Pivotal Knowledge Base

Gfsh "connect" or console client application prompts to input Key/Trust Store Type

Environment 

Pivotal GemFire 9.0 or later

Symptom

When using the interactive gfsh "connect" command or a console application to connect to GemFire cache servers as a client with SSL/TLS enabled, you may be prompted to enter your Key/Trust Store Type manually, as illustrated in the following example.

Example of Key/Trust Store Type prompt (gfsh case): 

gfsh>connect --locator=locatorHost[locatorPort] --use-ssl --security-properties-file=/path/to/gfclientsecurity.properties
Connecting to Locator at [host=locatorHost, port=locatorPort] ..
Please enter the keyStoreType (javax.net.ssl.keyStoreType) : jks
Please enter the trustStoreType (javax.net.ssl.trustStoreType) : jks
Connecting to Manager at [host=locatorHost, port=1099] ..
Successfully connected to: [host=locatorHost, port=1099]

Ideally, you would specify these store types in a properties file or similar, rather than having each client application prompt for input every time it connects to the cache servers. Unfortunately, as of July 2017, there are no official GemFire properties to set these store types.

Cause

The interactive gfsh "connect" command in current GemFire 9.x implementations (or any console client application based on the Java API of those versions) tries to get the Key/Trust Store Type required for secured connections from the following Java system properties:

javax.net.ssl.keyStoreType
javax.net.ssl.trustStoreType

If those system properties are not set, GemFire prompts you to enter the types manually at your active console.

Resolution

You can avoid these prompts by explicitly setting the Java system properties listed above, using one of the following approaches.

For the interactive gfsh "connect" command case, set the environment variable JAVA_ARGS:

% export JAVA_ARGS="-Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.trustStoreType=jks $JAVA_ARGS"
% gfsh
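
As an added example (not part of the original article or of GemFire), the shell functions below go one step beyond hard-coding jks: they read each store's type from the file's leading bytes and add the two -D options to JAVA_ARGS only when they are not already set. The function names and the magic-byte heuristic are assumptions of this example; the PKCS#12 check only recognises the leading DER SEQUENCE tag.

```sh
#!/bin/sh
# Added example: derive the store type from the store file and build JAVA_ARGS.

# Print the store type implied by the first bytes of a keystore file.
# JKS files start with 0xFEEDFEED, JCEKS with 0xCECECECE; a PKCS#12 file is
# DER-encoded and starts with a SEQUENCE tag (0x30). Heuristic, not a parser.
store_type_of() {
    [ -r "$1" ] || { echo "cannot read store: $1" >&2; return 1; }
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo jks ;;
        cececece) echo jceks ;;
        30*)      echo pkcs12 ;;
        *)        echo "unrecognised store format: $1" >&2; return 1 ;;
    esac
}

# Print a JAVA_ARGS value with javax.net.ssl.keyStoreType and
# javax.net.ssl.trustStoreType added. A type already present in the current
# value is left alone, so an explicit setting wins and repeated calls do not
# stack duplicates. An unrecognised store file makes the function fail rather
# than emit a guessed type.
# Usage: java_args_with_store_types KEYSTORE TRUSTSTORE [CURRENT_JAVA_ARGS]
java_args_with_store_types() {
    args=${3-${JAVA_ARGS-}}
    for pair in "keyStoreType=$1" "trustStoreType=$2"; do
        prop=javax.net.ssl.${pair%%=*}
        case " $args " in
            *" -D$prop="*) continue ;;
        esac
        stype=$(store_type_of "${pair#*=}") || return 1
        args="-D$prop=$stype${args:+ $args}"
    done
    echo "$args"
}

# Typical use before starting gfsh (paths are placeholders):
#   JAVA_ARGS=$(java_args_with_store_types /path/to/keystore /path/to/truststore) \
#     && export JAVA_ARGS
```
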

For the console Java client application case, use one of the following:

1. Set system properties via the "-D" option of the java command:

% java -Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.trustStoreType=jks ... io.pivotal.GemFireConsoleClient

2. Set the properties in application code:

System.setProperty("javax.net.ssl.keyStoreType","jks");
System.setProperty("javax.net.ssl.trustStoreType","jks");

Additional Information

Alternatively, you can work around this issue by setting the "ssl-keystore-type" property in your gemfire.properties or gfsecurity.properties file.