Billie, **THANKS**. Hard to believe I missed this. I was able to log in to the shell.
On Thu, Jul 16, 2015 at 9:34 AM, Billie Rinaldi <[email protected]> wrote:

> Regarding the client.conf file, it seems you are using the Property enums
> (such as INSTANCE_NAME) rather than their associated property names (such
> as instance.name). Your client.conf file should look like:
>
> instance.name=comet
> instance.rpc.ssl.enabled=true
> instance.rpc.ssl.clientAuth=true
>
> and so on. If you're generating the file programmatically, you can get
> those property names using the getKey() method of the Property:
>
> Property.INSTANCE_RPC_SSL_ENABLED.getKey()
>
> On Wed, Jul 15, 2015 at 8:05 PM, pundu tech <[email protected]> wrote:
>
>> Josh,
>> I had missed this email from you before.
>>
>> So I have done as you suggested. Let me summarize what I have done.
>>
>> 1- Followed
>> https://blogs.apache.org/accumulo/entry/generating_keystores_for_configuring_accumulo
>> I have a master (master) node and 4 slaves (slave1, slave2, slave3, slave4).
>> I have created certificates for the 5 nodes and I have also created a
>> certificate for a client which is sitting in slave1.
>> 2- Since I am running the shell from slave1 I have created a client.conf
>> file which I pass to the shell via the --config-file parameter.
>>
>> INSTANCE_NAME=comet
>> INSTANCE_RPC_SSL_ENABLED=true
>> INSTANCE_RPC_SSL_CLIENT_AUTH=true
>> INSTANCE_ZK_HOST=slave1,slave2,slave3,slave4
>> #the truststore is the same along all the nodes since it stores the pub key of the CA
>> RPC_SSL_TRUSTSTORE_PATH=/home/hadoop/accumulo-1.7.0/conf/clientSSL/truststore.jks
>> RPC_SSL_TRUSTSTORE_TYPE=JKS
>> RPC_SSL_TRUSTSTORE_PASSWORD=accumuloAuth
>> RPC_SSL_KEYSTORE_PATH=/home/hadoop/accumulo-1.7.0/conf/clientSSL/client.jks
>> RPC_SSL_KEYSTORE_TYPE=JKS
>> RPC_SSL_KEYSTORE_PASSWORD=mypass
>>
>> 3- I run the shell with --debug and this is what I get:
>>
>> 2015-07-15 22:53:06,380 [impl.ThriftTransportPool] DEBUG: Failed to connect to ssl:slave1:9997 (120000)
>> org.apache.thrift.transport.TTransportException: Error creating the transport
>> at org.apache.accumulo.core.rpc.ThriftUtil.createSSLContext(ThriftUtil.java:371)
>> at org.apache.accumulo.core.rpc.ThriftUtil.createClientTransport(ThriftUtil.java:248)
>> at org.apache.accumulo.core.client.impl.ThriftTransportPool.createNewTransport(ThriftTransportPool.java:478)
>> at org.apache.accumulo.core.client.impl.ThriftTransportPool.getAnyTransport(ThriftTransportPool.java:466)
>> at org.apache.accumulo.core.client.impl.ServerClient.getConnection(ServerClient.java:141)
>> at org.apache.accumulo.core.client.impl.ServerClient.getConnection(ServerClient.java:117)
>> at org.apache.accumulo.core.client.impl.ServerClient.getConnection(ServerClient.java:113)
>> at org.apache.accumulo.core.client.impl.ServerClient.executeRaw(ServerClient.java:95)
>> at org.apache.accumulo.core.client.impl.ServerClient.execute(ServerClient.java:61)
>> at org.apache.accumulo.core.client.impl.ConnectorImpl.<init>(ConnectorImpl.java:67)
>> at org.apache.accumulo.core.client.ZooKeeperInstance.getConnector(ZooKeeperInstance.java:248)
>> at org.apache.accumulo.shell.Shell.config(Shell.java:362)
>> at org.apache.accumulo.shell.Shell.execute(Shell.java:571)
>> at org.apache.accumulo.start.Main$1.run(Main.java:93)
>> at java.lang.Thread.run(Thread.java:745)
>> Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
>> at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
>> at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
>> at java.security.KeyStore.load(KeyStore.java:1214)
>> at org.apache.accumulo.core.rpc.ThriftUtil.createSSLContext(ThriftUtil.java:348)
>> ... 14 more
>> Caused by: java.security.UnrecoverableKeyException: Password verification failed
>> at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
>>
>> This error repeats for every slave.
>> I have tested the password for every keystore and truststore file in the
>> cluster and it is correct--it is the same everywhere. I am very positive
>> about this at this point. Do you have any suggestion on what else could be
>> wrong?
>>
>> I appreciate your help. I am stuck!
>>
>> pundutech
>>
>> On Tue, Jul 7, 2015 at 2:56 PM, Josh Elser <[email protected]> wrote:
>>
>>> Pundu,
>>>
>>> The password to use would be the "root" user's password that you set
>>> when calling `accumulo init`. A limitation of the SSL approach is that it
>>> only sets up a secure RPC, it isn't a "complete" security
>>> implementation (as you might get with Kerberos in 1.7).
>>>
>>> Sadly, the error messages for SSL are very sparse when the client fails
>>> to negotiate the handshake with a server. With the Accumulo shell, you can
>>> try passing in the --debug option to get more information.
>>>
>>> Alternatively, try turning up org.apache.accumulo.core.client to DEBUG
>>> or TRACE in $ACCUMULO_CONF_DIR/log4j.properties.
>>>
>>> - Josh
>>>
>>> pundu tech wrote:
>>>
>>>> I have an SSL-enabled Accumulo setup.
>>>>
>>>> I have followed:
>>>> https://blogs.apache.org/accumulo/entry/generating_keystores_for_configuring_accumulo
>>>> to the teeth and as far as my understanding goes on SSL it is all
>>>> correct.
>>>>
>>>> I have created a $ACCUMULO_HOME/conf/client.conf with the following
>>>> properties
>>>>
>>>> INSTANCE_NAME=accumulo
>>>> INSTANCE_RPC_SSL_ENABLED=true
>>>> NSTANCE_RPC_SSL_CLIENT_AUTH=true
>>>> INSTANCE_ZK_HOST=host1
>>>> RPC_SSL_TRUSTSTORE_PATH=/home/hadoop/truststore.jks
>>>> RPC_SSL_TRUSTSTORE_TYPE=JKS
>>>> RPC_SSL_TRUSTSTORE_PASSWORD=mypass
>>>> RPC_SSL_KEYSTORE_PATH=/home/hadoop/server.jks
>>>> RPC_SSL_KEYSTORE_TYPE=JKS
>>>> RPC_SSL_KEYSTORE_PASSWORD=mypass
>>>>
>>>> but when I try to connect via shell I am prompted for a password. Which
>>>> password is this? It does not seem to be the tracer password (which user
>>>> is "root").
>>>>
>>>> ./accumulo shell -u root
>>>> /usr/local/zookeeper-3.4.6
>>>> /usr/local/jdk1.7.0_79
>>>> Password: ----> ?
>>>>
>>>> Thanks
>>>>
>>>> pundu tech
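
A check for the mistake Billie describes, added here as an example and not part of the thread or of Accumulo: it flags client.conf keys written as Property enum names and rewrites the ones it knows. Only the three mappings marked "thread" come from the messages above; the other property names, the function names and the sample file are assumptions to confirm with `Property.<NAME>.getKey()`.

```python
import re

# Enum name -> property name; entries not marked "thread" are assumed 1.7 keys.
ENUM_TO_KEY = {
    "INSTANCE_NAME": "instance.name",                              # thread
    "INSTANCE_RPC_SSL_ENABLED": "instance.rpc.ssl.enabled",        # thread
    "INSTANCE_RPC_SSL_CLIENT_AUTH": "instance.rpc.ssl.clientAuth", # thread
    "INSTANCE_ZK_HOST": "instance.zookeeper.host",
    "RPC_SSL_TRUSTSTORE_PATH": "rpc.javax.net.ssl.trustStore",
    "RPC_SSL_TRUSTSTORE_TYPE": "rpc.javax.net.ssl.trustStoreType",
    "RPC_SSL_TRUSTSTORE_PASSWORD": "rpc.javax.net.ssl.trustStorePassword",
    "RPC_SSL_KEYSTORE_PATH": "rpc.javax.net.ssl.keyStore",
    "RPC_SSL_KEYSTORE_TYPE": "rpc.javax.net.ssl.keyStoreType",
    "RPC_SSL_KEYSTORE_PASSWORD": "rpc.javax.net.ssl.keyStorePassword",
}
ENUM_STYLE = re.compile(r"^[A-Z][A-Z0-9_]*$")

def lint_client_conf(text):
    """Return (line_number, key, suggested_key_or_None) for enum-style keys."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" not in stripped:
            continue
        key = stripped.split("=", 1)[0].strip()
        if ENUM_STYLE.match(key):
            findings.append((lineno, key, ENUM_TO_KEY.get(key)))
    return findings

def rewrite_client_conf(text):
    """Rewrite known enum-style keys; unknown keys are left for manual review."""
    out = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        new_key = ENUM_TO_KEY.get(key.strip())
        out.append(f"{new_key}={value.strip()}" if sep and new_key else line)
    return "\n".join(out)

# Constructed sample modelled on the files quoted in the thread.
SAMPLE = """\
INSTANCE_NAME=comet
INSTANCE_RPC_SSL_ENABLED=true
NSTANCE_RPC_SSL_CLIENT_AUTH=true
# truststore holds the CA public key
RPC_SSL_TRUSTSTORE_PATH=/home/hadoop/accumulo-1.7.0/conf/clientSSL/truststore.jks
"""

for lineno, key, fix in lint_client_conf(SAMPLE):
    print(f"line {lineno}: {key} -> {fix or 'unknown, check the Property enum'}")
```

The misspelled `NSTANCE_RPC_SSL_CLIENT_AUTH` key has no mapping, so it is reported without a suggestion and left unchanged by the rewrite.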
