That's great! :-)

On Jul 16, 2015 10:19 AM, "pundu tech" <[email protected]> wrote:

> Billie,
> **THANKS**
> Hard to believe I missed this. I was able to log in to the shell.
>
>
> On Thu, Jul 16, 2015 at 9:34 AM, Billie Rinaldi <[email protected]>
> wrote:
>
>> Regarding the client.conf file, it seems you are using the Property enums
>> (such as INSTANCE_NAME) rather than their associated property names
>> (such as instance.name). Your client.conf file should look like:
>>
>> instance.name=comet
>> instance.rpc.ssl.enabled=true
>> instance.rpc.ssl.clientAuth=true
>>
>> and so on. If you're generating the file programmatically, you can get
>> those property names using the getKey() method of the Property:
>>
>> Property.INSTANCE_RPC_SSL_ENABLED.getKey()
>>
>> On Wed, Jul 15, 2015 at 8:05 PM, pundu tech <[email protected]> wrote:
>>
>>> Josh,
>>> I had missed this email from you before.
>>>
>>> So I have done as you suggested. Let me summarize what I have done.
>>>
>>> 1- Followed
>>> https://blogs.apache.org/accumulo/entry/generating_keystores_for_configuring_accumulo
>>> I have a master (master) node and 4 slaves (slave1, slave2, slave3,
>>> slave4).
>>> I have created certificates for the 5 nodes and I have also created
>>> a certificate for a client which is sitting in slave1.
>>> 2- Since I am running the shell from slave1 I have created a client.conf
>>> file which I pass to the shell via the --config-file parameter.
>>>
>>> INSTANCE_NAME=comet
>>> INSTANCE_RPC_SSL_ENABLED=true
>>> INSTANCE_RPC_SSL_CLIENT_AUTH=true
>>> INSTANCE_ZK_HOST=slave1,slave2,slave3,slave4
>>> #the truststore is the same along all the nodes since it stores the pub key of the CA
>>> RPC_SSL_TRUSTSTORE_PATH=/home/hadoop/accumulo-1.7.0/conf/clientSSL/truststore.jks
>>> RPC_SSL_TRUSTSTORE_TYPE=JKS
>>> RPC_SSL_TRUSTSTORE_PASSWORD=accumuloAuth
>>> RPC_SSL_KEYSTORE_PATH=/home/hadoop/accumulo-1.7.0/conf/clientSSL/client.jks
>>> RPC_SSL_KEYSTORE_TYPE=JKS
>>> RPC_SSL_KEYSTORE_PASSWORD=mypass
>>>
>>> 3- I run the shell with --debug and this is what I get:
>>>
>>> 2015-07-15 22:53:06,380 [impl.ThriftTransportPool] DEBUG: Failed to connect to ssl:slave1:9997 (120000)
>>> org.apache.thrift.transport.TTransportException: Error creating the transport
>>>     at org.apache.accumulo.core.rpc.ThriftUtil.createSSLContext(ThriftUtil.java:371)
>>>     at org.apache.accumulo.core.rpc.ThriftUtil.createClientTransport(ThriftUtil.java:248)
>>>     at org.apache.accumulo.core.client.impl.ThriftTransportPool.createNewTransport(ThriftTransportPool.java:478)
>>>     at org.apache.accumulo.core.client.impl.ThriftTransportPool.getAnyTransport(ThriftTransportPool.java:466)
>>>     at org.apache.accumulo.core.client.impl.ServerClient.getConnection(ServerClient.java:141)
>>>     at org.apache.accumulo.core.client.impl.ServerClient.getConnection(ServerClient.java:117)
>>>     at org.apache.accumulo.core.client.impl.ServerClient.getConnection(ServerClient.java:113)
>>>     at org.apache.accumulo.core.client.impl.ServerClient.executeRaw(ServerClient.java:95)
>>>     at org.apache.accumulo.core.client.impl.ServerClient.execute(ServerClient.java:61)
>>>     at org.apache.accumulo.core.client.impl.ConnectorImpl.<init>(ConnectorImpl.java:67)
>>>     at org.apache.accumulo.core.client.ZooKeeperInstance.getConnector(ZooKeeperInstance.java:248)
>>>     at org.apache.accumulo.shell.Shell.config(Shell.java:362)
>>>     at org.apache.accumulo.shell.Shell.execute(Shell.java:571)
>>>     at org.apache.accumulo.start.Main$1.run(Main.java:93)
>>>     at java.lang.Thread.run(Thread.java:745)
>>> Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
>>>     at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
>>>     at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
>>>     at java.security.KeyStore.load(KeyStore.java:1214)
>>>     at org.apache.accumulo.core.rpc.ThriftUtil.createSSLContext(ThriftUtil.java:348)
>>>     ... 14 more
>>> Caused by: java.security.UnrecoverableKeyException: Password verification failed
>>>     at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
>>>
>>> This error repeats for every slave.
>>> I have tested the password for every keystore and truststore file in the
>>> cluster and it is correct--it is the same everywhere. I am very positive
>>> about this at this point. Do you have any suggestion on what else could be
>>> wrong?
>>>
>>> I appreciate your help. I am stuck!
>>>
>>> pundutech
>>>
>>> On Tue, Jul 7, 2015 at 2:56 PM, Josh Elser <[email protected]> wrote:
>>>
>>>> Pundu,
>>>>
>>>> The password to use would be the "root" user's password that you set
>>>> when calling `accumulo init`. A limitation of the SSL approach is that it
>>>> only sets up a secure RPC, it isn't a "complete" security
>>>> implementation (as you might get with Kerberos in 1.7).
>>>>
>>>> Sadly, the error messages for SSL are very sparse when the client fails
>>>> to negotiate the handshake with a server. With the Accumulo shell, you can
>>>> try passing in the --debug option to get more information.
>>>>
>>>> Alternatively, try turning up org.apache.accumulo.core.client to DEBUG
>>>> or TRACE in $ACCUMULO_CONF_DIR/log4j.properties.
>>>>
>>>> - Josh
>>>>
>>>>
>>>> pundu tech wrote:
>>>>
>>>>> I have an SSL-enabled Accumulo setup.
>>>>>
>>>>> I have followed:
>>>>>
>>>>> https://blogs.apache.org/accumulo/entry/generating_keystores_for_configuring_accumulo
>>>>> to the teeth and as far as my understanding goes on SSL it is all
>>>>> correct.
>>>>>
>>>>> I have created a $ACCUMULO_HOME/conf/client.conf with the following
>>>>> properties
>>>>>
>>>>> INSTANCE_NAME=accumulo
>>>>> INSTANCE_RPC_SSL_ENABLED=true
>>>>> NSTANCE_RPC_SSL_CLIENT_AUTH=true
>>>>> INSTANCE_ZK_HOST=host1
>>>>> RPC_SSL_TRUSTSTORE_PATH=/home/hadoop/truststore.jks
>>>>> RPC_SSL_TRUSTSTORE_TYPE=JKS
>>>>> RPC_SSL_TRUSTSTORE_PASSWORD=mypass
>>>>> RPC_SSL_KEYSTORE_PATH=/home/hadoop/server.jks
>>>>> RPC_SSL_KEYSTORE_TYPE=JKS
>>>>> RPC_SSL_KEYSTORE_PASSWORD=mypass
>>>>>
>>>>>
>>>>> but when I try to connect via shell I am prompted for a password. Which
>>>>> password is this? It does not seem to be the tracer password (which
>>>>> user is "root").
>>>>>
>>>>> ./accumulo shell -u root
>>>>> /usr/local/zookeeper-3.4.6
>>>>> /usr/local/jdk1.7.0_79
>>>>> Password: ----> ?
>>>>>
>>>>>
>>>>> Thanks
>>>>>
>>>>> pundu tech
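
Added example, not part of the original thread and not Accumulo project code: a small linter for the mistake Billie's reply identifies, client.conf keys written as Property enum constants instead of property names. The first three mappings come from that reply; the remaining names are the Accumulo 1.7 keys for the constants used in the thread and should be confirmed with getKey(); the function names and the sample file are constructed for illustration.

```python
import re

# Enum constant -> property key. The first three pairs are quoted in the reply
# above; the rest are the Accumulo 1.7 keys (confirm each with getKey()).
ENUM_TO_KEY = {
    "INSTANCE_NAME": "instance.name",
    "INSTANCE_RPC_SSL_ENABLED": "instance.rpc.ssl.enabled",
    "INSTANCE_RPC_SSL_CLIENT_AUTH": "instance.rpc.ssl.clientAuth",
    "INSTANCE_ZK_HOST": "instance.zookeeper.host",
    "RPC_SSL_TRUSTSTORE_PATH": "rpc.javax.net.ssl.trustStore",
    "RPC_SSL_TRUSTSTORE_TYPE": "rpc.javax.net.ssl.trustStoreType",
    "RPC_SSL_TRUSTSTORE_PASSWORD": "rpc.javax.net.ssl.trustStorePassword",
    "RPC_SSL_KEYSTORE_PATH": "rpc.javax.net.ssl.keyStore",
    "RPC_SSL_KEYSTORE_TYPE": "rpc.javax.net.ssl.keyStoreType",
    "RPC_SSL_KEYSTORE_PASSWORD": "rpc.javax.net.ssl.keyStorePassword",
}
ENUM_STYLE = re.compile(r"^[A-Z][A-Z0-9]*(_[A-Z0-9]+)+$")  # e.g. FOO_BAR, no dots

# Constructed sample modelled on the configs posted in the thread.
SAMPLE_CONF = """\
INSTANCE_NAME=comet
INSTANCE_RPC_SSL_ENABLED=true
NSTANCE_RPC_SSL_CLIENT_AUTH=true
# truststore holds the CA public key
RPC_SSL_TRUSTSTORE_PASSWORD=placeholder-not-a-real-password
instance.zookeeper.host=slave1
"""

def lint_client_conf(text):
    """Return (line_no, key, suggested_key_or_None); values are never reported."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        key, sep, _ = raw.partition("=")
        key = key.strip()
        if not sep or key.startswith("#"):
            continue
        if key in ENUM_TO_KEY:
            findings.append((n, key, ENUM_TO_KEY[key]))
        elif ENUM_STYLE.match(key):  # enum-looking but unknown: typo or other constant
            findings.append((n, key, None))
    return findings

def rewrite_client_conf(text):
    """Replace known enum-style keys; leave comments and unknown keys untouched."""
    out = []
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        new_key = ENUM_TO_KEY.get(key.strip()) if sep else None
        out.append(f"{new_key}={value}" if new_key else raw)
    return "\n".join(out)

if __name__ == "__main__":
    for n, key, fix in lint_client_conf(SAMPLE_CONF):
        print(f"line {n}: {key} -> {fix or 'unknown constant, check spelling'}")
```

Findings carry only line numbers and key names, so the output can be pasted into a ticket or mailing-list post without exposing keystore or truststore passwords.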
