Hello, I am using Cassandra 2.1.0-rc1 and trying to set up internode encryption.
Here's how I have generated the certificates and keystores:

keytool -genkeypair -v -keyalg RSA -keysize 1024 -alias node1 -keystore node1.keystore -storepass 'mypassword' -dname 'CN=Development' -keypass 'mypassword' -validity 3650
keytool -export -v -alias node1 -file node1.cer -keystore node1.keystore -storepass 'mypassword'
keytool -import -v -trustcacerts -alias node1 -file node1.cer -keystore global.truststore -storepass 'mypassword' -noprompt

Now, I have created a folder /etc/cassandra/certs and copied the certs there: node1.keystore and global.truststore

Set the ownership and permissions of both to chown cassandra:cassandra and chmod 600

Then on Cassandra.yaml I did the following:

server_encryption_options:
    internode_encryption: all
    keystore: /etc/cassandra/certs/node1.keystore
    keystore_password: mypassword
    truststore: /etc/cassandra/certs/global.truststore
    truststore_password: mypassword

When starting the server I get the following error:

ERROR [main] 2014-06-19 15:00:03,701 CassandraDaemon.java:340 - Fatal configuration error
org.apache.cassandra.exceptions.ConfigurationException: Unable to create ssl socket
    at org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:431) ~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
    at org.apache.cassandra.net.MessagingService.listen(MessagingService.java:411) ~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
    at org.apache.cassandra.service.StorageService.prepareToJoin(StorageService.java:694) ~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
    at org.apache.cassandra.service.StorageService.initServer(StorageService.java:628) ~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
    at org.apache.cassandra.service.StorageService.initServer(StorageService.java:511) ~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
    at org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.java:336) [apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
    at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:455) [apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
    at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:544) [apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
Caused by: java.io.IOException: Error creating the initializing the SSL Context
    at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:124) ~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
    at org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:53) ~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
    at org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:427) ~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
    ... 7 common frames omitted
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772) ~[na:1.8.0_05]
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55) ~[na:1.8.0_05]
    at java.security.KeyStore.load(KeyStore.java:1433) ~[na:1.8.0_05]
    at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:108) ~[apache-cassandra-2.1.0~rc1.jar:2.1.0~rc1]
    ... 9 common frames omitted
Caused by: java.security.UnrecoverableKeyException: Password verification failed
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770) ~[na:1.8.0_05]
    ... 12 common frames omitted
INFO [StorageServiceShutdownHook] 2014-06-19 15:00:03,705 Gossiper.java:1272 - Announcing shutdown

Why would the certificate fail and the error "Keystore was tampered with, or password was incorrect" be displayed?

I have tested the keystore password by doing keytool -list -keystore node1.keystore

And it shows the certificate and password is correct:

keytool -list -keystore node1.keystore -storepass mypassword

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

node1, Jun 19, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): 85:28:6F:75:B5:E2:CE:5C:52:84:AC:A6:12:FC:45:FB:BA:8D:97:4D

Have no idea what went wrong as I have tried to find out. It does not seem to be a Cassandra issue but more likely an issue while generating the keystore and truststore. I am doing it for 4 nodes, which is why the truststore is the same file name, only keystores are different names which are unique for the nodes.

Thanks.
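
Added example, not part of the original post: a sketch of the integrity check behind the "Keystore was tampered with, or password was incorrect" message in the trace above. A JKS file ends with a SHA-1 digest computed over the store password, a fixed string and the file contents, so a wrong password and a modified file fail the same comparison. The zero-entry store and all function names are constructed for illustration.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
SALT = b"Mighty Aphrodite"  # fixed string the SUN JKS provider mixes into the digest


def jks_digest(password: str, body: bytes) -> bytes:
    """SHA-1 over the UTF-16BE password bytes, the fixed salt, then the store body."""
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()


def build_empty_jks(password: str) -> bytes:
    """Constructed sample: a JKS store with zero entries, sealed with `password`."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)  # magic, version 2, entry count
    return body + jks_digest(password, body)


def check_store(data: bytes, password: str) -> str:
    """Return 'ok', 'not-jks' or 'integrity-failed' for a keystore byte string."""
    if len(data) < 32 or struct.unpack(">I", data[:4])[0] != JKS_MAGIC:
        return "not-jks"
    body, stored = data[:-20], data[-20:]
    if jks_digest(password, body) != stored:
        # Java reports this single case as
        # "Keystore was tampered with, or password was incorrect".
        return "integrity-failed"
    return "ok"


if __name__ == "__main__":
    store = build_empty_jks("mypassword")
    damaged = store[:8] + b"\x00\x00\x00\x01" + store[12:]  # altered entry count
    for label, data, pw in [
        ("correct password", store, "mypassword"),
        ("wrong password", store, "mypassword "),  # constructed: trailing space
        ("modified file", damaged, "mypassword"),
    ]:
        print(f"{label:17} -> {check_store(data, pw)}")
```

The comparison is byte-exact on the password the process actually receives, and it is performed separately for every store that is loaded.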