[ovirt-devel] sslStompReactor just created once, may cause engine failed to connect to new node

pengyixiang yxpengi386 at 163.com
Wed Jan 3 02:02:24 UTC 2018


hello
    I think if our engine wants to talk to vdsm, we need to generate certs for the host in the engine, so [1] is our shell script for generating certs; see the red code.
We need these steps: a) generate vdsmkey  b) generate request  c) issue certs for vdsm  d) import and store vdsmCerts into .truststore; then our engine can
talk to vdsm by ssl. But if we do not reload sslContext in [2], the old .truststore is still used, so we still cannot talk to the new vdsm.



[1]
#!/bin/bash


CA_DAYS="3650"
KEYTOOL="keytool"
password="mypass"
PKIDIR="/etc/linxVirt/linx-pki"
subject="/C=CN/O=Linx/CN=engine.16988"

# Abort with a message; the script calls die below but never defined it.
function die() {
    echo "FATAL: $*" >&2
    exit 1
}


function genEngineCerts() {
    cd "${PKIDIR}" || die "Cannot cd to ${PKIDIR}"
    # Start from a clean PKI directory: CA, engine and all vdsm material is regenerated.
    rm -rf client/
    rm -rf private/
    rm -rf keys/
    rm -rf requests/
    rm -rf certs/
    rm -f .truststore


    mkdir client/
    mkdir private/
    mkdir keys/
    mkdir requests/
    mkdir certs/
    
    rm -f database.txt*
    # openssl CA index and serial files
    echo 1000 > "${PKIDIR}/serial.txt" || die "Cannot write to serial.txt"
    
    touch "${PKIDIR}/database.txt" "${PKIDIR}/.rnd" || die "Cannot write to database.txt"
    
    # Generate the CA root key and self-signed CA certificate
    touch "${PKIDIR}/private/ca.pem"
    chmod o-rwx "${PKIDIR}/private/ca.pem" || die "Cannot set CA permissions"
    openssl genrsa \
        -out "${PKIDIR}/private/ca.pem" \
        2048 \
        || die "Cannot generate CA key"
    openssl req \
        -batch \
        -config "${PKIDIR}/cacert.conf" \
        -new \
        -key "${PKIDIR}/private/ca.pem" \
        -out "${PKIDIR}/requests/ca.csr" \
        -subj "${subject}" \
        || die "Cannot generate CA request"
    
    (
        cd "${PKIDIR}"
        openssl ca \
            -batch \
            -config openssl.conf \
            -extfile cacert.conf \
            -extensions v3_ca \
            -in requests/ca.csr \
            -out ca.pem \
            -keyfile private/ca.pem \
            -selfsign \
            -subj "${subject}" \
            -utf8 \
            -days "${CA_DAYS}" \
            -startdate "$(date --utc --date "now -1 days" +"%y%m%d%H%M%SZ")"
    ) || die "Cannot enroll CA certificate"
    
    # Issue the engine certificate, signed by the CA above
    openssl genrsa \
        -out keys/engine_id_rsa 2048 \
        || die "Cannot generate engine key"
    
    openssl req \
        -new \
        -out requests/engine.req \
        -key keys/engine_id_rsa \
        -subj "${subject}" \
        || die "Cannot generate engine request"
    
    openssl ca \
            -batch \
            -config openssl.conf \
            -extfile cacert2.conf \
            -extensions v3_ca \
            -in requests/engine.req \
            -out certs/engine.cer \
            -keyfile private/ca.pem \
            -subj "${subject}" \
            -utf8 \
            -days "3650" \
            -startdate "$(date --utc --date "now -1 days" +"%y%m%d%H%M%SZ")" \
            || die "Cannot enroll engine certificate"
    
    # Bundle the engine key and certificate into engine.p12 (the engine's own identity)
    openssl pkcs12 \
        -export \
        -in certs/engine.cer \
        -inkey keys/engine_id_rsa \
        -passin "pass:${password}" \
        -password "pass:${password}" \
        -out keys/engine.p12 \
        || die "Cannot export engine.p12"
}




function genVdsmCerts() {
    cd "${PKIDIR}" || die "Cannot cd to ${PKIDIR}"


    # Issue certs for the vdsm host given as $1 (the host IP, see usage below)
    openssl genrsa \
        -out client/vdsmkey.pem 2048 \
        || die "Cannot generate vdsm key"


    # The request carries the engine subject; openssl ca -subj below replaces it with /O=Linx/CN=$1
    openssl req \
        -new \
        -out "requests/$1.req" \
        -key client/vdsmkey.pem \
        -subj "${subject}" \
        || die "Cannot generate vdsm request"
    
    openssl ca \
            -batch \
            -config openssl.conf \
            -extfile cacert2.conf \
            -extensions v3_ca \
            -in "requests/$1.req" \
            -out "certs/$1.cer" \
            -keyfile private/ca.pem \
            -subj "/O=Linx/CN=$1" \
            -utf8 \
            -days "3650" \
            -startdate "$(date --utc --date "now -1 days" +"%y%m%d%H%M%SZ")" \
            || die "Cannot enroll vdsm certificate"
    
    # Files under client/ are what gets copied to the new host
    cp ca.pem client/cacert.pem
    cp "certs/$1.cer" client/vdsmcert.pem
    cp install.sh client
        
    # Add the new vdsm certificate to the engine truststore (.truststore) under a unique alias
    "${KEYTOOL}" -import -noprompt -trustcacerts \
        -alias "$1$(date --utc --date "now +1 days" +"%y%m%d%H%M%SZ")$(head -c 32 /dev/urandom | md5sum | head -c 10)" \
        -keypass "${password}" \
        -file "certs/$1.cer" \
        -keystore .truststore \
        -storepass "${password}" \
        || die "Cannot import vdsm certificate into .truststore"
}


case $1 in
    "engine")
        genEngineCerts
        echo "generate engine certs succeed!...."
        ;;


    "vdsm")
        if [ $# -ne 2 ]; then
            echo "Usage:"
            echo "$0 engine   generate base certs in engine"
            echo "$0 vdsm vdsmIp    issue certs for vdsm"
        else
            genVdsmCerts "$2"
            echo "generate vdsm certs succeed!...."
        fi
        ;;


    *)
        echo "Usage:"
        echo "$0 engine     generate base certs in engine"
        echo "$0 vdsm vdsmIp    issue certs for vdsm"
        ;;


esac




[2] https://github.com/oVirt/vdsm-jsonrpc-java/blob/078233e60c24f8b8525b3bf5fb1c5ab9f1c4e0f4/client/src/main/java/org/ovirt/vdsm/jsonrpc/client/reactors/ReactorFactory.java#L85 
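One way to get the new host trusted without giving up the single reactor is to build the one SSLContext on a trust manager that re-reads .truststore when the file changes, instead of recreating the reactor on every call. This is an added example, not code from vdsm-jsonrpc-java or from anyone in the thread; the class name ReloadingTrustManager, the File/password parameters and the mtime check are my assumptions, and the engine's own key manager (engine.p12) is left out.

```java
import java.io.*;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

// Trust manager that re-reads the JKS truststore whenever the file's mtime changes.
public final class ReloadingTrustManager implements X509TrustManager {
    private final File store;          // e.g. /etc/linxVirt/linx-pki/.truststore, as in the script
    private final char[] storePass;
    private long loadedMtime;          // lastModified() of the copy currently in use
    private X509TrustManager delegate; // the JDK's own trust manager for that copy
    public ReloadingTrustManager(File store, char[] storePass) throws CertificateException {
        this.store = store;
        this.storePass = storePass;
        reload();
    }
    private synchronized void reload() throws CertificateException {
        X509TrustManager found = null;
        try (FileInputStream in = new FileInputStream(store)) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, storePass);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
            for (TrustManager tm : tmf.getTrustManagers()) {
                if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
            }
        } catch (IOException | GeneralSecurityException e) {
            throw new CertificateException("cannot load truststore " + store, e);
        }
        if (found == null) throw new CertificateException("no X509TrustManager for " + store);
        delegate = found;
        loadedMtime = store.lastModified();
    }
    // Runs on every handshake: reload if a keytool -import touched the file since the last load.
    private synchronized X509TrustManager current() throws CertificateException {
        if (store.lastModified() != loadedMtime) reload();
        return delegate;
    }
    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { current().checkServerTrusted(c, a); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { current().checkClientTrusted(c, a); }
    @Override public X509Certificate[] getAcceptedIssuers() { try { return current().getAcceptedIssuers(); } catch (CertificateException e) { return new X509Certificate[0]; } }
    // One SSLContext for the single reactor; certs imported later are picked up without recreating it.
    public static SSLContext newContext(File store, char[] storePass) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new ReloadingTrustManager(store, storePass) }, null);
        return ctx;
    }
}
```

lastModified() granularity depends on the filesystem, so two imports landing in the same timestamp tick could be missed; comparing the file length or a content hash as well is the stricter check.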

At 2018-01-02 20:53:45, "Piotr Kliczewski" <piotr.kliczewski at gmail.com> wrote:

Hello,


One instance of a reactor was done by design. Can you please provide the steps for how you use the code and why you need to change .truststore? 


Thanks,
Piotr


On Wed, Dec 27, 2017 at 2:16 AM, pengyixiang <yxpengi386 at 163.com> wrote:

hello
    If we add a new node, we generate vdsm certs and scp them to the node, then we add it to .truststore in [1], so that our engine can connect to vdsm.
So if .truststore changed, "getSslStompReactor" still uses the old .truststore and the connection fails. I made a mistake: the changed certs are .truststore rather than engine.p12





[1]

    openssl genrsa \
        -out client/vdsmkey.pem 2048

    openssl req \
        -new \
        -out requests/$1.req \
        -key client/vdsmkey.pem \
        -subj "${subject}"

    openssl ca \
            -batch \
            -config openssl.conf \
            -extfile cacert2.conf \
            -extensions v3_ca \
            -in requests/$1.req \
            -out certs/$1.cer \
            -keyfile private/ca.pem \
            -subj /O=Linx/CN=$1 \
            -utf8 \
            -days "3650" \
            -startdate "$(date --utc --date "now -1 days" +"%y%m%d%H%M%SZ")"

    cp ca.pem client/cacert.pem
    cp certs/$1.cer client/vdsmcert.pem
    cp install.sh client

    keytool -import -noprompt -trustcacerts -alias $1$(date --utc --date "now +1 days" +"%y%m%d%H%M%SZ")$(cat /dev/urandom | head -n 10 | md5sum | head -c 10) -keypass mypass -file certs/$1.cer -keystore .truststore -storepass mypass








At 2017-12-26 16:37:33, "Irit Goihman" <igoihman at redhat.com> wrote:

Hi,
Can you explain your question?
Why are the engine certs changed?


Thanks,
Irit


On Mon, Dec 25, 2017 at 3:26 AM, pengyixiang <yxpengi386 at 163.com> wrote:

hello, everyone!
     I use ScenarioClient to call vdsm-jsonrpc-client, but I find that after my engine connected to one node and I added a new node, the certs (engine.p12) are changed,

but the engine cannot connect to the new node. At last, I found the problem in [1], and I think the rpc's certs to the node are still the old ones, so I tried changing the code to [2],
then repeated the test and it works well. The ovirt engine doesn't meet this trouble, so how did you do it? The client is created like this [3].









[1]   https://github.com/oVirt/vdsm-jsonrpc-java/blob/078233e60c24f8b8525b3bf5fb1c5ab9f1c4e0f4/client/src/main/java/org/ovirt/vdsm/jsonrpc/client/reactors/ReactorFactory.java#L76



[2]  

private static Reactor getSslStompReactor(ManagerProvider provider) throws ClientConnectionException {
    // Cached-instance checks commented out, so a new SSLStompReactor is built
    // from provider.getSSLContext() on every call.
//  if (sslStompReactor != null) {
//      return sslStompReactor;
//  }
    synchronized (ReactorFactory.class) {
//      if (sslStompReactor != null) {
//          return sslStompReactor;
//      }
        try {
            sslStompReactor = new SSLStompReactor(provider.getSSLContext());
        } catch (IOException | GeneralSecurityException e) {
            throw new ClientConnectionException(e);
        }
    }
    return sslStompReactor;
}

[3] 
public ScenarioClient(String hostname, int port) throws ClientConnectionException {
    // ReactorType.STOMP: the factory returns its single (cached) reactor instance
    this.reactor = ReactorFactory.getReactor(ProviderFactory.getProvider(), ReactorType.STOMP);
    final ReactorClient client = this.reactor.createClient(hostname, port);
    client.setClientPolicy(new DefaultStompConnectionPolicy());
    this.worker = ReactorFactory.getWorker(PARALLELISM);
    this.jsonClient = this.worker.register(client);
    this.jsonClient.setRetryPolicy(new DefaultStompClientPolicy());
}




 


_______________________________________________
Devel mailing list
Devel at ovirt.org
http://lists.ovirt.org/mailman/listinfo/devel






--


IRIT GOIHMAN

SOFTWARE ENGINEER

EMEA VIRTUALIZATION R&D

Red Hat EMEA





 


