Pivotal Knowledge Base


Seeing the error: "Certificate is not recognized" when using SSL

Environment

Product Version
Pivotal GemFire 8.x
OS RHEL 6.x

Symptom

Users see the error "Certificate is not recognized" when using SSL because SSL has not been configured correctly on the client. This article explains how to configure SSL.

Prerequisites

When trying to enable SSL communication from a GemFire client to GemFire locators or servers, the following exception is thrown: "Certificate is not recognized".

Note: We assume that the following steps were followed to set up SSL:

  1. Create a new public and private key pair for the client.
  2. Export the self-signed certificate.
  3. Import the new self-signed certificate into the client-side JRE key store at /Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/lib/security/cacerts.
  4. Import the same certificate into gemfire8.keystore, which is used by the GemFire locator and server.
  5. When the client attempts to connect to the GemFire distributed system, the fatal exception "Certificate is not recognized" is thrown.

Additionally, we assume the following properties are configured:

gemfire-server.properties:

mcast-port=0
locators=localhost[10334]
log-level=config
cache-xml-file=../config/server-cache.xml
statistic-sampling-enabled=true
statistic-sample-rate=1000
statistic-archive-file=myStatisticsArchiveFile.gfs
enable-time-statistics=false
jmx-manager-ssl-enabled=false
cluster-ssl-enabled=true
cluster-ssl-require-authentication=false

gfsecurity.properties:

cluster-ssl-keystore=/Users/gemfire/Documents/gemfire/security/gemfire8.keystore
cluster-ssl-keystore-password=password
cluster-ssl-truststore=/Users/gemfire/Documents/gemfire/security/gemfire8.keystore
cluster-ssl-truststore-password=password

locator.properties:

mcast-port=0
log-level=config
locators=localhost[10334]
cluster-ssl-enabled=true
server-ssl-require-authentication=false

gemfire-client.properties:

mcast-port=0
log-level=config
log-file=gemClient.log
ssl-enabled=true

Resolution

The Java client uses the same GemFire properties as the server side, so point the client to the key stores with a gfsecurity.properties file rather than relying on the JRE cacerts file.

Do not use the "ssl-*" properties. They are deprecated in favor of the "cluster-ssl-*" properties, so the client's "ssl-enabled=true" should become "cluster-ssl-enabled=true".

Since the locator is not a cache server, the "server-ssl-*" properties will never be used by it. Instead, set "cluster-ssl-require-authentication=false" on the locator, so that it will not require client certificates from clients connecting to it.

Once these changes are made, you should be able to create the ClientCache using:

import com.gemstone.gemfire.cache.client.ClientCache;
import com.gemstone.gemfire.cache.client.ClientCacheFactory;

// The keystore and truststore locations come from gfsecurity.properties;
// only the cluster-ssl-* property family is used here, not the deprecated ssl-* one.
ClientCache cache = new ClientCacheFactory()
        .set("name", "GemClient")
        .set("log-level", "info")
        .set("cluster-ssl-enabled", "true")
        .set("cache-xml-file", "gemfire/config/clientCache.xml")
        .create();

Comments

  • Chi Xie

    Nice work Tommy.

    BTW, could you please also provide some sample scripts that you used to set up SSL according to the following steps you provided? That might make this direction more practical and clear. Thanks.

    1. create a new public and private key pair for the client;
    2. export the self-signed certificate;
    3. import the new self signed certificate into the client side JRE keystore at /Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/lib/security/cacerts;
    4. Import the same certificate to gemfire8.keystore, which is being used by Gemfire locator and server; and,
    5. when the client attempts to make a connection to the Gemfire distributed system, the Fatal Exception that certificate is not recognized is thrown.