Josh,

I had missed this email from you before. So I have done as you suggested. Let me summarize what I have done.

1- Followed https://blogs.apache.org/accumulo/entry/generating_keystores_for_configuring_accumulo

I have a master (master) node and 4 slaves (slave1, slave2, slave3, slave4). I have created certificates for the 5 nodes and I have also created a certificate for a client which is sitting in slave1.

2- Since I am running the shell from slave1 I have created a client.conf file which I pass to the shell via the --config-file parameter.

    INSTANCE_NAME=comet
    INSTANCE_RPC_SSL_ENABLED=true
    INSTANCE_RPC_SSL_CLIENT_AUTH=true
    INSTANCE_ZK_HOST=slave1,slave2,slave3,slave4
    #the truststore is the same along all the nodes since it stores the pub key of the CA
    RPC_SSL_TRUSTSTORE_PATH=/home/hadoop/accumulo-1.7.0/conf/clientSSL/truststore.jks
    RPC_SSL_TRUSTSTORE_TYPE=JKS
    RPC_SSL_TRUSTSTORE_PASSWORD=accumuloAuth
    RPC_SSL_KEYSTORE_PATH=/home/hadoop/accumulo-1.7.0/conf/clientSSL/client.jks
    RPC_SSL_KEYSTORE_TYPE=JKS
    RPC_SSL_KEYSTORE_PASSWORD=mypass

3- I run the shell with --debug and this is what I get:

    2015-07-15 22:53:06,380 [impl.ThriftTransportPool] DEBUG: Failed to connect to ssl:slave1:9997 (120000)
    org.apache.thrift.transport.TTransportException: Error creating the transport
        at org.apache.accumulo.core.rpc.ThriftUtil.createSSLContext(ThriftUtil.java:371)
        at org.apache.accumulo.core.rpc.ThriftUtil.createClientTransport(ThriftUtil.java:248)
        at org.apache.accumulo.core.client.impl.ThriftTransportPool.createNewTransport(ThriftTransportPool.java:478)
        at org.apache.accumulo.core.client.impl.ThriftTransportPool.getAnyTransport(ThriftTransportPool.java:466)
        at org.apache.accumulo.core.client.impl.ServerClient.getConnection(ServerClient.java:141)
        at org.apache.accumulo.core.client.impl.ServerClient.getConnection(ServerClient.java:117)
        at org.apache.accumulo.core.client.impl.ServerClient.getConnection(ServerClient.java:113)
        at org.apache.accumulo.core.client.impl.ServerClient.executeRaw(ServerClient.java:95)
        at org.apache.accumulo.core.client.impl.ServerClient.execute(ServerClient.java:61)
        at org.apache.accumulo.core.client.impl.ConnectorImpl.<init>(ConnectorImpl.java:67)
        at org.apache.accumulo.core.client.ZooKeeperInstance.getConnector(ZooKeeperInstance.java:248)
        at org.apache.accumulo.shell.Shell.config(Shell.java:362)
        at org.apache.accumulo.shell.Shell.execute(Shell.java:571)
        at org.apache.accumulo.start.Main$1.run(Main.java:93)
        at java.lang.Thread.run(Thread.java:745)
    Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
        at java.security.KeyStore.load(KeyStore.java:1214)
        at org.apache.accumulo.core.rpc.ThriftUtil.createSSLContext(ThriftUtil.java:348)
        ... 14 more
    Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)

This error repeats for every slave. I have tested the password for every keystore and truststore file in the cluster and it is correct--it is the same everywhere. I am very positive about this at this point.

Do you have any suggestion on what else could be wrong? I appreciate your help. I am stuck!

pundutech

On Tue, Jul 7, 2015 at 2:56 PM, Josh Elser <[email protected]> wrote:

> Pundu,
>
> The password to use would be the "root" user's password that you set when
> calling `accumulo init`. A limitation of the SSL approach is that it only
> sets up a secure RPC, it isn't a "complete" security implementation
> (as you might get with Kerberos in 1.7).
>
> Sadly, the error messages for SSL are very sparse when the client fails to
> negotiate the handshake with a server. With the Accumulo shell, you can try
> passing in the --debug option to get more information.
>
> Alternatively, try turning up org.apache.accumulo.core.client to DEBUG or
> TRACE in $ACCUMULO_CONF_DIR/log4j.properties.
>
> - Josh
>
> pundu tech wrote:
>
>> I have an SSL-enabled Accumulo setup.
>>
>> I have followed:
>>
>> https://blogs.apache.org/accumulo/entry/generating_keystores_for_configuring_accumulo
>> to the teeth and as far as my understanding goes on SSL it is all
>> correct.
>>
>> I have created a $ACCUMULO_HOME/conf/client.conf with the following
>> properties
>>
>> INSTANCE_NAME=accumulo
>>
>> INSTANCE_RPC_SSL_ENABLED=true
>>
>> NSTANCE_RPC_SSL_CLIENT_AUTH=true
>>
>> INSTANCE_ZK_HOST=host1
>>
>> RPC_SSL_TRUSTSTORE_PATH=/home/hadoop/truststore.jks
>>
>> RPC_SSL_TRUSTSTORE_TYPE=JKS
>>
>> RPC_SSL_TRUSTSTORE_PASSWORD=mypass
>>
>> RPC_SSL_KEYSTORE_PATH=/home/hadoop/server.jks
>>
>> RPC_SSL_KEYSTORE_TYPE=JKS
>>
>> RPC_SSL_KEYSTORE_PASSWORD=mypass
>>
>> but when I try to connect via shell I am prompted for a password. Which
>> password is this? It does not seem to be the tracer password (which user
>> is "root").
>>
>> ./accumulo shell -u root
>>
>> /usr/local/zookeeper-3.4.6
>>
>> /usr/local/jdk1.7.0_79
>>
>> Password: ----> ?
>>
>> Thanks
>>
>> pundu tech
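
Added example, not part of the original thread and not Accumulo code: a Python reproduction of the JKS store-password integrity check that raises "Keystore was tampered with, or password was incorrect", applied to each *_PATH / *_PASSWORD pair of a config in the KEY=VALUE form shown above. The function names and the zero-entry sample keystore are constructed for illustration; the result "ok-after-strip" flags a configured password that only matches once surrounding whitespace is removed.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED          # first 4 bytes of a JKS file (PKCS12 starts with 0x30)
JKS_SALT = b"Mighty Aphrodite"  # fixed string the JDK mixes into the integrity hash

def jks_digest(password: str, body: bytes) -> bytes:
    """SHA-1 over UTF-16BE password + fixed string + store body, as the JDK computes it."""
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()

def check_store(data: bytes, password: str) -> str:
    """Classify a store file against the password exactly as configured."""
    if len(data) < 32 or struct.unpack(">I", data[:4])[0] != JKS_MAGIC:
        return "not-jks"          # file does not match a JKS type setting, or is truncated
    body, stored = data[:-20], data[-20:]   # the last 20 bytes hold the stored digest
    if hmac.compare_digest(jks_digest(password, body), stored):
        return "ok"
    if hmac.compare_digest(jks_digest(password.strip(), body), stored):
        return "ok-after-strip"   # configured value carries stray whitespace
    return "bad-password-or-modified"

def read_conf(text: str) -> dict:
    """Parse KEY=VALUE lines, keeping each value byte-for-byte (no trimming)."""
    conf = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value
    return conf

def audit(conf_text: str, files=None) -> dict:
    """Check every *_PATH entry with its *_PASSWORD; read from disk unless files is given."""
    conf = read_conf(conf_text)
    out = {}
    for key, path in conf.items():
        if key.endswith("_PATH"):
            path = path.strip()
            data = files[path] if files is not None else open(path, "rb").read()
            out[key] = check_store(data, conf.get(key[:-5] + "_PASSWORD", ""))
    return out

def make_empty_jks(password: str) -> bytes:
    """Constructed sample: a version-2 JKS with zero entries."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + jks_digest(password, body)
```

Called as audit(open("client.conf").read()) on the node that runs the shell, it reads the store files named in the config from disk.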
