(DEPRECATED) Apache Flink User Mailing List archive.

Re: In-transit Data Encryption in EMR

Posted by Vinay Patil on
URL: http://deprecated-apache-flink-user-mailing-list-archive.369.s1.nabble.com/In-transit-Data-Encryption-in-EMR-tp13455p13609.html

Hi Guys,

Can anyone please provide me solution to my queries.

On Jun 8, 2017 11:30 PM, "Vinay Patil" <[hidden email]> wrote:
Hi Guys,

I am able to setup SSL correctly, however the following command  does not work correctly and results in the error I had mailed earlier
flink run -m yarn-cluster -yt deploy-keys/ TestJob.jar

Few Doubts: 
1. Can anyone please explain me how do you test if SSL is working correctly ? Currently I am just relying on the logs.

2. Wild Card is not working with the keytool command, can you please let me know what is the issue with the following command:
keytool -genkeypair -alias ca -keystore: -ext SAN=dns:node1.* 


Regards,
Vinay Patil

On Mon, Jun 5, 2017 at 8:43 PM, vinay patil [via Apache Flink User Mailing List archive.] <[hidden email]> wrote:
Hi Gordon,

The yarn session gets created when I try to run the following command:
yarn-session.sh -n 4 -s 2 -jm 1024 -tm 3000 -d --ship deploy-keys/

However when I try to access the Job Manager UI, it gives me exception as :
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I am able to see the Job Manager UI  when I imported the CA certificate to java truststore on EMR master node :
keytool -keystore /etc/alternatives/jre/lib/security/cacerts -importcert -alias FLINKSSL -file ca.cer


Does this mean that SSL is configured correctly ? I can see in the Job Manager configurations and also in th e logs. Is there any other way to verify ?

Also the keystore and truststore  password should be masked in the logs which is not case.

2017-06-05 14:51:31,135 INFO  org.apache.flink.configuration.GlobalConfiguration            - Loading configuration property: security.ssl.enabled, true
2017-06-05 14:51:31,136 INFO  org.apache.flink.configuration.GlobalConfiguration            - Loading configuration property: security.ssl.keystore, deploy-keys/ca.keystore
2017-06-05 14:51:31,136 INFO  org.apache.flink.configuration.GlobalConfiguration            - Loading configuration property: security.ssl.keystore-password, password
2017-06-05 14:51:31,136 INFO  org.apache.flink.configuration.GlobalConfiguration            - Loading configuration property: security.ssl.key-password, password
2017-06-05 14:51:31,136 INFO  org.apache.flink.configuration.GlobalConfiguration            - Loading configuration property: security.ssl.truststore, deploy-keys/ca.truststore
2017-06-05 14:51:31,136 INFO  org.apache.flink.configuration.GlobalConfiguration            - Loading configuration property: security.ssl.truststore-password, password


Regards,
Vinay Patil


If you reply to this email, your message will be added to the discussion below:
http://apache-flink-user-mailing-list-archive.2336050.n4.nabble.com/In-transit-Data-Encryption-in-EMR-tp13455p13490.html
To start a new topic under Apache Flink User Mailing List archive., email [hidden email]
To unsubscribe from Apache Flink User Mailing List archive., click here.
NAML

Free forum by Nabble Edit this page