
Wanted: Instructions for adding client-node encryption enabled Cassandra cluster to DataStax OpsCenter 5.1.0

I have a Cassandra cluster with client-node encryption enabled. I am trying to add this cluster to an instance of OpsCenter 5.1.0, but it is not able to connect to the cluster. The log file seems to complain about not being able to verify the SSL certificate:

```
INFO: Starting factory opscenterd.ThriftService.NoReconnectCassandraClientFactory instance at 0x7f2ce05c8638>
2015-06-10 15:09:46+0000 []  WARN: Unable to verify ssl certificate.
2015-06-10 15:09:46+0000 [] Unhandled Error
        Traceback (most recent call last):
          File "/opt/opscenter-5.1.0/lib/py-debian/2.7/amd64/twisted/python/log.py", line 84, in callWithLogger
            return callWithContext({"system": lp}, func, *args, **kw)
          File "/opt/opscenter-5.1.0/lib/py-debian/2.7/amd64/twisted/python/log.py", line 69, in callWithContext
            return context.call({ILogContext: newCtx}, func, *args, **kw)
          File "/opt/opscenter-5.1.0/lib/py-debian/2.7/amd64/twisted/python/context.py", line 59, in callWithContext
            return self.currentContext().callWithContext(ctx, func, *args, **kw)
          File "/opt/opscenter-5.1.0/lib/py-debian/2.7/amd64/twisted/python/context.py", line 37, in callWithContext
            return func(*args,**kw)
        --- exception caught here ---
          File "/opt/opscenter-5.1.0/lib/py-debian/2.7/amd64/twisted/internet/epollreactor.py", line 217, in _doReadOrWrite
            why = selectable.doRead()
          File "/opt/opscenter-5.1.0/lib/py-debian/2.7/amd64/twisted/internet/tcp.py", line 137, in doRead
            return Connection.doRead(self)
          File "/opt/opscenter-5.1.0/lib/py-debian/2.7/amd64/twisted/internet/tcp.py", line 452, in doRead
            data = self.socket.recv(self.bufferSize)
          File "build/lib/python2.7/site-packages/opscenterd/SslUtils.py", line 12, in ssl_simple_verifyCB

opscenterd.Utils.SSLVerifyException: SSL certificate invalid
```

My question is: what are the step-by-step instructions for being able to add a client-node encrypted cluster to opscenter? Which .pem and .keystore files are needed exactly, and how do I get hold of them?

The DataStax documentation on that topic is not detailed enough and therefore not really helpful. I assume some people out there must have managed to set this up successfully and I am sure that a detailed explanation / instructions would be appreciated by many.

One thing to note here: although the docs do mention generating a key per node, in practice this isn't very scalable. In most systems it is common to create the one keystore with the required keys and certificate(s) and then use this across all the nodes in your cluster and your client applications as needed. You export the certificate from this keystore and use this for OpsCenter. OpsCenter is (as far as SSL is concerned) an SSL client like any other client.

So you have to export your key from your java keystore, convert it to .pem format and use that for the opscenterd process. The agents are java based so they can use the java keystore. The DS docs are there but it's a bit fragmented so it's a question of looking in the right places :-)

I'm going to use the OpsCenter latest docs here as a reference. I'm assuming you are only using SSL between OpsCenter and Cassandra and between OpsCenter Agents and Cassandra.

Prepping the server certificates:

https://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureSSLCertificates_t.html

Configuring client to node SSL:

https://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureSSLClientToNode_t.html

Using cqlsh with SSL (optional):

https://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureCqlshSSL_t.html

To convert the key to a pem format see step 7 here:

https://docs.datastax.com/en/latest-opsc/opsc/online_help/opscAddingCluster_t.html

Examples

Note all these examples assume 1-way SSL. You generated a key in a file called /etc/dse/keystore and the certificate in a file called /etc/dse/truststore.

To be honest I've never really had a lot of luck in adding SSL enabled clusters directly in the OpsCenter UI. I've always found creating the cluster.conf file and agent address.yaml files by hand far quicker and easier.

Note the SSL files like truststore, key.pem etc. need to be on all the local machines that need them.

Example agent /var/lib/datastax-agent/conf/address.yaml file (note the use_ssl is for the opscenter <> agents SSL which we're not using here):

```yaml
stomp_interface: 192.168.56.29
use_ssl: 0
# ssl_keystore settings if using ssl
ssl_keystore: /etc/dse/truststore
ssl_keystore_password: datastax
```

Example opscenter /etc/opscenter/clusters/<cluster_name>.conf file:

```ini
[jmx]
username = 
password = 
port = 7199

[kerberos_client_principals]

[kerberos]

[agents]
ssl_keystore = /etc/dse/truststore
ssl_keystore_password = datastax

[kerberos_hostnames]

[kerberos_services]

[cassandra]
ssl_ca_certs = /etc/dse/key.pem
ssl_validate = False
seed_hosts = 192.168.56.22
```

Other tips etc.

I always find, if I'm troubleshooting SSL connections in DSE / Cassandra, I'll strip out all the SSL and get the cluster working normally first, then I'll configure SSL one step at a time, like turning on node to node SSL, then client to node, then OpsCenter and so on. Debugging all the SSL errors is not for the faint-hearted!

Links

Other doc links you might find useful:

https://docs.datastax.com/en/opscenter/5.2/opsc/configure/opscConnectionConfig_r.html

https://docs.datastax.com/en/opscenter/5.2/opsc/configure/agentAddressConfiguration.html
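The cluster.conf in the answer sets ssl_validate = False, which keeps the opscenterd-to-Cassandra connection encrypted but accepts any node certificate, and points ssl_ca_certs at a file named key.pem that must hold the exported certificate, not the private key. The lint below is an added example (not part of the answer or of OpsCenter) that checks those two points plus the plaintext keystore password in [agents]; the option names come from the answer's file, and the file contents it reads are constructed and supplied by the caller.

```python
import configparser
import os

# Constructed sample: the [agents] and [cassandra] sections of the cluster.conf above.
SAMPLE_CONF = """\
[agents]
ssl_keystore = /etc/dse/truststore
ssl_keystore_password = datastax

[cassandra]
ssl_ca_certs = /etc/dse/key.pem
ssl_validate = False
seed_hosts = 192.168.56.22
"""

def pem_kinds(pem_text):
    """Return the set of PEM labels (e.g. {'CERTIFICATE'}) found in a PEM body."""
    return {line[11:-5].strip() for line in pem_text.splitlines()
            if line.startswith("-----BEGIN ") and line.endswith("-----")}

def _read_from_disk(path):
    return open(path).read() if os.path.isfile(path) else None

def lint_cluster_conf(text, read_file=_read_from_disk):
    """Return (section, option, message) findings for weak or wrong SSL settings.
    read_file(path) returns a file body or None when missing (default: local disk)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = []
    cass = cp["cassandra"] if cp.has_section("cassandra") else {}
    ca = cass.get("ssl_ca_certs", "").strip()
    if not ca:
        findings.append(("cassandra", "ssl_ca_certs", "no CA certificate: opscenterd cannot verify node certificates"))
    elif (body := read_file(ca)) is None:
        findings.append(("cassandra", "ssl_ca_certs", f"{ca} is not readable on this host"))
    else:
        kinds = pem_kinds(body)
        if "CERTIFICATE" not in kinds:
            findings.append(("cassandra", "ssl_ca_certs", f"{ca} has no CERTIFICATE block: export the cert from the keystore"))
        if any("PRIVATE KEY" in k for k in kinds):
            findings.append(("cassandra", "ssl_ca_certs", f"{ca} contains a private key: only the certificate belongs here"))
    if cass.get("ssl_validate", "True").strip().lower() == "false":
        findings.append(("cassandra", "ssl_validate", "validation disabled: traffic is encrypted but any node certificate is accepted"))
    if cp.has_section("agents") and cp["agents"].get("ssl_keystore_password"):
        findings.append(("agents", "ssl_keystore_password", "keystore password stored in plaintext: keep this file mode 0600"))
    return findings
```

Run it against the real /etc/opscenter/clusters/<cluster_name>.conf with the default reader; an empty result means the CA file is a certificate and validation is on.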
