Support Policy      Security Notices
  1. DataStax Support
  2. DataStax Enterprise
  3. Security

Importing existing CA and public/private key into JKS for Internodes encryption

Follow

Summary
This article discusses how to import an internal CA and public/private key pair generated using OpenSSL

Applies to

  • DataStax Enterprise (DSE) 5.0
  • DSE 6.0

Symptoms
After configuring node to node (internodes) encryption, the following error occur:

ERROR [ACCEPT-/<IP>]:19:59,143 MessagingService.java:1077 - SSL handshake error for inbound connection from 4419b69a[SSL_NULL_WITH_NULL_NULL: Socket[addr=/<IP>,port=<port>,localport=7001]]  
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown 
... 
ERROR [MessagingService-Outgoing-/<IP>-Gossip]:19:59,655 OutboundTcpConnection.java:606 - SSL handshake error for outbound connection to 3b522b8f[SSL_NULL_WITH_NULL_NULL: Socket[addr=/<IP>,port=7001,localport=<port>]] 
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found

Cause
The certificates are not recognised due to a misconfiguration of the keystore

Solution
Prerequisites:

  • Provided an internal CA root certificate, a private and a public key rootCA.cer, privatekey.pem, publickey.cer (Optional: IntermediateCA.cer)
  • Run the following command to confirm the certificates are PEM files (ASCII) and not DER files (binary certificates format):
    head privatekey.pem publickey.cer rootCA.cer intermediateCA.cer

What to do in that scenario:

  • Backup/rename the existing keystore
  • Create new keystore and remove the key that’s generated with it:
keytool -genkey -keyalg RSA -alias dse -keystore keystore.jks 
keytool -delete -alias dse -keystore keystore.jks

  • import the rootCA in the keystore created above:
    keytool -import -keystore keystore.jks -trustcacerts -alias rootca -file rootCA.cer

  • Repeat the operation above with intermediate CA certificates if necessary:
    keytool -import -keystore keystore.jks -trustcacerts -alias intermediateca -file intermediateCA.cer

  • Merge the certificate and private key - Warning: this implies they are PEM files as per the prerequisites, not DER files (binary format):

  • cat publickey.cer privatekey.pem > keypair.pem

  • Import the set into your keystore:
    keytool -importcert -alias dse -file keypair.pem -keystore keystore.jks

  • Check the keystore content:
    keytool -list -v -keystore keystore.jks > ~/CertsList.txt

  • From here, follow the standard documentation to leverage the certificates:
    https://docs.datastax.com/en/dse/5.1/dse-admin/datastax_enterprise/security/secInternodeSsl.html

Romain Anselin
Created: 2018-10-08 14:48:16 UTC
Last Update: 2018-11-16 13:33:18 UTC

Related articles

Comments

0 comments

Please sign in to leave a comment.