Seeing the error "Certificate is not recognized" when using SSL

Article ID: 294252

Products

VMware Tanzu Gemfire

Issue/Introduction

Symptoms:
You see the error "Certificate is not recognized" when configuring SSL. This article explains how to configure SSL.

Resolution

Prerequisites

When a GemFire client tries to open an SSL connection to a GemFire locator or server, the connection fails with the exception "Certificate is not recognized".

Note: We assume that the following steps were followed to set up SSL:

  1. Create a new public and private key pair for the client;
  2. Export the self-signed certificate;
  3. Import the self-signed certificate into the client-side JRE key store at /Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/lib/security/cacerts;
  4. Import the same certificate into gemfire8.keystore, which is used by the GemFire locator and server; and
  5. Start the client, which fails to connect to the GemFire distributed system with the fatal exception "Certificate is not recognized".

Additionally, we assume the following properties are configured:

gemfire-server.properties:

mcast-port=0
locators=localhost[10334]
log-level=config
cache-xml-file=../config/server-cache.xml
statistic-sampling-enabled=true
statistic-sample-rate=1000
statistic-archive-file=myStatisticsArchiveFile.gfs
enable-time-statistics=false
jmx-manager-ssl-enabled=false
cluster-ssl-enabled=true
cluster-ssl-require-authentication=false 

gfsecurity.properties:

cluster-ssl-keystore=/Users/gemfire/Documents/gemfire/security/gemfire8.keystore
cluster-ssl-keystore-password=password
cluster-ssl-truststore=/Users/gemfire/Documents/gemfire/security/gemfire8.keystore
cluster-ssl-truststore-password=password 

locator.properties:

mcast-port=0
log-level=config
locators=localhost[10334]
cluster-ssl-enabled=true
server-ssl-require-authentication=false
 

gemfire-client.properties:

mcast-port=0
log-level=config
log-file=gemClient.log
ssl-enabled=true 

Resolution

The Java client reads the same GemFire SSL properties as the server side, so point the client at its keystore and truststore with a gfsecurity.properties file (the cluster-ssl-keystore and cluster-ssl-truststore entries shown above). GemFire builds its trust manager from the store named in cluster-ssl-truststore, so a certificate imported only into the JRE cacerts file (step 3) is never seen by the client.

Do not use the "ssl-*" properties (such as ssl-enabled in gemfire-client.properties). They are deprecated in favor of the "cluster-ssl-*" properties.

Since the locator is not a cache server, the "server-ssl-*" property set in locator.properties is never used. Set "cluster-ssl-require-authentication=false" on the locator instead (its default is true), so that the locator does not demand a client certificate from clients connecting to it. Leave it at true only if every client also has a keystore whose certificate the locator trusts.
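The corrected locator and client configuration, as an added example that is not from the original article (the client-side store paths are assumed to match the server's; substitute your own):

```properties
# locator.properties (corrected)
mcast-port=0
log-level=config
locators=localhost[10334]
cluster-ssl-enabled=true
# replaces server-ssl-require-authentication=false, which a locator never reads;
# the default is true, which makes the locator demand a client certificate
cluster-ssl-require-authentication=false

# gemfire-client.properties (corrected)
mcast-port=0
log-level=config
log-file=gemClient.log
# replaces the deprecated ssl-enabled=true
cluster-ssl-enabled=true

# gfsecurity.properties on the client (assumed paths; the truststore must hold the
# locator/server certificate, importing it into the JRE cacerts file is not enough)
cluster-ssl-keystore=/Users/gemfire/Documents/gemfire/security/gemfire8.keystore
cluster-ssl-keystore-password=password
cluster-ssl-truststore=/Users/gemfire/Documents/gemfire/security/gemfire8.keystore
cluster-ssl-truststore-password=password
```

Using one file as both keystore and truststore, as the article's server does, is fine for a test setup. For production keep a separate truststore that holds only the peer certificates, so the private key is not copied to every client, and switch cluster-ssl-require-authentication back to true once each client has its own keystore.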

Once these changes are made, you should be able to create the ClientCache using:

// GemFire 8 packages; Tanzu GemFire 9 and later use org.apache.geode.cache.client instead.
import com.gemstone.gemfire.cache.client.ClientCache;
import com.gemstone.gemfire.cache.client.ClientCacheFactory;

ClientCache cache = new ClientCacheFactory().set("name", "GemClient")
 .set("log-level", "info")
 .set("cluster-ssl-enabled", "true")   // not the deprecated ssl-enabled
 .set("cache-xml-file", "gemfire/config/clientCache.xml").create();
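The following client start-up is an added example, not code from the article or from GemFire. It loads gfsecurity.properties explicitly, rejects the deprecated ssl-* keys, lists the certificates in the configured truststore (so a "Certificate is not recognized" failure can be checked against what GemFire actually trusts, rather than the JRE cacerts file), and then hands the properties to the ClientCacheFactory. The file path SECURITY_PROPS and the class name are assumptions; the GemFire calls (ClientCacheFactory(Properties), set, create) are the public API.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Properties;

// GemFire 8 packages; Tanzu GemFire 9 and later use org.apache.geode.cache.client instead.
import com.gemstone.gemfire.cache.client.ClientCache;
import com.gemstone.gemfire.cache.client.ClientCacheFactory;

public class SslClientStartup {

    // Hypothetical location of the client-side gfsecurity.properties.
    static final String SECURITY_PROPS = "gemfire/config/gfsecurity.properties";

    // Deprecated in favour of the cluster-ssl-* names; refuse to start with them present.
    static final String[] DEPRECATED = {
        "ssl-enabled", "ssl-require-authentication", "ssl-protocols", "ssl-ciphers"
    };

    static Properties loadSecurityProperties(String path) throws IOException {
        Properties p = new Properties();
        try (FileInputStream in = new FileInputStream(path)) {
            p.load(in);
        }
        for (String key : DEPRECATED) {
            if (p.containsKey(key)) {
                throw new IllegalStateException(key + " is deprecated; use cluster-" + key);
            }
        }
        // A client needs a truststore to verify the locator/server certificate; a keystore is
        // needed in addition only when the far side sets cluster-ssl-require-authentication=true.
        for (String key : new String[] {"cluster-ssl-truststore", "cluster-ssl-truststore-password"}) {
            if (p.getProperty(key) == null) {
                throw new IllegalStateException(path + " does not set " + key);
            }
        }
        return p;
    }

    // List the certificates the client will trust. GemFire reads the store named in
    // cluster-ssl-truststore, so a certificate imported only into the JRE cacerts file
    // never appears here and the handshake still fails.
    static void printTrustedCertificates(Properties p) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(p.getProperty("cluster-ssl-truststore"))) {
            ts.load(in, p.getProperty("cluster-ssl-truststore-password").toCharArray());
        }
        for (String alias : Collections.list(ts.aliases())) {
            Certificate c = ts.getCertificate(alias);
            if (c instanceof X509Certificate) {
                System.out.println(alias + ": " + ((X509Certificate) c).getSubjectX500Principal());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        Properties security = loadSecurityProperties(SECURITY_PROPS);
        printTrustedCertificates(security);

        // Pass the store locations straight into the factory so they cannot be picked up
        // from a stale gfsecurity.properties elsewhere on GemFire's search path.
        ClientCache cache = new ClientCacheFactory(security)
            .set("name", "GemClient")
            .set("log-level", "info")
            .set("cluster-ssl-enabled", "true")          // not the deprecated ssl-enabled
            .set("cache-xml-file", "gemfire/config/clientCache.xml")
            .create();
        System.out.println("cluster-ssl-enabled in effect: "
            + cache.getDistributedSystem().getProperties().getProperty("cluster-ssl-enabled"));
        cache.close();
    }
}
```

If printTrustedCertificates shows no entry whose subject matches the locator or server certificate, the truststore is the problem and no change to the JRE cacerts file will fix it; import the certificate into the store named by cluster-ssl-truststore and restart the client.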