Hi Kyle -

Thanks for the info. Just so you know, setting check_clr = off means that Riak will not validate the signing chain of your client certificate.

What value are you using for "CN=" for the certificates pointed to by the various "ssl.*" settings in riak.conf?

http://docs.basho.com/riak/kv/2.1.4/using/security/basics/#certificate-configuration

I ask because the validation of the server certificate by the client during the TLS handshake depends on the CN= value.

--
Luke Bakken
Engineer
lbak...@basho.com

On Mon, Aug 29, 2016 at 2:07 PM, Nguyen, Kyle <kyle.ngu...@philips.com> wrote:
> Thanks a lot, Luke! I finally got the mutual certificate based authentication
> working by setting check_clr = off since I don't see any documentation on how
> to set this up and we might not need this feature. Another thing that I added
> to make it work is to add the correct entry for cidr. I was using
> 127.0.0.1/32 instead of 10.0.2.2/32 which is the Ubuntu ip that my laptop
> localhost is sending the request to.
>
> +--------------------+------------+-----------+----------+
> |       users        |    cidr    |  source   | options  |
> +--------------------+------------+-----------+----------+
> |        kyle        |10.0.2.2/32 |certificate|    []    |
> +--------------------+------------+-----------+----------+
>
> TLS also works without using the DNS-resolvable hostname with protocol
> buffer. Hence, I thought you must have referred to HTTPS.
>
> -Kyle-
>
> -----Original Message-----
> From: Luke Bakken [mailto:lbak...@basho.com]
> Sent: Monday, August 29, 2016 7:59 AM
> To: Nguyen, Kyle
> Cc: Riak Users
> Subject: Re: Need help with Riak-KV (2.1.4) certificate based authentication
> using Java client
>
> Kyle -
>
> What is the output of these commands?
>
> riak-admin security print-users
> riak-admin security print-sources
>
> http://docs.basho.com/riak/kv/2.1.4/using/security/basics/#user-management
>
> Please note that setting up certificate authentication *requires* that you
> have set up SSL / TLS in Riak as well.
>
> http://docs.basho.com/riak/kv/2.1.4/using/security/basics/#enabling-ssl
>
> The SSL certificates used by Riak *must* have their "CN=" section match the
> server's DNS-resolvable host name. This is an SSL/TLS requirement, not
> specific to Riak. Then, when you connect via the Java client, you must use
> the DNS name and not IP address. The client must have the appropriate public
> key information to validate the server cert as well (from Get a Cert).
>
> --
> Luke Bakken
> Engineer
> lbak...@basho.com

_______________________________________________
riak-users mailing list
riak-users@lists.basho.com
http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
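The two things this thread turns on, the cidr of the security source having to cover the address the client actually connects from, and the name the client dials having to match the server certificate's CN, are easy to get wrong silently. The script below is an added example and is not code from the thread, from Basho or from Riak itself: it models a Riak-style source table (constructed from the `print-sources` row Kyle quoted) and a simplified RFC 6125 host-name match (exact match, or one wildcard standing for the whole leftmost label), and reports why a certificate-authenticated connection would be refused. The host name `riak.example.test` is an assumed placeholder, and the matching rule is a simplification, not Riak's or Erlang's own implementation.

```python
"""Added example, not code from the Riak thread or from Basho: models (1) whether
the address a client connects from falls inside the cidr of a matching security
source and (2) whether the host name the client connected to matches the CN on
the server certificate. The host-name rule is a simplified RFC 6125 match
(exact, or a wildcard for the whole leftmost label), not Riak's implementation."""
import ipaddress
from typing import Optional

# Constructed to mirror the `riak-admin security print-sources` row in the thread.
SOURCES = [
    {"users": "kyle", "cidr": "10.0.2.2/32", "source": "certificate", "options": []},
]


def find_source(sources: list, user: str, client_ip: str) -> Optional[dict]:
    """Return the first source whose user (or 'all') and cidr cover this client."""
    addr = ipaddress.ip_address(client_ip)
    for src in sources:
        if src["users"] not in (user, "all"):
            continue
        if addr in ipaddress.ip_network(src["cidr"], strict=False):
            return src
    return None


def hostname_matches_cn(hostname: str, cn: str) -> bool:
    """Simplified RFC 6125 matching: case-insensitive, exact or leftmost-label wildcard."""
    host_labels = hostname.lower().rstrip(".").split(".")
    cn_labels = cn.lower().rstrip(".").split(".")
    if len(host_labels) != len(cn_labels):
        return False
    # A wildcard may only stand for the whole leftmost label, and the name must
    # still have at least two labels after it (no bare "*" and no "*.test").
    if cn_labels[0] == "*":
        return len(cn_labels) >= 3 and host_labels[1:] == cn_labels[1:]
    return host_labels == cn_labels


def diagnose(sources: list, user: str, client_ip: str, connect_host: str, cert_cn: str) -> list:
    """Collect the reasons a certificate-authenticated connection would be refused."""
    problems = []
    src = find_source(sources, user, client_ip)
    if src is None:
        problems.append(f"no security source covers user {user!r} from {client_ip}")
    elif src["source"] != "certificate":
        problems.append(f"source for {user!r} is {src['source']!r}, not 'certificate'")
    # Dialling the server by IP address fails CN validation because the client
    # compares the name it connected to against the certificate's CN.
    if not hostname_matches_cn(connect_host, cert_cn):
        problems.append(f"connected to {connect_host!r} but certificate CN is {cert_cn!r}")
    return problems


if __name__ == "__main__":
    # Kyle's first attempt (127.0.0.1/32) versus the working cidr, with the
    # client arriving from 10.0.2.2 as described in the thread. The host name
    # riak.example.test is an assumed placeholder.
    wrong = [{"users": "kyle", "cidr": "127.0.0.1/32", "source": "certificate", "options": []}]
    print(diagnose(wrong, "kyle", "10.0.2.2", "riak.example.test", "riak.example.test"))
    print(diagnose(SOURCES, "kyle", "10.0.2.2", "10.0.2.2", "riak.example.test"))
    print(diagnose(SOURCES, "kyle", "10.0.2.2", "riak.example.test", "riak.example.test"))
```

Running it shows the first call refused on the cidr alone, the second on the host name alone (connecting to the IP address as the original reply warns against), and the third accepted. Note that when a client sits behind NAT or a VM bridge, as Kyle's laptop did, the address Riak sees is the gateway's, which is why 127.0.0.1/32 never matched.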