I configured client-to-node encryption following the reference at http://cloudurable.com/blog/cassandra-ssl-cluster-setup/index.html
cassandra version 2.1.16
java version jdk1.8.0_131
JCE version JAVA 8
netty-all-4.0.23.Final
Python version Python 2.7.5
Can someone please help me: which step is wrong? Are these versions compatible?
SSL settings in cassandra.yaml:
server_encryption_options:
    internode_encryption: all
    keystore: /home/cassandra/resources/opt/cassandra/conf/certs/cassandra.keystore
    keystore_password: cassandra
    truststore: /home/cassandra/resources/opt/cassandra/conf/certs/cassandra.truststore
    truststore_password: cassandra
    # More advanced defaults below:
    protocol: TLS
    # algorithm: SunX509
    # store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA]
    # require_client_auth: false

# enable or disable client/server encryption.
client_encryption_options:
    enabled: true
    # If enabled and optional is set to true encrypted and unencrypted connections are handled.
    optional: false
    keystore: /home/cassandra/resources/opt/cassandra/conf/certs/cassandra.keystore
    keystore_password: cassandra
    require_client_auth: true
    # Set trustore and truststore_password if require_client_auth is true
    truststore: /home/cassandra/resources/opt/cassandra/conf/certs/cassandra.truststore
    truststore_password: cassandra
    # More advanced defaults below:
    protocol: TLS
    # algorithm: SunX509
    # store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA]
==========
Error in system.log:
INFO [main] 2018-04-17 18:10:14,110 StorageService.java:1715 - Node /192.168.0.6 state jump to NORMAL
INFO [main] 2018-04-17 18:10:14,121 CassandraDaemon.java:613 - Waiting for gossip to settle before accepting client requests...
INFO [main] 2018-04-17 18:10:22,123 CassandraDaemon.java:645 - No gossip backlog; proceeding
INFO [main] 2018-04-17 18:10:22,225 Server.java:155 - Netty using native Epoll event loop
INFO [main] 2018-04-17 18:10:22,252 Server.java:183 - Enabling encrypted CQL connections between client and server
INFO [main] 2018-04-17 18:10:22,273 Server.java:193 - Using Netty Version: [netty-buffer=netty-buffer-4.0.23.Final.208198c, netty-codec=netty-codec-4.0.23.Final.208198c, netty-codec-http=netty-codec-http-4.0.23.Final.208198c, netty-codec-socks=netty-codec-socks-4.0.23.Final.208198c, netty-common=netty-common-4.0.23.Final.208198c, netty-handler=netty-handler-4.0.23.Final.208198c, netty-transport=netty-transport-4.0.23.Final.208198c, netty-transport-rxtx=netty-transport-rxtx-4.0.23.Final.208198c, netty-transport-sctp=netty-transport-sctp-4.0.23.Final.208198c, netty-transport-udt=netty-transport-udt-4.0.23.Final.208198c]
INFO [main] 2018-04-17 18:10:22,273 Server.java:194 - Starting listening for CQL clients on /192.168.0.6:9042...
INFO [main] 2018-04-17 18:10:22,361 ThriftServer.java:119 - Binding thrift service to /192.168.0.6:9160
INFO [main] 2018-04-17 18:10:22,368 CustomTThreadPoolServer.java:250 - enabling encrypted thrift connections between client and server
INFO [Thread-15] 2018-04-17 18:10:22,378 ThriftServer.java:136 - Listening for thrift clients...
INFO [SharedPool-Worker-1] 2018-04-17 18:10:22,542 Message.java:532 - Unexpected exception during request; channel = [id: 0xf1dc0a76, /192.168.0.6:47506 => /192.168.0.6:9042]
io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 0300000001000000160001000b43514c5f56455253494f4e0005332e302e30
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:860) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:249) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:149) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:333) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:319) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:787) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
at io.netty.channel.epoll.EpollSocketChannel$EpollSocketUnsafe.epollInReady(EpollSocketChannel.java:722) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:326) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:264) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:116) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_131]
Answer 1
Are your seeds also SSL-enabled? Because it looks like they are still using the "plain text" native protocol. You may want to check the following option in their configuration: native_transport_port_ssl - it can be set to the value 9142 - then SSL should happen over that port. Check the comments around this option in cassandra.yaml.
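As an added illustration of the diagnosis in this answer (this is example code, not part of the question or the answer): the hex payload that Netty prints in the NotSslRecordException is the first bytes the client sent, so decoding it tells you what is actually connecting. The Python 3 script below extracts that hex from a copy of the log line from the question, checks whether it looks like a TLS handshake record (content type 0x16, major version 3) or a plaintext CQL native-protocol frame, and, for a CQL frame, parses the header and the STARTUP option map according to the v3 frame layout (9-byte header; the v1/v2 layout with a 1-byte stream id is also handled). The log line and the TLS sample bytes are constructed for this example.

```python
"""Decode the payload Netty reports in a NotSslRecordException (added example)."""
import re
import struct

# Constructed copy of the exception line from the question's system.log.
LOG_LINE = ("io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: "
            "0300000001000000160001000b43514c5f56455253494f4e0005332e302e30")

# Constructed: leading bytes of a TLS 1.2 ClientHello record (0x16 = handshake, 0x0303 = TLS 1.2).
TLS_SAMPLE = bytes.fromhex("160303002a0100002603030102")

# Request/response opcodes from the CQL native protocol specification (v3).
CQL_OPCODES = {
    0x00: "ERROR", 0x01: "STARTUP", 0x02: "READY", 0x03: "AUTHENTICATE",
    0x05: "OPTIONS", 0x06: "SUPPORTED", 0x07: "QUERY", 0x08: "RESULT",
    0x09: "PREPARE", 0x0A: "EXECUTE", 0x0B: "REGISTER", 0x0C: "EVENT",
    0x0D: "BATCH", 0x0E: "AUTH_CHALLENGE", 0x0F: "AUTH_RESPONSE", 0x10: "AUTH_SUCCESS",
}

HEX_RE = re.compile(r"not an SSL/TLS record:\s*([0-9a-fA-F]+)")


def extract_payload(log_line):
    """Return the raw bytes Netty printed after 'not an SSL/TLS record:', or None."""
    match = HEX_RE.search(log_line)
    return bytes.fromhex(match.group(1)) if match else None


def classify(raw):
    """Rough classification of the first bytes a client sent on port 9042."""
    if len(raw) >= 2 and raw[0] == 0x16 and raw[1] == 0x03:
        return "tls-handshake"          # would not have raised NotSslRecordException
    if raw and (raw[0] & 0x7F) in (1, 2, 3, 4):
        return "cql-plaintext"          # native protocol v1-v4 frame, no TLS in front of it
    return "unknown"


def _read_string(body, pos):
    """CQL [string]: 2-byte big-endian length followed by UTF-8 bytes."""
    (n,) = struct.unpack_from(">H", body, pos)
    pos += 2
    return body[pos:pos + n].decode("utf-8"), pos + n


def parse_cql_frame(raw):
    """Parse a CQL native-protocol frame header; decode the option map for STARTUP frames."""
    version = raw[0] & 0x7F
    direction = "response" if raw[0] & 0x80 else "request"
    if version >= 3:
        stream, opcode, length = struct.unpack_from(">hBI", raw, 2)   # 2-byte stream id
        header_len = 9
    else:
        stream, opcode, length = struct.unpack_from(">bBI", raw, 2)   # 1-byte stream id
        header_len = 8
    body = raw[header_len:header_len + length]
    frame = {
        "version": version, "direction": direction, "flags": raw[1], "stream": stream,
        "opcode": CQL_OPCODES.get(opcode, hex(opcode)), "length": length, "options": None,
    }
    if opcode == 0x01 and len(body) == length:          # STARTUP carries a [string map]
        (count,) = struct.unpack_from(">H", body, 0)
        pos, options = 2, {}
        for _ in range(count):
            key, pos = _read_string(body, pos)
            value, pos = _read_string(body, pos)
            options[key] = value
        frame["options"] = options
    return frame


def diagnose(log_line):
    """Combine the steps: what kind of client produced this exception, and what did it send?"""
    raw = extract_payload(log_line)
    if raw is None:
        return None
    kind = classify(raw)
    frame = parse_cql_frame(raw) if kind == "cql-plaintext" else None
    return {"kind": kind, "frame": frame}


if __name__ == "__main__":
    print(diagnose(LOG_LINE))
```

Run against the line from the question, the script reports a plaintext CQL v3 STARTUP request with CQL_VERSION=3.0.0: a client that never attempted a TLS handshake reached the encrypted 9042 listener. That supports the answer's reading that some client (or node) is still configured for the unencrypted native protocol, and the remedy is on the client side or via native_transport_port_ssl, not in the keystore settings.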