无法通过sqh cqlsh连接ssl节点 [英] Not able to connect the ssl node throgh cqlsh

问题描述

在解释我所面临的问题之前，我将让您知道本地计算机上已验证的点.

Before explaining the issue which I'm facing, I will let you know the verified points from my local machine.

• 我具有与Cassandra相关的所有配置，并且具有我的计算机所需的特权(访问权限).

• 我能够通过 连接已禁用 SSL 的Cassandra节点或已禁用 TLS 的节点cqlsh .

• I have all the Cassandra related configuration and I have the required privileges (access) to my machine .

• I'm able to connect the Cassandra node which is SSL disabled or the node which is TLS disabled through cqlsh.

• 例如，我可以使用以下命令连接到C *节点以下
• cqlsh -u xxxxx -p xxxxxx 123.abc.com
• 但是同时我无法使用SSL选项连接到以下节点
• cqlsh --ssl -u xxxxx -p xxxxxx 123.xyz.com

以下是我的cqlshrc文件内容:

Below is my content of cqlshrc file:

<代码>[验证]用户名= xxxx密码= xxxx[联系]主机名= 123.xyz.com端口= 9042工厂= cqlshlib.ssl.ssl_transport_factory[ssl]certfile =〜/certfiles/xyz.pemvalidate = false

甚至我尝试将certFile路径设置为环境变量.

Even I tried setting the certFile path as an environment variable.

我收到以下异常:

已启用验证；SSL传输工厂要求指定有效的certfile.请在[ssl]部分中提供certfile的路径，作为/XXXX/XXXXX/.cassandra/cqlshrc中的"certfile"选项(或使用[certfiles]部分)，或设置SSL_CERTFILE环境变量.

Validation is enabled; SSL transport factory requires a valid certfile to be specified. Please provide path to the certfile in [ssl] section as 'certfile' option in /XXXX/XXXXX/.cassandra/cqlshrc (or use [certfiles] section) or set SSL_CERTFILE environment variable.

推荐答案

我将猜测您的路径可能有效，但您的certfile可能无效.以下是一些快速步骤，这些步骤将从您的节点之一的密钥库中生成有效的证书文件:

I'm going to guess that your path is probably valid, but that your certfile may not be. Here are some quick steps that will generate a valid certfile from the keystore of one of your nodes:

1-检查您的cassandra.yaml以获取密钥库的位置和密码:

1 - Check your cassandra.yaml for the keystore location and password:

client_encryption_options:
  enabled: true
  keystore: /etc/cassandra/.keystore
  keystore_password: flynnLives

2-将您的密钥库转换为PKCS12密钥库:

2 - Convert your keystore to a PKCS12 keystore:

$ keytool -importkeystore -srckeystore /etc/cassandra/.keystore 
    -destkeystore ~/.cassandra/p12.keystore -deststoretype PKCS12 
    -srcstorepass flynnLives -deststorepass flynnLives

3-从PKCS12密钥库生成证书文件:

3 - Generate a certfile from the PKCS12 keystore:

$ openssl pkcs12 -in ~/.cassandra/p12.keystore -nokeys -out ~/.cassandra/xyz.pem
    -passin pass:flynnLives

4-在cqlshrc中指定连接和ssl部分，以及默认的传输工厂和证书名称.除非您使用双向SSL，否则将validate设置为false.

4 - Specify the connection and ssl sections in your cqlshrc, as well as the default transport factory and the name of your certificate. And unless you're using two-way SSL, set validate to false.

[connection]
factory = cqlshlib.ssl.ssl_transport_factory

[ssl]
certfile = ~/.cassandra/xyz.pem
validate = false

5-通过cqlsh连接:

5 - Connect via cqlsh:

$ bin/cqlsh 192.168.0.100 -u flynn -p reindeerFlotilla --ssl
Connected to MasterControl at 192.168.0.100:9042.
[cqlsh 5.0.1 | Cassandra 2.2.5 | CQL spec 3.3.1 | Native protocol v4]
Use HELP for help.
flynn@cqlsh>

这篇关于无法通过sqh cqlsh连接ssl节点的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！