Terracotta Discussion Forums (LEGACY READ-ONLY ARCHIVE)
Issue with client connecting to secure server
mmoldenh

neo

Joined: 12/04/2012 10:55:49
Messages: 8
Offline

I am having issues connecting a client to a secure server. I can get both servers in the mirror group talking to each other, but I get an exception when connecting the client.

I get the following exception:
Caused by: java.lang.IllegalStateException: Looks like the secret is still null ?! Was it ever fetched ?
at com.terracotta.toolkit.DelegatingSecretProvider$DefaultSecretProvider.getSecret(DelegatingSecretProvider.java:65)
at com.terracotta.toolkit.DelegatingSecretProvider.getSecret(DelegatingSecretProvider.java:29)
at com.terracotta.management.security.SecretProvider.getSecret(SecretProvider.java:16)
at com.tc.net.core.security.TCSecurityManagerImpl.initSecretProvider(TCSecurityManagerImpl.java:79)
at com.tc.net.core.security.TCClientSecurityManager.fetchSecret(TCClientSecurityManager.java:24)
at com.tc.client.EnterpriseClientFactory.createClientSecurityManager(EnterpriseClientFactory.java:70)
... 115 more

I have the ehcache.xml configuration as follows:
<terracottaConfig url="client1username@127.0.0.1:9510" />

The local keychain for the appserver was created with:
\dev\servers\TerracottaEE\bin\keychain.bat -c keychain.tkc tc://server1username@127.0.0.1:9510

providing the password set as described in http://terracotta.org/documentation/bigmemorymax/terracotta-server-array/tsa-security#client-keychain under the "Self-Signed Certificates Using Java Keytool" section.

I added the client user name to the server as follows:
bin/usermanagement.sh my_auth.ini client1username terracotta

Something seems lacking in these instructions, but I'm not sure what it is. I am trying to do this in an Enterprise ehCache environment.

Do I need to add the client password somehow to the keychain?
mmoldenh

neo

Joined: 12/04/2012 10:55:49
Messages: 8
Offline

I got past this by specifying the following as a system property.
-DSecretProvider.secret=server1pass

But I'm still having issues. My WebLogic 10.3.4 app server is now getting this:

Caused by: java.lang.ClassCastException: weblogic.net.http.SOAPHttpsURLConnection cannot be cast to javax.net.ssl.HttpsURLConnection
at com.tc.util.io.ServerURL.openStream(ServerURL.java:64)
at com.tc.config.schema.setup.sources.ServerConfigurationSource.getInputStream(ServerConfigurationSource.java:39)
at com.tc.config.schema.setup.StandardXMLFileConfigurationCreator.trySource(StandardXMLFileConfigurationCreator.java:361)
at com.tc.config.schema.setup.StandardXMLFileConfigurationCreator.getConfigDataSourceStrean(StandardXMLFileConfigurationCreator.java:307)
at com.tc.config.schema.setup.StandardXMLFileConfigurationCreator.loadConfigDataFromSources(StandardXMLFileConfigurationCreator.java:240)
at com.tc.config.schema.setup.StandardXMLFileConfigurationCreator.loadConfigAndSetIntoRepositories(StandardXMLFileConfigurationCreator.java:129)
at com.tc.config.schema.setup.StandardXMLFileConfigurationCreator.createConfigurationIntoRepositories(StandardXMLFileConfigurationCreator.java:111)
at com.terracotta.express.StandaloneL1Boot.resolveEmbedded(StandaloneL1Boot.java:193)
at com.terracotta.express.StandaloneL1Boot.resolveConfig(StandaloneL1Boot.java:138)
... 115 more
mmoldenh

neo

Joined: 12/04/2012 10:55:49
Messages: 8
Offline

Looks like I need a patch to do the following.
java.net.URL wsURL = new URL(...,new sun.net.www.protocol.https.Handler());

This should prevent weblogic from returning its SOAPHttpsURLConnection.
rajoshi

seraphim

Joined: 07/04/2011 04:36:10
Messages: 1491
Offline

Does it resolve the issue, or is it still there?

Rakesh Joshi
Senior Consultant
Terracotta.
mmoldenh

neo

Joined: 12/04/2012 10:55:49
Messages: 8
Offline

I would need a patch from the Terracotta side to change the code in com.tc.util.io.ServerURL.openStream where the URL is constructed. I do not know for sure if it would fix the problem.
mmoldenh

neo

Joined: 12/04/2012 10:55:49
Messages: 8
Offline

I pulled the code from http://svn.terracotta.org/svn/tc/dso/trunk/common/src/main/java/com/tc/util/io/ServerURL.java and compiled. It got me past the current problem, but now I am seeing:

2012-12-05 07:39:30,008 WARN - We couldn't load configuration data from the server at '127.0.0.1:9510'; retrying. (Error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.)
rajoshi

seraphim

Joined: 07/04/2011 04:36:10
Messages: 1491
Offline

You can raise a community JIRA for this here with all the details regarding the issue:
https://jira.terracotta.org/jira/browse

Rakesh Joshi
Senior Consultant
Terracotta.
mmoldenh

neo

Joined: 12/04/2012 10:55:49
Messages: 8
Offline

Where would I raise issues with the terracotta documentation? I have security working now, but the documentation was misleading and confusing.
mmoldenh

neo

Joined: 12/04/2012 10:55:49
Messages: 8
Offline

I've opened the following for the ClassCastException:
https://jira.terracotta.org/jira/browse/CDV-1641
rajoshi

seraphim

Joined: 07/04/2011 04:36:10
Messages: 1491
Offline

You can create a Doc JIRA for documentation by selecting Documentation in the "Other" option.

Rakesh Joshi
Senior Consultant
Terracotta.
mmoldenh

neo

Joined: 12/04/2012 10:55:49
Messages: 8
Offline

Thanks. I've opened another here: https://jira.terracotta.org/jira/browse/CDV-1642.
talbert

neo

Joined: 02/26/2014 10:47:12
Messages: 1
Offline

Two points:
(1) For security reasons, do NOT use the SecretProvider.secret system property outside of development or test environments.
In other words, please ignore the suggestion posted on 12/04/2012 about the
-DSecretProvider.secret=server1pass system property.
(2) Information about client-side security is now more accessible. See http://terracotta.org/documentation/4.1/bigmemorymax/configuration/security-overview or http://terracotta.org/documentation/3.7.4/security-overview
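
A startup check for point (1) above, as an added example that is not part of the original thread or Terracotta's own code: it looks for the SecretProvider.secret property in the JVM's own arguments, where the value is readable from process listings and start scripts, and refuses to start outside development or test. The class name and the app.env switch are assumptions made for illustration.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.List;

/** Added example: startup guard against the SecretProvider.secret system property. */
public class SecretPropertyGuard {
    // Property name taken from the thread; everything else here is illustrative.
    static final String PROP = "SecretProvider.secret";

    /** Returns one redacted finding per place the secret is exposed. */
    static List<String> findExposures(List<String> jvmArgs, String propertyValue) {
        List<String> findings = new ArrayList<>();
        String flag = "-D" + PROP;
        for (String arg : jvmArgs) {
            // Matches -DSecretProvider.secret and -DSecretProvider.secret=<value>
            if (arg.equals(flag) || arg.startsWith(flag + "=")) {
                findings.add("JVM argument " + flag
                        + "=<redacted> (visible in process listings and start scripts)");
            }
        }
        if (propertyValue != null && findings.isEmpty()) {
            // Set via System.setProperty rather than on the command line
            findings.add("system property " + PROP
                    + " is set at runtime (readable via System.getProperty)");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Hypothetical switch: -Dapp.env=dev marks a development or test JVM.
        boolean devOrTest = "dev".equals(System.getProperty("app.env"));
        List<String> findings = findExposures(
                ManagementFactory.getRuntimeMXBean().getInputArguments(),
                System.getProperty(PROP));
        for (String finding : findings) {
            System.err.println("WARNING: " + finding);
        }
        if (findings.isEmpty()) {
            System.out.println("No plaintext " + PROP + " exposure found.");
        } else if (!devOrTest) {
            System.err.println("Refusing to start outside development or test.");
            System.exit(1);
        }
    }
}
```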
 