无法通过sqh cqlsh连接ssl节点 [英] Not able to connect the ssl node throgh cqlsh

查看:70
本文介绍了无法通过sqh cqlsh连接ssl节点的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

在解释我所面临的问题之前,我将让您知道本地计算机上已验证的点.

Before explaining the issue which I'm facing, I will let you know the verified points from my local machine.

  • 我具有与Cassandra相关的所有配置,并且具有我的计算机所需的特权(访问权限).
  • 我能够通过 连接已禁用 SSL 的Cassandra节点或已禁用 TLS 的节点cqlsh .

  • I have all the Cassandra related configuration and I have the required privileges (access) to my machine .
  • I'm able to connect the Cassandra node which is SSL disabled or the node which is TLS disabled through cqlsh.

  • 例如,我可以使用以下命令连接到C *节点以下
  • cqlsh -u xxxxx -p xxxxxx 123.abc.com
  • 但是同时我无法使用SSL选项连接到以下节点
  • cqlsh --ssl -u xxxxx -p xxxxxx 123.xyz.com

以下是我的cqlshrc文件内容:

Below is my content of cqlshrc file:

<代码>[验证]用户名= xxxx密码= xxxx[联系]主机名= 123.xyz.com端口= 9042工厂= cqlshlib.ssl.ssl_transport_factory[ssl]certfile =〜/certfiles/xyz.pemvalidate = false

甚至我尝试将certFile路径设置为环境变量.

Even I tried setting the certFile path as an environment variable.

我收到以下异常:

已启用验证;SSL传输工厂要求指定有效的certfile.请在[ssl]部分中提供certfile的路径,作为/XXXX/XXXXX/.cassandra/cqlshrc中的"certfile"选项(或使用[certfiles]部分),或设置SSL_CERTFILE环境变量.

Validation is enabled; SSL transport factory requires a valid certfile to be specified. Please provide path to the certfile in [ssl] section as 'certfile' option in /XXXX/XXXXX/.cassandra/cqlshrc (or use [certfiles] section) or set SSL_CERTFILE environment variable.

推荐答案

我将猜测您的路径可能有效,但您的certfile可能无效.以下是一些快速步骤,这些步骤将从您的节点之一的密钥库中生成有效的证书文件:

I'm going to guess that your path is probably valid, but that your certfile may not be. Here are some quick steps that will generate a valid certfile from the keystore of one of your nodes:

1-检查您的cassandra.yaml以获取密钥库的位置和密码:

1 - Check your cassandra.yaml for the keystore location and password:

client_encryption_options:
  enabled: true
  keystore: /etc/cassandra/.keystore
  keystore_password: flynnLives

2-将您的密钥库转换为PKCS12密钥库:

2 - Convert your keystore to a PKCS12 keystore:

$ keytool -importkeystore -srckeystore /etc/cassandra/.keystore 
    -destkeystore ~/.cassandra/p12.keystore -deststoretype PKCS12 
    -srcstorepass flynnLives -deststorepass flynnLives

3-从PKCS12密钥库生成证书文件:

3 - Generate a certfile from the PKCS12 keystore:

$ openssl pkcs12 -in ~/.cassandra/p12.keystore -nokeys -out ~/.cassandra/xyz.pem
    -passin pass:flynnLives

4-在cqlshrc中指定连接和ssl部分,以及默认的传输工厂和证书名称.除非您使用双向SSL,否则将validate设置为false.

4 - Specify the connection and ssl sections in your cqlshrc, as well as the default transport factory and the name of your certificate. And unless you're using two-way SSL, set validate to false.

[connection]
factory = cqlshlib.ssl.ssl_transport_factory

[ssl]
certfile = ~/.cassandra/xyz.pem
validate = false

5-通过cqlsh连接:

5 - Connect via cqlsh:

$ bin/cqlsh 192.168.0.100 -u flynn -p reindeerFlotilla --ssl
Connected to MasterControl at 192.168.0.100:9042.
[cqlsh 5.0.1 | Cassandra 2.2.5 | CQL spec 3.3.1 | Native protocol v4]
Use HELP for help.
flynn@cqlsh>

这篇关于无法通过sqh cqlsh连接ssl节点的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆