Sunday, June 23, 2024

Cassandra/Datastax SSL

Datastax:
1) Root Certificate Authority (CA):
openssl req -new -x509 -keyout rootca.key -out rootca.crt -nodes -days 3650
## -nodes writes rootca.key unencrypted, so openssl does not ask for a pass phrase. The prompt in the transcript below (and the -passin pass:rootca used in steps 5 and 10) only applies when -nodes is left out and the CA key is protected by the pass phrase "rootca".
Generating a 2048 bit RSA private key
..............................+++
.....+++
writing new private key to 'rootca.key'
Enter PEM pass phrase: rootca
Verifying - Enter PEM pass phrase: rootca
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Missouri
Locality Name (eg, city) [Default City]:O'Fallon
Organization Name (eg, company) [Default Company Ltd]:bypramod
Organizational Unit Name (eg, section) []:CassandraTeam
Common Name (eg, your name or your server's hostname) []:rootca
Email Address []:

[root@bypramodnode rootca]# ls
rootca.crt  rootca.key

Validation of certificate:
# openssl rsa -in rootca.key -out rootca_decrypted.key
## writes an unencrypted copy of the CA key (prompts for the pass phrase if the key is encrypted)
# openssl x509 -in rootca.crt -text
# openssl x509 -in rootca.crt -text -noout
# openssl x509 -in rootca.crt -purpose -noout -text
To generate only a key and a certificate signing request (CSR), leave out -x509: that flag is what turns the output into a self-signed certificate.
# openssl req -new -keyout server_key.pem -out server_request.pem
## The above produces only a request; it becomes a usable certificate once the CA signs it:
# openssl x509 -req -in server_request.pem -CA rootca.crt -CAkey rootca.key -CAcreateserial -out server_signed_cert.pem -days 30

(or)
openssl req -new -x509 -keyout rootca.key -out rootca.crt -nodes -days 3650 -passout pass:rootca

(or)
$ keytool -genkeypair -keyalg RSA -alias rootca -keystore root_keystore.jks -keypass rootca -storepass rootca -validity 3650 
## export the CA certificate (PEM, because of -rfc) with the command below
$ keytool -export -alias rootca -keystore root_keystore.jks -rfc -file rootca.cer -keypass rootca -storepass rootca -noprompt
$ keytool -export -alias "${CLUSTER_NAME}_CLUSTER" -file "$CLUSTER_PUBLIC_CERT" -keystore "$KEY_STORE" -storepass "$PASSWORD" -keypass "$PASSWORD" -noprompt

2) Creating Truststore for all nodes
$ keytool -keystore cassandra_nodes.jks -storetype jks -importcert -file rootca.crt -keypass keystore_password -storepass truststore_password -alias rootca -noprompt
$ keytool -list -keystore cassandra_nodes.jks -storepass truststore_password
(or)
$ keytool -import -alias rootcert -file rootca.cer -keystore cassandra_nodes.jks -keypass keystore_password -storepass truststore_password -noprompt


3) Generating nodes keystore 
$ keytool -genkeypair -keyalg RSA -alias node1 -keystore node1-keystore.jks -storepass truststore_password -keypass keystore_password -validity 730 -keysize 2048 -dname "CN=100.18.17.17, OU=Test Cluster, O=bypramod, C=US"
$ keytool -genkeypair -keyalg RSA -alias node2 -keystore node2-keystore.jks -storepass truststore_password -keypass keystore_password -validity 730 -keysize 2048 -dname "CN=100.168.16.1, OU=Test Cluster, O=bypramod, C=US"
$ keytool -genkeypair -keyalg RSA -alias node3 -keystore node3-keystore.jks -storepass truststore_password -keypass keystore_password -validity 730 -keysize 2048 -dname "CN=100.16.13.22, OU=Test Cluster, O=bypramod, C=US"
### add -ext "san=ip:node_ip_address" to put the node IP into a subjectAltName; clients that validate the host name check the SAN, not the CN
verify: $ keytool -list -keystore node1-keystore.jks -storepass truststore_password
### add -rfc to -list or -export to print the certificate in PEM format instead of the fingerprint summary

4) Generate signing request
$ keytool -keystore node1-keystore.jks -alias node1 -certreq -file node1_request.csr -keypass keystore_password -storepass truststore_password -dname "CN=100.16.137.17, OU=Test Cluster, O=bypramod, C=US"
$ keytool -keystore node2-keystore.jks -alias node2 -certreq -file node2_request.csr -keypass keystore_password -storepass truststore_password -dname "CN=100.168.136.17, OU=Test Cluster, O=bypramod, C=US"
$ keytool -keystore node3-keystore.jks -alias node3 -certreq -file node3_request.csr -keypass keystore_password -storepass truststore_password -dname "CN=100.168.14.22, OU=Test Cluster, O=bypramod, C=US"
Verify: openssl req -in node1_request.csr -noout -text


5) Signing certificate request
$ openssl x509 -req -CA 'rootca.crt' -CAkey 'rootca.key' -in node1_request.csr -out node1_request.crt_signed -days 365 -CAcreateserial -passin pass:rootca
$ openssl x509 -req -CA 'rootca.crt' -CAkey 'rootca.key' -in node2_request.csr -out node2_request.crt_signed -days 365 -CAcreateserial -passin pass:rootca
$ openssl x509 -req -CA 'rootca.crt' -CAkey 'rootca.key' -in node3_request.csr -out node3_request.crt_signed -days 365 -CAcreateserial -passin pass:rootca
### to carry the SAN into the signed certificate add -extfile san_config_file.conf to the commands above, where san_config_file.conf contains the line
### subjectAltName=DNS:node_name,IP:node_ip_address (openssl x509 -req ignores the extensions in the CSR by default, so the SAN has to be supplied here)
Verify:
$ openssl verify -CAfile 'rootca.crt' node1_request.crt_signed
$ openssl verify -CAfile 'rootca.crt' node2_request.crt_signed
$ openssl verify -CAfile 'rootca.crt' node3_request.crt_signed
$ keytool -export -alias node1 -keystore node1-keystore.jks -rfc -file node1_selfsigned.crt
### this exports the certificate currently held in the keystore, which is still the self-signed one until step 6; write it to its own file so it does not overwrite node1_request.crt_signed

6) Import the rootca.crt to nodes keystores before importing signed crt
$ keytool -keystore node1-keystore.jks -alias rootca -importcert -file 'rootca.crt' -keypass keystore_password -storepass truststore_password -noprompt
$ keytool -keystore node2-keystore.jks -alias rootca -importcert -file 'rootca.crt' -keypass keystore_password -storepass truststore_password -noprompt
$ keytool -keystore node3-keystore.jks -alias rootca -importcert -file 'rootca.crt' -keypass keystore_password -storepass truststore_password -noprompt
### with -noprompt, keytool does not ask for a new destination alias; an existing entry with that alias is overwritten

Now, import signed crt to nodes keystores.
$ keytool -keystore node1-keystore.jks -alias node1 -importcert -file node1_request.crt_signed -keypass keystore_password -storepass truststore_password -noprompt
$ keytool -keystore node2-keystore.jks -alias node2 -importcert -file node2_request.crt_signed -keypass keystore_password -storepass truststore_password -noprompt
$ keytool -keystore node3-keystore.jks -alias node3 -importcert -file node3_request.crt_signed -keypass keystore_password -storepass truststore_password -noprompt
Verify: keytool -list -keystore node1-keystore.jks -storepass truststore_password


---------
Now run your applications with the appropriate keystores. Because this example assumes that the default X509KeyManager and X509TrustManager are used, you select the keystores using the system properties described in Customizing JSSE.

% java -Djavax.net.ssl.keyStore=/cassandra/certs/node2-keystore.jks -Djavax.net.ssl.keyStorePassword=truststore_password Server

% java -Djavax.net.ssl.trustStore=/cassandra/certs/node2-truststore.jks -Djavax.net.ssl.trustStorePassword=truststore_password Client


7) Change password
$ keytool -storepasswd -keystore /cassandra/certs/node1-keystore.jks
$ keytool -storepasswd -keystore /cassandra/certs/node2-keystore.jks
$ keytool -storepasswd -keystore /cassandra/certs/node3-keystore.jks
### prompts for the current store password and then the new one (keystore_password). This changes only the store password; the per-entry key password is changed with keytool -keypasswd -alias node1 -keystore ...

8) validating connections
$ openssl s_client -connect 10.107.147.7:7000 -CAfile rootca.crt (To check the certificate of a selfnode; with -CAfile, s_client reports "Verify return code: 0 (ok)" only if the chain leads to rootca)
### openssl cannot read .jks files. To stand up a test listener with the node2 identity, first extract the node2 key and certificate to PEM as in steps 9-11 of the cqlsh section (keytool -importkeystore ... -deststoretype PKCS12, then openssl pkcs12); node2.key.pem below stands for that extracted key.
$ openssl s_server -accept 7000 -cert node2_request.crt_signed -key node2.key.pem -CAfile rootca.crt
$ openssl s_server -accept 10.157.149.69:7000 -cert node2_request.crt_signed -key node2.key.pem -CAfile rootca.crt -www
keytool -printcert -rfc -sslserver 10.17.14.7:7000
### client side of a mutual-TLS check against a running node (s_server has no -connect; the client end is s_client):
openssl s_client -connect 10.17.14.77:7000 -cert node2_request.crt_signed -key node2.key.pem -CAfile rootca.crt


9) For CQLSH
Generate a new client key and certificate signing request, following the same pattern as the root CA in step 1 but without -x509 (which would make it self-signed). Do not re-run the rootca command here: regenerating rootca.key and rootca.crt would orphan every node certificate signed in step 5.
## for reference, step 1 was: openssl req -new -x509 -keyout rootca.key -out rootca.crt -nodes -days 3650
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client_request.csr
[cassandra@bypramodnode certs]$ openssl req -newkey rsa:2048 -nodes -keyout client.key -out client_request.csr
Generating a 2048 bit RSA private key
.......+++
.....................+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Missouri
Locality Name (eg, city) [Default City]:O'Fallon
Organization Name (eg, company) [Default Company Ltd]:CassandraTeam
Organizational Unit Name (eg, section) []:MCC
Common Name (eg, your name or your server's hostname) []:clientkey
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:clientpw
An optional company name []:

10) openssl x509 -req -CA 'rootca.crt' -CAkey 'rootca.key' -in client_request.csr -out client_request.crt_signed -days 365 -CAcreateserial -passin pass:rootca

Note: when validate is enabled in cqlshrc, the client key (and its certificate) must be supplied as PEM files, which are the files the cqlshrc [ssl] section points to.

or 
9) keytool -importkeystore -srckeystore node1-keystore.jks -destkeystore client_node1.p12 -deststoretype PKCS12

10) openssl pkcs12 -in client_node1.p12 -nokeys -out client_node1.p12.pem -passin pass:keystore_password

11) openssl pkcs12 -in client_node1.p12 -nodes -nocerts -out client_node1.key.pem -passin pass:keystore_password

or
9) keytool -exportcert -alias node1 -file node1.cer -keystore node1-keystore.jks
10) keytool -importcert -v -trustcacerts -alias node1 -file node1.cer -keystore truststore.node1

11) Create a new client keypair, as done above for the node certificates, and get it signed.
$ keytool -genkeypair -keyalg RSA -alias cqlsh_alias -keystore cqlsh-keystore.jks -storepass keystore_password -keypass keystore_password -validity 730 -keysize 2048 -dname "CN=10.157.147.77, OU=Test Cluster, O=bypramod, C=US"
keytool -exportcert -alias cqlsh_alias -file cqlsh_alias.cer -keystore cqlsh-keystore.jks
### export the cqlsh certificate before importing it into the node truststore
keytool -import -v -trustcacerts -alias node1 -file cqlsh_alias.cer -keystore truststore.node0
keytool -importkeystore -srckeystore cqlsh-keystore.jks -destkeystore cqlsh1.p12 -deststoretype PKCS12 -srcstorepass keystore_password -deststorepass keystore_password
openssl pkcs12 -in cqlsh1.p12 -nokeys -out cqlsh1.cer.pem -passin pass:keystore_password
openssl pkcs12 -in cqlsh1.p12 -nodes -nocerts -out cqlsh1.key.pem -passin pass:keystore_password

Validate that a key and certificate belong together by checking that both print the same RSA modulus (node1.cer.pem and node1.key.pem stand for the PEM certificate and key extracted above, e.g. client_node1.p12.pem and client_node1.key.pem, or cqlsh1.cer.pem and cqlsh1.key.pem):
$ openssl x509 -noout -modulus -in node1.cer.pem
$ openssl rsa -noout -modulus -in node1.key.pem
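Added example, not from the original post: it runs steps 1, 4 and 5 above with the san_config_file.conf extension file from step 5, then performs the checks worth doing before a certificate goes into a node keystore, including the modulus comparison from step 11. Only openssl is used; the working directory, node name and node IP are assumed values constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a throwaway root CA and one
# node certificate carrying a subjectAltName, then checks that the chain verifies
# against rootca, that the SAN holds the node IP, and that key and certificate
# share one RSA modulus. WORK, the node name and the IP are constructed values.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# step 1: self-signed root CA (-subj replaces the interactive DN prompts)
make_root_ca() {
    openssl req -new -x509 -nodes -days 3650 -subj "/C=US/O=bypramod/CN=rootca" \
        -keyout "$WORK/rootca.key" -out "$WORK/rootca.crt" 2>/dev/null
}

# steps 4 and 5 for one node: key + CSR, then the CA-signed certificate with the
# extensions from a san_config_file.conf equivalent. $1 = node name, $2 = node IP
make_node_cert() {
    name="$1"; ip="$2"
    openssl req -new -nodes -newkey rsa:2048 -subj "/C=US/O=bypramod/OU=Test Cluster/CN=$ip" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
        "$name" "$ip" > "$WORK/$name.san.conf"
    openssl x509 -req -days 365 -CA "$WORK/rootca.crt" -CAkey "$WORK/rootca.key" -CAcreateserial \
        -in "$WORK/$name.csr" -extfile "$WORK/$name.san.conf" -out "$WORK/$name.crt" 2>/dev/null
}

# returns 1 if the chain does not verify, 2 if the SAN lacks the IP,
# 3 if the private key does not belong to the certificate, 0 when all pass
check_node_cert() {
    name="$1"; ip="$2"
    openssl verify -CAfile "$WORK/rootca.crt" "$WORK/$name.crt" >/dev/null 2>&1 || return 1
    openssl x509 -noout -text -in "$WORK/$name.crt" | grep -qE "IP Address:$ip(,|$)" || return 2
    cert_mod=$(openssl x509 -noout -modulus -in "$WORK/$name.crt" | openssl dgst -sha256)
    key_mod=$(openssl rsa -noout -modulus -in "$WORK/$name.key" 2>/dev/null | openssl dgst -sha256)
    [ "$cert_mod" = "$key_mod" ] || return 3
    return 0
}

# run stand-alone with the argument "demo" to build and check one node
if [ "${1:-}" = "demo" ]; then
    make_root_ca
    make_node_cert node1 10.0.0.11
    check_node_cert node1 10.0.0.11 && echo "node1: chain, SAN and key/cert modulus all OK"
fi
```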

12) keytool -import -v -trustcacerts -alias rootca -file rootca.crt -keystore generic_truststore

Accessing Your Android Phone from Anywhere with AirDroid

AirDroid is a versatile app that lets you access and control your Android phone from any web browser or desktop client. Visit the https://www.airdroid.com/ website to get started. Here are some of its key features:

Remote Access and Control:

Screen Mirroring: View and interact with your phone's screen in real-time.

Remote Camera: Access your phone’s camera remotely.

Remote Control: Control your device with your mouse and keyboard.

File Transfer: Easily transfer files between your phone and computer.

Notification Management: Receive and manage your phone’s notifications on your computer.

You can keep your session alive and access your phone anytime for SMS messages, even when you're abroad. For instance, you can leave your phone in India and access it from the USA.

AirDroid simplifies staying connected to your Android phone, no matter where you are.

***