Generate a self-signed certificate for SSL (#90)
Co-authored-by: Murtuza Boxwala <mboxwala@pivotal.io>
Co-authored-by: Kamilla Aslami <kaslami@pivotal.io>
2 people authored and pivotal-jbarrett committed Jul 22, 2019
1 parent fcfb373 commit dd05f32e9dfbe31b5a0794d56c615fe0d1ed7437
Showing 7 changed files with 80 additions and 23 deletions.
@@ -3,3 +3,4 @@ out
.gradle
build/
output*/
temp-self-signed.jks
@@ -53,6 +53,7 @@ Options:
-Phosts : Hosts used by benchmarks on the order of client,locator,server,server (-Phosts=localhost,localhost,localhost,localhost)
-PoutputDir : Results output directory (-PoutputDir=/tmp/results)
-PtestJVM : Path to an alternative JVM for running the client, locator, and servers. If not specified JAVA_HOME will be used. Note all compilation tasks will still use JAVA_HOME.
-PwithSsl : Flag to run geode with SSL. A self-signed certificate will be generated at runtime.
--tests : Specific benchmarks to run (--tests=PartitionedPutBenchmark)
-d : Debug
-i : Info
@@ -28,10 +28,6 @@
import static org.apache.geode.distributed.ConfigurationProperties.REMOVE_UNRESPONSIVE_CLIENT;
import static org.apache.geode.distributed.ConfigurationProperties.SERIALIZABLE_OBJECT_FILTER;
import static org.apache.geode.distributed.ConfigurationProperties.SSL_ENABLED_COMPONENTS;
import static org.apache.geode.distributed.ConfigurationProperties.SSL_KEYSTORE;
import static org.apache.geode.distributed.ConfigurationProperties.SSL_KEYSTORE_PASSWORD;
import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE;
import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE_PASSWORD;
import static org.apache.geode.distributed.ConfigurationProperties.STATISTIC_SAMPLING_ENABLED;
import static org.apache.geode.distributed.ConfigurationProperties.USE_CLUSTER_CONFIGURATION;
import static org.apache.geode.security.SecurableCommunicationChannels.ALL;
@@ -81,12 +77,6 @@ public static Properties clientProperties() {

public static Properties withSsl(Properties properties) {
properties.setProperty(SSL_ENABLED_COMPONENTS, ALL);

properties.setProperty(SSL_KEYSTORE, "/home/geode/selfsigned.jks");
properties.setProperty(SSL_KEYSTORE_PASSWORD, "123456");
properties.setProperty(SSL_TRUSTSTORE, "/home/geode/selfsigned.jks");
properties.setProperty(SSL_TRUSTSTORE_PASSWORD, "123456");

return properties;
}
}
@@ -55,6 +55,12 @@ dependencies {
testCompile(group: 'org.assertj', name: 'assertj-core', version: project.'assertj-core.version')
}

compileJava {
options.fork = true
options.forkOptions.executable = 'javac'
options.compilerArgs << '-XDignore.symbol.file'
}

test{
useJUnitPlatform()
}
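Review bot: The new compileJava block gives no hint why javac is forked or what `-XDignore.symbol.file` is for; a reader will not connect it to the `sun.security.tools.keytool.CertAndKeyGen` / `sun.security.x509.X500Name` imports that RemoteJVMFactory gains in this same commit. A comment above `options.fork = true` such as `// fork the real javac so -XDignore.symbol.file takes effect: RemoteJVMFactory uses sun.security.* (CertAndKeyGen) to build the self-signed keystore` would make the coupling explicit. Those packages are JDK internals that java.base does not export, so on JDK 9+ this flag alone is likely not enough and an `--add-exports` argument (or a public alternative such as shelling out to keytool) would be needed; worth confirming against the JDK versions the harness is built with.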
@@ -17,6 +17,11 @@

package org.apache.geode.perftest.jvms;

import static org.apache.geode.distributed.ConfigurationProperties.SSL_KEYSTORE;
import static org.apache.geode.distributed.ConfigurationProperties.SSL_KEYSTORE_PASSWORD;
import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE;
import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE_PASSWORD;

import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
@@ -85,6 +90,15 @@ String[] buildCommand(String rmiHost, int rmiPort, JVMMapping jvmConfig) {
command.add("-D" + RemoteJVMFactory.RMI_PORT_PROPERTY + "=" + rmiPort);
command.add("-D" + RemoteJVMFactory.JVM_ID + "=" + jvmConfig.getId());
command.add("-D" + RemoteJVMFactory.OUTPUT_DIR + "=" + jvmConfig.getOutputDir());

if (Boolean.getBoolean("withSsl")) {
command
.add("-Dgemfire." + SSL_KEYSTORE + "=" + jvmConfig.getLibDir() + "/temp-self-signed.jks");
command.add("-Dgemfire." + SSL_KEYSTORE_PASSWORD + "=123456");
command.add(
"-Dgemfire." + SSL_TRUSTSTORE + "=" + jvmConfig.getLibDir() + "/temp-self-signed.jks");
command.add("-Dgemfire." + SSL_TRUSTSTORE_PASSWORD + "=123456");
}
command.add("-Xloggc:" + jvmConfig.getOutputDir() + "/gc.log");
command.addAll(replaceTokens(jvmConfig.getJvmArgs(), jvmConfig));
command.add(ChildJVM.class.getName());
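Review bot: The keystore file name `temp-self-signed.jks` and the password `123456` are spelled out as literals here (the two `add` calls for SSL_KEYSTORE/SSL_TRUSTSTORE and the two password lines) and again independently in RemoteJVMFactory.createKeystore, so a change to either one silently breaks the other. Hoisting them into shared constants, e.g. `static final String SELF_SIGNED_KEYSTORE = "temp-self-signed.jks";` and `static final String SELF_SIGNED_KEYSTORE_PASSWORD = "123456";` on RemoteJVMFactory, and referencing them from both places would keep the generator and the launcher in step. Since the password is passed as a `-D` system property it is visible in the child's command line; that is acceptable for a throwaway benchmark keystore but deserves a one-line comment on the `if (Boolean.getBoolean("withSsl"))` branch saying so. buildCommand starts and ends outside this hunk.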
@@ -17,7 +17,22 @@

package org.apache.geode.perftest.jvms;

import static java.util.concurrent.TimeUnit.DAYS;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
@@ -28,6 +43,8 @@

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sun.security.tools.keytool.CertAndKeyGen;
import sun.security.x509.X500Name;

import org.apache.geode.perftest.infrastructure.Infrastructure;
import org.apache.geode.perftest.infrastructure.InfrastructureFactory;
@@ -98,6 +115,8 @@ public RemoteJVMs launch(Map<String, Integer> roles,
controllerFactory.createController(new SharedContext(mapping), numWorkers);

classPathCopier.copyToNodes(infra, node -> getLibDir(mapping, node));
File keyStore = createKeystore();
infra.copyToNodes(Arrays.asList(keyStore), node -> getLibDir(mapping, node), false);

CompletableFuture<Void> processesExited = jvmLauncher.launchProcesses(infra, RMI_PORT, mapping);

@@ -108,14 +127,51 @@ public RemoteJVMs launch(Map<String, Integer> roles,
return new RemoteJVMs(infra, mapping, controller, processesExited);
}

private String getLibDir(List<JVMMapping> mapping, Infrastructure.Node node) {
private JVMMapping getJvmMapping(List<JVMMapping> mapping, Infrastructure.Node node) {
return mapping.stream()
.filter(entry -> entry.getNode().equals(node))
.findFirst()
.orElseThrow(() -> new IllegalStateException("Could not find lib dir for node " + node))
.orElseThrow(() -> new IllegalStateException("Could not find node dir " + node));
}

private String getLibDir(List<JVMMapping> mapping, Infrastructure.Node node) {
return getJvmMapping(mapping, node)
.getLibDir();
}

private String getOutputDir(List<JVMMapping> mapping, Infrastructure.Node node) {
return getJvmMapping(mapping, node)
.getOutputDir();
}

private File createKeystore()
throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException,
NoSuchProviderException, InvalidKeyException, SignatureException {

CertAndKeyGen keyGen = new CertAndKeyGen("RSA", "SHA1WithRSA", null);
keyGen.generate(1024);

char[] password = "123456".toCharArray();
PrivateKey privateKey = keyGen.getPrivateKey();

// Generate self signed certificate
X509Certificate[] chain = new X509Certificate[1];
chain[0] = keyGen.getSelfCertificate(new X500Name("CN=ROOT"), DAYS.toSeconds(365));

logger.info("Certificate : {}", chain[0]);

KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(null, null);
ks.setKeyEntry("default", privateKey, password, chain);

File jksFile = new File("temp-self-signed.jks");
FileOutputStream fos = new FileOutputStream(jksFile);
ks.store(fos, password);
fos.close();

return jksFile;
}

public InfrastructureFactory getInfrastructureFactory() {
return infrastructureFactory;
}
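Review bot: createKeystore generates a 1024-bit RSA key signed with `SHA1WithRSA`, whereas the README instructions this commit removes had users generate a 2048-bit key; SHA-1 certificate signatures are deprecated and 1024-bit RSA sits at the lower bound of what current JDK TLS defaults accept, so `SHA256WithRSA` with `keyGen.generate(2048)` is the safer choice and matches the previous documented setup. The FileOutputStream at the end of the method is only closed on the happy path — if `ks.store` throws, the handle leaks — so the store should be wrapped in try-with-resources. The launch() hunk earlier in this file also calls createKeystore unconditionally, so the keystore is written into the working directory and copied to every node even when `-PwithSsl` is not given; guarding that call on the same `withSsl` property the launcher reads would avoid the extra work, assuming the property is set in this process — worth confirming.

```java
CertAndKeyGen keyGen = new CertAndKeyGen("RSA", "SHA256WithRSA", null);
keyGen.generate(2048);
// … unchanged: password, private key, self-signed chain, logging, KeyStore setup …
File jksFile = new File("temp-self-signed.jks");
try (FileOutputStream fos = new FileOutputStream(jksFile)) {
  ks.store(fos, password);
}

return jksFile;
```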
@@ -179,17 +179,6 @@ monitor the test.
```

# Running with SSL enabled

## Prerequisites
* You must have fulfilled the prerequisites at the beginning of this doc
* Generate a self-signed SSL certificate using the keytool command:
* `keytool -genkey -keyalg RSA -alias tomcat -keystore selfsigned.jks -validity 365 -keysize 2048`
* The keystore password must be `123456`
* Copy the generated certificate to the AWS VMs using the following command:
* `./copy_to_cluster.sh -tag <clusterTag> -- <path to selfsigned.jks> /home/geode/selfsigned.jks`
* The destination path must be `/home/geode/selfsigned.jks`

## Running in AWS
To run benchmarks with SSL enabled, run the test using the `run_tests.sh` script, with the additional CLI option `-PwithSsl`:
```
./run_tests.sh --tag <clusterTag> [other CLI options] -- -PwithSsl
