How to start Gremlin Server with SSL enabled


Kevin Wang

Oct 20, 2016, 7:19:01 AM
to Aurelius
I'm very new to Gremlin Server. I was trying to use Gremlin Server with the REST API and SSL enabled, and here is the gremlin-server.yaml I have modified:

host: 9.30.54.48
port: 8182
threadPoolWorker: 1
gremlinPool: 8
scriptEvaluationTimeout: 30000
serializedResponseTimeout: 30000
channelizer: org.apache.tinkerpop.gremlin.server.channel.HttpChannelizer
graphs: {
  graph: conf/titan-hbase-solr.properties}
plugins:
  - aurelius.titan
scriptEngines: {
  gremlin-groovy: {
    imports: [java.lang.Math],
    staticImports: [java.lang.Math.PI],
    scripts: [scripts/empty-sample.groovy]},
  nashorn: {
      imports: [java.lang.Math],
      staticImports: [java.lang.Math.PI]}}
serializers:
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0, config: { useMapperFromGraph: graph }}
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0, config: { serializeResultToString: true }}
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerGremlinV1d0, config: { useMapperFromGraph: graph }}
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV1d0, config: { useMapperFromGraph: graph }}
processors:
  - { className: org.apache.tinkerpop.gremlin.server.op.session.SessionOpProcessor, config: { sessionTimeout: 28800000 }}
metrics: {
  consoleReporter: {enabled: true, interval: 180000},
  csvReporter: {enabled: true, interval: 180000, fileName: /tmp/gremlin-server-metrics.csv},
  jmxReporter: {enabled: true},
  slf4jReporter: {enabled: true, interval: 180000},
  gangliaReporter: {enabled: false, interval: 180000, addressingMode: MULTICAST},
  graphiteReporter: {enabled: false, interval: 180000}}
threadPoolBoss: 1
maxInitialLineLength: 4096
maxHeaderSize: 8192
maxChunkSize: 8192
maxContentLength: 65536
maxAccumulationBufferComponents: 1024
resultIterationBatchSize: 64
writeBufferLowWaterMark: 32768
writeBufferHighWaterMark: 65536
ssl: {
  enabled: true}

When ssl.enabled is false, the server works perfectly, but after I set ssl.enabled to true, when I try a command like
curl -XPOST -Hcontent-type:application/json -d '{"gremlin":"100-1"}' 9.30.54.48:8182

it only returns

curl: (52) Empty reply from server


Any help will be much appreciated!


Jason Plurad

Oct 20, 2016, 9:42:17 AM
to Aurelius
Hi Kevin,

What versions of Titan and TinkerPop are you using?

I think the SSL support may have become available after TP 3.0.1 since I couldn't find the documentation in that version.

Check out the TP 3.0.2 security docs here:
http://tinkerpop.apache.org/docs/3.0.2-incubating/#_security

Notice the example curl statement uses the https url. The insecure option is required unless you have a valid certificate available.

curl -X POST --insecure -u stephen:password -d "{\"gremlin\":\"100-1\"}" "https://localhost:8182"


-- Jason

Kevin Wang

Oct 24, 2016, 11:10:40 PM
to Aurelius
I'm using Titan 1.0 and TinkerPop 3.0.2.

When I tried the insecure option, I still got the following message:

curl: (52) Empty reply from server

Kevin Wang

Oct 25, 2016, 2:35:28 AM
to Aurelius
Dear Jason,
When I ran the command, I actually encountered the following error:


37794 [gremlin-server-worker-1] ERROR org.apache.tinkerpop.gremlin.server.handler.HttpGremlinEndpointHandler  - Error processing HTTP Request
io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 504f5354202f20485454502f312e310d0a417574686f72697a6174696f6e3a204261736963206333526c6347686c626a707759584e7a643239795a413d3d0d0a557365722d4167656e743a206375726c2f372e31392e3720287838365f36342d7265646861742d6c696e75782d676e7529206c69626375726c2f372e31392e37204e53532f332e313820426173696320454343207a6c69622f312e322e33206c696269646e2f312e3138206c6962737368322f312e342e320d0a486f73743a20392e33302e3136362e3131333a383138320d0a4163636570743a202a2f2a0d0a436f6e74656e742d4c656e6774683a2031390d0a436f6e74656e742d547970653a206170706c69636174696f6e2f782d7777772d666f726d2d75726c656e636f6465640d0a0d0a7b226772656d6c696e223a223130302d31227d
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:971)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:327)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:230)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:308)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:294)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:846)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:131)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:511)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:468)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:382)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:354)
at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:111)
at java.lang.Thread.run(Thread.java:745)

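The hex dump in that NotSslRecordException line is the raw plaintext request curl sent to the TLS port, and the server wrote it to its log, Authorization header included. As an added example (not code from this thread or from TinkerPop), this Python snippet decodes such a Netty log line and reports what went over the wire in the clear, including which Basic-auth account now sits in the server log and should have its password rotated; the sample log line is constructed from the hex quoted above.

```python
import base64
import re

# Constructed sample: the hex dump from the "not an SSL/TLS record" message above, split by field for readability.
NETTY_LOG_LINE = (
    "io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: "
    "504f5354202f20485454502f312e310d0a417574686f72697a6174696f6e3a204261736963206333526c6347686c626a707759584e7a643239795a413d3d0d0a"
    "557365722d4167656e743a206375726c2f372e31392e3720287838365f36342d7265646861742d6c696e75782d676e7529"
    "206c69626375726c2f372e31392e37204e53532f332e313820426173696320454343207a6c69622f312e322e33"
    "206c696269646e2f312e3138206c6962737368322f312e342e320d0a"
    "486f73743a20392e33302e3136362e3131333a383138320d0a4163636570743a202a2f2a0d0a436f6e74656e742d4c656e6774683a2031390d0a"
    "436f6e74656e742d547970653a206170706c69636174696f6e2f782d7777772d666f726d2d75726c656e636f6465640d0a"
    "0d0a7b226772656d6c696e223a223130302d31227d"
)

def extract_plaintext(log_line):
    """Return the bytes Netty rejected as 'not an SSL/TLS record', or None."""
    m = re.search(r"not an SSL/TLS record: ([0-9a-fA-F]+)", log_line)
    return bytes.fromhex(m.group(1)) if m else None

def parse_http_request(raw):
    """Split a cleartext HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}

def leaked_basic_user(headers):
    """Username from a cleartext Basic Authorization header; the password is withheld on purpose."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded.partition(":")[0]

def triage(log_line):
    """Summarise what the client sent in the clear, so the operator knows what to rotate."""
    raw = extract_plaintext(log_line)
    if raw is None:
        return None
    req = parse_http_request(raw)
    return {"method": req["method"], "host": req["headers"].get("host"),
            "body": req["body"].decode("utf-8", "replace"), "leaked_user": leaked_basic_user(req["headers"])}
```

Running `triage(NETTY_LOG_LINE)` shows a plain-HTTP POST to the TLS port carrying Basic credentials for `stephen`, which is exactly the mistake the later switch to `https://` fixes.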

Kevin Wang

Oct 25, 2016, 4:39:35 AM
to Aurelius
I have found the issue: if I use https instead of http, the issue is resolved, but then I got the following issue. I don't know why I am still unauthorized.

[root@bear1 ~]# curl -XPOST -v --insecure -u stephen:password -d '{"gremlin":"100-1"}' https://9.30.166.113:8182

* About to connect() to 9.30.166.113 port 8182 (#0)
*   Trying 9.30.166.113... connected
* Connected to 9.30.166.113 (9.30.166.113) port 8182 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=example.com
* start date: Oct 26 08:27:28 2015 GMT
* expire date: Dec 31 23:59:59 9999 GMT
* common name: example.com
* issuer: CN=example.com
* Server auth using Basic with user 'stephen'
> POST / HTTP/1.1
> Authorization: Basic c3RlcGhlbjpwYXNzd29yZA==
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.18 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Accept: */*
> Content-Length: 19
> Content-Type: application/x-www-form-urlencoded
< HTTP/1.1 401 Unauthorized
* no chunk, no close, no size. Assume close to signal end
* Closing connection #0

Jason Plurad

Oct 25, 2016, 10:14:34 AM
to Aurelius
Hi Kevin,

Please review the link I supplied previously: http://tinkerpop.apache.org/docs/3.0.2-incubating/#_security

Did you add an authentication definition in the gremlin-server.yaml?

authentication: {
  className: org.apache.tinkerpop.gremlin.server.auth.SimpleAuthenticator,
  config: {
    credentialsDb: conf/tinkergraph-empty.properties,
    credentialsDbLocation: data/credentials.kryo}}

Note that you'd have to make sure that the credentials.kryo exists as this is the persisted credential data (stephen:password). You can find a copy of that file in the gremlin-server 3.0.2 zip.

-- Jason

seanbram...@gmail.com

Oct 26, 2016, 12:59:53 PM
to Aurelius
Does this work for the AWS Titan Dynamo plugin as well?

Jason Plurad

Oct 26, 2016, 7:16:02 PM
to Aurelius
I'd think it would work. Try it out and let us know.

-- Jason

Kevin Wang

Oct 27, 2016, 11:40:39 PM
to Aurelius
Dear Jason,
Thank you for your kind help. I finally made the server work. Just one more question: if I want to create my own credentials.kryo with a new username and password, how can I make such a file?

Stephen Mallette

Oct 28, 2016, 6:59:55 AM
to Aurelius


Kevin Wang

Oct 30, 2016, 10:04:10 PM
to Aurelius
Please forgive me for asking a silly question. Following the doc, I can create a credentials graph, but how do you save the graph locally as a file? I tried to Google it, but can't find anything relevant.

Stephen Mallette

Oct 31, 2016, 7:39:24 AM
to Aurelius