streamsets cli with ssl

asked 2018-04-03 03:34:29 -0500

oleksii.petrovskyi

updated 2018-04-03 06:09:31 -0500

I've been trying to use the streamsets cli with https, but no luck.

# ./streamsets cli -U https://10.1.5.104:18630 -u admin -p admin definitions
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present

OK, this error says that the SSL certificate is not trusted. The documentation says how to point the CLI at a custom keystore file:

# export SDC_CLI_JAVA_OPTS="-Djavax.net.ssl.trustStore=/etc/sdc/keystore.jks"

The error remains the same.

Just in case, I added a password property for the keystore:

# export SDC_CLI_JAVA_OPTS="-Djavax.net.ssl.trustStore=/etc/sdc/keystore.jks -Djavax.net.ssl.trustStorePassword=$(cat /etc/sdc/keystore-password.txt)"

The same error.

I've also tried to start the CLI as a java process:

# java -Djavax.net.ssl.trustStore=/etc/sdc/keystore.jks -jar streamsets-datacollector-cli-3.1.2.0.jar -U https://10.1.5.104:18630 -u admin -p admin definitions

The same error.

It looks like this property is never read. Did someone manage to use the CLI with https? I'd appreciate any help. Thank you.


1 Answer


answered 2018-04-03 06:32:17 -0500

oleksii.petrovskyi

Java handles SSL a little differently than a web browser. When a request is made with a host name, it's possible to fall back to the Common Name in the Subject DN of the server certificate, instead of using the Subject Alternative Name. When using an IP address, there must be a Subject Alternative Name entry (of type IP address, not DNS name) in the certificate.

From RFC 2818 (Section 3.1):

If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

[...]

In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

The default keystore that is provisioned with the sdc distribution has only one record, CN=localhost.

The solution that works for me is:

# export SDC_CLI_JAVA_OPTS="-Djavax.net.ssl.trustStore=/etc/sdc/keystore.jks -Djavax.net.ssl.trustStorePassword=$(cat /etc/sdc/keystore-password.txt)"

# ./streamsets cli -U https://localhost:18630 -u admin -p admin definitions

Otherwise, you have to create your own certificate with an IP address entry in it (add this to the keytool command: -ext san=ip:10.1.5.104).

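The identity rule the answer quotes from RFC 2818 section 3.1, written out as a small checker. This is an added example, not code from the original post or from StreamSets; the two certificates are constructed stand-ins (a CN=localhost certificate with no SAN, like the default sdc keystore, and one generated with a `-ext san=dns:...,ip:10.1.5.104` extension) laid out in the dict shape Python's `ssl.getpeercert()` returns, and the failure reasons only approximate the JDK's CertificateException messages. It shows why `https://10.1.5.104` fails against the default keystore while `https://localhost` succeeds, and why a dNSName SAN switches off the CN fallback entirely.

```python
"""Server identity check per RFC 2818 section 3.1 (the rule Java applies).

Constructed example, not code from the original post or from StreamSets.
Certificates are dicts in the shape Python's ssl.getpeercert() returns,
built inline so this runs offline. Reason strings approximate the JDK's
CertificateException messages.
"""
import ipaddress

# Constructed stand-in for the default sdc keystore cert: CN=localhost, no SAN.
DEFAULT_SDC_CERT = {
    "subject": ((("commonName", "localhost"),),),
}

# Constructed stand-in for a cert generated with
#   keytool ... -ext san=dns:sdc.example.internal,ip:10.1.5.104
CUSTOM_SDC_CERT = {
    "subject": ((("commonName", "sdc"),),),
    "subjectAltName": (("DNS", "sdc.example.internal"), ("IP Address", "10.1.5.104")),
}


def _is_ip(value):
    """True if the URL host is an IP literal (v4 or v6) rather than a name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dns_match(pattern, hostname):
    """Case-insensitive DNS match; '*' is allowed only as the whole leftmost
    label and matches exactly one label (the same restriction the JDK applies)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_identity(cert, expected):
    """Return (ok, reason) for the host or IP taken from the URL against cert."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for t, v in sans if t == "DNS"]
    ip_names = [v for t, v in sans if t == "IP Address"]

    if _is_ip(expected):
        # URL carried an IP literal: only an iPAddress SAN can match, never the CN.
        if not sans:
            return False, "No subject alternative names present"
        want = ipaddress.ip_address(expected)
        for ip in ip_names:
            if ipaddress.ip_address(ip) == want:
                return True, f"matched iPAddress SAN {ip}"
        return False, f"No subject alternative names matching IP address {expected} found"

    if dns_names:
        # dNSName SANs present: they are authoritative and the CN is not consulted.
        for name in dns_names:
            if _dns_match(name, expected):
                return True, f"matched dNSName SAN {name}"
        return False, f"No subject alternative DNS name matching {expected} found"

    # No dNSName SAN at all: the deprecated fallback to the Subject Common Name.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for cn in cns:
        if _dns_match(cn, expected):
            return True, f"matched Common Name {cn} (deprecated CN fallback)"
    return False, f"No name matching {expected} found"


if __name__ == "__main__":
    for cert_name, cert in (("default", DEFAULT_SDC_CERT), ("custom", CUSTOM_SDC_CERT)):
        for target in ("localhost", "10.1.5.104", "sdc", "sdc.example.internal"):
            ok, why = check_identity(cert, target)
            print(f"{cert_name:7} {target:22} {'OK  ' if ok else 'FAIL'} {why}")
```

Two things worth noticing in the output: the custom certificate has CN=sdc, yet `check_identity(CUSTOM_SDC_CERT, "sdc")` fails, because once a dNSName SAN exists the CN is ignored; and an IP literal against a certificate that has no SAN extension at all produces exactly the "No subject alternative names present" situation from the question, which no trust store setting can fix since the certificate is trusted but does not name the peer.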