Hi All,

We are using Curator (version 4.0.1) as the client to connect to ZooKeeper (version 3.5.5) in our application.

We are trying to connect from Curator to ZooKeeper with the secured (SSL) option.

1) We have successfully established a secured connection between ZK servers (server to server).

2) When we try to establish a secured connection between client and server, we get an error on the client side. On the server side, the ZooKeeper logs show that it is expecting an SSL request but is not getting one from the client side, so it shows an exception on the server side.

3) On the client side we added the properties below to the application's properties file (from where we pass properties) to enable the client-to-server secured connection:

    zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
    zookeeper.client.secure=true
    zookeeper.ssl.trustStore.location=/opt/ssl/truststore.jks
    zookeeper.ssl.trustStore.password=testpass

We added a few logger print statements in the following ZooKeeper code base classes, recompiled them and added the recompiled classes to zookeeper-3.5.5.jar, to check whether the input values passed from the client side reach there or not.

1) ClientCnxnSocketNetty.java

    private class ZKClientPipelineFactory extends ChannelInitializer<SocketChannel> {
        private SSLContext sslContext = null;
        private SSLEngine sslEngine = null;
        private String host;
        private int port;

        public ZKClientPipelineFactory(String host, int port) {
            this.host = host;
            this.port = port;
            System.out.println("SMG>>> ZKClientPipelineFactor initializer"); // This is added and printed in logs
        }

        @Override
        protected void initChannel(SocketChannel ch) throws Exception {
            ChannelPipeline pipeline = ch.pipeline();
            System.out.println("SMG>>> initChannel value of ZKClientConfig.SECURE_CLIENT: "
                    + clientConfig.getBoolean(ZKClientConfig.SECURE_CLIENT)); // Getting value of this flag as false
            if (clientConfig.getBoolean(ZKClientConfig.SECURE_CLIENT)) {
                System.out.println("SMG>>> calling initSSL"); // This is not getting called because the if condition is false
                initSSL(pipeline);
            }
            pipeline.addLast("handler", new ZKClientHandler());
        }
    }

Although we passed zookeeper.client.secure=true from the client side, in initChannel() the value of the flag clientConfig.getBoolean(ZKClientConfig.SECURE_CLIENT) comes back as FALSE. It is printed in the logs on the client side. Due to that, initSSL(pipeline) doesn't get called.

2) ZKConfig.java

    private void putSSLProperties(X509Util x509Util) {
        properties.put(x509Util.getSslProtocolProperty(), System.getProperty(x509Util.getSslProtocolProperty()));
        // ...
        properties.put(x509Util.getSslTruststoreLocationProperty(), System.getProperty(x509Util.getSslTruststoreLocationProperty()));
        properties.put(x509Util.getSslTruststorePasswdProperty(), System.getProperty(x509Util.getSslTruststorePasswdProperty()));
        System.out.println("SMG>>> ZKConfig putSSLProperties exit " + properties); // This properties object displays all parameter values passed from the client side in the logs, as below
    }

The log output on the client side:

    SMG>>> ZKConfig putSSLProperties exit {zookeeper.ssl.hostnameVerification=null, zookeeper.ssl.quorum.clientAuth=null,
    zookeeper.ssl.trustStore.password=testpass,
    zookeeper.ssl.quorum.ciphersuites=null, zookeeper.ssl.quorum.keyStore.location=null, zookeeper.ssl.quorum.trustStore.password=null,
    zookeeper.ssl.quorum.crl=null, zookeeper.ssl.keyStore.type=null, zookeeper.ssl.trustStore.type=null, zookeeper.ssl.quorum.ocsp=null,
    zookeeper.ssl.protocol=null,
    zookeeper.ssl.trustStore.location=/opt/ssl/truststore.jks,
    zookeeper.ssl.ocsp=null, zookeeper.ssl.authProvider=null, zookeeper.ssl.quorum.trustStore.type=null,
    zookeeper.ssl.quorum.enabledProtocols=null, zookeeper.ssl.keyStore.password=null, zookeeper.ssl.quorum.keyStore.type=null,
    zookeeper.ssl.ciphersuites=null, zookeeper.ssl.crl=null, sun.security.jgss.native=null, zookeeper.ssl.handshakeDetectionTimeoutMillis=null,
    zookeeper.ssl.quorum.handshakeDetectionTimeoutMillis=null, jute.maxbuffer=null, zookeeper.ssl.enabledProtocols=null,
    zookeeper.ssl.quorum.keyStore.password=null, zookeeper.kinit=null, zookeeper.ssl.keyStore.location=null, zookeeper.ssl.quorum.protocol=null,
    zookeeper.ssl.quorum.trustStore.location=null, zookeeper.ssl.quorum.hostnameVerification=null, zookeeper.ssl.clientAuth=null}

3) ZKClientConfig.java

    @Override
    protected void handleBackwardCompatibility() {
        /**
         * backward compatibility for properties which are common to both client
         * and server
         */
        super.handleBackwardCompatibility();

        /**
         * backward compatibility for client specific properties
         */
        setProperty(ZK_SASL_CLIENT_USERNAME, System.getProperty(ZK_SASL_CLIENT_USERNAME));
        setProperty(LOGIN_CONTEXT_NAME_KEY, System.getProperty(LOGIN_CONTEXT_NAME_KEY));
        setProperty(ENABLE_CLIENT_SASL_KEY, System.getProperty(ENABLE_CLIENT_SASL_KEY));
        setProperty(ZOOKEEPER_SERVER_REALM, System.getProperty(ZOOKEEPER_SERVER_REALM));
        setProperty(DISABLE_AUTO_WATCH_RESET, System.getProperty(DISABLE_AUTO_WATCH_RESET));
        setProperty(ZOOKEEPER_CLIENT_CNXN_SOCKET, System.getProperty(ZOOKEEPER_CLIENT_CNXN_SOCKET));
        System.out.println("SMG>>> ZKClientConfig.handleBackwardCompatibility() setting " + SECURE_CLIENT
                + " to " + System.getProperty(SECURE_CLIENT));
        setProperty(SECURE_CLIENT, System.getProperty(SECURE_CLIENT)); // The value of System.getProperty(SECURE_CLIENT) is true here and is printed in the logs on the client side.
    }

So the value of SECURE_CLIENT is set to true in ZKClientConfig.java, but the value of SECURE_CLIENT is false in ClientCnxnSocketNetty.java, even though zookeeper.client.secure=true is passed from the client side. Due to that, initSSL(pipeline) doesn't get called and the secure connection between client and server fails.

Please help me resolve this issue, and let me know if I missed anything in the configuration.

Thanks,
Mohan Ingole
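An added example, not part of Mohan's message and not Curator's or ZooKeeper's own code, showing one way to make the client-side TLS settings independent of JVM system properties: build a ZKClientConfig explicitly and hand it to ZooKeeper through a custom Curator ZookeeperFactory. It uses only public APIs of ZooKeeper 3.5.x (the ZooKeeper constructor that accepts a ZKClientConfig, and ZKConfig.setProperty/getBoolean, the same getter ClientCnxnSocketNetty.initChannel() checks) and Curator 4.x (CuratorFrameworkFactory.Builder.zookeeperFactory). The connect string, truststore path and password are placeholders; whether this resolves the behaviour reported above is not established by the thread.

```java
import org.apache.curator.RetryPolicy;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.curator.utils.ZookeeperFactory;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.client.ZKClientConfig;

/**
 * Illustrative only: connects Curator 4.x to a ZooKeeper 3.5.x secureClientPort with an
 * explicitly populated ZKClientConfig instead of relying on -D system properties being
 * present when the config object is created.
 */
public class SecureCuratorClient {

    /** Builds the client-side TLS configuration on the config object itself. */
    static ZKClientConfig secureClientConfig(String trustStorePath, String trustStorePassword) {
        // The no-arg constructor copies whatever system properties exist right now
        // (handleBackwardCompatibility); the explicit setProperty calls below override them.
        ZKClientConfig conf = new ZKClientConfig();
        conf.setProperty(ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET,
                "org.apache.zookeeper.ClientCnxnSocketNetty");   // TLS requires the Netty socket
        conf.setProperty(ZKClientConfig.SECURE_CLIENT, "true");  // zookeeper.client.secure
        conf.setProperty("zookeeper.ssl.trustStore.location", trustStorePath);
        conf.setProperty("zookeeper.ssl.trustStore.password", trustStorePassword);

        // Fail fast with the same getter ClientCnxnSocketNetty.initChannel() evaluates
        // before it decides whether to call initSSL().
        if (!conf.getBoolean(ZKClientConfig.SECURE_CLIENT)) {
            throw new IllegalStateException(ZKClientConfig.SECURE_CLIENT + " is not set on the ZKClientConfig");
        }
        return conf;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values; in a real deployment read the password from a secret store, not source code.
        final ZKClientConfig conf = secureClientConfig("/opt/ssl/truststore.jks", "testpass");

        // Curator creates every ZooKeeper handle through this factory, so the explicit config
        // reaches the ZooKeeper constructor that takes a ZKClientConfig (ZooKeeper 3.5.x).
        ZookeeperFactory factory = new ZookeeperFactory() {
            @Override
            public ZooKeeper newZooKeeper(String connectString, int sessionTimeout,
                                          Watcher watcher, boolean canBeReadOnly) throws Exception {
                return new ZooKeeper(connectString, sessionTimeout, watcher, canBeReadOnly, conf);
            }
        };

        RetryPolicy retry = new ExponentialBackoffRetry(1000, 3);
        CuratorFramework client = CuratorFrameworkFactory.builder()
                .connectString("zk1.example.internal:2281")  // placeholder: the server's secureClientPort, not clientPort
                .zookeeperFactory(factory)
                .retryPolicy(retry)
                .build();
        client.start();
        client.blockUntilConnected();
        System.out.println("children of /: " + client.getChildren().forPath("/"));
        client.close();
    }
}
```

Two checks worth doing alongside this: confirm the connect string targets the port the server exposes as secureClientPort (a plaintext connection to that port is exactly what produces "expecting an SSL request" on the server), and confirm that the config object the Netty socket ends up holding is the one you populated, since a ZKClientConfig created before the properties file is loaded into System properties will have copied null for zookeeper.client.secure.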