6 Replies Latest reply on Aug 2, 2016 6:51 AM by stejas7

    Hot Rod Encryption

    stejas7
    stejas7 Aug 1, 2016 7:49 AM

      Hello nadirx rvansa,

       

      I am trying to connect infinispan with hotrod client using SSL hot rod encyption.but i facing a one error while connecting through hot rod client.

       

      For that i was created two files in domain/configuration folder keystore_server.jks ,truststore_server.jks and server.certi. some changes in domain.xml and host.xml as per tutorial.


      Same .jks both file are in my java program resources folder.when i run java program its gives me below error.


      public class TestSSL

      {

        public static void main(String[] args)

        {

        try

        {

        ClassLoader classLoader = Thread.currentThread().getContextClassLoader();

       

       

        ConfigurationBuilder builder = new ConfigurationBuilder();

        builder.addServer()

        .host("tejas.local.com")

        .port(11222)

        .socketTimeout(3000)

        .security()

        .ssl()

        .enabled(false)

        .trustStoreFileName(classLoader.getResource("truststore_server.jks").getPath())

        .trustStorePassword("CollaborateSSLPassword".toCharArray());

       

       

        RemoteCacheManager rcm = new RemoteCacheManager(builder.build());

       

       

        System.out.println("SSL START");

        RemoteCache<Integer, String> cache = rcm.getCache("Test");  // Line num 29

        System.out.println("SSL START 2");

        cache.put(1, "Tejas");

       

       

        while (true)

        {

        Thread.sleep(1000);

        System.out.println(cache.get(1));

        }

        }

        catch (Exception e)

        {

        e.printStackTrace();

        }

        }

      }


       

      ERROR :

       

      06:23:44.180 [main] ERROR org.infinispan.client.hotrod.impl.operations.RetryOnFailureOperation - ISPN004007: Exception encountered. Retry 10 out of 10

      org.infinispan.client.hotrod.exceptions.TransportException: End of stream reached!

        at org.infinispan.client.hotrod.impl.transport.tcp.TcpTransport.readByte(TcpTransport.java:198) ~[infinispan-remote-8.2.3.Final.jar:8.2.3.Final]

        at org.infinispan.client.hotrod.impl.protocol.Codec20.readMagic(Codec20.java:305) ~[infinispan-remote-8.2.3.Final.jar:8.2.3.Final]

        at org.infinispan.client.hotrod.impl.protocol.Codec20.readHeader(Codec20.java:115) ~[infinispan-remote-8.2.3.Final.jar:8.2.3.Final]

        at org.infinispan.client.hotrod.impl.operations.HotRodOperation.readHeaderAndValidate(HotRodOperation.java:56) ~[infinispan-remote-8.2.3.Final.jar:8.2.3.Final]

        at org.infinispan.client.hotrod.impl.operations.PingOperation.execute(PingOperation.java:45) ~[infinispan-remote-8.2.3.Final.jar:8.2.3.Final]

        at org.infinispan.client.hotrod.impl.operations.FaultTolerantPingOperation.executeOperation(FaultTolerantPingOperation.java:31) ~[infinispan-remote-8.2.3.Final.jar:8.2.3.Final]

        at org.infinispan.client.hotrod.impl.operations.FaultTolerantPingOperation.executeOperation(FaultTolerantPingOperation.java:17) ~[infinispan-remote-8.2.3.Final.jar:8.2.3.Final]

        at org.infinispan.client.hotrod.impl.operations.RetryOnFailureOperation.execute(RetryOnFailureOperation.java:54) [infinispan-remote-8.2.3.Final.jar:8.2.3.Final]

        at org.infinispan.client.hotrod.impl.RemoteCacheImpl.ping(RemoteCacheImpl.java:673) [infinispan-remote-8.2.3.Final.jar:8.2.3.Final]

        at org.infinispan.client.hotrod.impl.RemoteCacheImpl.resolveCompatibility(RemoteCacheImpl.java:734) [infinispan-remote-8.2.3.Final.jar:8.2.3.Final]

        at org.infinispan.client.hotrod.RemoteCacheManager.createRemoteCache(RemoteCacheManager.java:666) [infinispan-remote-8.2.3.Final.jar:8.2.3.Final]

        at org.infinispan.client.hotrod.RemoteCacheManager.getCache(RemoteCacheManager.java:536) [infinispan-remote-8.2.3.Final.jar:8.2.3.Final]

        at org.infinispan.client.hotrod.RemoteCacheManager.getCache(RemoteCacheManager.java:532) [infinispan-remote-8.2.3.Final.jar:8.2.3.Final]

        at com.encryption.TestSSL.main(TestSSL.java:29) [bin/:?]

      org.infinispan.client.hotrod.exceptions.TransportException:: End of stream reached!

        at org.infinispan.client.hotrod.impl.transport.tcp.TcpTransport.readByte(TcpTransport.java:198)

        at org.infinispan.client.hotrod.impl.protocol.Codec20.readMagic(Codec20.java:305)

        at org.infinispan.client.hotrod.impl.protocol.Codec20.readHeader(Codec20.java:115)

        at org.infinispan.client.hotrod.impl.operations.HotRodOperation.readHeaderAndValidate(HotRodOperation.java:56)

        at org.infinispan.client.hotrod.impl.operations.PingOperation.execute(PingOperation.java:45)

        at org.infinispan.client.hotrod.impl.operations.FaultTolerantPingOperation.executeOperation(FaultTolerantPingOperation.java:31)

        at org.infinispan.client.hotrod.impl.operations.FaultTolerantPingOperation.executeOperation(FaultTolerantPingOperation.java:17)

        at org.infinispan.client.hotrod.impl.operations.RetryOnFailureOperation.execute(RetryOnFailureOperation.java:54)

        at org.infinispan.client.hotrod.impl.RemoteCacheImpl.ping(RemoteCacheImpl.java:673)

        at org.infinispan.client.hotrod.impl.RemoteCacheImpl.resolveCompatibility(RemoteCacheImpl.java:734)

        at org.infinispan.client.hotrod.RemoteCacheManager.createRemoteCache(RemoteCacheManager.java:666)

        at org.infinispan.client.hotrod.RemoteCacheManager.getCache(RemoteCacheManager.java:536)

        at org.infinispan.client.hotrod.RemoteCacheManager.getCache(RemoteCacheManager.java:532)

        at com.encryption.TestSSL.main(TestSSL.java:29)

       

       

      Kindly please help me the resolve this problem.

       

      Please find all attachments.

        • 1. Re: Hot Rod Encryption
          nadirx
          nadirx Aug 1, 2016 7:55 AM (in response to stejas7)

          The answer is all in this (wrong) code:

           

          .ssl()
  .enabled(false)

           

          where you should set it to true.

            • Actions
          • 2. Re: Hot Rod Encryption
            sebastian.laskawiec
            sebastian.laskawiec Aug 1, 2016 8:01 AM (in response to stejas7)

            Hi Tejas!

             

            From the domain.xml file I see you are using require-ssl-client-auth="true". This means that the client will be challenged by the server and needs additionally keystores (unless there is a reason why you need this, I suggest removing this option). And of course as Tristan suggested, please turn the security on

             

            Thanks

            Sebastian

              • Actions
            • 3. Re: Hot Rod Encryption
              stejas7
              stejas7 Aug 1, 2016 2:03 PM (in response to stejas7)

              Thanks sebastian.laskawiec and nadirx

               

              I have one more question.

               

              I have specify require-ssl-client-auth="false" in  <encryption> tag of <hotrod-connector> tag in domain.xml , then also why do I need to pass the keystore file in ConfigurationBuilder? Does that mean both the truststore and keystore file are required at the client side?

               

               

              Domain.xml

               

                              <hotrod-connector cache-container="clustered" socket-binding="hotrod">

                                  <topology-state-transfer lazy-retrieval="false" lock-timeout="1000" replication-timeout="5000"/>

                                  <encryption require-ssl-client-auth="false" security-realm="ApplicationRealm"/>

                              </hotrod-connector>

               

               

              Host.xml

                       

                           

                          <security-realm name="ApplicationRealm">

                              <server-identities>

                                    <ssl>

                                            <keystore path="keystore_server.jks" relative-to="jboss.domain.config.dir" keystore-password="CollaborateSSLPassword" alias="CollaborateServer" key-password="CollaborateSSLPassword" />

                                        </ssl>

                              </server-identities>

                              <authentication>

                                        <truststore path="keystore_server.jks" relative-to="jboss.domain.config.dir" keystore-password="CollaborateSSLPassword"/>

                                          <local default-user="$local" allowed-users="*" skip-group-loading="true"/>

                                          <properties path="application-users.properties" relative-to="jboss.domain.config.dir"/>

                              </authentication>

                        </security-realm>

               

               

               

               

              Client side code.

               

                        ClassLoader classLoader = Thread.currentThread().getContextClassLoader();

                                 

                          ConfigurationBuilder builder = new ConfigurationBuilder();

                          builder

                                  .addServer()

                                  .host("127.0.0.1")

                                  .port(11222)

                                  .security()

                                  .ssl()

                                  .enabled(true)

              in comment  //  .keyStoreFileName(classLoader.getResource("keystore_server.jks").getPath())

              in  comment  //  .keyStorePassword("CollaborateSSLPassword".toCharArray())

                                  .trustStoreFileName(classLoader.getResource("truststore_server.jks").getPath())

                                  .trustStorePassword("CollaborateSSLPassword".toCharArray());

               

                          RemoteCacheManager rcm = new RemoteCacheManager(builder.build());

                     

                          RemoteCache<String, String> cache = rcm.getCache();

                   

                          cache.put("key", "This is the value");

                     

                          for(int i =0;i<1000;i++)

                          {

                            Thread.sleep(1000);

                            System.out.printf("Cache retrieved = %s\n", cache.get("key"));

                          }

                     

                          }

                      catch (Exception e)

                      {

                          e.printStackTrace();

                      }

                  }

               

               

              If i am not put a keyStored_server.jks at client side. It will give me a below error.

               

              org.infinispan.commons.CacheConfigurationException: ISPN004023: SSL Enabled but no KeyStore specified

                at org.infinispan.client.hotrod.configuration.SslConfigurationBuilder.validate(SslConfigurationBuilder.java:105)

                at org.infinispan.client.hotrod.configuration.SecurityConfigurationBuilder.validate(SecurityConfigurationBuilder.java:44)

                at org.infinispan.client.hotrod.configuration.ConfigurationBuilder.validate(ConfigurationBuilder.java:316)

                at org.infinispan.client.hotrod.configuration.ConfigurationBuilder.build(ConfigurationBuilder.java:361)

                at org.infinispan.client.hotrod.configuration.ConfigurationBuilder.build(ConfigurationBuilder.java:356)

                at com.highq.TestSSL.main(TestSSL.java:28)

               

              and if i open the client side program comment part it is run perfectly. why we should required client side keystore_server.jks.??


                • Actions
              • 4. Re: Hot Rod Encryption
                sebastian.laskawiec
                sebastian.laskawiec Aug 2, 2016 2:55 AM (in response to stejas7)

                It looks like this is a bug (I created a ticket to fix it: https://issues.jboss.org/browse/ISPN-6917). Until we fix it, please supply both trustore and keystore.

                  • Actions
                • 5. Re: Hot Rod Encryption
                  nadirx
                  nadirx Aug 2, 2016 4:43 AM (in response to sebastian.laskawiec)

                  Indeed, the keystore on the client should be required only when client certificate is enabled.

                    • Actions
                  • 6. Re: Hot Rod Encryption
                    stejas7
                    stejas7 Aug 2, 2016 6:51 AM (in response to stejas7)

                    Thanks sebastian.laskawiec nadirx

                     

                    Can please change the bug priority? If it is possible. I need urgently.

                      • Actions