gremlin server error when specified SSL.keyPassword


Hui Cao

Jan 5, 2017, 2:35:12 AM
to Gremlin-users
Hi guys,
I am pretty new here. I recently ran into some issues regarding gremlin server and SSL.

1. Do we need to configure trustCertChainFile when I start my gremlin server only for RESTful purposes?

2. When I generate a non-passphrase key/cert using the command

openssl req -nodes -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days XXX

gremlin server started correctly, and I can do curl with "curl --cacert cert.pem"

However, if I generate the key/cert using a passphrase,

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days XXX

gremlin would give the following error



javax.net.ssl.SSLException: failed to initialize the server-side SSL context
at io.netty.handler.ssl.JdkSslServerContext.<init>(JdkSslServerContext.java:222)
at io.netty.handler.ssl.JdkSslServerContext.<init>(JdkSslServerContext.java:161)
at io.netty.handler.ssl.SslContext.newServerContextInternal(SslContext.java:399)
at io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:219)
at org.apache.tinkerpop.gremlin.server.AbstractChannelizer.createSSLContext(AbstractChannelizer.java:232)
at org.apache.tinkerpop.gremlin.server.AbstractChannelizer.init(AbstractChannelizer.java:114)
at org.apache.tinkerpop.gremlin.server.channel.HttpChannelizer.init(HttpChannelizer.java:49)
at org.apache.tinkerpop.gremlin.server.GremlinServer.start(GremlinServer.java:181)
at org.apache.tinkerpop.gremlin.server.GremlinServer.main(GremlinServer.java:346)
Caused by: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:253)
at sun.security.util.DerInputStream.getOID(DerInputStream.java:281)
at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267)
at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293)
at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132)
at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114)
at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372)
at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95)
at io.netty.handler.ssl.SslContext.generateKeySpec(SslContext.java:866)
at io.netty.handler.ssl.SslContext.buildKeyStore(SslContext.java:894)
at io.netty.handler.ssl.JdkSslContext.buildKeyManagerFactory(JdkSslContext.java:313)
at io.netty.handler.ssl.JdkSslContext.buildKeyManagerFactory(JdkSslContext.java:291)
at io.netty.handler.ssl.JdkSslServerContext.<init>(JdkSslServerContext.java:205)
... 8 more




And for reference, the gremlin-server.yaml file used for starting is as follows:

port: 8182
threadPoolWorker: 1
gremlinPool: 8
scriptEvaluationTimeout: 30000
serializedResponseTimeout: 30000
channelizer: org.apache.tinkerpop.gremlin.server.channel.HttpChannelizer
graphs: {
  graph: conf/titan-hbase-solr.properties}
plugins:
  - aurelius.titan
scriptEngines: {
  gremlin-groovy: {
    imports: [java.lang.Math],
    staticImports: [java.lang.Math.PI],
    scripts: [scripts/empty-sample.groovy]},
  nashorn: {
      imports: [java.lang.Math],
      staticImports: [java.lang.Math.PI]}}
serializers:
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0, config: { useMapperFromGraph: graph }}
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0, config: { serializeResultToString: true }}
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerGremlinV1d0, config: { useMapperFromGraph: graph }}
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV1d0, config: { useMapperFromGraph: graph }}
processors:
  - { className: org.apache.tinkerpop.gremlin.server.op.session.SessionOpProcessor, config: { sessionTimeout: 28800000 }}
metrics: {
  consoleReporter: {enabled: true, interval: 180000},
  csvReporter: {enabled: true, interval: 180000, fileName: /tmp/gremlin-server-metrics.csv},
  jmxReporter: {enabled: true},
  slf4jReporter: {enabled: true, interval: 180000},
  gangliaReporter: {enabled: false, interval: 180000, addressingMode: MULTICAST},
  graphiteReporter: {enabled: false, interval: 180000}}
threadPoolBoss: 1
maxInitialLineLength: 4096
maxHeaderSize: 8192
maxChunkSize: 8192
maxContentLength: 65536
maxAccumulationBufferComponents: 1024
resultIterationBatchSize: 64
writeBufferHighWaterMark: 32768
writeBufferHighWaterMark: 65536
ssl: {
  enabled: true, keyCertChainFile: /home/titan/cert.pem, keyFile: /home/titan/key.pem, keyPassword: password
}

Thanks in advance for your help
Hugo

Jason Plurad

Jan 5, 2017, 3:32:05 PM
to Gremlin-users
The Gremlin Server configuration docs state that:

ssl.keyFile

The PKCS#8 private key file in PEM format. 


Your key file needs to be converted to PKCS#8 format, then use the pk8.pem and its password in your gremlin-server.yaml.

openssl pkcs8 -topk8 -inform pem -in key.pem -outform pem -out pk8.pem

-- Jason
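
A preflight check for the keyFile/keyPassword pair discussed above, added here as an example (it is not code from the thread or from TinkerPop). It classifies a PEM key as PKCS#8 or traditional, and for an encrypted PKCS#8 key names the PBE scheme declared in the EncryptedPrivateKeyInfo, the structure the JVM was parsing in the stack trace of the first post. All function names are hypothetical and the sample keys are constructed placeholders, not real keys.

```python
import base64
import re

# One PEM block: label, then body (RFC 1421 headers, if any, plus base64).
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# PBE algorithm OIDs that may head a PKCS#8 EncryptedPrivateKeyInfo.
PBE_OIDS = {
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.1.5.3": "PBES1 pbeWithMD5AndDES-CBC",
    "1.2.840.113549.1.12.1.3": "PKCS#12 pbeWithSHAAnd3-KeyTripleDES-CBC",
}


def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def decode_oid(raw):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pbe_scheme(der):
    """Name the PBE scheme declared by an EncryptedPrivateKeyInfo."""
    tag_outer, start, _ = read_tlv(der, 0)      # EncryptedPrivateKeyInfo
    tag_alg, start, _ = read_tlv(der, start)    # AlgorithmIdentifier
    tag_oid, start, end = read_tlv(der, start)  # algorithm OID
    if (tag_outer, tag_alg, tag_oid) != (0x30, 0x30, 0x06):
        raise ValueError("not an EncryptedPrivateKeyInfo")
    oid = decode_oid(der[start:end])
    return PBE_OIDS.get(oid, oid)


def classify_key(pem_text):
    """Return format ('pkcs8', 'traditional', ...), encrypted flag and PBE scheme."""
    match = PEM_RE.search(pem_text)
    if not match:
        return {"format": "not-pem", "encrypted": False, "scheme": None}
    label, body = match.groups()
    if label == "ENCRYPTED PRIVATE KEY":
        der = base64.b64decode("".join(body.split()))
        return {"format": "pkcs8", "encrypted": True, "scheme": pbe_scheme(der)}
    if label == "PRIVATE KEY":
        return {"format": "pkcs8", "encrypted": False, "scheme": None}
    if label.endswith(" PRIVATE KEY"):  # e.g. "RSA PRIVATE KEY"
        encrypted = "Proc-Type: 4,ENCRYPTED" in body
        return {"format": "traditional", "encrypted": encrypted, "scheme": None}
    return {"format": "not-a-key", "encrypted": False, "scheme": None}


def check_ssl_settings(ssl, key_pem):
    """Return problems with an ssl: section, given the text of its keyFile."""
    info = classify_key(key_pem)
    problems = []
    if info["format"] != "pkcs8":
        problems.append("keyFile is %s, not PKCS#8 PEM; convert it with "
                        "openssl pkcs8 -topk8" % info["format"])
    elif info["encrypted"] and not ssl.get("keyPassword"):
        problems.append("keyFile is encrypted (%s) but keyPassword is not set"
                        % info["scheme"])
    elif not info["encrypted"] and ssl.get("keyPassword"):
        problems.append("keyPassword is set but keyFile is not encrypted")
    return problems


def to_pem(label, der):
    body = base64.encodebytes(der).decode()
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)


# Constructed samples (not real keys). The first is a minimal
# EncryptedPrivateKeyInfo declaring PBES2 with empty parameters and 8 zero
# bytes standing in for ciphertext; the second is a traditional encrypted key.
SAMPLE_PKCS8_ENC = to_pem("ENCRYPTED PRIVATE KEY", bytes.fromhex(
    "3019300d06092a864886f70d01050d30000408" + "00" * 8))
SAMPLE_TRADITIONAL_ENC = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nAAAA\n"
    "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, pem in (("pkcs8", SAMPLE_PKCS8_ENC), ("traditional", SAMPLE_TRADITIONAL_ENC)):
        print(name, classify_key(pem), check_ssl_settings({"keyPassword": "changeit"}, pem))
```

Running classify_key on key.pem and on pk8.pem shows whether the conversion changed the container format, the PBE scheme, or both.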

Hui Cao

Jan 8, 2017, 3:25:38 AM
to Gremlin-users
Thank you Jason for the tip, it is working for me now.
Sorry that I have to ask another question; I am pretty new to the security part, and it seems to be pretty hard for me to find the answer on Google.

Would you mind also telling me how to use the trustCertChainFile?
If I can set up a trustCertChainFile with the REST config, then how do I do that?

Robert Dale

Jan 9, 2017, 9:11:12 AM
to gremli...@googlegroups.com
trustCertChainFile is moot - client cert authentication is not supported.

There are really only two valid configurations for gremlin server SSL:

1. self-signed generated by gremlin server:
ssl: {
  enabled: true
}


2. providing your own certificates (self-signed or CA-signed)
ssl: {
  enabled: true,
  keyFile: www.example.com.key.pem,
  keyPassword: changeit,  # if key is encrypted, otherwise this can be omitted
  keyCertChainFile: www.example.com.cert.pem
}


keyCertChainFile must have the public, signed certificate.  It may also have the partial or whole certificate chain (bundle) appended to the public cert.




Robert Dale


Hui Cao

Jan 10, 2017, 1:05:28 AM
to Gremlin-users
Thanks Robert, please correct me if I'm wrong,
per my understanding, gremlin server now only supports one-way SSL configuration, right?

Hugo


Robert Dale

Jan 10, 2017, 6:16:26 AM
to gremli...@googlegroups.com

The client can authenticate the server.  The server can not authenticate the client (via SSL; server supports other authentication mechanisms).  Encryption is bi-directional.

Robert Dale


Stephen Mallette

Jan 12, 2017, 6:53:30 AM
to Gremlin-users
I'll admit that I got a bit lost in the "SSL stuff" getting this all implemented. If anyone wants to take a stab at getting the client to authenticate via SSL (assuming that makes sense as something to do) that would be cool

Hui Cao

Jan 17, 2017, 12:58:39 AM
to Gremlin-users
Hi Robert

Thanks for all your kind replies, but I am still a little confused and curious about the trustCertChainFile.
When you said trustCertChainFile is moot, do you mean it is not implemented? Or it is not a ready-for-use feature? Or is it useful only for a specific use case?
In addition, if it is not a supported feature, why is it listed in the documentation? Do we plan on implementing this feature in the future?

Thanks again
Hugo



Stephen Mallette

Jan 17, 2017, 6:59:07 AM
to Gremlin-users
As Robert said, it's implemented on the server, but not the driver, so trying to use it on the server really isn't going to do anything. I sorta got lost implementing SSL when I originally got that functionality in place. I don't think I realized that I didn't have it implemented fully. If someone knows how to add that functionality to the driver so that we would get full support, that would be most appreciated.


Robert Dale

Jan 17, 2017, 7:06:00 AM
to gremli...@googlegroups.com
I created issue https://issues.apache.org/jira/browse/TINKERPOP-1602

If no one else gets to it, I can probably do it next week.

Robert Dale

Robert Dale

Jan 17, 2017, 2:49:25 PM
to gremli...@googlegroups.com
Hui, the change was small enough I went ahead and made it.  It would be great if you could help test.


Robert Dale

Hui Cao

Feb 13, 2017, 6:59:50 AM
to Gremlin-users
Hi Robert, 
Sorry for the late response, it was the Chinese New Year here in China for the last half month, and I didn't get the time to log in.
Yes, I would be happy to test your work. Do you mind telling me how I create the trustCertChainFile?

And under what condition to test whether it is working? Should I put it on a remote gremlin console outside the cluster to use it? Or should I start with this file on the gremlin server node?

Sorry for the long questions
Let me know
Hui


Robert Dale

Feb 13, 2017, 3:14:43 PM
to gremli...@googlegroups.com

Here's an example using self-signed certs on both the server and the client. First we'll create the server certs and configure the server. Then we'll create the client certs. Note that I'm using pseudo-relative filenames. You should make sure you use correct filenames.

1. Create the self-signed server cert
openssl req -newkey rsa:2048 -nodes -keyout server.key -x509 -days 365 -out  server.crt

2. Convert the private key to pkcs8 format. Set password to 'changeit'
openssl pkcs8 -topk8 -inform pem -in server.key -outform pem -out server.pk8

3. Configure the server
In conf/gremlin-server-secure.yaml, make sure you have one section like:
ssl: {
    enabled: true,
    keyFile: server.pk8,
    keyPassword: changeit,
    keyCertChainFile: server.crt,
    trustCertChainFile: server-trusted.crt
}

The 'server-trusted.crt' file doesn't exist yet. It will be created during client setup. You could do something similar for the HTTP/REST service.

4. Create the self-signed client cert.
openssl req -newkey rsa:2048 -nodes -keyout client.key -x509 -days 365 -out  client.crt

5. Convert the private key to pkcs8 format. Set password to 'changeit'
openssl pkcs8 -topk8 -inform pem -in client.key -outform pem -out client.pk8

6. Now we can copy the client's public cert to the server's trust store.
cat client.crt >> server-trusted.crt

7. The client will also need to trust the server.
cat server.crt >> client-trusted.crt

8. Configure the client
In conf/remote-secure.yaml, you will want to have one section like:
connectionPool: {
  enableSsl: true,
  keyFile: client.pk8,
  keyCertChainFile: client.crt,
  keyPassword: changeit,
  trustCertChainFile: client-trusted.crt
  }

8b. Make sure gremlin console is using that file
conf/remote-graph.properties:
gremlin.remote.driver.clusterFile=conf/remote-secure.yaml

9. Start the server
./bin/gremlin-server.sh conf/gremlin-server-secure.yaml

10. Start the client
./bin/gremlin.sh

         \,,,/
         (o o)
-----oOOo-(3)-oOOo-----
plugin activated: tinkerpop.server
plugin activated: tinkerpop.utilities
plugin activated: tinkerpop.tinkergraph
gremlin> graph = EmptyGraph.instance()
==>emptygraph[empty]
gremlin> g = graph.traversal().withRemote('conf/remote-graph.properties')
==>graphtraversalsource[emptygraph[empty], standard]
gremlin> g.V()
gremlin>


Robert Dale
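
A check of the trust wiring from steps 6 and 7 above, added here as an example (not code from the thread or from TinkerPop). It assumes the self-signed setup of this procedure, where each side's trust file must contain the peer's exact certificate, and it also flags duplicate entries left by re-running `cat >>`. Function names are hypothetical and the sample "certificates" are constructed placeholders, not real X.509 data.

```python
import base64
import hashlib
import re

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_fingerprints(pem_text):
    """SHA-256 fingerprint of every certificate in a PEM bundle, in file order."""
    fingerprints = []
    for body in CERT_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def check_mutual_trust(files):
    """files maps the procedure's file names to their PEM text; return problems."""
    problems = []
    for side, peer in (("server", "client"), ("client", "server")):
        own = cert_fingerprints(files.get(side + ".crt", ""))
        peer_fps = cert_fingerprints(files.get(peer + ".crt", ""))
        trust_name = side + "-trusted.crt"
        trusted = cert_fingerprints(files.get(trust_name, ""))
        if not own:
            problems.append("%s.crt: no certificate found" % side)
            continue
        if not trusted:
            problems.append("%s: empty or missing" % trust_name)
            continue
        # With self-signed certs the peer's certificate is its own trust anchor,
        # so it has to be present byte for byte in this side's trust file.
        if peer_fps and peer_fps[0] not in trusted:
            hint = ""
            if own[0] in trusted:
                hint = " (it holds this side's own certificate; files swapped?)"
            problems.append("%s: %s.crt is not in it%s" % (trust_name, peer, hint))
        if len(set(trusted)) != len(trusted):
            problems.append("%s: duplicate entries (was 'cat >>' run twice?)"
                            % trust_name)
    return problems


def fake_cert(payload):
    """Constructed placeholder: PEM armor around arbitrary bytes."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(payload).decode()
            + "-----END CERTIFICATE-----\n")


SERVER_CRT = fake_cert(b"constructed server certificate")
CLIENT_CRT = fake_cert(b"constructed client certificate")

# State after steps 6 and 7 as written in the procedure.
GOOD = {"server.crt": SERVER_CRT, "client.crt": CLIENT_CRT,
        "server-trusted.crt": CLIENT_CRT, "client-trusted.crt": SERVER_CRT}
# Constructed mistake: each side trusts itself, and step 6 was run twice.
SWAPPED = {**GOOD, "server-trusted.crt": SERVER_CRT,
           "client-trusted.crt": CLIENT_CRT + CLIENT_CRT}

if __name__ == "__main__":
    print(check_mutual_trust(GOOD))
    for line in check_mutual_trust(SWAPPED):
        print(line)
```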


Hui Cao

Mar 12, 2017, 8:09:07 AM
to Gremlin-users
Hi Robert, 
The configuration works perfectly, thanks a lot for all the help.
So by following this thread along, I have concluded the following points:
For general users to use SSL in Gremlin server,
most of the time:
1. use 2 openssl commands to generate a password-protected key cert file and a keyChainFile for server
2. put password and the files location in the server yaml configuration and start gremlin server
3. copy keyChainFile to user to use "curl --cacert /path/to/keyChainFile" to use restful/websocket function

This would be a valid setup most of the time. Users can set up a client cert for advanced usage.
Let me know if I have the correct understanding.
My current work somewhat depends on this feature of gremlin-server, so I would appreciate hearing from you soon.
Thanks
Hui



Robbie Runka

Jul 27, 2017, 3:00:07 PM
to Gremlin-users
Hey Robert,

Thank you for the detailed instructions. I followed the steps and upon starting my gremlin server I got the following final lines in my server log:

10714 [main] INFO  org.apache.tinkerpop.gremlin.server.AbstractChannelizer  - Configured application/vnd.gremlin-v1.0+gryo with org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0
10715 [main] INFO  org.apache.tinkerpop.gremlin.server.AbstractChannelizer  - Configured application/vnd.gremlin-v1.0+gryo-stringd with org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0
10752 [main] INFO  org.apache.tinkerpop.gremlin.server.AbstractChannelizer  - Configured application/vnd.gremlin-v1.0+json with org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerGremlinV1d0
10757 [main] INFO  org.apache.tinkerpop.gremlin.server.AbstractChannelizer  - Configured application/json with org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV1d0
10757 [main] WARN  org.apache.tinkerpop.gremlin.server.AbstractChannelizer  - Could not find configured serializer class - org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV3d0 - it will not be available

When I normally get the following when SSL is disabled:

10348 [main] INFO  org.apache.tinkerpop.gremlin.server.AbstractChannelizer  - Configured application/vnd.gremlin-v1.0+gryo with org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0
10348 [main] INFO  org.apache.tinkerpop.gremlin.server.AbstractChannelizer  - Configured application/vnd.gremlin-v1.0+gryo-stringd with org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0
10389 [main] INFO  org.apache.tinkerpop.gremlin.server.AbstractChannelizer  - Configured application/vnd.gremlin-v1.0+json with org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerGremlinV1d0
10391 [main] INFO  org.apache.tinkerpop.gremlin.server.AbstractChannelizer  - Configured application/json with org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV1d0
10391 [main] WARN  org.apache.tinkerpop.gremlin.server.AbstractChannelizer  - Could not find configured serializer class - org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV3d0 - it will not be available
10507 [gremlin-server-boss-1] INFO  org.apache.tinkerpop.gremlin.server.GremlinServer  - Gremlin Server configured with worker thread pool of 1, gremlin pool of 8 and boss thread pool of 1.
10507 [gremlin-server-boss-1] INFO  org.apache.tinkerpop.gremlin.server.GremlinServer  - Channel started at port 8182.

Any idea why I am not getting a channel started at port 8182 when in SSL mode? Any input would be greatly appreciated, I've struggled with this beast for a while.

Regards,

Robbie


Robert Dale

Jul 27, 2017, 3:06:19 PM
to gremli...@googlegroups.com
what does your gremlin-server.yaml file look like before and after?

Robert Dale


Robert Dale

Jul 27, 2017, 3:13:05 PM
to gremli...@googlegroups.com
what's the server version?

Robert Dale

On Thu, Jul 27, 2017 at 3:12 PM, Robbie Runka <robbie...@gmail.com> wrote:
in the After section of my post where I have "enabled: false" I mean to put "enabled: true," 


On Thursday, July 27, 2017 at 1:10:41 PM UTC-6, Robbie Runka wrote:
Before:

host: [removed]
port: 8182
threadPoolWorker: 1
gremlinPool: 8
scriptEvaluationTimeout: 30000
serializedResponseTimeout: 30000
channelizer: org.apache.tinkerpop.gremlin.server.channel.HttpChannelizer
graphs: {
  graph: conf/gremlin-server/dynamodb.properties}
plugins:
  - aurelius.titan
scriptEngines: {
  gremlin-groovy: {
    imports: [java.lang.Math],
    staticImports: [java.lang.Math.PI],
    scripts: [scripts/empty-sample.groovy]},
  nashorn: {
      imports: [java.lang.Math],
      staticImports: [java.lang.Math.PI]}}
serializers:
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0, config: { useMapperFromGraph: graph }}
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0, config: { serializeResultToString: true }}
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerGremlinV1d0, config: { useMapperFromGraph: graph }}
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV1d0, config: { useMapperFromGraph: graph }}
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV3d0, config: { ioRegistries: [org.apache.tinkerpop.gremlin.tinkergraph.structure.TinkerIoRegistryV1d0] }}         # application/json
processors:
  - { className: org.apache.tinkerpop.gremlin.server.op.session.SessionOpProcessor, config: { sessionTimeout: 28800000 }}
metrics: {
  consoleReporter: {enabled: false, interval: 180000},
  csvReporter: {enabled: false, interval: 180000, fileName: /tmp/gremlin-server-metrics.csv},
  jmxReporter: {enabled: false},
  slf4jReporter: {enabled: false, interval: 180000},
  gangliaReporter: {enabled: false, interval: 180000, addressingMode: MULTICAST},
  graphiteReporter: {enabled: false, interval: 180000}}
threadPoolBoss: 1
maxInitialLineLength: 4096
maxHeaderSize: 8192
maxChunkSize: 8192
maxContentLength: 65536
maxAccumulationBufferComponents: 1024
resultIterationBatchSize: 64
writeBufferHighWaterMark: 32768
writeBufferHighWaterMark: 65536
ssl: {
  enabled: false
}

After:

host: [removed]
port: 8182
threadPoolWorker: 1
gremlinPool: 8
scriptEvaluationTimeout: 30000
serializedResponseTimeout: 30000
channelizer: org.apache.tinkerpop.gremlin.server.channel.HttpChannelizer
graphs: {
  graph: conf/gremlin-server/dynamodb.properties}
plugins:
  - aurelius.titan
scriptEngines: {
  gremlin-groovy: {
    imports: [java.lang.Math],
    staticImports: [java.lang.Math.PI],
    scripts: [scripts/empty-sample.groovy]},
  nashorn: {
      imports: [java.lang.Math],
      staticImports: [java.lang.Math.PI]}}
serializers:
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0, config: { useMapperFromGraph: graph }}
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0, config: { serializeResultToString: true }}
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerGremlinV1d0, config: { useMapperFromGraph: graph }}
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV1d0, config: { useMapperFromGraph: graph }}
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV3d0, config: { ioRegistries: [org.apache.tinkerpop.gremlin.tinkergraph.structure.TinkerIoRegistryV1d0] }}         # application/json
processors:
  - { className: org.apache.tinkerpop.gremlin.server.op.session.SessionOpProcessor, config: { sessionTimeout: 28800000 }}
metrics: {
  consoleReporter: {enabled: false, interval: 180000},
  csvReporter: {enabled: false, interval: 180000, fileName: /tmp/gremlin-server-metrics.csv},
  jmxReporter: {enabled: false},
  slf4jReporter: {enabled: false, interval: 180000},
  gangliaReporter: {enabled: false, interval: 180000, addressingMode: MULTICAST},
  graphiteReporter: {enabled: false, interval: 180000}}
threadPoolBoss: 1
maxInitialLineLength: 4096
maxHeaderSize: 8192
maxChunkSize: 8192
maxContentLength: 65536
maxAccumulationBufferComponents: 1024
resultIterationBatchSize: 64
writeBufferHighWaterMark: 32768
writeBufferHighWaterMark: 65536
ssl: {
  enabled: false
  keyFile: robbie_server.pk8,
  keyCertChainFile: robbie_server.crt,
  trustCertChainFile: server-trusted.crt,
  keyPassword: changeit
}


Robbie Runka

Jul 27, 2017, 3:14:01 PM
to Gremlin-users
Before:


host: [removed]
port: 8182
threadPoolWorker: 1
gremlinPool: 8
scriptEvaluationTimeout: 30000
serializedResponseTimeout: 30000
channelizer: org.apache.tinkerpop.gremlin.server.channel.HttpChannelizer
graphs: {
  graph: conf/gremlin-server/dynamodb.properties}
plugins:
  - aurelius.titan
scriptEngines: {
  gremlin-groovy: {
    imports: [java.lang.Math],
    staticImports: [java.lang.Math.PI],
    scripts: [scripts/empty-sample.groovy]},
  nashorn: {
      imports: [java.lang.Math],
      staticImports: [java.lang.Math.PI]}}
serializers:
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0, config: { useMapperFromGraph: graph }}
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0, config: { serializeResultToString: true }}
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerGremlinV1d0, config: { useMapperFromGraph: graph }}
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV1d0, config: { useMapperFromGraph: graph }}
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV3d0, config: { ioRegistries: [org.apache.tinkerpop.gremlin.tinkergraph.structure.TinkerIoRegistryV1d0] }}         # application/json
processors:
  - { className: org.apache.tinkerpop.gremlin.server.op.session.SessionOpProcessor, config: { sessionTimeout: 28800000 }}
metrics: {
  consoleReporter: {enabled: false, interval: 180000},
  csvReporter: {enabled: false, interval: 180000, fileName: /tmp/gremlin-server-metrics.csv},
  jmxReporter: {enabled: false},
  slf4jReporter: {enabled: false, interval: 180000},
  gangliaReporter: {enabled: false, interval: 180000, addressingMode: MULTICAST},
  graphiteReporter: {enabled: false, interval: 180000}}
threadPoolBoss: 1
maxInitialLineLength: 4096
maxHeaderSize: 8192
maxChunkSize: 8192
maxContentLength: 65536
maxAccumulationBufferComponents: 1024
resultIterationBatchSize: 64
writeBufferHighWaterMark: 32768
writeBufferHighWaterMark: 65536
ssl: {
  enabled: false
}
 
After:


host: [removed]
port: 8182
threadPoolWorker: 1
gremlinPool: 8
scriptEvaluationTimeout: 30000
serializedResponseTimeout: 30000
channelizer: org.apache.tinkerpop.gremlin.server.channel.HttpChannelizer
graphs: {
  graph: conf/gremlin-server/dynamodb.properties}
plugins:
  - aurelius.titan
scriptEngines: {
  gremlin-groovy: {
    imports: [java.lang.Math],
    staticImports: [java.lang.Math.PI],
    scripts: [scripts/empty-sample.groovy]},
  nashorn: {
      imports: [java.lang.Math],
      staticImports: [java.lang.Math.PI]}}
serializers:
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0, config: { useMapperFromGraph: graph }}
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0, config: { serializeResultToString: true }}
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerGremlinV1d0, config: { useMapperFromGraph: graph }}
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV1d0, config: { useMapperFromGraph: graph }}
  - { className: org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV3d0, config: { ioRegistries: [org.apache.tinkerpop.gremlin.tinkergraph.structure.TinkerIoRegistryV1d0] }}         # application/json
processors:
  - { className: org.apache.tinkerpop.gremlin.server.op.session.SessionOpProcessor, config: { sessionTimeout: 28800000 }}
metrics: {
  consoleReporter: {enabled: false, interval: 180000},
  csvReporter: {enabled: false, interval: 180000, fileName: /tmp/gremlin-server-metrics.csv},
  jmxReporter: {enabled: false},
  slf4jReporter: {enabled: false, interval: 180000},
  gangliaReporter: {enabled: false, interval: 180000, addressingMode: MULTICAST},
  graphiteReporter: {enabled: false, interval: 180000}}
threadPoolBoss: 1
maxInitialLineLength: 4096
maxHeaderSize: 8192
maxChunkSize: 8192
maxContentLength: 65536
maxAccumulationBufferComponents: 1024
resultIterationBatchSize: 64
writeBufferHighWaterMark: 32768
writeBufferHighWaterMark: 65536
ssl: {
  enabled: true,
  keyFile: jamaro_server.pk8,
  keyCertChainFile: jamaro_server.crt,
  trustCertChainFile: server-trusted.crt,
  keyPassword: changeit

}

Robbie Runka

Jul 27, 2017, 3:22:10 PM
to Gremlin-users
I installed from the following link:



On Thursday, July 27, 2017 at 1:13:05 PM UTC-6, Robert Dale wrote:
what's the server version?


Robert Dale

Jul 27, 2017, 3:25:24 PM
to gremli...@googlegroups.com
Does it include gremlin console?   ./bin/gremlin.sh -v

Or, `find | grep gremlin.*jar`

Robert Dale


Robbie Runka

Jul 27, 2017, 3:33:46 PM
to Gremlin-users
Yes it does. The result of that command is 

SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/local/packages/dynamodb-titan100-storage-backend-1.0.0-hadoop1/lib/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/local/packages/dynamodb-titan100-storage-backend-1.0.0-hadoop1/lib/logback-classic-1.1.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/local/packages/dynamodb-titan100-storage-backend-1.0.0-hadoop1/ext/dynamodb-titan100-storage-backend/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
gremlin 3.0.1-incubating

The only thing is I am not using the gremlin console for interaction. I am starting the server and interacting via HttpChannelizer and the RESTful API. Everything runs fine when the SSL is disabled.

Robert Dale

Jul 27, 2017, 4:03:55 PM
to gremli...@googlegroups.com
What if you run it with just:

ssl: {
  enabled: true
}


Robert Dale


Robbie Runka

Jul 27, 2017, 4:23:50 PM
to Gremlin-users

10556 [main] INFO  org.apache.tinkerpop.gremlin.server.AbstractChannelizer  - Configured application/vnd.gremlin-v1.0+gryo with org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0
10561 [main] INFO  org.apache.tinkerpop.gremlin.server.AbstractChannelizer  - Configured application/vnd.gremlin-v1.0+gryo-stringd with org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0
10592 [main] INFO  org.apache.tinkerpop.gremlin.server.AbstractChannelizer  - Configured application/vnd.gremlin-v1.0+json with org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerGremlinV1d0
10602 [main] INFO  org.apache.tinkerpop.gremlin.server.AbstractChannelizer  - Configured application/json with org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV1d0
10602 [main] WARN  org.apache.tinkerpop.gremlin.server.AbstractChannelizer  - Could not find configured serializer class - org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV3d0 - it will not be available
10603 [main] WARN  org.apache.tinkerpop.gremlin.server.AbstractChannelizer  - Enabling SSL with self-signed certificate (NOT SUITABLE FOR PRODUCTION)

Okay now it looks like I'm getting somewhere! Thank you Robert. I'll test it out in a couple hours when I get home but thank you very much. It still doesn't say anything about listening on Port 8182 though, do you know if yours does? 

Regards,

Robbie

Robbie Runka

Jul 28, 2017, 12:02:18 AM
to Gremlin-users
Hey Robert,

Thank you for your assistance today. I think what I need to do is update my version of gremlin-server to the latest on github and then go from there. 

Regards,

Robbie



Robbie Runka

Jul 29, 2017, 5:55:43 PM
to Gremlin-users
Hey Robert,

Please excuse my ignorance on the matter but I am trying to authenticate my AWS API Gateway as a client with the gremlin-server. I saw up above that you committed a revision that would allow this however I can't seem to implement this because "needClientAuth" gives me the following error:

296  [main] ERROR org.apache.tinkerpop.gremlin.server.GremlinServer  - Configuration file at /usr/local/packages/dynamodb-janusgraph-storage-backend-1.1.1/conf/gremlin-server/gremlin-server.yaml could not be found or parsed properly. [null; Can't construct a java object for tag:yaml.org,2002:org.apache.tinkerpop.gremlin.server.Settings; exception=Cannot create property=ssl for JavaBean=org.apache.tinkerpop.gremlin.server.Settings@33723e30; Cannot create property=needClientAuth for JavaBean=org.apache.tinkerpop.gremlin.server.Settings$SslSettings@43bd930a; Unable to find property 'needClientAuth' on class: org.apache.tinkerpop.gremlin.server.Settings$SslSettings;  in 'reader', line 18, column 1:


I obtained my server code etc from https://github.com/awslabs/dynamodb-janusgraph-storage-backend/archive/master.zip

Does it seem likely that I just need to update my gremlin-server folder to the latest in github?

Thanks again for any advice.

Regards,

Robbie

Robbie Runka

Jul 29, 2017, 8:44:29 PM
to Gremlin-users
Hey Robert,

I discovered that the AWS cloud formation script for the graph database on dynamodb installs the gremlin-server using the following 

#download the server products
mvn test -q -Pdownload-janusgraph-server-zip > /dev/null 2>&1

If I want to update the gremlin-server it installs to match the latest in github how might I go about doing this? 

If I can't get the SSL to work on the gremlin server would a viable alternative be to just authenticate on port 443 and then redirect the incoming request to a server running at localhost:8182 on my machine? Or I could perhaps connect via a php page? I'm really at a loss here.

Regards,

Robbie

Robert Dale

Jul 29, 2017, 8:58:40 PM
to gremli...@googlegroups.com
The gremlin-server version is tied to a specific janusgraph version.  For just SSL and basic auth, you should be able to use janusgraph 0.1.1.  I believe you would need to upgrade to latest janusgraph 0.2-SNAPSHOT (master) to use needClientAuth. 

Robert Dale
