Rolling Back SSL configuration on external ZK

  • By default, communication between RadiantOne FID (client) to ZooKeeper is over a non-SSL
    port. The basic configuration and state information that are stored in ZooKeeper pose a
    generally low security risk.
  • However, if your corporate policies dictate that all internal services
    must connect to each other via SSL/TLS, you can configure this secure connection between
    RadiantOne FID nodes and Zookeeper.
  • The configuration steps for which are elaborated in RLI_HOME/Documentation/VDS/Hardening Guide.
  • Zookeeper is the most sensitive component of RadiantOne  which is hence very obscured to avoid complex troubleshooting arising from improper ZK configuration and ZK SSL config should be performed wit EXTREME CAUTION and contingencies/backups in place.
  • Rolling back SSL config , it should be ensured that all the steps in RLI_HOME/Documentation/VDS/Hardening Guide >>Chapter 1: Securing RadiantOne Configuration and Administration  >> "Configure SSL between RadiantOne FID and ZooKeeper ", MUST BE UNDONE.
  • Specifically the following key-value pairs must be COMMENTED OUT in <ZooKeeperInstall>/rlizookeeperexternal/zookeeper/conf/zoo.cfg file on all the participating external ZK servers.:
#secureClientPort = 2155
#client.portUnification = true
#sslQuorum = true
#portUnification = true
  • A graceful restart of all the services is recommended after this change in the aforementioned zoo.cfg for it to take effect.
  • Failing to do so will cause the Zookeeper ensemble to go into READ-ONLY mode and the following banner will be displayed on the Main Control Panel and vds traffic will NOT BE SERVED as the block-replication for write traffic will be crippled by ZK being flipped to a READ_ONLY state:

  • The ZK logs among many other types of SSL ERRORs/WARNINGS is known to register logging like:
2023-05-30 14:09:27,979 [myid:1] - INFO [0.0.0.0/0.0.0.0:3888:QuorumCnxManager$Listener@936] - Received connection request from /SERVERIP:PORT
2023-05-30 14:09:27,989 [myid:1] - INFO [nioEventLoopGroup-4-18:NettyServerCnxn@272] - Processing isro command from /SERVERIP:PORT
2023-05-30 14:09:27,991 [myid:1] - INFO [0.0.0.0/0.0.0.0:3888:UnifiedServerSocket$UnifiedSocket@273] - Accepted TLS connection from /SERVERIP:PORT - NONE - SSL_NULL_WITH_NULL_NULL
2023-05-30 14:09:27,991 [myid:1] - WARN [0.0.0.0/0.0.0.0:3888:QuorumCnxManager@595] - Exception reading or writing challenge: {}
java.net.SocketException: Socket is closed
at sun.security.ssl.SSLSocketImpl.getInputStream(SSLSocketImpl.java:781)
at org.apache.zookeeper.server.quorum.UnifiedServerSocket$UnifiedInputStream.getRealInputStream(UnifiedServerSocket.java:700)
at org.apache.zookeeper.server.quorum.UnifiedServerSocket$UnifiedInputStream.read(UnifiedServerSocket.java:694)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:286)
at java.io.BufferedInputStream.read(BufferedInputStream.java:345)
at java.io.DataInputStream.readFully(DataInputStream.java:195)
at java.io.DataInputStream.readLong(DataInputStream.java:416)
at org.apache.zookeeper.server.quorum.QuorumCnxManager.handleConnection(QuorumCnxManager.java:571)
at org.apache.zookeeper.server.quorum.QuorumCnxManager.receiveConnection(QuorumCnxManager.java:522)
at org.apache.zookeeper.server.quorum.QuorumCnxManager$Listener.run(QuorumCnxManager.java:945
Was this article helpful?
1 out of 1 found this helpful

Comments

0 comments

Please sign in to leave a comment.

Articles in this section