/visier/generic-server-truststore.jks"
  truststore_password: somepassword
  protocol:
  - TLS
  cipher_suites:
  - TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
batch_size_warn_threshold_in_kb: 10
slow_query_log_timeout_in_ms: 1000
commitlog_directory: "/var/lib/cassandra/commitlog"
data_file_directories:
- "/var/lib/cassandra/data"
hints_directory: "/var/lib/cassandra/hints"
saved_caches_directory: "/var/lib/cassandra/saved_caches"
{code}

was (Author: paul.ch...@visiercorp.com):
Here is the cassandra.yml file content I used with sstableloader
{code}
---
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
cluster_name: vdc_ca_cdval
commitlog_sync: periodic
commitlog_sync_period_in_ms: 1
endpoint_snitch: GossipingPropertyFileSnitch
listen_address: 10.1.10.203
rpc_address: 0.0.0.0
broadcast_rpc_address: 10.1.10.203
partitioner: org.apache.cassandra.dht.Murmur3Partitioner
seed_provider:
- class_name: org.apache.cassandra.locator.SimpleSeedProvider
  parameters:
  - seeds: 10.1.10.201,10.1.10.201
num_tokens: 64
start_native_transport: true
transparent_data_encryption_options:
  enabled: true
  chunk_length_kb: '64'
  cipher: AES/CBC/PKCS5Padding
  key_alias: atrestencryptionkey
  key_provider:
  - class_name: org.apache.cassandra.security.JKSKeyProvider
    parameters:
    - keystore: "/etc/ssl/visier/atrestencryptionkey.jceks"
      keystore_password: somepassword
      store_type: JCEKS
      key_password: somepassword
server_encryption_options:
  internode_encryption: all
  keystore: "/etc/ssl/visier/10.1.119.203.jks"
  keystore_password: somepassword
  truststore: "/etc/ssl/visier/generic-server-truststore.jks"
  truststore_password: somepassword
  protocol:
  - TLS
  algorithm: SunX509
  store_type: JKS
  cipher_suites:
  - TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  require_client_auth: true