How does Cosbench use certificates?

brian
Hello-

We are analysing signed-certificates for security on our Swift cluster.
After installing the signed cert on the server, from the client we were unable to run "swift stat", rejected with an SSL error. This was expected since we didn't install the cert on the client; but by utilising the "--insecure" option to Swift I was able to "stat" the cluster.

However, I was able to run Cosbench without any problems, and no signed cert.

Is Cosbench using the "--insecure" option to ignore certificate issues?
How else was it able to bypass the signed cert on the server?

Thanks

Re: How does Cosbench use certificates?

ywang19
Administrator
Hi Brian,

Yes, cosbench used some options similar to --insecure to overcome the certificate check. Underneath, when cosbench negotiates with the proxy server, it asks to use the weakest certificate check, which allows a self-signed certificate to pass.

-yaguang

On October 9, 2014, at 1:10, "brian [via COSBench]" <[hidden email]> wrote:

Hello-

We are analysing signed-certificates for security on our Swift cluster.
After installing the signed cert on the server, from the client we were unable to run "swift stat", rejected with an SSL error. This was expected since we didn't install the cert on the client; but by utilising the "--insecure" option to Swift I was able to "stat" the cluster.

However, I was able to run Cosbench without any problems, and no signed cert.

Is Cosbench using the "--insecure" option to ignore certificate issues?
How else was it able to bypass the signed cert on the server?

Thanks


Re: How does Cosbench use certificates?

Ghislain
Hi,

I want to use the swift connector with keystone v2.
My current platform configuration requires using https to access keystone, but with insecure mode.
How can I configure cosbench in order to allow this?

Brgds

RE: How does Cosbench use certificates?

ywang19
Administrator

You’d use https in “auth_url” in the section below; internally, insecure mode is enabled.

  <auth type="keystone" config="username=tester;password=testing;tenant_name=test;auth_url=http://127.0.0.1:5000/v2.0;service=swift service;region=regionOne" />

From: Ghislain [via COSBench] [mailto:ml-node+[hidden email]]
Sent: Thursday, November 26, 2015 9:58 PM
To: Wang, Yaguang
Subject: Re: How does Cosbench use certificates?

Hi,

I want to use the swift connector with keystone v2.
My current platform configuration requires using https to access keystone, but with insecure mode.
How can I configure cosbench in order to allow this?

Brgds


RE: How does Cosbench use certificates?

Ghislain
Hi,
thx for the reply

I unsuccessfully used

   <auth type ="keystone"
config="username=surname.name@mydomain.com;password=mypassword;tenant_name=mytenant;url=http://mykeystoneserverIP:5000/v2.0;service=swift" />

and

   <auth type ="keystone"
config="username=surname.name@mydomain.com;password=mypassword;tenant_name=mytenant;url=https://mykeystoneserverIP:5000/v2.0;service=swift" />

What works is for example:
swift --insecure --os-auth-url https://mykeystoneserverIP:5000/v2.0 --os-tenant-name mytenant --os-username surname.name@mydomain.com --os-password mypassword list mycontainer

I just want to set --insecure somewhere...

Brgds


RE: How does Cosbench use certificates?

ywang19
Administrator

What’s the error log? I see you don’t use the “region” parameter; if you are not using the default “regionOne” as the region name, you are expected to add it.

From: Ghislain [via COSBench] [mailto:ml-node+[hidden email]]
Sent: Friday, November 27, 2015 7:06 PM
To: Wang, Yaguang
Subject: RE: How does Cosbench use certificates?

Hi,
thx for the reply

I unsuccessfully used

   <auth type ="keystone"
config="username=[hidden email];password=mypassword;tenant_name=mytenant;url=http://mykeystoneserverIP:5000/v2.0;service=swift" />

and

   <auth type ="keystone"
config="username=[hidden email];password=mypassword;tenant_name=mytenant;url=https://mykeystoneserverIP:5000/v2.0;service=swift" />

What works is for example:
swift --insecure --os-auth-url https://mykeystoneserverIP:5000/v2.0 --os-tenant-name mytenant --os-username [hidden email] --os-password mypassword list mycontainer

I just want to set --insecure somewhere...

Brgds


RE: How does Cosbench use certificates?

Ghislain
Hi,
I set the region parameter (I didn't find it in the documentation) to region=RegionOne
I still cannot connect to keystone
here is the log
================================================== stage: s1-init ==================================================
---------------------------------- mission: MC6D9AC2A04, driver: driver1 ----------------------------------
2015-12-04 15:27:18,004 [INFO] [Log4jLogManager] - will append log to file /opt/application/0.4.1.0/log/mission/MC6D9AC2A04.log
2015-12-04 15:27:18,017 [ERROR] [AuthAgent] - unable to login
com.intel.cosbench.api.auth.AuthException: com.intel.cosbench.client.keystone.KeystoneServerException: error receiving response from the keystone
        at com.intel.cosbench.api.keystone.KeystoneAuth.login(KeystoneAuth.java:110)
        at com.intel.cosbench.driver.agent.AuthAgent.tryLogin(AuthAgent.java:125)
        at com.intel.cosbench.driver.agent.AuthAgent.login(AuthAgent.java:89)
        at com.intel.cosbench.driver.agent.AuthAgent.execute(AuthAgent.java:52)
        at com.intel.cosbench.driver.agent.AbstractAgent.call(AbstractAgent.java:44)
        at com.intel.cosbench.driver.agent.AbstractAgent.call(AbstractAgent.java:1)
        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)
Caused by: com.intel.cosbench.client.keystone.KeystoneServerException: error receiving response from the keystone
        at com.intel.cosbench.client.keystone.handler.HttpAuthHandler.POST(HttpAuthHandler.java:65)
        at com.intel.cosbench.client.keystone.KeystoneClient.login(KeystoneClient.java:99)
        at com.intel.cosbench.api.keystone.KeystoneAuth.login(KeystoneAuth.java:102)
        ... 9 more
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421)
        at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
        at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
        at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:150)
        at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
        at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:575)
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:732)
        at com.intel.cosbench.client.keystone.handler.HttpAuthHandler.POST(HttpAuthHandler.java:56)
        ... 11 more
2015-12-04 15:27:18,019 [ERROR] [AuthAgent] - fail to login with 1 attempt(s)
================================================== stage: s2-prepare ==================================================

Brgds

RE: How does Cosbench use certificates?

Ghislain
Hi,

I installed the certificates on my server but I still have SSL error messages:
2016-01-04 13:01:08,016 [INFO] [Log4jLogManager] - will append log to file /opt/application/0.4.1.0/log/mission/M2CBA177E3.log
2016-01-04 13:01:08,036 [INFO] [NoneStorage] - performing PUT at /test1
2016-01-04 13:01:12,305 [ERROR] [AbstractOperator] - worker 1 fail to perform operation test1
com.intel.cosbench.api.storage.StorageException: com.amazonaws.AmazonClientException: Unable to execute HTTP request: peer not authenticated
        at com.intel.cosbench.api.S3Stor.S3Storage.createContainer(S3Storage.java:111)
        at com.intel.cosbench.driver.operator.Preparer.doInit(Preparer.java:113)
        at com.intel.cosbench.driver.operator.Preparer.operate(Preparer.java:87)
        at com.intel.cosbench.driver.operator.AbstractOperator.operate(AbstractOperator.java:76)
        at com.intel.cosbench.driver.operator.Initializer.operate(Initializer.java:1)
        at com.intel.cosbench.driver.agent.WorkAgent.performOperation(WorkAgent.java:197)
        at com.intel.cosbench.driver.agent.WorkAgent.doWork(WorkAgent.java:177)
        at com.intel.cosbench.driver.agent.WorkAgent.execute(WorkAgent.java:134)
        at com.intel.cosbench.driver.agent.AbstractAgent.call(AbstractAgent.java:44)
        at com.intel.cosbench.driver.agent.AbstractAgent.call(AbstractAgent.java:1)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: com.amazonaws.AmazonClientException: Unable to execute HTTP request: peer not authenticated
        at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:354)
        at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:190)
        at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:2974)
        at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:2945)
        at com.amazonaws.services.s3.AmazonS3Client.listObjects(AmazonS3Client.java:478)
        at com.amazonaws.services.s3.AmazonS3Client.doesBucketExist(AmazonS3Client.java:811)
        at com.intel.cosbench.api.S3Stor.S3Storage.createContainer(S3Storage.java:106)
        ... 13 more
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431)
        at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:390)
        at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
        at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
        at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
        at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:561)
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:732)
        at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:306)

 
here is the result of java -version
openjdk version "1.8.0_72-internal"
OpenJDK Runtime Environment (build 1.8.0_72-internal-b05)
OpenJDK 64-Bit Server VM (build 25.72-b05, mixed mode)


here is my short test xml file
<workload name="s3-ceph-prod init" description="s3-ceph-prod init">

  <storage type="s3" config="accesskey=56de5c8a62ed4874948aa686f7af32a1;secretkey=56266004d87a40c686f96573f2b28287;endpoint=https://openwatt-prod.itn.ftgroup:8080" />

  <workflow>

    <workstage name="init">
      <work type="init" workers="1" config="cprefix=test;containers=r(1,2)" />
    </workstage>
  </workflow>

</workload>


Best regards
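
Added example (not part of the original posts, and not COSBench code): a small Python triage for COSBench mission logs like the two posted in this thread. It follows each ERROR event's "Caused by:" chain to the root exception and reports the first COSBench frame, which shows whether the Keystone login or the S3 storage call failed TLS peer verification. The sample log is constructed by shortening the traces above; the function and field names are illustrative.

```python
import re

# Constructed sample, shortened from the two stack traces posted in this thread.
SAMPLE_LOG = """\
2015-12-04 15:27:18,017 [ERROR] [AuthAgent] - unable to login
com.intel.cosbench.api.auth.AuthException: com.intel.cosbench.client.keystone.KeystoneServerException: error receiving response from the keystone
        at com.intel.cosbench.api.keystone.KeystoneAuth.login(KeystoneAuth.java:110)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421)
2015-12-04 15:27:18,019 [ERROR] [AuthAgent] - fail to login with 1 attempt(s)
2016-01-04 13:01:12,305 [ERROR] [AbstractOperator] - worker 1 fail to perform operation test1
com.intel.cosbench.api.storage.StorageException: com.amazonaws.AmazonClientException: Unable to execute HTTP request: peer not authenticated
        at com.intel.cosbench.api.S3Stor.S3Storage.createContainer(S3Storage.java:111)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431)
"""

EVENT = re.compile(r"^(\d{4}-\d\d-\d\d [\d:,]+) \[ERROR\] \[(\w+)\] - ")
EXC = re.compile(r"^(?:Caused by: )?([A-Za-z_][\w.$]*): ")
FRAME = re.compile(r"^\s+at (com\.intel\.cosbench\.[\w.$]+)\(")
# JSSE exceptions commonly seen when the JVM does not trust the server certificate.
TLS_TRUST = {"javax.net.ssl.SSLPeerUnverifiedException",
             "javax.net.ssl.SSLHandshakeException"}

def triage(log_text):
    """Return one record per ERROR event that carries a stack trace."""
    events, cur = [], None
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if m:
            cur = {"time": m.group(1), "agent": m.group(2),
                   "component": None, "root_cause": None}
            events.append(cur)
        elif cur is not None:
            exc, frame = EXC.match(line), FRAME.match(line)
            if exc:
                cur["root_cause"] = exc.group(1)   # last exception in the chain wins
            elif frame and cur["component"] is None:
                cur["component"] = frame.group(1)  # first COSBench frame in the trace
    for ev in events:
        ev["tls_trust_failure"] = ev["root_cause"] in TLS_TRUST
    return [ev for ev in events if ev["root_cause"]]

if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG):
        print(ev["time"], ev["component"], ev["root_cause"], ev["tls_trust_failure"])
```

On the sample, both events resolve to `javax.net.ssl.SSLPeerUnverifiedException`, one under `KeystoneAuth.login` and one under `S3Storage.createContainer`, so the auth endpoint and the storage endpoint each need to be checked separately.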

RE: How does Cosbench use certificates?

Ghislain

here is the xml file without any editing format
s3_I.xml


brgds

RE: How does Cosbench use certificates?

Ghislain
Hi,

I installed the certificates in the java keystore and used path_style_access parameter and now it's OK.

Brgds

RE: How does Cosbench use certificates?

ywang19
Administrator
Glad to hear your ssl issue is resolved