Uploaded image for project: 'JGroups'
  1. JGroups
  2. JGRP-1187

AUTH - X509Token authentication failure

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Minor
    • Resolution: Duplicate Issue
    • Affects Version/s: 2.9
    • Fix Version/s: 2.10
    • Labels:
      None
    • Environment:

      Windows, tested with Infinispan.

    • Steps to Reproduce:
      Hide

      I run through the following steps for the X509Token:

      1. Run keytool to create the keystore with the following command:
      keytool -genkeypair -dname "cn=Lin Ye, ou=Energy, o=GE, c=US" -alias test -keyalg RSA -keypass password -keystore D:\User\YELI\mykeystore -storepass changeit

      2. Got the following content in my JGroups config file:
      <config>
      <UDP mcast_send_buf_size="32000"
      mcast_port="45566"
      ucast_recv_buf_size="64000"
      loopback="true"
      mcast_recv_buf_size="64000"
      max_bundle_size="60000"
      max_bundle_timeout="30"
      ucast_send_buf_size="32000"
      ip_ttl="32"
      enable_bundling="false"/>
      <PING timeout="2000"
      num_initial_members="3"/>
      <MERGE2 max_interval="10000"
      min_interval="5000"/>
      <FD timeout="2000"
      max_tries="3"
      />
      <VERIFY_SUSPECT timeout="1500"/>
      <pbcast.NAKACK
      use_mcast_xmit="false"
      gc_lag="50"
      retransmit_timeout="600,1200,2400,4800"/>
      <UNICAST timeout="1200,2400,3600"/>
      <pbcast.STABLE stability_delay="1000"
      desired_avg_gossip="20000"
      max_bytes="0"/>
      <FRAG frag_size="8192"/>
      <AUTH auth_class="org.jgroups.auth.X509Token"
      auth_value="test"
      keystore_path="D:\Users\YELI\mykeystore"
      keystore_password="changeit"
      cert_password="password"
      cert_alias="test"
      cipher_type="RSA"/>
      <pbcast.GMS print_local_addr="true"
      join_timeout="3000"
      />
      <pbcast.STREAMING_STATE_TRANSFER />
      <!-- <pbcast.STATE_TRANSFER/> -->
      <pbcast.FLUSH timeout="0"/>
      </config>

      The first instance in a cluster started correctly. (And I noticed if I delete the cert_password entry in AUTH or make the password wrong, I got the "Cannot recover key" exception message for the first instance, so it seems it read the keystore and retrieved the key properly for the first instance when the password is correct.) However, when I started the second instance, I got the following exception:

      3063 [main] WARN org.jgroups.protocols.pbcast.FLUSH - T00514970-61789: waiting
      for UNBLOCK timed out after 2000 ms
      3063 [main] DEBUG org.jgroups.protocols.UDP - closing sockets and stopping thre
      ads
      3063 [main] DEBUG org.jgroups.protocols.UDP - multicast socket closed
      3063 [multicast receiver,omCluster,T00514970-61789] DEBUG org.jgroups.protocols.
      UDP - receiver socket is closed, exception=java.net.SocketException: socket clo
      sed
      3063 [multicast receiver,omCluster,T00514970-61789] DEBUG org.jgroups.protocols.
      UDP - multicast receiver thread terminated
      3079 [unicast receiver,omCluster,T00514970-61789] DEBUG org.jgroups.protocols.UD
      P - receiver socket is closed, exception=java.net.SocketException: socket close
      d
      3079 [unicast receiver,omCluster,T00514970-61789] DEBUG org.jgroups.protocols.UD
      P - unicast receiver thread terminated
      org.infinispan.CacheException: Unable to invoke method public abstract void org.
      infinispan.remoting.transport.Transport.start() on object
      at org.infinispan.util.ReflectionUtil.invokeAccessibly(ReflectionUtil.ja
      va:173)
      at org.infinispan.factories.AbstractComponentRegistry$PrioritizedMethod.
      invoke(AbstractComponentRegistry.java:852)
      at org.infinispan.factories.AbstractComponentRegistry.internalStart(Abst
      ractComponentRegistry.java:672)
      at org.infinispan.factories.AbstractComponentRegistry.start(AbstractComp
      onentRegistry.java:574)
      at org.infinispan.factories.GlobalComponentRegistry.start(GlobalComponen
      tRegistry.java:131)
      at org.infinispan.factories.ComponentRegistry.start(ComponentRegistry.ja
      va:135)
      at org.infinispan.CacheDelegate.start(CacheDelegate.java:311)
      at org.infinispan.manager.DefaultCacheManager.createCache(DefaultCacheMa
      nager.java:507)
      at org.infinispan.manager.DefaultCacheManager.getCache(DefaultCacheManag
      er.java:473)
      at ge.energy.smartgrid.applications.omtest.controllers.InfinispanCacheCo
      ntroller.connect(InfinispanCacheController.java:50)
      at ge.energy.smartgrid.applications.omtest.controllers.InfinispanCacheCo
      ntroller.connect(InfinispanCacheController.java:38)
      at ge.energy.smartgrid.applications.omtest.drivers.ReadUpdateTestDriver.
      startUp(ReadUpdateTestDriver.java:76)
      at ge.energy.smartgrid.applications.omtest.LaunchSlave.main(LaunchSlave.
      java:16)
      Caused by: java.lang.reflect.InvocationTargetException
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      at java.lang.reflect.Method.invoke(Unknown Source)
      at org.infinispan.util.ReflectionUtil.invokeAccessibly(ReflectionUtil.ja
      va:170)
      ... 12 more
      Caused by: org.infinispan.CacheException: Unable to start JGroups Channel
      at org.infinispan.remoting.transport.jgroups.JGroupsTransport.startJGrou
      psChannelIfNeeded(JGroupsTransport.java:168)
      at org.infinispan.remoting.transport.jgroups.JGroupsTransport.start(JGro
      upsTransport.java:155)
      ... 17 more
      Caused by: org.jgroups.ChannelException: connect() failed
      at org.jgroups.JChannel.connect(JChannel.java:422)
      at org.jgroups.JChannel.connect(JChannel.java:380)
      at org.infinispan.remoting.transport.jgroups.JGroupsTransport.startJGrou
      psChannelIfNeeded(JGroupsTransport.java:166)
      ... 18 more
      Caused by: java.lang.SecurityException: Authentication failed
      at org.jgroups.protocols.pbcast.ClientGmsImpl.joinInternal(ClientGmsImpl
      .java:152)
      at org.jgroups.protocols.pbcast.ClientGmsImpl.join(ClientGmsImpl.java:38
      )
      at org.jgroups.protocols.pbcast.GMS.down(GMS.java:924)
      at org.jgroups.protocols.pbcast.STREAMING_STATE_TRANSFER.down(STREAMING_
      STATE_TRANSFER.java:331)
      at org.jgroups.protocols.pbcast.FLUSH.handleConnect(FLUSH.java:309)
      at org.jgroups.protocols.pbcast.FLUSH.down(FLUSH.java:270)
      at org.jgroups.stack.ProtocolStack.down(ProtocolStack.java:836)
      at org.jgroups.JChannel.downcall(JChannel.java:1652)
      at org.jgroups.JChannel.connect(JChannel.java:417)
      ... 20 more

      Show
      I run through the following steps for the X509Token: 1. Run keytool to create the keystore with the following command: keytool -genkeypair -dname "cn=Lin Ye, ou=Energy, o=GE, c=US" -alias test -keyalg RSA -keypass password -keystore D:\User\YELI\mykeystore -storepass changeit 2. Got the following content in my JGroups config file: <config> <UDP mcast_send_buf_size="32000" mcast_port="45566" ucast_recv_buf_size="64000" loopback="true" mcast_recv_buf_size="64000" max_bundle_size="60000" max_bundle_timeout="30" ucast_send_buf_size="32000" ip_ttl="32" enable_bundling="false"/> <PING timeout="2000" num_initial_members="3"/> <MERGE2 max_interval="10000" min_interval="5000"/> <FD timeout="2000" max_tries="3" /> <VERIFY_SUSPECT timeout="1500"/> <pbcast.NAKACK use_mcast_xmit="false" gc_lag="50" retransmit_timeout="600,1200,2400,4800"/> <UNICAST timeout="1200,2400,3600"/> <pbcast.STABLE stability_delay="1000" desired_avg_gossip="20000" max_bytes="0"/> <FRAG frag_size="8192"/> <AUTH auth_class="org.jgroups.auth.X509Token" auth_value="test" keystore_path="D:\Users\YELI\mykeystore" keystore_password="changeit" cert_password="password" cert_alias="test" cipher_type="RSA"/> <pbcast.GMS print_local_addr="true" join_timeout="3000" /> <pbcast.STREAMING_STATE_TRANSFER /> <!-- <pbcast.STATE_TRANSFER/> --> <pbcast.FLUSH timeout="0"/> </config> The first instance in a cluster started correctly. (And I noticed if I delete the cert_password entry in AUTH or make the password wrong, I got the "Cannot recover key" exception message for the first instance, so it seems it read the keystore and retrieved the key properly for the first instance when the password is correct.) However, when I started the second instance, I got the following exception: 3063 [main] WARN org.jgroups.protocols.pbcast.FLUSH - T00514970-61789: waiting for UNBLOCK timed out after 2000 ms 3063 [main] DEBUG org.jgroups.protocols.UDP - closing sockets and stopping thre ads 3063 [main] DEBUG org.jgroups.protocols.UDP - multicast socket closed 3063 [multicast receiver,omCluster,T00514970-61789] DEBUG org.jgroups.protocols. UDP - receiver socket is closed, exception=java.net.SocketException: socket clo sed 3063 [multicast receiver,omCluster,T00514970-61789] DEBUG org.jgroups.protocols. UDP - multicast receiver thread terminated 3079 [unicast receiver,omCluster,T00514970-61789] DEBUG org.jgroups.protocols.UD P - receiver socket is closed, exception=java.net.SocketException: socket close d 3079 [unicast receiver,omCluster,T00514970-61789] DEBUG org.jgroups.protocols.UD P - unicast receiver thread terminated org.infinispan.CacheException: Unable to invoke method public abstract void org. infinispan.remoting.transport.Transport.start() on object at org.infinispan.util.ReflectionUtil.invokeAccessibly(ReflectionUtil.ja va:173) at org.infinispan.factories.AbstractComponentRegistry$PrioritizedMethod. invoke(AbstractComponentRegistry.java:852) at org.infinispan.factories.AbstractComponentRegistry.internalStart(Abst ractComponentRegistry.java:672) at org.infinispan.factories.AbstractComponentRegistry.start(AbstractComp onentRegistry.java:574) at org.infinispan.factories.GlobalComponentRegistry.start(GlobalComponen tRegistry.java:131) at org.infinispan.factories.ComponentRegistry.start(ComponentRegistry.ja va:135) at org.infinispan.CacheDelegate.start(CacheDelegate.java:311) at org.infinispan.manager.DefaultCacheManager.createCache(DefaultCacheMa nager.java:507) at org.infinispan.manager.DefaultCacheManager.getCache(DefaultCacheManag er.java:473) at ge.energy.smartgrid.applications.omtest.controllers.InfinispanCacheCo ntroller.connect(InfinispanCacheController.java:50) at ge.energy.smartgrid.applications.omtest.controllers.InfinispanCacheCo ntroller.connect(InfinispanCacheController.java:38) at ge.energy.smartgrid.applications.omtest.drivers.ReadUpdateTestDriver. startUp(ReadUpdateTestDriver.java:76) at ge.energy.smartgrid.applications.omtest.LaunchSlave.main(LaunchSlave. java:16) Caused by: java.lang.reflect.InvocationTargetException at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at org.infinispan.util.ReflectionUtil.invokeAccessibly(ReflectionUtil.ja va:170) ... 12 more Caused by: org.infinispan.CacheException: Unable to start JGroups Channel at org.infinispan.remoting.transport.jgroups.JGroupsTransport.startJGrou psChannelIfNeeded(JGroupsTransport.java:168) at org.infinispan.remoting.transport.jgroups.JGroupsTransport.start(JGro upsTransport.java:155) ... 17 more Caused by: org.jgroups.ChannelException: connect() failed at org.jgroups.JChannel.connect(JChannel.java:422) at org.jgroups.JChannel.connect(JChannel.java:380) at org.infinispan.remoting.transport.jgroups.JGroupsTransport.startJGrou psChannelIfNeeded(JGroupsTransport.java:166) ... 18 more Caused by: java.lang.SecurityException: Authentication failed at org.jgroups.protocols.pbcast.ClientGmsImpl.joinInternal(ClientGmsImpl .java:152) at org.jgroups.protocols.pbcast.ClientGmsImpl.join(ClientGmsImpl.java:38 ) at org.jgroups.protocols.pbcast.GMS.down(GMS.java:924) at org.jgroups.protocols.pbcast.STREAMING_STATE_TRANSFER.down(STREAMING_ STATE_TRANSFER.java:331) at org.jgroups.protocols.pbcast.FLUSH.handleConnect(FLUSH.java:309) at org.jgroups.protocols.pbcast.FLUSH.down(FLUSH.java:270) at org.jgroups.stack.ProtocolStack.down(ProtocolStack.java:836) at org.jgroups.JChannel.downcall(JChannel.java:1652) at org.jgroups.JChannel.connect(JChannel.java:417) ... 20 more

      Description

      I did a test on X509Token AUTH with Infinispan, and got "Authentication failed" error.

      Not sure if it's a bug or I did something wrong.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  belaban Bela Ban
                  Reporter:
                  yelin66 Lin Ye
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  0 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: