
Unable to create SSL connection for Cassandra #618

edewata opened this issue Aug 3, 2020 · 2 comments

Comments

@edewata (Contributor) commented Aug 3, 2020

JSS fails to establish an SSL connection for Cassandra. This may be required by PKI ACME in certain environments.

Steps to reproduce:

  1. Install JSS 4.7 and DataStax Java Driver 4.7.2.
  2. Prepare a Cassandra database.
  3. Prepare a client application similar to this example.
  4. Run the client application.

Actual result: The client application failed to connect to the Cassandra database over SSL.

Expected result: The client application should be able to connect to the Cassandra database over SSL.

Additional info: The client application showed the following stack trace:

com.datastax.oss.driver.api.core.DriverExecutionException
	at com.datastax.oss.driver.internal.core.util.concurrent.CompletableFutures.getUninterruptibly(CompletableFutures.java:152)
	at com.datastax.oss.driver.api.core.session.SessionBuilder.build(SessionBuilder.java:633)
	at org.dogtagpki.acme.database.CassandraDatabase.init(CassandraDatabase.java:90)
	at org.dogtagpki.acme.server.ACMEEngine.initDatabase(ACMEEngine.java:264)
	at org.dogtagpki.acme.server.ACMEEngine.start(ACMEEngine.java:417)
	at org.dogtagpki.acme.server.ACMEEngine.contextInitialized(ACMEEngine.java:1067)
	at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4690)
	at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5151)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
	at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
	at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
	at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688)
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
	at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:631)
	at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1831)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
	at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112)
	at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:526)
	at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:425)
	at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1576)
	at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:309)
	at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
	at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
	at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
	at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:936)
	at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:841)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
	at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1384)
	at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1374)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
	at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:134)
	at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:909)
	at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:262)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
	at org.apache.catalina.core.StandardService.startInternal(StandardService.java:421)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
	at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
	at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
Caused by: java.security.KeyStoreException: Unable to initialize JSSKeyManagerFactory with key store from non-JSS provider.
	at org.mozilla.jss.provider.javax.crypto.JSSKeyManagerFactory.engineInitKeyStore(JSSKeyManagerFactory.java:54)
	at org.mozilla.jss.provider.javax.crypto.JSSKeyManagerFactory.engineInit(JSSKeyManagerFactory.java:26)
	at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
	at com.datastax.oss.driver.internal.core.config.cloud.CloudConfigFactory.createKeyManagerFactory(CloudConfigFactory.java:212)
	at com.datastax.oss.driver.internal.core.config.cloud.CloudConfigFactory.createSslContext(CloudConfigFactory.java:198)
	at com.datastax.oss.driver.internal.core.config.cloud.CloudConfigFactory.createCloudConfig(CloudConfigFactory.java:130)
	at com.datastax.oss.driver.api.core.session.SessionBuilder.buildDefaultSessionAsync(SessionBuilder.java:671)
	at com.datastax.oss.driver.api.core.session.SessionBuilder.buildAsync(SessionBuilder.java:619)
	... 50 more
Caused by: java.security.KeyStoreException: Unable to initialize JSSKeyManagerFactory with key store from non-JSS provider.
	at org.mozilla.jss.provider.javax.crypto.JSSKeyManagerFactory.engineInitKeyStore(JSSKeyManagerFactory.java:49)
	... 57 more

The stack trace points to the following code in DataStax Java Driver:
https://github.com/datastax/java-driver/blob/4.7.2/core/src/main/java/com/datastax/oss/driver/internal/core/config/cloud/CloudConfigFactory.java#L212

@cipherboy (Member) commented

This is an issue with how Cassandra is creating the KeyStore. It needs to be configured to use a JSS keystore (or null suffices) rather than a JDK-provided key store.

This isn't really a JSS problem; SunJSSE in FIPS mode would have the same requirements. We've wanted to work around this, but it would require hacks around NSS features, which I wouldn't do in a wrapper over NSS.

Perhaps this documentation will help?

We can provide the JKS keystore, but that'd be a lie; we'd probably have to implement the JKS spec.
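The provider mismatch behind the stack trace above, shown as an added Java example (this is illustration code, not JSS or DataStax driver code). The check is hypothetical: it compares the provider that produced the KeyStore with the provider backing the KeyManagerFactory before calling init, so a misconfiguration surfaces as a readable error instead of a DriverExecutionException deep in session startup. The provider name "SunJSSE" is the JDK's; treating any non-JDK KeyManagerFactory provider as one that accepts only its own KeyStore (or null) is an assumption that matches the behaviour described in this thread.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Added illustration for this issue; not part of JSS, PKI ACME or the DataStax driver. */
public final class ProviderAwareSslContext {

    /**
     * Hypothetical pre-flight check. A token-backed provider (the JSS case here) can only
     * serve keys that live in its own key database, so handing it a JKS/PKCS12 file loaded
     * by another provider cannot work. Passing null means "use your own keys" and is
     * accepted by every provider; a KeyStore from the same provider is accepted too.
     */
    static void checkKeyStoreProvider(KeyManagerFactory kmf, KeyStore ks) throws KeyStoreException {
        if (ks == null) {
            return; // null: the KeyManagerFactory's provider supplies the key material itself
        }
        Provider kmfProvider = kmf.getProvider();
        Provider ksProvider = ks.getProvider();
        // Assumption: the JDK's SunJSSE accepts any KeyStore implementation.
        if ("SunJSSE".equals(kmfProvider.getName())) {
            return;
        }
        // Assumption: any other provider accepts only a KeyStore it created itself.
        if (!kmfProvider.getName().equals(ksProvider.getName())) {
            throw new KeyStoreException("KeyManagerFactory from provider '" + kmfProvider.getName()
                    + "' cannot be initialized with a " + ks.getType() + " KeyStore from provider '"
                    + ksProvider.getName() + "'; import the keys into that provider's own KeyStore "
                    + "or initialize with null");
        }
    }

    /**
     * Build an SSLContext. keyStorePath == null takes the provider-neutral path: no file is
     * loaded and the KeyManagerFactory's provider picks client keys from its own store.
     */
    static SSLContext build(String keyStorePath, char[] password, String keyStoreType)
            throws GeneralSecurityException, IOException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        KeyStore ks = null;
        if (keyStorePath != null) {
            // This is the pattern that fails under JSS: a file-backed store from a JDK provider.
            ks = KeyStore.getInstance(keyStoreType);
            try (FileInputStream in = new FileInputStream(keyStorePath)) {
                ks.load(in, password);
            }
        }
        checkKeyStoreProvider(kmf, ks); // readable error instead of the one in the stack trace
        kmf.init(ks, password);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // default trust store of the active provider

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo run: the null path initializes under both the JDK and a JSS-style provider.
        SSLContext ctx = build(null, null, null);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        System.out.println("KeyManagerFactory provider: " + kmf.getProvider().getName());
        System.out.println("SSLContext provider:        " + ctx.getProvider().getName());
    }
}
```

Running main with JSS registered as the highest-priority provider prints a JSS provider name for the KeyManagerFactory; calling build with a JKS path instead reproduces the conflict, but now as a KeyStoreException that names both providers and the fix.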

@cipherboy (Member) commented

Simplest would be to patch datastax; I'll see what contributing upstream looks like.
