Author Topic: tutorial application split over two machines configured for SSL  (Read 1392 times)

broiyan

  • JPPF Grand Master
  • ****
  • Posts: 54
tutorial application split over two machines configured for SSL
« on: February 09, 2016, 07:50:41 AM »

I ran the tutorial application on a single computer. Then I deployed the application to machine A. Then I deployed the driver to machine A. Then I deployed the node to machine B. 

I want to get the tutorial application working with SSL. What must be done?

My guess is the following:

1. edit the application config properties file to enable SSL
2. edit the application config SSL properties file to use the machine A keystore and truststore

3. edit the driver config SSL properties file to use the machine A keystore and truststore.
4. edit the driver config properties file to disable plain connections on port 11111 (port 11443 is enabled by default)
5. also: look around the driver properties file for an enable SSL property but there is no such boolean (why?)

6. edit the node config SSL properties file to use the machine B keystore and truststore
7. edit the node config properties file to target the actual IP of machine A
8. edit the node config properties file to target port 11443 of machine A
9. edit the node config properties file to enable SSL

I then start the server and it reports "accepting secure connections on port 11443".

Next I start the node and I get the following error:

  "Attempting connection to the class server at 255.255.255.255:11443"

where 255.255.255.255 is the IP of machine A. This error message repeats.

On the driver side, the log file indicates the certificate is unknown.

Quote
[WARN ][org.jppf.nio.StateTransitionTask.run(89)]: error on channel SelectionKeyWrapper[id=4, readyOps=1, interestOps=0, context=NodeClassContext[channel=SelectionKeyWrapper[id=4], state=WAITING_INITIAL_NODE_REQUEST, resource=null, pendingResponses=0, type=node, peer=false, uuid=null, secure=true, ssl=true]] : javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

Listing the driver's trust store, I can see the correct hash: it is the hash of the node.

What is the cause of this problem?

Details: JPPF version 5.1.2, ubuntu 14.04, java 8 update 66
« Last Edit: February 10, 2016, 05:48:27 AM by broiyan »
Logged

lolo

  • Administrator
  • JPPF Council Member
  • *****
  • Posts: 2272
    • JPPF Web site
Re: tutorial application split over two machines configured for SSL
« Reply #1 on: February 10, 2016, 06:57:10 AM »

Hello,

My understanding of the exception you have in the server's log file is that the certificate in the node's trust store is not known to the server, i.e. there is no corresponding private key in the server's key store. Is there any way you could extract the certificates from the node's trust store and the server keystore and see if they match? You can use the "keytool" utility to export the certificates:
Code:
# use "-keystore truststore.ks" for the node, "-keystore keystore.ks" for the server
keytool -export -alias jppf -keypass password -keystore truststore.ks -storepass password -rfc -file jppf_cert.cer

On my side, to make it work with secure connections only, I changed the following properties in the server, node and application template configurations:

In jppf-driver.properties:

Code:
# disable plain connections
jppf.server.port = -1
jppf.ssl.server.port = 11443
jppf.ssl.configuration.source = org.jppf.ssl.FileStoreSource config/ssl/ssl-server.properties
jppf.management.enabled = false
jppf.management.ssl.enabled = true

In jppf-node.properties:

Code:
jppf.server.host = a.b.c.d
jppf.server.port = 11443
jppf.ssl.enabled = true
jppf.ssl.configuration.source = org.jppf.ssl.FileStoreSource config/ssl/ssl.properties
jppf.discovery.enabled = false

In application template jppf.properties:

Code:
jppf.drivers = driver1
driver1.jppf.server.host = a.b.c.d
driver1.jppf.server.port = 11443
driver1.jppf.ssl.enabled = true
jppf.ssl.configuration.file = config/ssl/ssl.properties
jppf.discovery.enabled = false

Lastly, to answer your question:
Quote
look around the driver properties file for an enable SSL property but there is no such boolean (why?)
In the server configuration, plain and secure connections are enabled or disabled by setting a positive or negative value for the corresponding ports, the "jppf.server.port" and "jppf.ssl.server.port" properties.

Sincerely,
-Laurent
Logged

broiyan

  • JPPF Grand Master
  • ****
  • Posts: 54
Re: tutorial application split over two machines configured for SSL
« Reply #2 on: February 10, 2016, 07:17:16 AM »

You were right. The driver is complaining about the node's trust store. I don't know why the driver cares what the node will trust. Perhaps a more easy to understand error message would come from the node instead of the driver. Regardless of why the driver cares what the node will trust, the problem was that the property setting for the node trust store file was commented out (and also the node trust store password commented out) in the default versions of the node's ssl.properties file.

Although I edited to point to the correct file, the fact that I used gedit meant that I did not have coloring to help show me that it was a comment. Later, I used vim and I could see that this was colored as a comment.

Note: The JPPF version 5.1.2 node ssl.properties file has the settings for the node trust store file and password as comments in a fresh installation.
« Last Edit: February 10, 2016, 07:24:34 AM by broiyan »
Logged

lolo

  • Administrator
  • JPPF Council Member
  • *****
  • Posts: 2272
    • JPPF Web site
Re: tutorial application split over two machines configured for SSL
« Reply #3 on: February 10, 2016, 07:52:07 AM »

Hi,

Thank you very much for your feedback. To answer your concern about the default configuration:
Quote
The JPPF version 5.1.2 node ssl.properties file has the settings for the node trust store file and password as comments in a fresh installation.

While it is true that "jppf.ssl.truststore.file" and "jppf.ssl.truststore.password" are commented out in a fresh installation, the alternate properties "jppf.ssl.truststore.source" and "jppf.ssl.truststore.password.source" are not. These properties allow you to get the trust/key store location and password in a more opaque way, so that they don't have to be in clear text in the ssl configuration file.

For instance, you could define a password source like this:

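Code:
package test;
import java.util.concurrent.Callable;

// Password source referenced by class name from the SSL configuration file
public class MyPasswordSource implements Callable<char[]> {
  // receives the arguments, if any, that follow the class name in the property value
  public MyPasswordSource(final String... args) throws Exception {
  }

  @Override
  public char[] call() throws Exception {
    return getPassword();
  }

  // lookup the encrypted password and decrypt it
  private final char[] getPassword() {
    // ... (the lookup and decryption are left to the implementer)
    throw new UnsupportedOperationException("password lookup not implemented");
  }
}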

and then use it like this in the ssl configuration file:
Code:
jppf.ssl.truststore.password.source = test.MyPasswordSource
This way, the password does not appear at all in the config file, adding another measure of security, which is the initial goal of this feature.

Best regards,
-Laurent
Logged
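
Added example, not part of the thread and not JPPF code: a small Python check for the failure mode found in Reply #2 (trust store settings present only as comments), which accepts the alternate ".source" properties named in Reply #3. The function name, the sample file content and its paths are assumptions made for illustration.

```python
import re

# A requirement is met when either the plain property or its ".source"
# alternative is active (all four names are quoted in the thread).
REQUIRED = {
    "trust store location": ("jppf.ssl.truststore.file",
                             "jppf.ssl.truststore.source"),
    "trust store password": ("jppf.ssl.truststore.password",
                             "jppf.ssl.truststore.password.source"),
}

# optional comment marker(s), key, '=' or ':' separator, value
LINE = re.compile(r"^\s*([#!]*)\s*([\w.\-]+)\s*[=:]\s*(.*)$")

def audit_ssl_properties(text):
    """Return {requirement: (status, key, line)}; status is 'ok',
    'commented out' or 'missing'. Line continuations are not handled."""
    active, commented = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw)
        if not m:
            continue
        marker, key, value = m.groups()
        if marker:
            commented.setdefault(key, lineno)
        elif value.strip():          # an empty value does not count as set
            active[key] = lineno     # last definition wins, as in java.util.Properties
    report = {}
    for what, keys in REQUIRED.items():
        live = [k for k in keys if k in active]
        dead = [k for k in keys if k in commented]
        if live:
            report[what] = ("ok", live[0], active[live[0]])
        elif dead:
            report[what] = ("commented out", dead[0], commented[dead[0]])
        else:
            report[what] = ("missing", None, None)
    return report

# Constructed sample reproducing the failure described in Reply #2
# (paths and password are placeholders, not the file shipped with JPPF).
BROKEN = """\
# node trust store settings
#jppf.ssl.truststore.file = config/ssl/truststore.ks
#jppf.ssl.truststore.password = password
"""

if __name__ == "__main__":
    for what, (status, key, line) in audit_ssl_properties(BROKEN).items():
        print(f"{what}: {status}" + (f" ({key}, line {line})" if key else ""))
```

Running it against the node's ssl.properties before starting the node shows a commented-out trust store setting with its line number, without relying on editor syntax coloring.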

broiyan

  • JPPF Grand Master
  • ****
  • Posts: 54
Re: tutorial application split over two machines configured for SSL
« Reply #4 on: February 10, 2016, 08:09:54 AM »

Ok, thanks for the information about programming the trust store.

It seems that the jppf.ssl.configuration.file property is commented out for both the driver and the node and that SSL between the driver and the nodes works regardless. This is how the original JPPF 5.1.12 files are configured.

The application has the jppf.ssl.configuration.file property specified, that is, it is not a comment, in the original JPPF 5.1.12 files.

I wanted to inform you about this inconsistency.
« Last Edit: February 22, 2016, 12:16:48 AM by broiyan »
Logged

lolo

  • Administrator
  • JPPF Council Member
  • *****
  • Posts: 2272
    • JPPF Web site
Re: tutorial application split over two machines configured for SSL
« Reply #5 on: February 17, 2016, 08:40:23 AM »

I agree 100% and registered the bug JPPF-441 Inconsistencies in the SSL settings of the distributed configuration. Thanks for pointing this out.

-Laurent
Logged