[ovirt-devel] sslStompReactor just created once, may cause engine failed to connect to new node
pengyixiang
yxpengi386 at 163.com
Wed Dec 27 01:16:51 UTC 2017
Hello,
If we add a new node, we generate vdsm certs and scp them to the node, then we add them to .truststore in [1], so that our engine can connect to vdsm.
So if .truststore changed, "getSslStompReactor" still uses the old .truststore and the connection fails. I made a mistake: the changed certs are in .truststore rather than engine.p12.
[1]
#!/bin/sh
# $1 is the node name, used as the certificate CN and in file names;
# ${subject} (the request subject) is set by the caller before this runs.
set -e
# 1. Generate the node's private key.
openssl genrsa \
    -out client/vdsmkey.pem 2048
# 2. Create a certificate request for the node.
openssl req \
    -new \
    -out "requests/$1.req" \
    -key client/vdsmkey.pem \
    -subj "${subject}"
# 3. Sign the request with the CA (valid 10 years, start date backdated one day).
openssl ca \
    -batch \
    -config openssl.conf \
    -extfile cacert2.conf \
    -extensions v3_ca \
    -in "requests/$1.req" \
    -out "certs/$1.cer" \
    -keyfile private/ca.pem \
    -subj "/O=Linx/CN=$1" \
    -utf8 \
    -days "3650" \
    -startdate "$(date --utc --date "now -1 days" +"%y%m%d%H%M%SZ")"
# 4. Copy the CA cert, node cert and installer into the client directory (scp'd to the node).
cp ca.pem client/cacert.pem
cp "certs/$1.cer" client/vdsmcert.pem
cp install.sh client
# 5. Add the node cert to the engine's truststore under an alias made unique by a timestamp and a random suffix.
keytool -import -noprompt -trustcacerts \
    -alias "$1$(date --utc --date "now +1 days" +"%y%m%d%H%M%SZ")$(head -c 16 /dev/urandom | md5sum | head -c 10)" \
    -keypass mypass -file "certs/$1.cer" -keystore .truststore -storepass mypass
At 2017-12-26 16:37:33, "Irit Goihman" <igoihman at redhat.com> wrote:
Hi,
Can you explain your question?
Why are the engine certs changed?
Thanks,
Irit
On Mon, Dec 25, 2017 at 3:26 AM, pengyixiang <yxpengi386 at 163.com> wrote:
Hello, everyone!
I use ScenarioClient to call vdsm-jsonrpc-client, but I find that after my engine has connected to one node and I add a new node, the certs (engine.p12) are changed,
but the engine cannot connect to the new node. At last I found the problem in [1]: I think the RPC's certs for the node are still the old ones, so I tried changing the code to [2],
then repeated the test, and it works well. oVirt's engine doesn't meet this trouble; how did you do it? The client is created like this [3].
[1] https://github.com/oVirt/vdsm-jsonrpc-java/blob/078233e60c24f8b8525b3bf5fb1c5ab9f1c4e0f4/client/src/main/java/org/ovirt/vdsm/jsonrpc/client/reactors/ReactorFactory.java#L76
[2]
private static Reactor getSslStompReactor(ManagerProvider provider) throws ClientConnectionException {
    // Original singleton shortcut, disabled so a fresh reactor (and SSLContext) is built on every call:
    // if (sslStompReactor != null) {
    //     return sslStompReactor;
    // }
    synchronized (ReactorFactory.class) {
        // Double-checked singleton test, also disabled:
        // if (sslStompReactor != null) {
        //     return sslStompReactor;
        // }
        try {
            // Always rebuild from the provider's current SSLContext (current truststore contents).
            sslStompReactor = new SSLStompReactor(provider.getSSLContext());
        } catch (IOException | GeneralSecurityException e) {
            throw new ClientConnectionException(e);
        }
    }
    return sslStompReactor;
}
[3]
public ScenarioClient(String hostname, int port) throws ClientConnectionException {
    // Obtain the (shared) STOMP reactor for the provider's SSLContext.
    this.reactor = ReactorFactory.getReactor(ProviderFactory.getProvider(), ReactorType.STOMP);
    final ReactorClient client = this.reactor.createClient(hostname, port);
    client.setClientPolicy(new DefaultStompConnectionPolicy());
    this.worker = ReactorFactory.getWorker(PARALLELISM);
    this.jsonClient = this.worker.register(client);
    this.jsonClient.setRetryPolicy(new DefaultStompClientPolicy());
}
--
IRIT GOIHMAN
SOFTWARE ENGINEER
EMEA VIRTUALIZATION R&D
Red Hat EMEA