问题:
使用spring数据启用客户端到节点加密
暨成双
我有一个项目与spring和Cassadra DB。实际上,将cassandra.yml中的客户机enrcyption设置为false会起作用。
工作设置(使用spring XML bean和设置为false的客户端封装)
<cassandra:cluster contact-points="${cassandra.contactpoints}"
port="${cassandra.port}"
username="${cassandra.username}"
password="${cassandra.password}" />
<cassandra:session id="cassandraSession"
keyspace-name="${cassandra.keyspace}" />
<cassandra:mapping />
<cassandra:converter />
<cassandra:template id="cassandraTemplate" />
现在我想要启用客户端到节点加密(节点到节点已经设置好并正在工作)。我在网上找到了一些教程,解释了如何创建所需的密钥库,但我无法找到如何建立一个spring项目来处理它。
我在cassandra.yml中启用了客户端到节点加密,并尝试在集群bean中设置ssl-enabled=“true”,但我无法从spring连接到cassandra。我知道cassandra集群bean中有一个ssl-options-ref属性,但是我找不到任何关于如何使用这个属性的教程。
我也尝试过:如何在运行时设置系统属性spring 3 MVC在运行时设置系统属性以加载正确的信任库文件,但是添加这些代码并没有什么区别。我总是遇到这样的错误:
2016-08-19 13:46:26 INFO NettyUtil:83 - Did not find Netty's native epoll transport in the classpath, defaulting to NIO.
2016-08-19 13:46:26 WARN DefaultPromise:151 - An exception was thrown by com.datastax.driver.core.Connection$10.operationComplete()
java.util.concurrent.RejectedExecutionException: Task com.datastax.driver.core.Connection$10$1@5c21d76e rejected from java.util.concurrent.ThreadPoolExecutor@78eaecc1[Terminated, pool size = 0, active threads = 0, queued tasks = 0, completed tasks = 0]
at java.util.concurrent.ThreadPoolExecutor$AbortPolicy.rejectedExecution(ThreadPoolExecutor.java:2047)
at java.util.concurrent.ThreadPoolExecutor.reject(ThreadPoolExecutor.java:823)
at java.util.concurrent.ThreadPoolExecutor.execute(ThreadPoolExecutor.java:1369)
at com.google.common.util.concurrent.MoreExecutors$ListeningDecorator.execute(MoreExecutors.java:556)
at com.datastax.driver.core.Connection$10.operationComplete(Connection.java:573)
at com.datastax.driver.core.Connection$10.operationComplete(Connection.java:547)
at io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:514)
at io.netty.util.concurrent.DefaultPromise.notifyListeners0(DefaultPromise.java:507)
at io.netty.util.concurrent.DefaultPromise.notifyListenersNow(DefaultPromise.java:486)
at io.netty.util.concurrent.DefaultPromise.notifyListeners(DefaultPromise.java:427)
at io.netty.util.concurrent.DefaultPromise.tryFailure(DefaultPromise.java:129)
at io.netty.channel.PendingWriteQueue.safeFail(PendingWriteQueue.java:286)
at io.netty.channel.PendingWriteQueue.removeAndFailAll(PendingWriteQueue.java:132)
at io.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1231)
at io.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1205)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1060)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:900)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:366)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:352)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:345)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1294)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:366)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:352)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:911)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:131)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:572)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:513)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:427)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:399)
at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:140)
at java.lang.Thread.run(Thread.java:745)
2016-08-19 13:46:26 INFO DefaultListableBeanFactory:444 - Destroying singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@51cc1210: defining beans [org.springframework.context.support.PropertySourcesPlaceholderConfigurer#0,cassandraCluster,cassandraSession,cassandraMapping,cassandraConverter,cassandraTemplate,smsBehavior,mailSender,preConfiguredMessage,recordingBehavior,user,trustStore]; root of factory hierarchy
2016-08-19 13:46:28 ERROR ContextLoader:331 - Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'cassandraSession': Invocation of init method failed; nested exception is com.datastax.driver.core.exceptions.NoHostAvailableException: All host(s) tried for query failed (tried: ******** (com.datastax.driver.core.exceptions.TransportException: [*******] Channel has been closed))
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1512)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:521)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:458)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:296)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:223)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:293)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:194)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:610)
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:932)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:479)
at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:410)
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:306)
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:112)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4939)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5434)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:633)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:656)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:535)
at org.apache.catalina.startup.HostConfig.check(HostConfig.java:1461)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:483)
at org.apache.tomcat.util.modeler.BaseModelMBean.invoke(BaseModelMBean.java:301)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:819)
at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:801)
at org.apache.catalina.manager.ManagerServlet.check(ManagerServlet.java:1445)
at org.apache.catalina.manager.ManagerServlet.deploy(ManagerServlet.java:860)
at org.apache.catalina.manager.ManagerServlet.doGet(ManagerServlet.java:357)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:108)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:611)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: com.datastax.driver.core.exceptions.NoHostAvailableException: All host(s) tried for query failed (tried: ************* (com.datastax.driver.core.exceptions.TransportException: [*********] Channel has been closed))
at com.datastax.driver.core.ControlConnection.reconnectInternal(ControlConnection.java:233)
at com.datastax.driver.core.ControlConnection.connect(ControlConnection.java:79)
at com.datastax.driver.core.Cluster$Manager.init(Cluster.java:1424)
at com.datastax.driver.core.Cluster.init(Cluster.java:163)
at com.datastax.driver.core.Cluster.connectAsync(Cluster.java:334)
at com.datastax.driver.core.Cluster.connect(Cluster.java:284)
at org.springframework.cassandra.config.CassandraCqlSessionFactoryBean.connect(CassandraCqlSessionFactoryBean.java:100)
at org.springframework.cassandra.config.CassandraCqlSessionFactoryBean.afterPropertiesSet(CassandraCqlSessionFactoryBean.java:94)
at org.springframework.data.cassandra.config.CassandraSessionFactoryBean.afterPropertiesSet(CassandraSessionFactoryBean.java:60)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1571)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1509)
... 52 more
假设有一个SSLoptionFactoryBean扩展了AbstractFactoryBean
,那么使用它并初始化集群的示例配置类可以是:
@Configuration
@PropertySource(value = {"file:./db.properties"})
public class CassandraConfig extends SpringHttpSessionConfiguration {
@Autowired
private SSLOptions sslOption;
@Bean
@Lazy(false)
public SslOptionFactoryBean sslOptions() throws URISyntaxException, IOException {
Resource trustStore = new FileSystemResource(env.getProperty("db.truststorefilename", ""));
Resource keyStore = new FileSystemResource(env.getProperty("db.keystorefilename", ""));
String trustStorePassword = env.getProperty("db.truststorepassword", "");
String keyStorePassword = env.getProperty("db.keystorepassword", "");
SslOptionFactoryBean option = new SslOptionFactoryBean();
option.setTrustStore(trustStore);
option.setTrustStorePassword(trustStorePassword);
option.setKeyStore(keyStore);
option.setKeyStorePassword(keyStorePassword);
return option;
}
@Bean
public Cluster cluster() throws Exception {
// load node address and port
/* ... */
return Cluster.builder()
.addContactPoint(node)
.withPort(port)
.withSSL(sslOption)
.build();
}
}
共有1个答案
濮阳旭东
使用JVM外部的System-properties设置信任存储(-djavax.net.ssl.truststore=…),或者添加一个对System-properties工厂bean的bean依赖项,以确保在初始化Cassandra客户机之前应用了这些属性。使用ssl-options-ref需要更多的努力。
在初始化Datastax客户端之前,需要应用基于系统属性的SSL配置。事实上,应该尽早应用属性确保没有其他类初始化默认SSL上下文,因为默认SSL上下文被缓存。在任何组件初始化默认SSL上下文后应用javax.net.SSL.truststore将不会应用您的设置。
您可以使用ssl-options-ref提供带有配置的SSL上下文的专用SSL选项,但这需要额外的代码。com.datastax.driver.core.ssloptions不能仅使用属性值配置。还请注意,将Cassandra驱动程序升级到3.0需要不同的SSL上下文初始化,因为驱动程序API发生了更改。
SSLoptionsFactoryBean示例可能如下所示:
public class SslOptionsFactoryBean extends AbstractFactoryBean<SSLOptions> {
private Resource keyStore;
private String keyStorePassword;
private Resource trustStore;
private String trustStorePassword;
@Override
public Class<?> getObjectType() {
return SSLOptions.class;
}
@Override
protected SSLOptions createInstance() throws Exception {
KeyManager[] keyManagers = getKeyStore() != null
? createKeyManagerFactory(getKeyStore(), getKeyStorePassword()).getKeyManagers() : null;
TrustManager[] trustManagers = getTrustStore() != null
? createTrustManagerFactory(getTrustStore(), getTrustStorePassword()).getTrustManagers() : null;
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagers, trustManagers, null);
return new SSLOptions(sslContext, SSLOptions.DEFAULT_SSL_CIPHER_SUITES);
}
private static KeyManagerFactory createKeyManagerFactory(Resource keystoreFile, String storePassword)
throws GeneralSecurityException, IOException {
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
try (InputStream inputStream = keystoreFile.getInputStream()) {
keyStore.load(inputStream, StringUtils.hasText(storePassword) ? storePassword.toCharArray() : null);
}
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, StringUtils.hasText(storePassword) ? storePassword.toCharArray() : new char[0]);
return keyManagerFactory;
}
private static TrustManagerFactory createTrustManagerFactory(Resource trustFile, String storePassword)
throws GeneralSecurityException, IOException {
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
try (InputStream inputStream = trustFile.getInputStream()) {
trustStore.load(inputStream, StringUtils.hasText(storePassword) ? storePassword.toCharArray() : null);
}
TrustManagerFactory trustManagerFactory = TrustManagerFactory
.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trustStore);
return trustManagerFactory;
}
public Resource getKeyStore() {
return keyStore;
}
public void setKeyStore(Resource keyStore) {
this.keyStore = keyStore;
}
public String getKeyStorePassword() {
return keyStorePassword;
}
public void setKeyStorePassword(String keyStorePassword) {
this.keyStorePassword = keyStorePassword;
}
public Resource getTrustStore() {
return trustStore;
}
public void setTrustStore(Resource trustStore) {
this.trustStore = trustStore;
}
public String getTrustStorePassword() {
return trustStorePassword;
}
public void setTrustStorePassword(String trustStorePassword) {
this.trustStorePassword = trustStorePassword;
}
}
XML配置部分如下所示:
<bean id="sslOptions" class="x.y.SslOptionsFactoryBean" lazy-init="false">
<property name="trustStore" value="file:truststore.jks"/>
</bean>
<cassandra:cluster contact-points="localhost"
port="9042"
username="user"
password="pass"
ssl-enabled="true"
ssl-options-ref="sslOptions"
/>
注意:SSLOptionsFactoryBean包含用于完整的SSLContext初始化的信任管理器和密钥管理器。
堆栈跟踪显示SSL是用Datastax驱动程序配置的。它还显示握手失败,失败通知事件失败,出现以下情况:
Task com.datastax.driver.core.Connection$10$1@5c21d76e rejected from java.util.concurrent.ThreadPoolExecutor@78eaecc1[Terminated, pool size = 0, active threads = 0, queued tasks = 0, completed tasks = 0]
该消息表示Netty EventLoopGroup在SSL握手(失败)完成期间关闭。spring容器应该运行更长一点以查看握手失败消息。
类似资料:
-
问题内容: 我正在使用node制作电子邮件客户端。我想在收到任何新电子邮件后立即更新浏览器窗口。我已经使用mail- listener2在服务器端获取电子邮件了。我想将数据推送到客户端。我怎么做? 问题答案: 看一下使用 websocket 将数据实时推送到客户端(浏览器)。我建议使用http://socket.io。他们那里有一些非常棒的演示,展示了您将如何做这样的事情。 您的服务器将发送名为的
-
然后我使用: 这似乎无法为那些设置了该属性的客户机提供一个clusergroup。这对客户端节点不起作用吗?
-
问题内容: 我有一个客户端数据存储在localStorage中。出于安全原因,我要加密数据。有什么方法可以使用Angularjs加密/解密客户端数据(而非服务器数据)? 问题答案: 您可以使用cryptojs库对数据进行加密/解密。首先,您应该生成一些密钥以用于加密过程: 然后,您需要存储和声明数据的方法: 这里唯一的问题是秘密密钥存储在客户端,这是这种加密的一种破坏逻辑。
-
当我尝试使用node js创建grpc客户端调用时,我遇到了一个问题。当我在proto文件中使用“google/api/annotations.proto”时,我得到一个错误。如果我删除它,它会工作文件。我可以知道我从我的客户那里错过了什么吗。js公司 错误:无法解析的扩展:“扩展google”。protobuf。中的MethodOptions。谷歌。根目录下的api。resolveAll(src
-
我的Grails应用程序在开发模式下使用h2数据库(Grails应用程序的默认行为)。中的DB连接设置是 我正在尝试使用IntelliJ IDEA的数据库客户端工具为此数据库建立连接。我开始这样创建连接 然后在下面的对话框中,输入JDBC URL 并选择“模式”上的所有可用数据库 “Test Connection”(测试连接)按钮表示成功,但从红色圆圈中可以看到,没有找到任何表格。似乎我已经正确地
-
问题内容: 我正在创建一个在任何情况下都无法管理或修改的服务器上运行的Web应用程序。 在该应用程序中,我需要执行对其他服务器的AJAX调用。这将始终被“相同原产地政策”阻止。 其中server01.test.net是Web服务器,而mail.test.net是第二台服务器。 有没有一种方法可以通过任何方式在客户端启用CORS,因为我无法在服务器上添加“ Access-Control-Allow-