通过JDBC驱动程序使用SSL连接到Aerospike主机默认使用3000端口。

huangapple go评论59阅读模式
英文:

Connecting to Aerospike host via SSL using the JDBC driver defaults to 3000 port

问题

I am trying to connect to an aerospike host which requires SSL. Connecting via the aql command works fine. However, connecting to the same using the JDBC driver fails.

Running the following command is able to successfully connect to aerospike

aql -h test-host.co.in:tls1:4333 --tls-enable --tls-cafile ~/certificates/aerospike-server-ca.pem

However, when I try to connect using a JDBC connection string using the aerospike JDBC driver, it fails to connect.
This is the JDBC connection string I used

jdbc:aerospike:ssl://test-host.co.in:4333?enableTLS=true&trustStorePath=~/certificates/aerospike-server-ca.pem

It gives an error that it failed to connect to SSL 3000. Is there something wrong with my JDBC string? I tried using this via Datagrip & DBeaver and faced the same error in both software. Why is this defaulting to port 3000 when port 4333 is explicitly specified?

Failed to connect to 1 host(s): SSL 3000

英文:

I am trying to connect to an aerospike host which requires SSL. Connecting via the aql command works fine. However connecting to the same using the JDBC driver fails.

Running the following command is able to successfully connect to aerospike

aql -h test-host.co.in:tls1:4333 --tls-enable --tls-cafile ~/certificates/aerospike-server-ca.pem

However when I try to connect using a JDBC connection string using the aerospike JDBC driver it fails the connect.
This is the jdbc connection string I used

jdbc:aerospike:ssl://test-host.co.in:4333?enableTLS=true&trustStorePath=~/certificates/aerospike-server-ca.pem

It gives an error that it failed to connect to ssl 3000. Is there something wrong in my JDBC string? I tried using this via Datagrip & DBeaver and faced the same error at both softwares. Why is this even defaulting to 3000 port when 4333 port is explicitly specified?

 Failed to connect to [1] host(s): ssl 3000

答案1

得分: 3

以下是翻译好的部分:

"看起来您的配置可能存在一些问题。根据您的AQL行,似乎您的证书名称是“tls1”,因此您需要将其传递给JDBC驱动程序,使用&tlsName=tls1。您提供的trustStorePath无效,我认为您要查找的参数是tlsTruststorePath。您可以在AerospikeTLSPolicyConfig中查看有效值的完整列表。

但我还认为配置期望使用标准的Java信任库而不是.pem证书。您应该能够使用以下命令将您的PEM文件转换为信任库:

keytool -import -alias serverkey -file aerospike-server-ca.pem -keystore truststore

然后,您需要使用&tlsTruststorePassword=<password>传递您创建信任库时选择的密码,其中<password>是您在上面创建信任库时选择的密码。

因此,我建议使用类似以下的JDBC连接字符串:

jdbc:aerospike://test-host.co.in:4333?enableTLS=true&tlsTruststorePath=/home/myuser/certificates/truststore&tlsTruststorePassword=<password>&tlsName=tls1

您需要将myuser更改为您的用户名,或者确保正确输入您创建的信任库的路径。“~”是Shell提供的抽象,Java不识别它,因此对您的信任库使用完全限定路径是最佳选择。

注意:根据您的AQL行,我假设您没有使用mTLS,因此无需向服务器提供客户端证书。"

英文:

It looks like there might be a few things wrong with your configuration. Judging by your AQL line it looks like your certificate has a name of "tls1" so you need to pass this to the JDBC driver with &tlsName=tls1. The trustStorePath you have isn't valid, I believe the parameter you're looking for is tlsTruststorePath. You can see a full list of the valid values at AerospikeTLSPolicyConfig.

However, I also believe that the configuration expects a standard Java truststore and not a .pem certificate. You should be able to convert your PEM file to a truststore using

keytool -import -alias serverkey -file aerospike-server-ca.pem -keystore truststore

You will then need to pass the password of the truststore you created using &tlsTruststorePassword=<password> where <password> is the password you selected when creating the truststore above.

So I would look at using a JDBC connect string similar to:

jdbc:aerospike://test-host.co.in:4333?enableTLS=true&tlsTruststorePath=/home/myuser/certificates/truststore&tlsTruststorePassword=<password>&tlsName=tls1

You will need to change myuser to your user name. Or make sure you put in the correct path to the truststore you created. "~" is an abstraction provided by the shell and Java does not recognise it, so a fully qualified path to your truststore is your best bet.

Note: based on your AQL line, I'm assuming you are NOT doin mTLS and therefore do not need provide client certs to the server.

huangapple
  • 本文由 发表于 2023年5月29日 23:47:47
  • 转载请务必保留本文链接:https://go.coder-hub.com/76358696.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定