Regarding the client.conf file, it seems you are using the Property enums (such as INSTANCE_NAME) rather than their associated property names (such as instance.name). Your client.conf file should look like:
instance.name=comet
instance.rpc.ssl.enabled=true
instance.rpc.ssl.clientAuth=true

and so on. If you're generating the file programmatically, you can get those property names using the getKey() method of the Property:

Property.INSTANCE_RPC_SSL_ENABLED.getKey()

On Wed, Jul 15, 2015 at 8:05 PM, pundu tech <[email protected]> wrote:

> Josh,
> I had missed this email from you before.
>
> So I have done as you suggested. Let me summarize what I have done.
>
> 1- Followed
> https://blogs.apache.org/accumulo/entry/generating_keystores_for_configuring_accumulo
> I have a master (master) node and 4 slaves (slave1, slave2, slave3, slave4).
> I have created certificates for the 5 nodes and I have also created a
> certificate for a client which is sitting in slave1.
> 2- Since I am running the shell from slave1 I have created a client.conf
> file which I pass to the shell via the --config-file parameter.
>
> INSTANCE_NAME=comet
> INSTANCE_RPC_SSL_ENABLED=true
> INSTANCE_RPC_SSL_CLIENT_AUTH=true
> INSTANCE_ZK_HOST=slave1,slave2,slave3,slave4
> #the truststore is the same along all the nodes since it stores the pub key of the CA
> RPC_SSL_TRUSTSTORE_PATH=/home/hadoop/accumulo-1.7.0/conf/clientSSL/truststore.jks
> RPC_SSL_TRUSTSTORE_TYPE=JKS
> RPC_SSL_TRUSTSTORE_PASSWORD=accumuloAuth
> RPC_SSL_KEYSTORE_PATH=/home/hadoop/accumulo-1.7.0/conf/clientSSL/client.jks
> RPC_SSL_KEYSTORE_TYPE=JKS
> RPC_SSL_KEYSTORE_PASSWORD=mypass
>
> 3- I run the shell with --debug and this is what I get:
>
> 2015-07-15 22:53:06,380 [impl.ThriftTransportPool] DEBUG: Failed to connect to ssl:slave1:9997 (120000)
> org.apache.thrift.transport.TTransportException: Error creating the transport
>         at org.apache.accumulo.core.rpc.ThriftUtil.createSSLContext(ThriftUtil.java:371)
>         at org.apache.accumulo.core.rpc.ThriftUtil.createClientTransport(ThriftUtil.java:248)
>         at org.apache.accumulo.core.client.impl.ThriftTransportPool.createNewTransport(ThriftTransportPool.java:478)
>         at org.apache.accumulo.core.client.impl.ThriftTransportPool.getAnyTransport(ThriftTransportPool.java:466)
>         at org.apache.accumulo.core.client.impl.ServerClient.getConnection(ServerClient.java:141)
>         at org.apache.accumulo.core.client.impl.ServerClient.getConnection(ServerClient.java:117)
>         at org.apache.accumulo.core.client.impl.ServerClient.getConnection(ServerClient.java:113)
>         at org.apache.accumulo.core.client.impl.ServerClient.executeRaw(ServerClient.java:95)
>         at org.apache.accumulo.core.client.impl.ServerClient.execute(ServerClient.java:61)
>         at org.apache.accumulo.core.client.impl.ConnectorImpl.<init>(ConnectorImpl.java:67)
>         at org.apache.accumulo.core.client.ZooKeeperInstance.getConnector(ZooKeeperInstance.java:248)
>         at org.apache.accumulo.shell.Shell.config(Shell.java:362)
>         at org.apache.accumulo.shell.Shell.execute(Shell.java:571)
>         at org.apache.accumulo.start.Main$1.run(Main.java:93)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
>         at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
>         at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
>         at java.security.KeyStore.load(KeyStore.java:1214)
>         at org.apache.accumulo.core.rpc.ThriftUtil.createSSLContext(ThriftUtil.java:348)
>         ... 14 more
> Caused by: java.security.UnrecoverableKeyException: Password verification failed
>         at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
>
> This error repeats for every slave.
> I have tested the password for every keystore and truststore file in the
> cluster and it is correct -- it is the same everywhere. I am very positive
> about this at this point. Do you have any suggestion on what else could be
> wrong?
>
> I appreciate your help. I am stuck!
>
> pundutech
>
> On Tue, Jul 7, 2015 at 2:56 PM, Josh Elser <[email protected]> wrote:
>
>> Pundu,
>>
>> The password to use would be the "root" user's password that you set when
>> calling `accumulo init`. A limitation of the SSL approach is that it only
>> sets up a secure RPC; it isn't a "complete" security implementation
>> (as you might get with Kerberos in 1.7).
>>
>> Sadly, the error messages for SSL are very sparse when the client fails
>> to negotiate the handshake with a server. With the Accumulo shell, you can
>> try passing in the --debug option to get more information.
>>
>> Alternatively, try turning up org.apache.accumulo.core.client to DEBUG or
>> TRACE in $ACCUMULO_CONF_DIR/log4j.properties.
>>
>> - Josh
>>
>>
>> pundu tech wrote:
>>
>>> I have an SSL-enabled Accumulo setup.
>>>
>>> I have followed:
>>>
>>> https://blogs.apache.org/accumulo/entry/generating_keystores_for_configuring_accumulo
>>> to the teeth and as far as my understanding goes on SSL it is all
>>> correct.
>>>
>>> I have created a $ACCUMULO_HOME/conf/client.conf with the following
>>> properties
>>>
>>> INSTANCE_NAME=accumulo
>>> INSTANCE_RPC_SSL_ENABLED=true
>>> NSTANCE_RPC_SSL_CLIENT_AUTH=true
>>> INSTANCE_ZK_HOST=host1
>>> RPC_SSL_TRUSTSTORE_PATH=/home/hadoop/truststore.jks
>>> RPC_SSL_TRUSTSTORE_TYPE=JKS
>>> RPC_SSL_TRUSTSTORE_PASSWORD=mypass
>>> RPC_SSL_KEYSTORE_PATH=/home/hadoop/server.jks
>>> RPC_SSL_KEYSTORE_TYPE=JKS
>>> RPC_SSL_KEYSTORE_PASSWORD=mypass
>>>
>>> but when I try to connect via shell I am prompted for a password. Which
>>> password is this? It does not seem to be the tracer password (which user
>>> is "root").
>>>
>>> ./accumulo shell -u root
>>>
>>> /usr/local/zookeeper-3.4.6
>>>
>>> /usr/local/jdk1.7.0_79
>>>
>>> Password: ----> ?
>>>
>>>
>>> Thanks
>>>
>>> pundu tech
>>>
>>>
