
Unable to start Cassandra cluster after configuring SSL

I set up client-to-node encryption following the link http://cloudurable.com/blog/cassandra-ssl-cluster-setup/index.html

cassandra version 2.1.16
java version jdk1.8.0_131
JCE version JAVA 8
netty-all-4.0.23.Final
Python version Python 2.7.5

Can someone please help me figure out which step is wrong? And are these versions compatible?

SSL in cassandra.yaml

server_encryption_options:
    internode_encryption: all
    keystore: /home/cassandra/resources/opt/cassandra/conf/certs/cassandra.keystore
    keystore_password: cassandra
    truststore: /home/cassandra/resources/opt/cassandra/conf/certs/cassandra.truststore
    truststore_password: cassandra
    # More advanced defaults below:
    protocol: TLS
    # algorithm: SunX509
    # store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA]
    # require_client_auth: false

# enable or disable client/server encryption.
client_encryption_options:
    enabled: true
    # If enabled and optional is set to true encrypted and unencrypted connections are handled.
    optional: false
    keystore: /home/cassandra/resources/opt/cassandra/conf/certs/cassandra.keystore
    keystore_password: cassandra
    require_client_auth: true
    # Set trustore and truststore_password if require_client_auth is true
    truststore: /home/cassandra/resources/opt/cassandra/conf/certs/cassandra.truststore
    truststore_password: cassandra
    # More advanced defaults below:
    protocol: TLS
    # algorithm: SunX509
    # store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA]

System.log errors:

INFO  [main] 2018-04-17 18:10:14,110 StorageService.java:1715 - Node /192.168.0.6 state jump to NORMAL
INFO  [main] 2018-04-17 18:10:14,121 CassandraDaemon.java:613 - Waiting for gossip to settle before accepting client requests...
INFO  [main] 2018-04-17 18:10:22,123 CassandraDaemon.java:645 - No gossip backlog; proceeding
INFO  [main] 2018-04-17 18:10:22,225 Server.java:155 - Netty using native Epoll event loop
INFO  [main] 2018-04-17 18:10:22,252 Server.java:183 - Enabling encrypted CQL connections between client and server
INFO  [main] 2018-04-17 18:10:22,273 Server.java:193 - Using Netty Version: [netty-buffer=netty-buffer-4.0.23.Final.208198c, netty-codec=netty-codec-4.0.23.Final.208198c, netty-codec-http=netty-codec-http-4.0.23.Final.208198c, netty-codec-socks=netty-codec-socks-4.0.23.Final.208198c, netty-common=netty-common-4.0.23.Final.208198c, netty-handler=netty-handler-4.0.23.Final.208198c, netty-transport=netty-transport-4.0.23.Final.208198c, netty-transport-rxtx=netty-transport-rxtx-4.0.23.Final.208198c, netty-transport-sctp=netty-transport-sctp-4.0.23.Final.208198c, netty-transport-udt=netty-transport-udt-4.0.23.Final.208198c]
INFO  [main] 2018-04-17 18:10:22,273 Server.java:194 - Starting listening for CQL clients on /192.168.0.6:9042...
INFO  [main] 2018-04-17 18:10:22,361 ThriftServer.java:119 - Binding thrift service to /192.168.0.6:9160
INFO  [main] 2018-04-17 18:10:22,368 CustomTThreadPoolServer.java:250 - enabling encrypted thrift connections between client and server
INFO  [Thread-15] 2018-04-17 18:10:22,378 ThriftServer.java:136 - Listening for thrift clients...
INFO  [SharedPool-Worker-1] 2018-04-17 18:10:22,542 Message.java:532 - Unexpected exception during request; channel = [id: 0xf1dc0a76, /192.168.0.6:47506 => /192.168.0.6:9042]
io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 0300000001000000160001000b43514c5f56455253494f4e0005332e302e30
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:860) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:249) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:149) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:333) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:319) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:787) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.channel.epoll.EpollSocketChannel$EpollSocketUnsafe.epollInReady(EpollSocketChannel.java:722) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:326) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:264) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:116) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at java.lang.Thread.run(Thread.java:748) [na:1.8.0_131]

Do your seeds also support SSL? Because it looks like they are still using the plaintext native protocol. You may need to check the following option in their configuration: native_transport_port_ssl - it can be set to 9142 - then SSL should happen over that port. Check the comment in cassandra.yaml around this option.
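The hex that Netty rejected can be decoded to see what the unencrypted peer actually sent. As an added example (not part of the original question or answer), this Python script tells a TLS record header apart from a plaintext CQL native-protocol frame header and decodes the logged bytes; they are a protocol v3 STARTUP frame carrying CQL_VERSION 3.0.0, i.e. a client speaking the native protocol without TLS to the SSL-only port 9042:

```python
import struct

# Constructed input: the bytes Netty reported in the System.log line
# "NotSslRecordException: not an SSL/TLS record: ..." (copied from that log).
LOGGED_HEX = "0300000001000000160001000b43514c5f56455253494f4e0005332e302e30"

TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}        # CCS, alert, handshake, app data
CQL_OPCODES = {0x01: "STARTUP", 0x05: "OPTIONS", 0x07: "QUERY", 0x0F: "REGISTER"}


def classify_first_bytes(data: bytes) -> str:
    """'tls' for a TLS record header, 'cql' for a CQL native-protocol frame header."""
    if len(data) < 5:
        return "unknown"
    # TLS record header: content type, then record version 0x0300..0x0304.
    if data[0] in TLS_CONTENT_TYPES and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    # CQL frame header: bit 7 = direction (response), low bits = protocol version 1..5.
    if len(data) >= 9 and (data[0] & 0x7F) in range(1, 6):
        return "cql"
    return "unknown"


def parse_cql_frame(data: bytes) -> dict:
    """Decode a v3-style 9-byte CQL frame header and, for STARTUP, its [string map] body."""
    version, flags, stream, opcode, length = struct.unpack(">BBhBI", data[:9])
    body = data[9:9 + length]
    info = {"protocol_version": version & 0x7F, "is_response": bool(version & 0x80),
            "flags": flags, "stream": stream, "length": length,
            "opcode": CQL_OPCODES.get(opcode, hex(opcode))}
    if opcode == 0x01:  # STARTUP body: [short] n, then n x ([string] key, [string] value)
        pos, options = 2, {}
        for _ in range(struct.unpack(">H", body[:2])[0]):
            (klen,) = struct.unpack(">H", body[pos:pos + 2]); pos += 2
            key = body[pos:pos + klen].decode("ascii"); pos += klen
            (vlen,) = struct.unpack(">H", body[pos:pos + 2]); pos += 2
            options[key] = body[pos:pos + vlen].decode("ascii"); pos += vlen
        info["options"] = options
    return info


def diagnose(hex_record: str) -> dict:
    """Classify the first bytes a server saw; decode them if they are a plaintext CQL frame."""
    data = bytes.fromhex(hex_record)
    result = {"kind": classify_first_bytes(data)}
    if result["kind"] == "cql":
        result.update(parse_cql_frame(data))
    return result


if __name__ == "__main__":
    print(diagnose(LOGGED_HEX))
```

If the decoded frame is a request (is_response false), the connecting client is the side that is not configured for SSL, which is where the check for native_transport_port_ssl or the client's own SSL settings belongs.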