
MongoDB clients needs SSL CA info as a jks trust store, AWS DocumentDB provides pem #1314

Closed
cy opened this issue Jun 4, 2019 · 10 comments

@cy

cy commented Jun 4, 2019

I'm trying to run YCSB on AWS DocumentDB (MongoDB compatible); this is the mongo connection uri AWS provides:

mongodb://<username>:<insertYourPassword>@docdb-cluster-string.us-east-1.docdb.amazonaws.com:27017/?ssl=true&ssl_ca_certs=rds-combined-ca-bundle.pem&replicaSet=rs0

When I pass this connection string to YCSB's mongodb.url option like:

./bin/ycsb load mongodb-async -s -P workloads/workloada -p mongodb.url='mongodb://<username>:<password>@docdb-cluster-string.us-east-1.docdb.amazonaws.com:27017/?ssl=true&ssl_ca_certs=rds-combined-ca-bundle.pem&replicaSet=rs0/ycsb?w=1'

I get this error:

Loading workload...
Starting test.
2019-06-04 16:07:10:856 0 sec: 0 operations; est completion in 0 second
16:07:11.075 [Thread-3] WARN  c.a.mongodb.MongoClientConfiguration - Using the JVM default SSL Socket Factory. This may allow man-in-the-middle attacks. See http://www.allanbank.com/mongodb-async-driver/userguide/tls.html
16:07:11.095 [Thread-3] INFO  c.a.mongodb.MongoClientConfiguration - Unknown property 'ssl_ca_certs' and value 'rds-combined-ca-bundle.pem'.
16:07:11.096 [Thread-3] INFO  c.a.mongodb.MongoClientConfiguration - Not validating the replica set name is 'rs0/ycsb'.

How am I able to pass an ssl ca cert to ycsb's mongo connection?

@cy
Author

cy commented Jun 5, 2019

I figured it out, a la this comment: metabase/metabase#3877 (comment)

For anyone else who runs into this issue:

  1. Convert the rds-combined-ca-bundle.pem file into a jks trust store:
     keytool -import -alias cacert -storepass changeit -keystore cacerts.jks -file rds-combined-ca-bundle.pem
  2. ycsb has an .sh file that takes java options in a JAVA_OPTS env var (
     # JAVA_OPTS (Optional) Java runtime options used when any command
     ), so set
     export JAVA_OPTS='-Djavax.net.ssl.trustStore=cacerts.jks -Djavax.net.ssl.trustStorePassword=changeit'
  3. Run ycsb with the shell script:
     ./bin/ycsb.sh load mongodb -s -P workloads/workloada -p mongodb.url='mongodb://<user>:<password>@<clustername>.us-east-1.docdb.amazonaws.com:27017/?ssl=true&replicaSet=rs0'
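
A caveat on the keytool step above, as an added note that is not part of the thread: when keytool adds a trusted certificate entry it reads only the first certificate of the file, so a single -import of a concatenated PEM bundle such as rds-combined-ca-bundle.pem (one CA per region, plus the root) leaves the other CAs out of the trust store, and a cluster whose chain hangs off a later one fails validation. The script below is an added example, not code from YCSB, AWS or anyone in this thread: it splits the bundle into one file per certificate and imports each under its own alias, then counts the trusted entries. The ca-NNN.pem file names, the bundle-ca-N aliases, the changeit password, the cacerts.jks path and the RDS_BUNDLE variable are assumptions for illustration; the sample bundle embedded at the bottom is constructed with placeholder bodies (not real certificates) and only exercises the splitting step, so the keytool import runs only when RDS_BUNDLE points at a real bundle.

```shell
#!/bin/sh
# Added example (not YCSB or AWS code): build a JKS trust store from a
# multi-certificate PEM bundle. keytool adds one trusted entry per -importcert
# call and ignores the remaining certificates of a PEM file, so the bundle is
# split first and every certificate is imported under its own alias.
# File names, aliases, password and the RDS_BUNDLE variable are assumptions.
set -eu

# split_pem_bundle BUNDLE OUTDIR
# Writes ca-001.pem, ca-002.pem, ... into OUTDIR (one certificate each),
# drops anything outside BEGIN/END markers, and prints the certificate count.
split_pem_bundle() {
  bundle="$1"
  outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/ca-%03d.pem", dir, n); inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }
  ' "$bundle"
}

# import_bundle_to_jks BUNDLE STORE PASSWORD
# Imports every certificate of BUNDLE into STORE (created if missing) and
# prints the number of trustedCertEntry items keytool then lists.
import_bundle_to_jks() {
  bundle="$1"
  store="$2"
  password="$3"
  workdir=$(mktemp -d)
  count=$(split_pem_bundle "$bundle" "$workdir")
  i=0
  for cert in "$workdir"/ca-*.pem; do
    i=$((i + 1))
    # One distinct alias per certificate: keytool refuses to reuse an alias,
    # and reusing "cacert" for all of them would silently stop after the first.
    keytool -importcert -noprompt -alias "bundle-ca-$i" -file "$cert" \
      -keystore "$store" -storepass "$password" >/dev/null
  done
  rm -rf "$workdir"
  echo "imported $i of $count certificates into $store" >&2
  keytool -list -keystore "$store" -storepass "$password" | grep -c trustedCertEntry
}

# Constructed sample bundle with placeholder bodies (not real certificates),
# used only to demonstrate the split; a comment line sits between the two
# certificates to show that text outside the markers is not carried over.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/bundle.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBsample1placeholder
-----END CERTIFICATE-----
# comment between certificates
-----BEGIN CERTIFICATE-----
MIIBsample2placeholder
-----END CERTIFICATE-----
EOF
echo "sample bundle holds $(split_pem_bundle "$SAMPLE_DIR/bundle.pem" "$SAMPLE_DIR/split") certificates"

# Real use (assumed invocation):
#   RDS_BUNDLE=/path/to/rds-combined-ca-bundle.pem sh build-truststore.sh
# then point the JVM at the result with
#   -Djavax.net.ssl.trustStore=cacerts.jks -Djavax.net.ssl.trustStorePassword=changeit
if [ -n "${RDS_BUNDLE:-}" ]; then
  import_bundle_to_jks "$RDS_BUNDLE" cacerts.jks changeit
fi
```

After importing, `keytool -list -keystore cacerts.jks -storepass changeit` should show as many trustedCertEntry lines as the bundle has certificates; a count of 1 for a multi-CA bundle is the symptom of the single-import shortcut.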

@cy cy closed this as completed Jun 5, 2019
@busbey
Collaborator

busbey commented Jun 5, 2019

awesome work! I'll try to point this out as a known issue in the next release.

@busbey busbey changed the title MongoDB: Unknown property 'ssl_ca_certs' [mongodb-async] Async MongoDB client needs SSL CA info as a jks trust store Jun 5, 2019
@busbey busbey mentioned this issue Jun 5, 2019
@cy
Author

cy commented Jun 5, 2019

Cool - it's not just the async client though, I get the same issue with the sync client. I think it's for any mongo that requires a trust cert.

@busbey busbey changed the title [mongodb-async] Async MongoDB client needs SSL CA info as a jks trust store MongoDB clients needs SSL CA info as a jks trust store, AWS DocumentDB provides pem Jun 7, 2019
@busbey
Collaborator

busbey commented Jun 7, 2019

thanks for the clarification!

@wttat

wttat commented Jun 30, 2020

> Cool - it's not just the async client though, I get the same issue with the sync client. I think it's for any mongo that requires a trust cert.

What was your ycsb version back then?

I have tried

keytool -import -alias cacert -storepass changeit -keystore cacerts.jks -file rds-combined-ca-bundle.pem

export JAVA_OPTS='-Djavax.net.ssl.trustStore=cacerts.jks -Djavax.net.ssl.trustStorePassword=changeit'

./bin/ycsb.sh load mongodb -s -P workloads/workloada -p mongodb.url='mongodb://user:[email protected]:27017/?ssl=true&replicaSet=rs0&w=majority'

then it shows errors:
[image]
and I also tried the full path like
export JAVA_OPTS='-Djavax.net.ssl.trustStore=/home/ec2-user/ddb/ycsb-0.17.0/cacerts.jks -Djavax.net.ssl.trustStorePassword=changeit'
which did not work either.

@rafbel

rafbel commented Aug 28, 2020

I am still having this issue. Were you able to fix it @wttat ?

@wttat

wttat commented Aug 28, 2020

> I am still having this issue. Were you able to fix it @wttat ?

Sorry, I gave up after trying lots of solutions. I set the DocumentDB's ssl to false and directly connected to it without any CA info.

@rafbel

rafbel commented Aug 28, 2020

Ok, so I got it to work. For anyone that is facing this issue, go to Client.java and add these lines:

System.setProperty("javax.net.ssl.trustStore", "TRUSTSTORE");
System.setProperty("javax.net.ssl.trustStorePassword", "YOUR_PASSWORD");

Change those values to your truststore and password. For some reason, YCSB overwrites the JAVA_OPTS values.

@donsunnyjay

Hello @rafbel
I'm currently facing this issue on my end. If you still remember can you confirm the location of the Client.java file?
Thanks!

@dangelovich-basis

Got this working by ignoring the cert validation - couldn't get that to work, but it also wouldn't work unless I gave it the extra JAVA_OPTS either.

bin/setenv.sh:
JAVA_OPTS='-Djavax.net.ssl.trustStore=/opt/mongodb/certs/cacerts.jks -Djavax.net.ssl.trustStorePassword=changeit'

With TLS:
bin/ycsb.sh run mongodb -s -P workloads/workloada -p mongodb.url='mongodb://localhost:27017/?tls=true&mongodb.database=ycsb&mongodb.writeConcern=acknowledged&tlsInsecure=true'

Without TLS:
bin/ycsb run mongodb -s -P workloads/workloada -p mongodb.url='mongodb://localhost:27017/?mongodb.database=ycsb&mongodb.writeConcern=acknowledged'

In terms of benchmark results, the difference should be negligible.
