Ignite ZooKeeper TLS Discovery Issue on Windows

Tue, 15 Jul 2025 06:27:55 -0700 

Hi Ignite Community,

We're currently using Apache Ignite with ZooKeeper Discovery SPI and TLS 
configured on both Linux and Windows platforms.

While TLS works perfectly between Ignite and ZooKeeper on Linux (via port 
2281), the same configuration fails on Windows. From ZooKeeper logs, we see:

2025-06-26 13:19:01,729 [myid:] - ERROR 
[nioEventLoopGroup-4-1:o.a.z.s.NettyServerCnxnFactory$CertificateVerifier@468] 
- Unsuccessful handshake with session 0x0 2025-06-26 13:19:01,730 [myid:] - 
WARN 
[nioEventLoopGroup-4-1:o.a.z.s.NettyServerCnxnFactory$CnxnChannelHandler@304] - 
Exception caught io.netty.handler.codec.DecoderException: 
io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record:


It seems like Ignite is sending plain-text over the TLS port when running on 
Windows. Is it true that Ignite's ZooKeeper Discovery SPI does not natively 
support TLS, and requires stunnel or a similar workaround on Windows?

If so, is this a known limitation? And is there an official or recommended way 
to handle this?

Also, attached are sample config files that work fine for Linux but not for 
windows. Another file is an alternate config as per Ignite docs but I still got 
the same "not an SSL/TLS record" error.

Last thing to add, I am able to make the config alright using Stunnel. Traffic 
flow is Ignite to Stunnel to Zookeeper.

Thanks in advance,
Sourav

Attachment: Sample-zoo.config
Description: Sample-zoo.config

Attachment: Sample-Ignite.config
Description: Sample-Ignite.config

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans";
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           
http://www.springframework.org/schema/beans/spring-beans.xsd";>

  <bean class="org.apache.ignite.configuration.IgniteConfiguration">

    <property name="discoverySpi">
      <bean class="org.apache.ignite.spi.discovery.zk.ZookeeperDiscoverySpi">
        <property name="zkConnectionString" value="10.79.89.191:2283"/>
        <property name="sessionTimeout" value="30000"/>
        <property name="zkRootPath" value="/apacheIgnite"/>
        <property name="joinTimeout" value="10000"/>
      </bean>
    </property>

    <property name="sslContextFactory">
      <bean class="org.apache.ignite.ssl.SslContextFactory">
        <property name="keyStoreFilePath" 
value="C:\apache-ignite-2.17.0-bin\ignite-keystore.jks"/>
        <property name="keyStorePassword" value="password"/>
        <property name="trustStoreFilePath" 
value="C:\apache-ignite-2.17.0-bin\ignite-truststore.jks"/>
        <property name="trustStorePassword" value="password"/>
        <property name="protocol" value="TLSv1.3"/>
      </bean>
    </property>

  </bean>
</beans>

Reply via email to