Re: upgrade from 3.4.5 to 3.5.6
Thanks for the reply. Now my ZKCli cmd is working fine as we use some of our customized authentication and we resolved the issue. Now I am going to implement Server to Server communication.

Thanks,
-
Kuldeep Singh Budania

On Thu, Jul 2, 2020 at 3:53 PM Szalay-Bekő Máté wrote:

> I think SSL is working for you already... If you managed to start the
> zkCli.sh and be able to connect to ZooKeeper on the secure port and issue
> any kind of command (like: " ls / "), then the wire encryption is working
> and your server/client communication is secured by ZooKeeper.
>
> Why do you want to run the following command?
> addauth ztpasswd zooadmin:
>
> Do you also want to configure a superDigest user in ZooKeeper? Please note
> that this command is independent from SSL. If you need to create a
> username-password pair for digest authentication then please use the
> command in the following way:
> addauth digest zooadmin:yourSuperSecretPassword
>
> Kind regards,
> Mate
>
> On Thu, Jul 2, 2020 at 6:59 AM kuldeep singh wrote:
>
> > 1. sh zkCli.sh --config /etc/zookeeper -server localhost:2281
> >
> > 2. addauth ztpasswd zooadmin:
> >
> > Thanks,
> > -
> > Kuldeep Singh Budania
> >
> > On Thu, Jul 2, 2020 at 9:56 AM kuldeep singh wrote:
> >
> > > Hi Team,
> > >
> > > Any update on this?
> > >
> > > Thanks,
> > > -
> > > Kuldeep Singh Budania
> > >
> > > On Wed, Jul 1, 2020 at 6:43 PM kuldeep singh <kuldeep.sing...@gmail.com> wrote:
> > >
> > >> Sorry this is my bad, there were server settings like below
> > >>
> > >> export SERVER_JVMFLAGS="
> > >> -Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
> > >> -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks
> > >> -Dzookeeper.ssl.keyStore.password=testpass
> > >> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks
> > >> -Dzookeeper.ssl.trustStore.password=testpass"
> > >>
> > >> export CLIENT_JVMFLAGS="
> > >> -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
> > >> -Dzookeeper.client.secure=true
> > >> -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks
> > >> -Dzookeeper.ssl.keyStore.password=testpass
> > >> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks
> > >> -Dzookeeper.ssl.trustStore.password=testpass"
> > >>
> > >> I want to have SSL between client to server communication
> > >>
> > >> I am already following the same link which you have shared with me but
> > >> that is not working.
> > >>
> > >> Zoo.cfg
> > >>
> > >> secureClientPort=2281
> > >> initLimit=10
> > >> syncLimit=5
> > >> dataDir=/var/lib/zookeeper/data
> > >> tickTime=2000
> > >> autopurge.snapRetainCount=3
> > >> autopurge.purgeInterval=1
> > >> admin.enableServer=false
> > >> standaloneEnabled=false
> > >> jute.maxbuffer=2147483648
> > >> serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
> > >> server.1=host1_priv:10288:10388
> > >> server.2=host2_priv:10288:10388
> > >> server.3=host3_priv:10288:10388
> > >>
> > >> command to connect using zkcli
> > >>
> > >> 1. zkcli zoo.cfg localhost:2281
> > >> 2. addauth ztpasswd usernaem:password
> > >>
> > >> after second step we are getting below error
> > >>
> > >> WatchedEvent state:AuthFailed type:None path:null
> > >>
> > >> Zookeeper logs :- *2020-07-01 07:38:09,342 - WARN
> > >> [nioEventLoopGroup-4-2:ZooKeeperServer@1119] - No authentication provider
> > >> for scheme: ztpasswd has x509 ip digest*
> > >>
> > >> Thanks,
> > >> -
> > >> Kuldeep Singh Budania
> > >>
> > >> On Wed, Jul 1, 2020 at 6:25 PM Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
> > >>
> > >>> > No authentication provider for scheme: ztpasswd has x509 ip digest*
> > >>>
> > >>> This suggests you have some configuration error... Where did you use the
> > >>> "ztpasswd" string in your configs / commands?
> > >>>
> > >>> On Wed, Jul 1, 2020 at 2:53 PM Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
> > >>>
> > >>> > > My ZK server is up and running in secure mode
> > >>> >
> > >>> > What is your goal? You want to set up client-server SSL connection?
> > >>> >
> > >>> > see:
> > >>> > https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
> > >>> >
> > >>> > (or you want to have both SSL and SASL enabled?)
> > >>> >
> > >>> > Anyway, please remove the following line from the SERVER_JVMFLAGS:
> > >>> > -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
> > >>> > This is a configuration that makes sense only for the ZooKeeper client,
> > >>> > not for the server. For the server, use the following:
> > >>> >
> > >>> > -Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
Re: upgrade from 3.4.5 to 3.5.6
I think SSL is working for you already... If you managed to start the zkCli.sh and be able to connect to ZooKeeper on the secure port and issue any kind of command (like: " ls / "), then the wire encryption is working and your server/client communication is secured by ZooKeeper.

Why do you want to run the following command?
addauth ztpasswd zooadmin:

Do you also want to configure a superDigest user in ZooKeeper? Please note that this command is independent from SSL. If you need to create a username-password pair for digest authentication then please use the command in the following way:
addauth digest zooadmin:yourSuperSecretPassword

Kind regards,
Mate

On Thu, Jul 2, 2020 at 6:59 AM kuldeep singh wrote:

> 1. sh zkCli.sh --config /etc/zookeeper -server localhost:2281
>
> 2. addauth ztpasswd zooadmin:
>
> Thanks,
> -
> Kuldeep Singh Budania
>
> On Thu, Jul 2, 2020 at 9:56 AM kuldeep singh wrote:
>
> > Hi Team,
> >
> > Any update on this?
> >
> > Thanks,
> > -
> > Kuldeep Singh Budania
> >
> > On Wed, Jul 1, 2020 at 6:43 PM kuldeep singh wrote:
> >
>> Sorry this is my bad, there were server settings like below
>>
>> export SERVER_JVMFLAGS="
>> -Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
>> -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks
>> -Dzookeeper.ssl.keyStore.password=testpass
>> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks
>> -Dzookeeper.ssl.trustStore.password=testpass"
>>
>> export CLIENT_JVMFLAGS="
>> -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
>> -Dzookeeper.client.secure=true
>> -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks
>> -Dzookeeper.ssl.keyStore.password=testpass
>> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks
>> -Dzookeeper.ssl.trustStore.password=testpass"
>>
>> I want to have SSL between client to server communication
>>
>> I am already following the same link which you have shared with me but
>> that is not working.
>>
>> Zoo.cfg
>>
>> secureClientPort=2281
>> initLimit=10
>> syncLimit=5
>> dataDir=/var/lib/zookeeper/data
>> tickTime=2000
>> autopurge.snapRetainCount=3
>> autopurge.purgeInterval=1
>> admin.enableServer=false
>> standaloneEnabled=false
>> jute.maxbuffer=2147483648
>> serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
>> server.1=host1_priv:10288:10388
>> server.2=host2_priv:10288:10388
>> server.3=host3_priv:10288:10388
>>
>> command to connect using zkcli
>>
>> 1. zkcli zoo.cfg localhost:2281
>> 2. addauth ztpasswd usernaem:password
>>
>> after second step we are getting below error
>>
>> WatchedEvent state:AuthFailed type:None path:null
>>
>> Zookeeper logs :- *2020-07-01 07:38:09,342 - WARN
>> [nioEventLoopGroup-4-2:ZooKeeperServer@1119] - No authentication provider
>> for scheme: ztpasswd has x509 ip digest*
>>
>> Thanks,
>> -
>> Kuldeep Singh Budania
>>
>> On Wed, Jul 1, 2020 at 6:25 PM Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
>>
>>> > No authentication provider for scheme: ztpasswd has x509 ip digest*
>>>
>>> This suggests you have some configuration error... Where did you use the
>>> "ztpasswd" string in your configs / commands?
>>>
>>> On Wed, Jul 1, 2020 at 2:53 PM Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
>>>
>>> > > My ZK server is up and running in secure mode
>>> >
>>> > What is your goal? You want to set up client-server SSL connection?
>>> >
>>> > see:
>>> > https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
>>> >
>>> > (or you want to have both SSL and SASL enabled?)
>>> >
>>> > Anyway, please remove the following line from the SERVER_JVMFLAGS:
>>> > -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
>>> > This is a configuration that makes sense only for the ZooKeeper client,
>>> > not for the server. For the server, use the following:
>>> >
>>> > -Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
>>> >
>>> > If it doesn't solve the issue, then can you please send your zoo.cfg file?
>>> > Also can you please send the zkCli command you execute? (you need to
>>> > connect to the secure ZooKeeper port, unless portUnification is enabled)
>>> >
>>> > Kind regards,
>>> > Mate
>>> >
>>> > On Wed, Jul 1, 2020 at 9:48 AM kuldeep singh <kuldeep.sing...@gmail.com> wrote:
>>> >
>>> >> Hi,
>>> >>
>>> >> we have done below changes in java.env file
>>> >>
>>> >> export SERVER_JVMFLAGS="
>>> >> -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
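
The two misconfigurations diagnosed in this thread (a client-only socket flag in SERVER_JVMFLAGS, and an addauth scheme the server has no provider for) can be checked mechanically. The following is an added example, not part of the original messages or of ZooKeeper itself; the function names and the sample java.env are constructed, and it assumes the connection factory is set through java.env rather than zoo.cfg.

```python
import re

NETTY_SERVER = "org.apache.zookeeper.server.NettyServerCnxnFactory"
NETTY_CLIENT = "org.apache.zookeeper.ClientCnxnSocketNetty"

# Constructed sample java.env modelled on the settings quoted in the thread.
BROKEN_ENV = '''
export SERVER_JVMFLAGS="
-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
-Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks"
export CLIENT_JVMFLAGS="
-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
-Dzookeeper.client.secure=true"
'''
# Same file with the server flag swapped for the one recommended in the thread.
FIXED_ENV = BROKEN_ENV.replace("clientCnxnSocket=" + NETTY_CLIENT,
                               "serverCnxnFactory=" + NETTY_SERVER, 1)
# Server warning quoted in the thread.
LOG_LINE = ("2020-07-01 07:38:09,342 - WARN [nioEventLoopGroup-4-2:ZooKeeperServer@1119]"
            " - No authentication provider for scheme: ztpasswd has x509 ip digest")

def jvm_props(java_env, var):
    """Return the -Dkey=value properties inside `export VAR="..."` as a dict."""
    m = re.search(r'export\s+' + re.escape(var) + r'="([^"]*)"', java_env)
    tokens = m.group(1).split() if m else []
    return dict(t[2:].split("=", 1) for t in tokens if t.startswith("-D") and "=" in t)

def lint_java_env(java_env):
    """Flag the server/client flag mix-ups discussed in the thread."""
    srv = jvm_props(java_env, "SERVER_JVMFLAGS")
    cli = jvm_props(java_env, "CLIENT_JVMFLAGS")
    findings = []
    if "zookeeper.clientCnxnSocket" in srv:
        findings.append("SERVER_JVMFLAGS sets client-only zookeeper.clientCnxnSocket")
    if srv.get("zookeeper.serverCnxnFactory") != NETTY_SERVER:
        findings.append("SERVER_JVMFLAGS lacks the Netty zookeeper.serverCnxnFactory")
    if cli.get("zookeeper.clientCnxnSocket") != NETTY_CLIENT:
        findings.append("CLIENT_JVMFLAGS lacks the Netty zookeeper.clientCnxnSocket")
    if cli.get("zookeeper.client.secure") != "true":
        findings.append("CLIENT_JVMFLAGS does not set zookeeper.client.secure=true")
    return findings

def check_addauth(command, log_line):
    """Return (scheme, providers, known) for an addauth command and the server warning."""
    scheme = command.split()[1]
    m = re.search(r"No authentication provider for scheme: \S+ has (.+)$", log_line)
    providers = m.group(1).split() if m else []
    return scheme, providers, scheme in providers

if __name__ == "__main__":
    for finding in lint_java_env(BROKEN_ENV):
        print("FINDING:", finding)
    print(check_addauth("addauth ztpasswd zooadmin:", LOG_LINE))
```

The provider list after "has" in the warning is what the server actually loaded, so a custom scheme such as ztpasswd only passes once its provider is registered on the server side.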