Can somebody help me to sort out the SSL connection to zookeeper,my questions is How to configure
CLIENT_JVMFLAGS in zkCli.cmd file in windows.
Ref :https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
Set CLIENT JVMFLAGS at terminal by exporting exact as mentioned in that website(Before starting zkCli). (Don't get confused about zkCli, which is "zk command line" not "zkclient")
Client VM Args:
-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
-Dzookeeper.client.secure=true
-Dzookeeper.ssl.keyStore.location=C:/OpenSSL/bin/1KeyStore.jks
-Dzookeeper.ssl.keyStore.password=yourpass
-Dzookeeper.ssl.trustStore.location=C:/OpenSSL/bin/1truststore.jks
-Dzookeeper.ssl.trustStore.password=yourpass"
For more, Follow these steps to make connection and everything you need:
https://issues.apache.org/jira/browse/ZOOKEEPER-2125
Add this to the zkEnv.sh
export SERVER_JVMFLAGS="
-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
-Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks
-Dzookeeper.ssl.keyStore.password=testpass
-Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks
-Dzookeeper.ssl.trustStore.password=testpass"
Also you might need to add more Heap.
Follow this page:
ZooKeeper SSL User Guide
Related
I'm trying to install kuberentes with rkt on my real (not virtual) coreos servers at home using the scripts at https://github.com/coreos/coreos-kubernetes/tree/master/multi-node/generic and I have some questions.
my etcd2 is using tls keys, I can't see anywhere in the script where I can define where the certificates are located.
can I supply a domain instead of IP for ADVERTISE_IP and CONTROLLER_ENDPOINT ?
when I tried to install kubernetes manually I needed start the rkt service api. it doesn't state in the documents that it needed here, does it mean that I don't need it if I use these scripts? or is it just something that's missing in the documents?
thanks!
update
Rob thank you so much for your response. I wasn't clear enough regarding etcd2. I already have etcd2 tls installed and properly configured on my coreos servers. so I configured my etcd servers in the controller-install.sh file:
export ETCD_ENDPOINTS="https://coreos-2.tux-in.com:2379,https://coreos-3.tux-in.com:2379"
but when I run the controller-install.sh script, it returns and repeat the following output:
Waiting for etcd...
Trying: https://coreos-2.tux-in.com:2379
Trying: https://coreos-3.tux-in.com:2379
Trying: https://coreos-2.tux-in.com:2379
Trying: https://coreos-3.tux-in.com:2379
...
so I was guessing it's because i didn't define etcd related tls certificates in the controller script and that is why it stuck in that faze.
on my macbook pro laptop I have the following alias configured:
alias myetcdctl="~/apps/etcd-v3.0.8-darwin-amd64/etcdctl --endpoint=https://coreos-2.tux-in.com:2379 --ca-file=/Users/ufk/Projects/coreos/tux-in/etcd/certs/certs-names/ca.pem --cert-file=/Users/ufk/Projects/coreos/tux-in/etcd/certs/certs-names/etcd1.pem --key-file=/Users/ufk/Projects/coreos/tux-in/etcd/certs/certs-names/etcd1-key.pem --timeout=10s"
so when I run myetcdctl member list I get:
8832ce6a269a7dac: name=ccff826d5f564c67abf35467306f80a0 peerURLs=https://coreos-3.tux-in.com:2380 clientURLs=https://coreos-3.tux-in.com:2379 isLeader=true
a2c0ac9708ef90fc: name=dc38bc8f20e64940b260d3f7b260430d peerURLs=https://coreos-2.tux-in.com:2380 clientURLs=https://coreos-2.tux-in.com:2379 isLeader=false
so I'm guessing that I don't really have a problem there.
any ideas?
thanks!
my etcd2 is using tls keys, I can't see anywhere in the script where I can define where the certificates are located.
These scripts don't start an etcd server. You will need to set one up manually and will be able to use TLS and as many nodes as you would like. This isn't clear in the current form of the document, I will attempt a PR to fix.
can I supply a domain instead of IP for ADVERTISE_IP and CONTROLLER_ENDPOINT ?
Only CONTROLLER_ENDPOINT be a domain name.
when I tried to install kubernetes manually I needed start the rkt service api. it doesn't state in the documents that it needed here, does it mean that I don't need it if I use these scripts? or is it just something that's missing in the documents?
These scripts include/start the rkt API service. As you can see below, it also has a Restart parameter set (source):
[Unit]
Before=kubelet.service
[Service]
ExecStart=/usr/bin/rkt api-service
Restart=always
RestartSec=10
[Install]
RequiredBy=kubelet.service
This error is driving me nuts...
Situation:
I am trying to create a REST api and use a api-gateway proxy to access it. Proxy URL is HTTPS.
The deployment goes through fine. No errors reported in the logs. Worker assigned.
However when I try to access through browser get the "Uh-oh spaghettios! There's nothing here.".
Have tried all the usual things like making the https port dynamic using ${https.port} and using 0.0.0.0 instead of localhost in the http-listener config. But that does not help. Has this something to got to do with the proxy version ?
Any help or pointers will be great!
Make sure you follow Steps 2 from below link
Getting Started with Connectors
All,
Got the resolution. The problem was with the certificate chain. The keystore did not contain intermediate certificates. When added to the keystore the connectivity worked fine.
Only if Mulesoft provided correct errors or detailed logging, I would have saved lot of time over this.
Thanks for your inputs.
I found doc that indicates I need to setup a webserver in my collective environment, however, I cannot determine the correct set of steps. Thoughts?
It would help to see what you've already tried, but consider the following:
Create two or more servers on one or more of the hosts and join them to the collective. Make sure your servers are clusterMembers and collectiveMembers. The following post should help with creating servers and joining them to the collective:
How can I setup a cell and collective in Bluemix
Update the controller's /etc/hosts file with the hostnames of all the hosts in the collective.
Download and follow this guide to generate the plugin-cfg.xml file on the controller:
https://developer.ibm.com/wasdev/downloads/#asset/scripts-jython-Generate_Cluster_Plugin
Copy the generated plugin-cfg.xml file to /opt/IBM/WebSphere/HTTPServer/conf
Edit /opt/IBM/WebSphere/HTTPServer/conf/httpd.conf and uncomment these two lines at the bottom of the file:
LoadModule was_ap22_module /opt/IBM/WebSphere/Plugins/bin/64bits/mod_was_ap22_http.so
WebSpherePluginConfig /opt/IBM/WebSphere/Profiles/Liberty/servers/controller/pluginConfig/myLibertyCluster-plugin-cfg.xml
Change the WebSpherePluginConfig value to be /opt/IBM/WebSphere/HTTPServer/conf/plugin-cfg.xml
Stop and start the HTTP server
sudo ./apachectl stop
sudo ./apachectl start
Verify the application can be reached using the webserver <webserverIP>:80/appname
Generate the plugin again if the application is added or removed.
when I am starting WebLogic admin server with local host:port no/console I am getting the following error:
Console/Management requests or requests with <require-admin-traffic> specified to 'true' can only be made through an administration channel.
How to overcome this error?
You can manualy change your config.xml, find the <require-admin-traffic> element and change it's value to false.
This is because the option administration-port-enabled is set to true in config.xml
(available under ../MW_HOME/user_projects/domains/config)
<administration-port-enabled>false</administration-port-enabled>
Perfect. Or you can use the administration port you entered when configuring the server to use the admin server, which will be different from the default one. The default one 7001, the default for the admin server is 9002 and you can only access it via https.
Not downvoting the answer as it is accepted and maybe useful for users which can't recover their admin port, but this is obviously not best practise.
Once you open config.xml under the folder ../config,
change this row from 'true' to 'false':
true
It should then be ok.
Skender Kollcaku
You are most probably trying to use the administration console on the application port. You need the administration port.
Go to your domain directories (ex. /opt/weblogic/domains/mydomain)
Go into sub-directory config
Run grep "administration-port" config.xml
This will give you a port number, like: <administration-port>12345</administration-port>
Use that port to connect to /console/.
ex: https://YOUR-SERVER:12345/console/
This is much preferable to using the application port for the console, like #Peter pointed out.
I have an HAProxy install which was configured by someone who left the company. It runs on Ubuntu 10.04 and it seems to use 3 configuration files in the directory /etc/haproxy
haproxy.cfg
haproxy.http.cfg
haproxy.https.cfg
I don't see the point in using the haproxy.https.cfg file as I believe (in our configuration) it can all be configured from a single haproxy.http.cfg file but when I remove that httpS file it complains bitterly and refuses to run. My question
Is this the standard configuration haproxy uses or if not, I can't find a reference to the "S" file anywhere. Can anyone suggest how HAProxy concludes it should use it?
Thanks
The very answer to your question: your haproxy is simply launched with those three config files ( -f haproxy.cfg -f haproxy.http.cfg -f haproxy.https.cfg, maybe from /etc/init.d/haproxy but mileage varies depending on your distribution ).
If you remove the file, of course it will complain.
This is not particularly standard, but ain't bad either, it helps structuring the conf rather than having a very long file.
The task of the .https version will certainly be to redirect the https traffic towards a service that can handle HTTPS (stunnel or nginx usually), since haproxy cannot terminate ssl connections. (stunnel has to be patched, see on the haproxy page)
If you want you can merge those files into one or two, just find out how haproxy is launched (check for init.d or let us know which distribution) and fix it appropriately.
I believe that it is only /etc/haproxy/haproxy.cfg that is used by default.
This may be of use to you (1.4 configuration reference):
http://haproxy.1wt.eu/download/1.4/doc/configuration.txt