
I've set up gemfire.properties to make the web component require SSL using ssl-enabled-components=web and setting up a keystore. The locator and server are starting OK and GFSH connects to the JMX manager. However, when I try to start the Swagger UI I am getting ERR_SSL_VERSION_OR_CIPHER_MISMATCH. It happens when the config has ssl-ciphers= and ssl-protocols= or when they are set to any...

So what's the required REST API cipher for Apache Geode? Thanks

rupweb
  • I've tried to use TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 as a default and same error, I can't get the Swagger browser to work with SSL enabled Geode... – rupweb Sep 22 '17 at 10:43
  • The answer is TLS_RSA_WITH_AES_256_CBC_SHA and this changes the error to ERR_SSL_PROTOCOL_ERROR, so what's the best protocol to use?! – rupweb Sep 22 '17 at 11:27
  • Which version of the JDK are you using on the backend and which browser/OS for the frontend? – Jens D Sep 22 '17 at 14:07

2 Answers


I tested this with a basic cert created with the following:

keytool -genkeypair -alias self -dname "CN=trusted" \
  -validity 3650 -keypass password -keystore ./trusted.keystore \
  -storepass password -storetype JKS

It failed in the way you describe. I recreated the cert and used a different key algorithm with -keyalg EC and then it worked. I'll see if I can give a more detailed explanation at some point.

UPDATE:

I'm using Mac OS and my /Library/Java/JavaVirtualMachines/jdk1.8.0_121.jdk/Contents/Home/jre/lib/security/java.security file contains the following restriction for certificates:

jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
  DSA keySize < 1024, EC keySize < 224

With -keyalg EC, the generated certificate is signed with SHA256withECDSA, but without that option it is signed with SHA1withDSA, so not acceptable.

Jens D
  • so it was the way to generate the cert... it has to be with `-keyalg EC` and https://geode.apache.org/docs/guide/12/managing/security/ssl_example.html needs to be updated! – rupweb Oct 02 '17 at 12:08
  • we now have a Comodo trusted SSL certificate signed with SHA256withRSA but this same error has recurred. The Geode is hosted on a Win 2012 server. We imported the cert into the keystore with '-keyalg EC' or '-keyalg RSA' and same errors as above... – rupweb Oct 18 '17 at 14:18
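As an added example (not from either answer, and not Geode's own code), here is a small Python check that tells you which entries of a gemfire.properties ssl-ciphers list can actually be negotiated with the key algorithm held in your keystore. The point it illustrates: a DSA key (what keytool produces when -keyalg is omitted, as in the first keystore above) can only serve the TLS_DHE_DSS_* suites, which mainstream browsers no longer offer, so there is no common suite and the browser reports a cipher mismatch; the RSA-only or ECDSA-only suites tried in the comments likewise need an RSA or EC key respectively.

```python
"""Check which configured ssl-ciphers can be used with the server's key type."""
import re

# Authentication token of a Java/IANA cipher-suite name -> key algorithm the
# server certificate must hold (keytool -keyalg value).
AUTH_TO_KEY_ALG = {
    "RSA": "RSA",     # TLS_RSA_*, TLS_DHE_RSA_*, TLS_ECDHE_RSA_*
    "DSS": "DSA",     # TLS_DHE_DSS_*: DSA certificate; browsers do not offer these
    "ECDSA": "EC",    # TLS_ECDHE_ECDSA_*
}

SUITE_RE = re.compile(r"^TLS_(?:(ECDHE|ECDH|DHE|DH)_)?(RSA|DSS|ECDSA)_WITH_")
# TLS 1.3 suites carry no authentication token and work with any key type.
TLS13_RE = re.compile(r"^TLS_(?:AES|CHACHA20)_")


def required_key_alg(suite):
    """Return the certificate key algorithm a suite needs, or None if any works."""
    if TLS13_RE.match(suite):
        return None
    m = SUITE_RE.match(suite)
    if not m:
        raise ValueError("unrecognised cipher suite name: " + suite)
    kx, auth = m.group(1), m.group(2)
    if kx == "ECDH":
        # Static ECDH: the certificate holds an EC key; the auth token names
        # the algorithm the issuing CA signed with, not the server's key type.
        return "EC"
    if kx == "DH":
        return "DH"   # static DH certificates, rarely used in practice
    return AUTH_TO_KEY_ALG[auth]


def usable_suites(ssl_ciphers, key_alg):
    """Split an ssl-ciphers value and keep only the suites usable with key_alg.

    key_alg is the keytool -keyalg value of the keystore entry: RSA, DSA or EC.
    """
    suites = [s.strip() for s in ssl_ciphers.split(",") if s.strip()]
    if not suites or suites == ["any"]:
        return ["any"]   # Geode's default: every suite the JSSE provider supports
    return [s for s in suites if required_key_alg(s) in (None, key_alg)]
```

An empty result means no configured suite can be negotiated with that key, which is the server-side half of the ERR_SSL_VERSION_OR_CIPHER_MISMATCH seen in the question; with `any` the suites are still constrained by the key type, which is why the DSA keystore fails against a browser.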

For the signed SSL certificate I had to go through this process using openssl to generate a pfx file, and then this process to import that pfx into the java keystore, with the -keyalg EC flag. The Swagger then works fine using HTTPS.

rupweb