[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Christian Tramnitz (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16761930#comment-16761930
 ] 

Christian Tramnitz commented on ZOOKEEPER-2125:
---

I second that. It's hard to justify that TLS is *not* supported by an 
application in 2019. With the "beta" tag on 3.5 this is not an option for some 
enterprises in production.

> SSL on Netty client-server communication
> 
>
> Key: ZOOKEEPER-2125
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
> Project: ZooKeeper
>  Issue Type: Sub-task
>Reporter: Hongchao Deng
>Assignee: Hongchao Deng
>Priority: Major
> Fix For: 3.5.1, 3.6.0
>
> Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, 
> testTrustStore.jks
>
>
> Supporting SSL on Netty client-server communication. 
> 1. It supports keystore and trustore usage. 
> 2. It adds an additional ZK server port which supports SSL. This would be 
> useful for rolling upgrade.
> RB: https://reviews.apache.org/r/31277/
> The patch includes three files: 
> * testing purpose keystore and truststore under 
> "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/".
> * latest ZOOKEEPER-2125.patch
> h2. How to use it
> You need to set some parameters on both ZK server and client.
> h3. Server
> You need to specify a listening SSL port in "zoo.cfg":
> {code}
> secureClientPort=2281
> {code}
> Just like what you did with "clientPort". And then set some jvm flags:
> {code}
> export 
> SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
>  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
> -Dzookeeper.ssl.keyStore.password=testpass 
> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
> -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> Please change keystore and truststore parameters accordingly.
> h3. Client
> You need to set jvm flags:
> {code}
> export 
> CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
>  -Dzookeeper.client.secure=true 
> -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
> -Dzookeeper.ssl.keyStore.password=testpass 
> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
> -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> change keystore and truststore parameters accordingly.
> And then connect to the server's SSL port, in this case:
> {code}
> bin/zkCli.sh -server 127.0.0.1:2281
> {code}
> If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Andreas Buschka (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16722913#comment-16722913
 ] 

Andreas Buschka commented on ZOOKEEPER-2125:


Would it be possible to backport this enhancement to Zookeeper 3.4.x? As of 
12/2018, Zookeeper 3.5 still seems to be marked as "Beta" ( 
[https://zookeeper.apache.org/releases.html] ) and it would really be helpful 
to have full TLS support in the stable version.

> SSL on Netty client-server communication
> 
>
> Key: ZOOKEEPER-2125
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
> Project: ZooKeeper
>  Issue Type: Sub-task
>Reporter: Hongchao Deng
>Assignee: Hongchao Deng
>Priority: Major
> Fix For: 3.5.1, 3.6.0
>
> Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, 
> testTrustStore.jks
>
>
> Supporting SSL on Netty client-server communication. 
> 1. It supports keystore and trustore usage. 
> 2. It adds an additional ZK server port which supports SSL. This would be 
> useful for rolling upgrade.
> RB: https://reviews.apache.org/r/31277/
> The patch includes three files: 
> * testing purpose keystore and truststore under 
> "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/".
> * latest ZOOKEEPER-2125.patch
> h2. How to use it
> You need to set some parameters on both ZK server and client.
> h3. Server
> You need to specify a listening SSL port in "zoo.cfg":
> {code}
> secureClientPort=2281
> {code}
> Just like what you did with "clientPort". And then set some jvm flags:
> {code}
> export 
> SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
>  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
> -Dzookeeper.ssl.keyStore.password=testpass 
> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
> -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> Please change keystore and truststore parameters accordingly.
> h3. Client
> You need to set jvm flags:
> {code}
> export 
> CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
>  -Dzookeeper.client.secure=true 
> -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
> -Dzookeeper.ssl.keyStore.password=testpass 
> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
> -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> change keystore and truststore parameters accordingly.
> And then connect to the server's SSL port, in this case:
> {code}
> bin/zkCli.sh -server 127.0.0.1:2281
> {code}
> If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Martin M (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16638309#comment-16638309
 ] 

Martin M commented on ZOOKEEPER-2125:
-

In this Jira item it is indicated that in order to configure SSl, one has to 
specified secureClientPort in zoo.cfg.

However, the documentation 
(https://zookeeper.apache.org/doc/r3.5.2-alpha/zookeeperReconfig.html) says:
{noformat}
Starting with 3.5.0 the clientPort and clientPortAddress configuration 
parameters should no longer be used
{noformat}
I have tried setting the SSL port in the dynamic configuration, but it doesnt 
work. The secureClientPort must be specified in zoo.cfg.
When i specify both securePortClient in zoo.cfg and the dynamic configuration, 
ZK server doesnt start anymore.
How to fix this?
Thanks

> SSL on Netty client-server communication
> 
>
> Key: ZOOKEEPER-2125
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
> Project: ZooKeeper
>  Issue Type: Sub-task
>Reporter: Hongchao Deng
>Assignee: Hongchao Deng
>Priority: Major
> Fix For: 3.5.1, 3.6.0
>
> Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, 
> testTrustStore.jks
>
>
> Supporting SSL on Netty client-server communication. 
> 1. It supports keystore and trustore usage. 
> 2. It adds an additional ZK server port which supports SSL. This would be 
> useful for rolling upgrade.
> RB: https://reviews.apache.org/r/31277/
> The patch includes three files: 
> * testing purpose keystore and truststore under 
> "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/".
> * latest ZOOKEEPER-2125.patch
> h2. How to use it
> You need to set some parameters on both ZK server and client.
> h3. Server
> You need to specify a listening SSL port in "zoo.cfg":
> {code}
> secureClientPort=2281
> {code}
> Just like what you did with "clientPort". And then set some jvm flags:
> {code}
> export 
> SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
>  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
> -Dzookeeper.ssl.keyStore.password=testpass 
> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
> -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> Please change keystore and truststore parameters accordingly.
> h3. Client
> You need to set jvm flags:
> {code}
> export 
> CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
>  -Dzookeeper.client.secure=true 
> -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
> -Dzookeeper.ssl.keyStore.password=testpass 
> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
> -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> change keystore and truststore parameters accordingly.
> And then connect to the server's SSL port, in this case:
> {code}
> bin/zkCli.sh -server 127.0.0.1:2281
> {code}
> If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Sriram (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15863346#comment-15863346
 ] 

Sriram commented on ZOOKEEPER-2125:
---

I am using zookeeper-3.5.2-alpha . I tried enabling the SSL for zookeeper and 
marathon .  I am getting the following error error : 
EXCEPTION: org.jboss.netty.handler.ssl.NotSslRecordException: not an SSL/TLS 
record:
002dea600..
org.jboss.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record:
002dea600010

at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:857)
at 
org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
at 
org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
at 
org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at 
org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at 
org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
at 
org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
at 
org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
at 
org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
at 
org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
at 
org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
at 
org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
at 
org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

Exception is same as the one mentioned in : 
http://grokbase.com/t/zookeeper/user/166g6xvvkk/ssl-between-java-client-and-zookeeper


Any pointers? 



> SSL on Netty client-server communication
> 
>
> Key: ZOOKEEPER-2125
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
> Project: ZooKeeper
>  Issue Type: Sub-task
>Reporter: Hongchao Deng
>Assignee: Hongchao Deng
> Fix For: 3.5.1, 3.6.0
>
> Attachments: testKeyStore.jks, testTrustStore.jks, 
> ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch
>
>
> Supporting SSL on Netty client-server communication. 
> 1. It supports keystore and trustore usage. 
> 2. It adds an additional ZK server port which supports SSL. This would be 
> useful for rolling upgrade.
> RB: https://reviews.apache.org/r/31277/
> The patch includes three files: 
> * testing purpose keystore and truststore under 
> "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/".
> * latest ZOOKEEPER-2125.patch
> h2. How to use it
> You need to set some parameters on both ZK server and client.
> h3. Server
> You need to specify a listening SSL port in "zoo.cfg":
> {code}
> secureClientPort=2281
> {code}
> Just like what you did with "clientPort". And then set some jvm flags:
> {code}
> export 
> SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
>  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
> -Dzookeeper.ssl.keyStore.password=testpass 
> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
> -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> Please change keystore and truststore parameters accordingly.
> h3. Client
> You need to set jvm flags:
> {code}
> export 
> CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
>  -Dzookeeper.client.secure=true 
> -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
> -Dzookeeper.ssl.keyStore.password=testpass 
> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
> -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> change keystore and truststore parameters accordingly.

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Gaurav Abbi (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15859776#comment-15859776
 ] 

Gaurav Abbi commented on ZOOKEEPER-2125:


Is it possible to test Zookeeper with SSL using self-signed certificates?

> SSL on Netty client-server communication
> 
>
> Key: ZOOKEEPER-2125
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
> Project: ZooKeeper
>  Issue Type: Sub-task
>Reporter: Hongchao Deng
>Assignee: Hongchao Deng
> Fix For: 3.5.1, 3.6.0
>
> Attachments: testKeyStore.jks, testTrustStore.jks, 
> ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch
>
>
> Supporting SSL on Netty client-server communication. 
> 1. It supports keystore and trustore usage. 
> 2. It adds an additional ZK server port which supports SSL. This would be 
> useful for rolling upgrade.
> RB: https://reviews.apache.org/r/31277/
> The patch includes three files: 
> * testing purpose keystore and truststore under 
> "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/".
> * latest ZOOKEEPER-2125.patch
> h2. How to use it
> You need to set some parameters on both ZK server and client.
> h3. Server
> You need to specify a listening SSL port in "zoo.cfg":
> {code}
> secureClientPort=2281
> {code}
> Just like what you did with "clientPort". And then set some jvm flags:
> {code}
> export 
> SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
>  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
> -Dzookeeper.ssl.keyStore.password=testpass 
> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
> -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> Please change keystore and truststore parameters accordingly.
> h3. Client
> You need to set jvm flags:
> {code}
> export 
> CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
>  -Dzookeeper.client.secure=true 
> -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
> -Dzookeeper.ssl.keyStore.password=testpass 
> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
> -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> change keystore and truststore parameters accordingly.
> And then connect to the server's SSL port, in this case:
> {code}
> bin/zkCli.sh -server 127.0.0.1:2281
> {code}
> If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[JIRA]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15848621#comment-15848621
 ] 

Gérald Quintana commented on ZOOKEEPER-2125:


This change is interesting.

But giving truststore|keystore password using an environment variable is 
dangerous, they should be stored in Zookeeper's config file.
Any user with access to the machine can do a `ps` and grab passwords, it's like 
not having passwords at all.
{code}
# ps -ef |grep zookeeper
zookeeper4125 1  0 17:39 ?00:00:04 
/usr/lib/java/jdk-1.8.0_91/bin/java -Dzookeeper.log.dir=/var/log/zookeeper 
-Dzookeeper.root.logger=INFO,ROLLINGFILE -cp 
/appli/projects/sup/supervision/zookeeper/zookeeper-3.4.6/bin/../build/classes:/opt/zookeeper-3.4.6/bin/../build/lib/*.jar:/opt/zookeeper-3.4.6/bin/../lib/slf4j-log4j12-1.6.1.jar:/opt/zookeeper-3.4.6/bin/../lib/slf4j-api-1.6.1.jar:/opt/zookeeper-3.4.6/bin/../lib/netty-3.7.0.Final.jar:/opt/zookeeper-3.4.6/bin/../lib/log4j-1.2.16.jar:/opt/zookeeper-3.4.6/bin/../lib/jline-0.9.94.jar:/opt/zookeeper-3.4.6/bin/../zookeeper-3.4.6.jar:/opt/zookeeper-3.4.6/bin/../src/java/lib/*.jar:/opt/zookeeper-3.4.6/bin/../conf:
 
-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
 -Dzookeeper.ssl.keyStore.location=/opt/zookeeper-3.4.6/conf/keystore.jks 
-Dzookeeper.ssl.keyStore.password=changeme - 
zookeeper.ssl.trustStore.location=/opt/zookeeper-3.4.6/conf/truststore.jks 
-Dzookeeper.ssl.trustStore.password=changeme 
org.apache.zookeeper.server.quorum.QuorumPeerMain 
/opt/zookeeper-3.4.6/bin/../conf/zoo.cfg
{code}

> SSL on Netty client-server communication
> 
>
> Key: ZOOKEEPER-2125
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
> Project: ZooKeeper
>  Issue Type: Sub-task
>Reporter: Hongchao Deng
>Assignee: Hongchao Deng
> Fix For: 3.5.1, 3.6.0
>
> Attachments: testKeyStore.jks, testTrustStore.jks, 
> ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch
>
>
> Supporting SSL on Netty client-server communication. 
> 1. It supports keystore and trustore usage. 
> 2. It adds an additional ZK server port which supports SSL. This would be 
> useful for rolling upgrade.
> RB: https://reviews.apache.org/r/31277/
> The patch includes three files: 
> * testing purpose keystore and truststore under 
> "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/".
> * latest ZOOKEEPER-2125.patch
> h2. How to use it
> You need to set some parameters on both ZK server and client.
> h3. Server
> You need to specify a listening SSL port in "zoo.cfg":
> {code}
> secureClientPort=2281
> {code}
> Just like what you did with "clientPort". And then set some jvm flags:
> {code}
> export 
> SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
>  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
> -Dzookeeper.ssl.keyStore.password=testpass 
> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
> -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> Please change keystore and truststore parameters accordingly.
> h3. Client
> You need to set jvm flags:
> {code}
> export 
> CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
>  -Dzookeeper.client.secure=true 
> -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
> -Dzookeeper.ssl.keyStore.password=testpass 
> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
> -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> change keystore and truststore parameters accordingly.
> And then connect to the server's SSL port, in this case:
> {code}
> bin/zkCli.sh -server 127.0.0.1:2281
> {code}
> If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Flavio Junqueira (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15843297#comment-15843297
 ] 

Flavio Junqueira commented on ZOOKEEPER-2125:
-

I remember having a different user on our list also requesting a backport of 
this feature. I'd have to look for the thread, but the message we gave at the 
time was that it is ok to work on a patch and share with the community, but we 
won't be merging it o 3.4 because it is a stable branch and we generally avoid 
merging new features to a stable branch, we target merging only bug fixes.

As for it being technically possible, I don't see why i wouldn't be, but I 
haven't actually tried.

> SSL on Netty client-server communication
> 
>
> Key: ZOOKEEPER-2125
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
> Project: ZooKeeper
>  Issue Type: Sub-task
>Reporter: Hongchao Deng
>Assignee: Hongchao Deng
> Fix For: 3.5.1, 3.6.0
>
> Attachments: testKeyStore.jks, testTrustStore.jks, 
> ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch
>
>
> Supporting SSL on Netty client-server communication. 
> 1. It supports keystore and trustore usage. 
> 2. It adds an additional ZK server port which supports SSL. This would be 
> useful for rolling upgrade.
> RB: https://reviews.apache.org/r/31277/
> The patch includes three files: 
> * testing purpose keystore and truststore under 
> "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/".
> * latest ZOOKEEPER-2125.patch
> h2. How to use it
> You need to set some parameters on both ZK server and client.
> h3. Server
> You need to specify a listening SSL port in "zoo.cfg":
> {code}
> secureClientPort=2281
> {code}
> Just like what you did with "clientPort". And then set some jvm flags:
> {code}
> export 
> SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
>  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
> -Dzookeeper.ssl.keyStore.password=testpass 
> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
> -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> Please change keystore and truststore parameters accordingly.
> h3. Client
> You need to set jvm flags:
> {code}
> export 
> CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
>  -Dzookeeper.client.secure=true 
> -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
> -Dzookeeper.ssl.keyStore.password=testpass 
> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
> -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> change keystore and truststore parameters accordingly.
> And then connect to the server's SSL port, in this case:
> {code}
> bin/zkCli.sh -server 127.0.0.1:2281
> {code}
> If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Shivam (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15843196#comment-15843196
 ] 

Shivam commented on ZOOKEEPER-2125:
---

Do you know any expected release date for stable 3.5.x release ?
we are using 3.4.9 stable release and need ssl asap. I can work on back porting 
it , if you say it is technically possible ?

> SSL on Netty client-server communication
> 
>
> Key: ZOOKEEPER-2125
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
> Project: ZooKeeper
>  Issue Type: Sub-task
>Reporter: Hongchao Deng
>Assignee: Hongchao Deng
> Fix For: 3.5.1, 3.6.0
>
> Attachments: testKeyStore.jks, testTrustStore.jks, 
> ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch
>
>
> Supporting SSL on Netty client-server communication. 
> 1. It supports keystore and trustore usage. 
> 2. It adds an additional ZK server port which supports SSL. This would be 
> useful for rolling upgrade.
> RB: https://reviews.apache.org/r/31277/
> The patch includes three files: 
> * testing purpose keystore and truststore under 
> "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/".
> * latest ZOOKEEPER-2125.patch
> h2. How to use it
> You need to set some parameters on both ZK server and client.
> h3. Server
> You need to specify a listening SSL port in "zoo.cfg":
> {code}
> secureClientPort=2281
> {code}
> Just like what you did with "clientPort". And then set some jvm flags:
> {code}
> export 
> SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
>  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
> -Dzookeeper.ssl.keyStore.password=testpass 
> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
> -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> Please change keystore and truststore parameters accordingly.
> h3. Client
> You need to set jvm flags:
> {code}
> export 
> CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
>  -Dzookeeper.client.secure=true 
> -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
> -Dzookeeper.ssl.keyStore.password=testpass 
> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
> -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> change keystore and truststore parameters accordingly.
> And then connect to the server's SSL port, in this case:
> {code}
> bin/zkCli.sh -server 127.0.0.1:2281
> {code}
> If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Flavio Junqueira (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15842884#comment-15842884
 ] 

Flavio Junqueira commented on ZOOKEEPER-2125:
-

hello [~shivamvds], this is not a bug fix, but a feature and as such we have no 
plan to back port it to the 3.4 branch. we are working towards a stable 3.5.x 
release, though.

> SSL on Netty client-server communication
> 
>
> Key: ZOOKEEPER-2125
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
> Project: ZooKeeper
>  Issue Type: Sub-task
>Reporter: Hongchao Deng
>Assignee: Hongchao Deng
> Fix For: 3.5.1, 3.6.0
>
> Attachments: testKeyStore.jks, testTrustStore.jks, 
> ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch
>
>
> Supporting SSL on Netty client-server communication. 
> 1. It supports keystore and trustore usage. 
> 2. It adds an additional ZK server port which supports SSL. This would be 
> useful for rolling upgrade.
> RB: https://reviews.apache.org/r/31277/
> The patch includes three files: 
> * testing purpose keystore and truststore under 
> "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/".
> * latest ZOOKEEPER-2125.patch
> h2. How to use it
> You need to set some parameters on both ZK server and client.
> h3. Server
> You need to specify a listening SSL port in "zoo.cfg":
> {code}
> secureClientPort=2281
> {code}
> Just like what you did with "clientPort". And then set some jvm flags:
> {code}
> export 
> SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
>  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
> -Dzookeeper.ssl.keyStore.password=testpass 
> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
> -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> Please change keystore and truststore parameters accordingly.
> h3. Client
> You need to set jvm flags:
> {code}
> export 
> CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
>  -Dzookeeper.client.secure=true 
> -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
> -Dzookeeper.ssl.keyStore.password=testpass 
> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
> -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> change keystore and truststore parameters accordingly.
> And then connect to the server's SSL port, in this case:
> {code}
> bin/zkCli.sh -server 127.0.0.1:2281
> {code}
> If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Shivam (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15840986#comment-15840986
 ] 

Shivam commented on ZOOKEEPER-2125:
---

Can this fix be back ported to last stable release 3.4.9 ??

> SSL on Netty client-server communication
> 
>
> Key: ZOOKEEPER-2125
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
> Project: ZooKeeper
>  Issue Type: Sub-task
>Reporter: Hongchao Deng
>Assignee: Hongchao Deng
> Fix For: 3.5.1, 3.6.0
>
> Attachments: testKeyStore.jks, testTrustStore.jks, 
> ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
> ZOOKEEPER-2125.patch
>
>
> Supporting SSL on Netty client-server communication. 
> 1. It supports keystore and trustore usage. 
> 2. It adds an additional ZK server port which supports SSL. This would be 
> useful for rolling upgrade.
> RB: https://reviews.apache.org/r/31277/
> The patch includes three files: 
> * testing purpose keystore and truststore under 
> "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/".
> * latest ZOOKEEPER-2125.patch
> h2. How to use it
> You need to set some parameters on both ZK server and client.
> h3. Server
> You need to specify a listening SSL port in "zoo.cfg":
> {code}
> secureClientPort=2281
> {code}
> Just like what you did with "clientPort". And then set some jvm flags:
> {code}
> export 
> SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
>  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
> -Dzookeeper.ssl.keyStore.password=testpass 
> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
> -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> Please change keystore and truststore parameters accordingly.
> h3. Client
> You need to set jvm flags:
> {code}
> export 
> CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
>  -Dzookeeper.client.secure=true 
> -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
> -Dzookeeper.ssl.keyStore.password=testpass 
> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
> -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> change keystore and truststore parameters accordingly.
> And then connect to the server's SSL port, in this case:
> {code}
> bin/zkCli.sh -server 127.0.0.1:2281
> {code}
> If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hongchao Deng (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14375218#comment-14375218
 ] 

Hongchao Deng commented on ZOOKEEPER-2125:
--

Sounds excellent.
I have created ZOOKEEPER-2148 for it.

I'm pretty occupied by other stuff right now. I will continue to work on it and 
would like to include things in ZOOKEEPER-2123 in the guide too :)

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1, 3.6.0

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, 
 testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Michi Mutsuzaki (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14375213#comment-14375213
 ] 

Michi Mutsuzaki commented on ZOOKEEPER-2125:


This feature probably deserves a dedicated user guide, something similar to 
https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL . What 
do you guys think?

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1, 3.6.0

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, 
 testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hudson (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14366986#comment-14366986
 ] 

Hudson commented on ZOOKEEPER-2125:
---

SUCCESS: Integrated in ZooKeeper-trunk #2633 (See 
[https://builds.apache.org/job/ZooKeeper-trunk/2633/])
ZOOKEEPER-2125 SSL on Netty client-server communication (Hongchao, Ian Dimayuga 
via rakeshr) (rakeshr: 
http://svn.apache.org/viewcvs.cgi/?root=Apache-SVNview=revrev=1667358)
* /zookeeper/trunk/CHANGES.txt
* /zookeeper/trunk/build.xml
* /zookeeper/trunk/src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml
* /zookeeper/trunk/src/java/main/org/apache/zookeeper/ClientCnxnSocketNetty.java
* /zookeeper/trunk/src/java/main/org/apache/zookeeper/ZooKeeper.java
* /zookeeper/trunk/src/java/main/org/apache/zookeeper/common/X509Exception.java
* /zookeeper/trunk/src/java/main/org/apache/zookeeper/common/X509Util.java
* 
/zookeeper/trunk/src/java/main/org/apache/zookeeper/server/FinalRequestProcessor.java
* 
/zookeeper/trunk/src/java/main/org/apache/zookeeper/server/NIOServerCnxnFactory.java
* 
/zookeeper/trunk/src/java/main/org/apache/zookeeper/server/NettyServerCnxnFactory.java
* 
/zookeeper/trunk/src/java/main/org/apache/zookeeper/server/ServerCnxnFactory.java
* /zookeeper/trunk/src/java/main/org/apache/zookeeper/server/ServerConfig.java
* 
/zookeeper/trunk/src/java/main/org/apache/zookeeper/server/ZooKeeperServer.java
* 
/zookeeper/trunk/src/java/main/org/apache/zookeeper/server/ZooKeeperServerBean.java
* 
/zookeeper/trunk/src/java/main/org/apache/zookeeper/server/ZooKeeperServerMain.java
* /zookeeper/trunk/src/java/main/org/apache/zookeeper/server/quorum/Leader.java
* /zookeeper/trunk/src/java/main/org/apache/zookeeper/server/quorum/Learner.java
* 
/zookeeper/trunk/src/java/main/org/apache/zookeeper/server/quorum/QuorumPeer.java
* 
/zookeeper/trunk/src/java/main/org/apache/zookeeper/server/quorum/QuorumPeerConfig.java
* 
/zookeeper/trunk/src/java/main/org/apache/zookeeper/server/quorum/QuorumPeerMain.java
* 
/zookeeper/trunk/src/java/main/org/apache/zookeeper/server/quorum/ReadOnlyZooKeeperServer.java
* /zookeeper/trunk/src/java/test/data/ssl
* /zookeeper/trunk/src/java/test/data/ssl/README.md
* /zookeeper/trunk/src/java/test/data/ssl/testKeyStore.jks
* /zookeeper/trunk/src/java/test/data/ssl/testTrustStore.jks
* 
/zookeeper/trunk/src/java/test/org/apache/zookeeper/server/quorum/QuorumPeerTestBase.java
* 
/zookeeper/trunk/src/java/test/org/apache/zookeeper/server/quorum/Zab1_0Test.java
* /zookeeper/trunk/src/java/test/org/apache/zookeeper/test/ReconfigTest.java
* /zookeeper/trunk/src/java/test/org/apache/zookeeper/test/SSLTest.java


 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1, 3.6.0

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, 
 testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Rakesh R (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14364686#comment-14364686
 ] 

Rakesh R commented on ZOOKEEPER-2125:
-

Thanks [~iandi] for the good work and [~rgs] for the review efforts.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, 
 testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hadoop QA (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14364305#comment-14364305
 ] 

Hadoop QA commented on ZOOKEEPER-2125:
--

-1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12704925/ZOOKEEPER-2125.patch
  against trunk revision 1666908.

+1 @author.  The patch does not contain any @author tags.

+1 tests included.  The patch appears to include 27 new or modified tests.

+1 javadoc.  The javadoc tool did not generate any warning messages.

+1 javac.  The applied patch does not increase the total number of javac 
compiler warnings.

+1 findbugs.  The patch does not introduce any new Findbugs (version 2.0.3) 
warnings.

+1 release audit.  The applied patch does not increase the total number of 
release audit warnings.

-1 core tests.  The patch failed core unit tests.

+1 contrib tests.  The patch passed contrib unit tests.

Test results: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2575//testReport/
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2575//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Console output: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2575//console

This message is automatically generated.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, 
 testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hongchao Deng (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14364611#comment-14364611
 ] 

Hongchao Deng commented on ZOOKEEPER-2125:
--

Thanks [~rgs] too! Most of the refactoring work are from his comments.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, 
 testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Rakesh R (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14364609#comment-14364609
 ] 

Rakesh R commented on ZOOKEEPER-2125:
-

Thanks a lot [~fpj], [~michim] for the reviews and [~hdeng] for taking care the 
patch. I will push this in tonight(IST timezone) if no other comments.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, 
 testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Flavio Junqueira (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14364136#comment-14364136
 ] 

Flavio Junqueira commented on ZOOKEEPER-2125:
-

[~hdeng], code looks good. there is just a small thing I'd like to improve 
here, which is the comment right above:

{noformat}
ZOOKEEPER-558:
In some cases the server would not close the connection
(closeconn buffer was not being queued) properly.
This would happen anyway when the client closed the connection,
but the server should do the right thing regardless -- close session.
Calling closeSession() if we have lost the cnxn results in the client's
close session response.
{noformat}

I tried to rephrase in a way that is more understandable to me, but feel free 
to complain. I just want to make it a bit more meaningful:

{noformat}
In some cases the server does not close the connection (e.g., closeconn buffer 
was not being queued — ZOOKEEPER-558) properly. This happens, for example, when 
the client closes the connection. The server should still close the session, 
though. Calling closeSession() after losing the cnxn, results in the client 
close session response being dropped.
{noformat}

Let me know if this makes sense and if it reads better.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hongchao Deng (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14364163#comment-14364163
 ] 

Hongchao Deng commented on ZOOKEEPER-2125:
--

The rephrase def looks better! Thanks for it.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Flavio Junqueira (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14364170#comment-14364170
 ] 

Flavio Junqueira commented on ZOOKEEPER-2125:
-

Cool, I'm signing off on this one. +1, looks good, thanks for bearing with me, 
[~hdeng].

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, 
 testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hongchao Deng (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14362080#comment-14362080
 ] 

Hongchao Deng commented on ZOOKEEPER-2125:
--

I'm almost getting consensus from Flavio. Waiting for his response.

The point that we have discussed is [this 
code|https://github.com/apache/zookeeper/blob/b7698101e3cb02bd570b4098878e85882b3c2a22/src/java/main/org/apache/zookeeper/server/FinalRequestProcessor.java#L136]:
{code}
  if (request.type == OpCode.closeSession) {
ServerCnxnFactory scxn = zks.getServerCnxnFactory();
// this might be possible since
// we might just be playing diffs from the leader
if (scxn != null  request.cnxn == null) {
// calling this if we have the cnxn results in the client's
// close session response being lost - we've already closed
// the session/socket here before we can send the closeSession
// in the switch block below
scxn.closeSession(request.sessionId);
return;
}
}
{code}

The patch adds another `zks.secureServerCnxnFactory`. So I have to change the 
ServerCnxnFactory#closeSession to return boolean to check if session is found 
and closed in either normal or secure factory. This is what I thought code 
originally was.

If Michi or Camille can share some thoughts or original design on this code, 
that would be very nice.

Thanks in advance for the long reading.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hongchao Deng (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14362081#comment-14362081
 ] 

Hongchao Deng commented on ZOOKEEPER-2125:
--

The new code looks like:
{code}
   if (request.type == OpCode.closeSession  connClosedByClient(request)) {
// We need to check if we can close the session id.
// Sometimes the corresponding ServerCnxnFactory could be null 
because
// we are just playing diffs from the leader.
if (closeSession(zks.serverCnxnFactory, request.sessionId) ||
closeSession(zks.secureServerCnxnFactory, 
request.sessionId)) {
return;
}
}

private boolean closeSession(ServerCnxnFactory serverCnxnFactory, long 
sessionId) {
if (serverCnxnFactory == null) {
return false;
}
return serverCnxnFactory.closeSession(sessionId);
}

private boolean connClosedByClient(Request request) {
return request.cnxn == null;
}
{code}

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Michi Mutsuzaki (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14362076#comment-14362076
 ] 

Michi Mutsuzaki commented on ZOOKEEPER-2125:


[~fournc] could you also take a look if you get a chance? thanks!

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Camille Fournier (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14362113#comment-14362113
 ] 

Camille Fournier commented on ZOOKEEPER-2125:
-

[~michim] tbh not sure there's much I can add unless very specifically 
directed. Any areas you folks are really concerned with having another set of 
eyes on?

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hongchao Deng (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14360695#comment-14360695
 ] 

Hongchao Deng commented on ZOOKEEPER-2125:
--

Addressed the comments. Please take another look.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, 
 testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hadoop QA (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14361578#comment-14361578
 ] 

Hadoop QA commented on ZOOKEEPER-2125:
--

-1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12704566/ZOOKEEPER-2125.patch
  against trunk revision 1665315.

+1 @author.  The patch does not contain any @author tags.

+1 tests included.  The patch appears to include 27 new or modified tests.

+1 javadoc.  The javadoc tool did not generate any warning messages.

+1 javac.  The applied patch does not increase the total number of javac 
compiler warnings.

+1 findbugs.  The patch does not introduce any new Findbugs (version 2.0.3) 
warnings.

+1 release audit.  The applied patch does not increase the total number of 
release audit warnings.

-1 core tests.  The patch failed core unit tests.

+1 contrib tests.  The patch passed contrib unit tests.

Test results: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2563//testReport/
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2563//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Console output: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2563//console

This message is automatically generated.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hadoop QA (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14361549#comment-14361549
 ] 

Hadoop QA commented on ZOOKEEPER-2125:
--

-1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12704565/ZOOKEEPER-2125.patch
  against trunk revision 1665315.

+1 @author.  The patch does not contain any @author tags.

+1 tests included.  The patch appears to include 27 new or modified tests.

+1 javadoc.  The javadoc tool did not generate any warning messages.

-1 javac.  The patch appears to cause tar ant target to fail.

+1 findbugs.  The patch does not introduce any new Findbugs (version 2.0.3) 
warnings.

+1 release audit.  The applied patch does not increase the total number of 
release audit warnings.

-1 core tests.  The patch failed core unit tests.

+1 contrib tests.  The patch passed contrib unit tests.

Test results: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2562//testReport/
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2562//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Console output: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2562//console

This message is automatically generated.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Flavio Junqueira (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14361276#comment-14361276
 ] 

Flavio Junqueira commented on ZOOKEEPER-2125:
-

Thanks, Hongchao. I've left a comment there about the loop on connections. 

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, 
 testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hadoop QA (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14359707#comment-14359707
 ] 

Hadoop QA commented on ZOOKEEPER-2125:
--

-1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12704296/ZOOKEEPER-2125.patch
  against trunk revision 1665315.

+1 @author.  The patch does not contain any @author tags.

+1 tests included.  The patch appears to include 27 new or modified tests.

+1 javadoc.  The javadoc tool did not generate any warning messages.

+1 javac.  The applied patch does not increase the total number of javac 
compiler warnings.

+1 findbugs.  The patch does not introduce any new Findbugs (version 2.0.3) 
warnings.

+1 release audit.  The applied patch does not increase the total number of 
release audit warnings.

-1 core tests.  The patch failed core unit tests.

+1 contrib tests.  The patch passed contrib unit tests.

Test results: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2560//testReport/
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2560//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Console output: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2560//console

This message is automatically generated.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, 
 testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Flavio Junqueira (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14359489#comment-14359489
 ] 

Flavio Junqueira commented on ZOOKEEPER-2125:
-

I have added some minor points to the rb. I have also run tests locally and 
they pass just fine for me.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hadoop QA (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14358169#comment-14358169
 ] 

Hadoop QA commented on ZOOKEEPER-2125:
--

-1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12704094/ZOOKEEPER-2125.patch
  against trunk revision 1665315.

+1 @author.  The patch does not contain any @author tags.

+1 tests included.  The patch appears to include 19 new or modified tests.

+1 javadoc.  The javadoc tool did not generate any warning messages.

+1 javac.  The applied patch does not increase the total number of javac 
compiler warnings.

+1 findbugs.  The patch does not introduce any new Findbugs (version 2.0.3) 
warnings.

+1 release audit.  The applied patch does not increase the total number of 
release audit warnings.

-1 core tests.  The patch failed core unit tests.

+1 contrib tests.  The patch passed contrib unit tests.

Test results: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2558//testReport/
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2558//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Console output: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2558//console

This message is automatically generated.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Rakesh R (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14356786#comment-14356786
 ] 

Rakesh R commented on ZOOKEEPER-2125:
-

Since this is major change and to make sure that we are not breaking anything. 
It would be great if I can get +1 from [~fpj], [~michim], [~phunt]. Thanks!

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Michi Mutsuzaki (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14358101#comment-14358101
 ] 

Michi Mutsuzaki commented on ZOOKEEPER-2125:


For the release audit warnings, please update the releaseaudit target in 
build.xml to exclude files that you want to ignore.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hongchao Deng (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14356021#comment-14356021
 ] 

Hongchao Deng commented on ZOOKEEPER-2125:
--

Hi [~rakeshr].
In case you didn't know the process in ZOOKEEPER-1513, SVN (unlike GIT) won't 
take in any binary changes, even if diff patch contains it.
It needs the committer to review it more carefully. They will need to run the 
tests rather than rely on jenkins (in this case, the SSLTest). Then commit 
both the patches and binaries (I've provided instructions in description 
section) :)

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Rakesh R (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14355208#comment-14355208
 ] 

Rakesh R commented on ZOOKEEPER-2125:
-

ZOOKEEPER-1513 patch includes the test resources like,
{code}
diff --git src/java/test/data/buffersize/create/version-2/log.1 
src/java/test/data/buffersize/create/version-2/log.1
...
...
{code}

but in your case, ${basedir}/src/java/test/data/ssl path doesn't has the ssl 
test resources. Thats the reason while copying its fails to find the source 
files which need to be copied.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, 
 testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hongchao Deng (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14355222#comment-14355222
 ] 

Hongchao Deng commented on ZOOKEEPER-2125:
--

Uploaded a new patch.
Added the src/java/test/data/ssl/ dir in the patch.

Is it right?

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Rakesh R (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14355333#comment-14355333
 ] 

Rakesh R commented on ZOOKEEPER-2125:
-

OK. Will see the jenkins report.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hadoop QA (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14355342#comment-14355342
 ] 

Hadoop QA commented on ZOOKEEPER-2125:
--

-1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12703686/ZOOKEEPER-2125.patch
  against trunk revision 1665315.

+1 @author.  The patch does not contain any @author tags.

+1 tests included.  The patch appears to include 23 new or modified tests.

+1 javadoc.  The javadoc tool did not generate any warning messages.

+1 javac.  The applied patch does not increase the total number of javac 
compiler warnings.

+1 findbugs.  The patch does not introduce any new Findbugs (version 2.0.3) 
warnings.

-1 release audit.  The applied patch generated 1 release audit warnings 
(more than the trunk's current 0 warnings).

-1 core tests.  The patch failed core unit tests.

+1 contrib tests.  The patch passed contrib unit tests.

Test results: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2556//testReport/
Release audit warnings: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2556//artifact/trunk/patchprocess/patchReleaseAuditProblems.txt
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2556//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Console output: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2556//console

This message is automatically generated.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hongchao Deng (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14355158#comment-14355158
 ] 

Hongchao Deng commented on ZOOKEEPER-2125:
--

Here's a detailed explanation.

The final patch add the change in build.xml:
{code}
copy todir=${test.data.ssl.dir}
fileset dir=${basedir}/src/java/test/data/ssl/
/copy
{code}

This copies the test data from src/java/test/data/ssl to 
build/test/data/ssl. This is similar to ZOOKEEPER-1513.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, 
 testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Rakesh R (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14355207#comment-14355207
 ] 

Rakesh R commented on ZOOKEEPER-2125:
-

ZOOKEEPER-1513 patch includes the test resources like,
{code}
diff --git src/java/test/data/buffersize/create/version-2/log.1 
src/java/test/data/buffersize/create/version-2/log.1
...
...
{code}

but in your case, ${basedir}/src/java/test/data/ssl path doesn't has the ssl 
test resources. Thats the reason while copying its fails to find the source 
files which need to be copied.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, 
 testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Raul Gutierrez Segales (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14355328#comment-14355328
 ] 

Raul Gutierrez Segales commented on ZOOKEEPER-2125:
---

[~hdeng]: do you mind updating the RB as well? I'd like to take a last look - 
thanks!

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hongchao Deng (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14356178#comment-14356178
 ] 

Hongchao Deng commented on ZOOKEEPER-2125:
--

Did you try --force:

http://svnbook.red-bean.com/en/1.6/svn.ref.svn.c.add.html

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Patrick Hunt (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14356181#comment-14356181
 ] 

Patrick Hunt commented on ZOOKEEPER-2125:
-

Hi [~rakeshr] - what do you mean apply? You should be able to svn add the 
binaries and then commit if you're talking about source control.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Rakesh R (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14356239#comment-14356239
 ] 

Rakesh R commented on ZOOKEEPER-2125:
-

bq. what do you mean apply? 
I meant, svn or git command to apply the {{ZOOKEEPER-2125.patch}} which will 
inturn create testKeyStore.jks, testTrustStore.jks files into my local 
repository. What I've done is, applied the patch and then copy these files 
separately into my local repository. I understand that later when committing I 
can do svn add these files separately and do the commits together.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Patrick Hunt (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14356249#comment-14356249
 ] 

Patrick Hunt commented on ZOOKEEPER-2125:
-

That's normal. Unfortunately diff and patch doesn't support binary files 
(changes). So typically you need to apply the patch, then copy the binaries 
into their respective locations, then svn add the new files (e.g. the 
binaries), then svn commit it all. That make sense? I'm not sure, are you stuck 
or are you ok at this point?

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Rakesh R (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14356269#comment-14356269
 ] 

Rakesh R commented on ZOOKEEPER-2125:
-

Thanks [~phunt]. I got your point. I'm not stuck at this moment.

+1 latest patch looks fine for me. I'll wait for one day to see any more 
comments and will checkin the patch after that.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Rakesh R (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14356172#comment-14356172
 ] 

Rakesh R commented on ZOOKEEPER-2125:
-

I ran the SSLTest.java testcases successfully in my env. I've manually copied 
the attached testKeyStore.jks, testTrustStore.jks files to 
{{$HOME/test/data/ssl}} directories, unfortunately I couldn't find command to 
apply the binary files.



 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hongchao Deng (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14355147#comment-14355147
 ] 

Hongchao Deng commented on ZOOKEEPER-2125:
--

Right.

You need to put testing purpose keystore and truststore under 
$(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/ since it 
didn't exist.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, 
 testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hongchao Deng (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14355418#comment-14355418
 ] 

Hongchao Deng commented on ZOOKEEPER-2125:
--

I was trying to run the test without build failing immediately so I added a 
README in the ssl/ directory.
Jenkins complains a release audit warning..
[~rakeshr], do you think I should remove the file or add an Apache License 
header?

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hongchao Deng (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14355516#comment-14355516
 ] 

Hongchao Deng commented on ZOOKEEPER-2125:
--

I think the readme file is fine. No readme file should contain License 
header. Just ignore the release audit warning.


 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Rakesh R (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14354542#comment-14354542
 ] 

Rakesh R commented on ZOOKEEPER-2125:
-

{code}
[exec] BUILD FAILED
 [exec] 
/home/jenkins/jenkins-slave/workspace/PreCommit-ZOOKEEPER-Build/trunk/build.xml:1278:
 
/home/jenkins/jenkins-slave/workspace/PreCommit-ZOOKEEPER-Build/trunk/src/java/test/data/ssl
 does not exist.
 [exec] 
 [exec] Total time: 3 seconds
{code}

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, 
 testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hongchao Deng (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14353467#comment-14353467
 ] 

Hongchao Deng commented on ZOOKEEPER-2125:
--

Right.

The test needs the binary files, which couldn't be uploaded by SVN patch.
I've run local jenkins to make sure the patch works :)
Will update the final patch shortly.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hadoop QA (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14353492#comment-14353492
 ] 

Hadoop QA commented on ZOOKEEPER-2125:
--

-1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12703483/ZOOKEEPER-2125.patch
  against trunk revision 1665315.

+1 @author.  The patch does not contain any @author tags.

+1 tests included.  The patch appears to include 17 new or modified tests.

+1 javadoc.  The javadoc tool did not generate any warning messages.

+1 javac.  The applied patch does not increase the total number of javac 
compiler warnings.

+1 findbugs.  The patch does not introduce any new Findbugs (version 2.0.3) 
warnings.

+1 release audit.  The applied patch does not increase the total number of 
release audit warnings.

-1 core tests.  The patch failed core unit tests.

+1 contrib tests.  The patch passed contrib unit tests.

Test results: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2553//testReport/
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2553//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Console output: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2553//console

This message is automatically generated.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, 
 testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Rakesh R (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14353361#comment-14353361
 ] 

Rakesh R commented on ZOOKEEPER-2125:
-

+1 latest patch looks good to me

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hadoop QA (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14353456#comment-14353456
 ] 

Hadoop QA commented on ZOOKEEPER-2125:
--

-1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12703464/ZOOKEEPER-2125.patch
  against trunk revision 1665315.

+1 @author.  The patch does not contain any @author tags.

+1 tests included.  The patch appears to include 14 new or modified tests.

+1 javadoc.  The javadoc tool did not generate any warning messages.

+1 javac.  The applied patch does not increase the total number of javac 
compiler warnings.

+1 findbugs.  The patch does not introduce any new Findbugs (version 2.0.3) 
warnings.

+1 release audit.  The applied patch does not increase the total number of 
release audit warnings.

-1 core tests.  The patch failed core unit tests.

+1 contrib tests.  The patch passed contrib unit tests.

Test results: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2552//testReport/
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2552//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Console output: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2552//console

This message is automatically generated.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Rakesh R (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14353382#comment-14353382
 ] 

Rakesh R commented on ZOOKEEPER-2125:
-

[~hdeng] btw I've noticed the test case added is not running in CI.

{code}
Skipped
org.apache.zookeeper.test.SSLTest.testSecureStandaloneServer

Skipped for the past 1 build (Since Failed#2547 )
Took 0 ms.

Skip Message
need example binary keystore and truststore
{code}

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hongchao Deng (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14354216#comment-14354216
 ] 

Hongchao Deng commented on ZOOKEEPER-2125:
--

Hi Rakesh,

I've uploaded the final patch. And also instructions where to put the example 
binaries in the description section. Let me know if you have any other 
questions. Thanks!

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, 
 testTrustStore.jks


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 The patch includes three files: 
 * testing purpose keystore and truststore under 
 $(ZK_REPO_HOME)/src/java/test/data/ssl. Might need to create ssl/.
 * latest ZOOKEEPER-2125.patch
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hadoop QA (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14351746#comment-14351746
 ] 

Hadoop QA commented on ZOOKEEPER-2125:
--

-1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12703254/ZOOKEEPER-2125.patch
  against trunk revision 1663127.

+1 @author.  The patch does not contain any @author tags.

+1 tests included.  The patch appears to include 14 new or modified tests.

+1 javadoc.  The javadoc tool did not generate any warning messages.

+1 javac.  The applied patch does not increase the total number of javac 
compiler warnings.

+1 findbugs.  The patch does not introduce any new Findbugs (version 2.0.3) 
warnings.

+1 release audit.  The applied patch does not increase the total number of 
release audit warnings.

-1 core tests.  The patch failed core unit tests.

+1 contrib tests.  The patch passed contrib unit tests.

Test results: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2547//testReport/
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2547//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Console output: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2547//console

This message is automatically generated.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hongchao Deng (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14351728#comment-14351728
 ] 

Hongchao Deng commented on ZOOKEEPER-2125:
--

Attached a new patch to address findbugs and Rakesh's comments.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hongchao Deng (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14351081#comment-14351081
 ] 

Hongchao Deng commented on ZOOKEEPER-2125:
--

Attached a new patch addressing Rakesh's comments.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hadoop QA (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14351315#comment-14351315
 ] 

Hadoop QA commented on ZOOKEEPER-2125:
--

-1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12703189/ZOOKEEPER-2125.patch
  against trunk revision 1663127.

+1 @author.  The patch does not contain any @author tags.

+1 tests included.  The patch appears to include 14 new or modified tests.

+1 javadoc.  The javadoc tool did not generate any warning messages.

+1 javac.  The applied patch does not increase the total number of javac 
compiler warnings.

-1 findbugs.  The patch appears to introduce 1 new Findbugs (version 2.0.3) 
warnings.

+1 release audit.  The applied patch does not increase the total number of 
release audit warnings.

-1 core tests.  The patch failed core unit tests.

+1 contrib tests.  The patch passed contrib unit tests.

Test results: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2545//testReport/
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2545//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Console output: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2545//console

This message is automatically generated.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hongchao Deng (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14349558#comment-14349558
 ] 

Hongchao Deng commented on ZOOKEEPER-2125:
--

1. Finished the docs on newly added options.

2. Regarding the the example keystore and truststore binaries, I think we 
should use static files. I figure out most people create credentials using the 
official keytool. If we wanna dynamically create keystores, we might need the 
build process to depend on keytool. This isn't optimal to keep things simple 
here.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Raul Gutierrez Segales (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14346003#comment-14346003
 ] 

Raul Gutierrez Segales commented on ZOOKEEPER-2125:
---

Gave the RB a shipit - great work [~hdeng]! I think what's missing is:


* updating CHANGES.txt 
* updating docs 

Would be great to see this merged soon!

cc: [~phunt], [~rakeshr], [~fpj]

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Raul Gutierrez Segales (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14346398#comment-14346398
 ] 

Raul Gutierrez Segales commented on ZOOKEEPER-2125:
---

Could we not bundle in a dummy key store (and certs, etc.) so that SSL tests 
always run?

p.s.: I am happy to help reviewing (or writing parts of) the docs that I 
mentioned in the previous comment.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hongchao Deng (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14346422#comment-14346422
 ] 

Hongchao Deng commented on ZOOKEEPER-2125:
--

1. not bundle in dummy key store

Yes. That's possible. We can programmatically create certs and run SSL test.

2. docs

It would be great if [~rgs] you can help write the docs from a user's 
perspective. We can make it in this JIRA or create another. At the mean time, I 
can fix #1.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hadoop QA (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14343638#comment-14343638
 ] 

Hadoop QA commented on ZOOKEEPER-2125:
--

-1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12701941/ZOOKEEPER-2125.patch
  against trunk revision 1663127.

+1 @author.  The patch does not contain any @author tags.

+1 tests included.  The patch appears to include 14 new or modified tests.

+1 javadoc.  The javadoc tool did not generate any warning messages.

-1 javac.  The applied patch generated 9 javac compiler warnings (more than 
the trunk's current 6 warnings).

+1 findbugs.  The patch does not introduce any new Findbugs (version 2.0.3) 
warnings.

+1 release audit.  The applied patch does not increase the total number of 
release audit warnings.

-1 core tests.  The patch failed core unit tests.

+1 contrib tests.  The patch passed contrib unit tests.

Test results: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2540//testReport/
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2540//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Console output: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2540//console

This message is automatically generated.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hongchao Deng (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14343652#comment-14343652
 ] 

Hongchao Deng commented on ZOOKEEPER-2125:
--

Compile warnings are serial warning. Will add @SuppressWarnings(serial) 
to custom exceptions later. It doesn't affect reviewing now.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hongchao Deng (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14340406#comment-14340406
 ] 

Hongchao Deng commented on ZOOKEEPER-2125:
--

I just figured out a flaw in current design and would like to ask for help.

The current client will retry connecting if failed. This isn't desired in SSL 
case where user put wrong parameters and client would keep failing. There are a 
few options:

1. the connection could failed over to normal unencrypted mode.
2. client could die on knowing SSL exception.
3. Server can failover to accepting any credentials.

I'm not sure what's the right way to go, nor the technical details to implement 
it. Anyone can help here?

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Patrick Hunt (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14340969#comment-14340969
 ] 

Patrick Hunt commented on ZOOKEEPER-2125:
-

You certainly don't want to do 3 - that would be a bad idea from a security 
perspective. We need to ensure that the connection uses SSL if that's what the 
client is expecting, better to never connect than to connect insecurely in that 
case.

What do we do in the case where you specify an invalid ZK server? Don't we 
continue retrying? I suspect that's what we should do in this case, log the 
issue and let the operator address it. Especially given that this is typically 
only going to happen when you first setup the cluster. Thereafter I wouldn't 
expect the parameters to change.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hongchao Deng (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14337051#comment-14337051
 ] 

Hongchao Deng commented on ZOOKEEPER-2125:
--

Thanks [~rgs] for the review. I have some questions before I can do further 
improvement. Please help answer it. :)

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  -Dzookeeper.client.secure=true 
 -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hadoop QA (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14336912#comment-14336912
 ] 

Hadoop QA commented on ZOOKEEPER-2125:
--

-1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12700812/ZOOKEEPER-2125.patch
  against trunk revision 1662055.

+1 @author.  The patch does not contain any @author tags.

+1 tests included.  The patch appears to include 14 new or modified tests.

+1 javadoc.  The javadoc tool did not generate any warning messages.

+1 javac.  The applied patch does not increase the total number of javac 
compiler warnings.

+1 findbugs.  The patch does not introduce any new Findbugs (version 2.0.3) 
warnings.

+1 release audit.  The applied patch does not increase the total number of 
release audit warnings.

-1 core tests.  The patch failed core unit tests.

+1 contrib tests.  The patch passed contrib unit tests.

Test results: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2536//testReport/
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2536//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Console output: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2536//console

This message is automatically generated.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Raul Gutierrez Segales (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14336919#comment-14336919
 ] 

Raul Gutierrez Segales commented on ZOOKEEPER-2125:
---

Hi [~hdeng],

I did a first pass on the RB - let me know what you think of my feedback and 
then I'll do another pass. Thanks!

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Fix For: 3.5.1

 Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hadoop QA (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14336135#comment-14336135
 ] 

Hadoop QA commented on ZOOKEEPER-2125:
--

-1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12700686/ZOOKEEPER-2125.patch
  against trunk revision 1662055.

+1 @author.  The patch does not contain any @author tags.

+1 tests included.  The patch appears to include 17 new or modified tests.

+1 javadoc.  The javadoc tool did not generate any warning messages.

+1 javac.  The applied patch does not increase the total number of javac 
compiler warnings.

+1 findbugs.  The patch does not introduce any new Findbugs (version 2.0.3) 
warnings.

-1 release audit.  The applied patch generated 1 release audit warnings 
(more than the trunk's current 0 warnings).

-1 core tests.  The patch failed core unit tests.

+1 contrib tests.  The patch passed contrib unit tests.

Test results: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2535//testReport/
Release audit warnings: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2535//artifact/trunk/patchprocess/patchReleaseAuditProblems.txt
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2535//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Console output: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2535//console

This message is automatically generated.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hongchao Deng (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14336080#comment-14336080
 ] 

Hongchao Deng commented on ZOOKEEPER-2125:
--

Added test code. Currently the test are ignored because they need the binary 
keys stuff. Just showing the test code.

Please review and give feedback: https://reviews.apache.org/r/31277/diff/#

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, 
 ZOOKEEPER-2125.patch


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/
 h2. How to use it
 You need to set some parameters on both ZK server and client.
 h3. Server
 You need to specify a listening SSL port in zoo.cfg:
 {code}
 secureClientPort=2281
 {code}
 Just like what you did with clientPort. And then set some jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 Please change keystore and truststore parameters accordingly.
 h3. Client
 You need to set jvm flags:
 {code}
 export 
 SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks 
 -Dzookeeper.ssl.keyStore.password=testpass 
 -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks 
 -Dzookeeper.ssl.trustStore.password=testpass
 {code}
 change keystore and truststore parameters accordingly.
 And then connect to the server's SSL port, in this case:
 {code}
 bin/zkCli.sh -server 127.0.0.1:2281
 {code}
 If you have any feedback, you are more than welcome to discuss it here!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hadoop QA (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14332322#comment-14332322
 ] 

Hadoop QA commented on ZOOKEEPER-2125:
--

-1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12700108/ZOOKEEPER-2125.patch
  against trunk revision 165.

+1 @author.  The patch does not contain any @author tags.

+1 tests included.  The patch appears to include 6 new or modified tests.

+1 javadoc.  The javadoc tool did not generate any warning messages.

+1 javac.  The applied patch does not increase the total number of javac 
compiler warnings.

+1 findbugs.  The patch does not introduce any new Findbugs (version 2.0.3) 
warnings.

+1 release audit.  The applied patch does not increase the total number of 
release audit warnings.

-1 core tests.  The patch failed core unit tests.

+1 contrib tests.  The patch passed contrib unit tests.

Test results: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2528//testReport/
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2528//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Console output: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2528//console

This message is automatically generated.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hadoop QA (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14332265#comment-14332265
 ] 

Hadoop QA commented on ZOOKEEPER-2125:
--

-1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12700100/ZOOKEEPER-2125.patch
  against trunk revision 165.

+1 @author.  The patch does not contain any @author tags.

+1 tests included.  The patch appears to include 6 new or modified tests.

+1 javadoc.  The javadoc tool did not generate any warning messages.

+1 javac.  The applied patch does not increase the total number of javac 
compiler warnings.

+1 findbugs.  The patch does not introduce any new Findbugs (version 2.0.3) 
warnings.

+1 release audit.  The applied patch does not increase the total number of 
release audit warnings.

-1 core tests.  The patch failed core unit tests.

+1 contrib tests.  The patch passed contrib unit tests.

Test results: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2527//testReport/
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2527//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Console output: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2527//console

This message is automatically generated.

 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Attachments: ZOOKEEPER-2125.patch


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

[Hongchao Deng (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14332460#comment-14332460
 ] 

Hongchao Deng commented on ZOOKEEPER-2125:
--

Hi, [~fpj] [~rakeshr] [~iandi].

I have uploaded a simplified patch based on ZK-2094:
1. The work handles encrypted communication. Authentication, ZooKeeperMain(CLI) 
and 4lws changes are NOT included.
2. It only supports keystore and truststore. I think [~iandi] can work out the 
custom key_manager/trust_manager in another JIRA so that we can cherry pick 
commits based on our needs. I'm pretty open on this so more discussion is 
welcome.
3. Addressed Rakesh's comments. Code improvement, refactoring, reduce the 
coupling between classes.

About testing:
I have manually tried the patch and it works great for normal cases. It doesn't 
look well when user specifies any wrong ssl parameters.. I don't know how to 
nicely deal with it so let's keep it open for people like [~rgs] to talk about 
or write the patch for it.

The patch isn't final -- there is also unit test. The unit test needs example 
binary certificates. I am not including them to show jenkins test result. Final 
patch will include unit test.

I prefer docs in another JIRA.

Review board is at the Description section (top of the page).

Please review and give feedback. Thanks!


 SSL on Netty client-server communication
 

 Key: ZOOKEEPER-2125
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
 Project: ZooKeeper
  Issue Type: Sub-task
Reporter: Hongchao Deng
Assignee: Hongchao Deng
 Attachments: ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch


 Supporting SSL on Netty client-server communication. 
 1. It supports keystore and trustore usage. 
 2. It adds an additional ZK server port which supports SSL. This would be 
 useful for rolling upgrade.
 RB: https://reviews.apache.org/r/31277/



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)