Welcome to the new Gigaspaces XAP forum. To recover your account, please follow these instructions.

Ask Your Question

pedro_brigatto's profile - activity

2018-06-05 05:18:18 -0600 received badge  Famous Question (source)
2018-02-27 01:48:40 -0600 received badge  Notable Question (source)
2018-02-27 00:10:03 -0600 received badge  Popular Question (source)
2018-02-26 06:57:57 -0600 answered a question Is XAP affect by AAC's InvokerTransformer vulnerability?

Thank you, Niv! Just one quick clarification ... what do you mean by JPA extension? The reason to the question is becaus

2018-02-23 13:54:34 -0600 asked a question Is XAP affect by AAC's InvokerTransformer vulnerability?

Is XAP affect by AAC's InvokerTransformer vulnerability? Hi guys, Recently, I've been researching about one vulnerabil

2017-09-14 08:32:23 -0600 received badge  Notable Question (source)
2017-09-14 08:32:23 -0600 received badge  Famous Question (source)
2017-09-07 02:44:42 -0600 received badge  Famous Question (source)
2017-08-15 09:49:12 -0600 received badge  Famous Question (source)
2017-07-10 04:42:47 -0600 commented answer Host via JeeServiceDetails says 0.0.0.0

Hi, Dixson! Actually, we've been using 10.2 for a long time and migrated to 10.2 some months ago. I missed that, was u

2017-07-10 04:38:22 -0600 received badge  Popular Question (source)
2017-07-06 13:33:53 -0600 asked a question Host via JeeServiceDetails says 0.0.0.0

Host via JeeServiceDetails says 0.0.0.0 Hey guys, how are you? I have a command to tell the status of all containers i

2017-03-09 13:10:53 -0600 commented answer What is the correct way to shutdown a GSA, etc. started with gs-agent.sh?

Thanks Shay. I'm gonna follow your suggestions. Just one more question: after the undeployment, by calling the shutdown, for how long should I wait to determine something is wrong? I know the clean up is supposed to take some time, but is there a way to determine a reference so that we know something went wrong? Or, once all PUs were already undeployed, the clean up should be very quick ...? What parameter can I use to have any reasonable conclusion about the process?

2017-03-09 12:55:56 -0600 answered a question What is the correct way to shutdown a GSA, etc. started with gs-agent.sh?

Hi Shay,

What about the same operation through the Admin API? I'm invoking the GridServiceAgent shutdown method, but not all the processes are killed. Is it mandatory to first undeploy the application, also via Admin API, and only then invoke the shutdown method? Or is the grid service agent implementation supposed to handle this 'clean up' internally (I'd expect it to happen, in a client standpoint).

Thanks!

2016-12-22 14:17:35 -0600 answered a question How do Certificates and CA work in XAP? How to proceed with it?

Well, filtering the SSL debug messages doesn't help me. Not sure why. But one thing I discovered is that, by not pointing to a keystore (delegating the key generation and exchange completely to XAP), I can make it work. So, the problem is in the either in the keystore or in the certificates. But, since I'm using keytool to generate the private key entries (one per server in the cluster), exporting it to a client certificate (.cer) and importing these .cer files into the keystore of all the other servers (each server has the others' certificates imported into their keystore), what else should I be doing?

Whenever I try to use authentication with the certificates I created, I see those messages already posted in another message:

2016-12-22 12:58:00,082 GSM WARNING [net.jini.discovery.LookupLocatorDiscovery] - Exception in InternalDiscoveryListener.discovered() going to discard the discoveryEvent: net.jini.discovery.DiscoveryEvent[source=net.jini.discovery.LookupLocatorDiscovery@32fcd3ee]; Caused by: java.rmi.ConnectException: Connect Failed to [NIO://10.130.92.202:44745/pid[24473]/627631519796649_2_-847292144520088972_details[class com.sun.jini.reggie.GigaRegistrar]]; nested exception is: java.rmi.ConnectException: Failed to perform communication filter handshake using com.gigaspaces.lrmi.nio.filters.SSLFilterFactory filter; nested exception is: com.gigaspaces.lrmi.nio.filters.IOFilterException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

Thoughts? Has anyone experienced this problem before?

2016-12-21 13:26:17 -0600 answered a question How do Certificates and CA work in XAP? How to proceed with it?

Hey guys,

Well, some progress on it, but not yet working. But let me share some things I learned during my hands-on.

  1. in the property com.gs.lrmi.filter.security.keystore, I had to set the full path to my keystore.jks
  2. both client and server certificates/keys must be saved into the same keystore.jks. I don't like it, personally.

What I have is, so far:

  • each VM in the cluster has its own private key entry
  • each VM in the cluster imports the self-signed (DEV) or CA-signed (DEV) certificate of all the other nodes

Following the 2 steps just above, I'm willing to establish the following scenario: I, server 1, know everybody who talks to me, and everybody knows me as well. TLS mutual authentication, this is what I want to achieve with this.

The properties added to EXT_JAVA_OPTIONS (in setenv.sh) and also as properties of my Java standalone clients that consume spaces/processing units of the solution are:

  • -Dcom.gs.lrmi.filter.factory=com.gigaspaces.lrmi.nio.filters.SSLFilterFactory
  • -Dcom.gs.lrmi.filter.security.protocol=TLSv1.2
  • -Dcom.gs.lrmi.filter.security.keystore=/opt/myapp/keystore.jks
  • -Dcom.gs.lrmi.filter.security.password=cant_tell_you

Right now, when I launch the solution, I'm getting some handshaking exceptions:

2016-12-21 11:44:01,723 GSM WARNING [net.jini.discovery.LookupLocatorDiscovery] - Exception in InternalDiscoveryListener.discovered() going to discard the discoveryEvent: net.jini.discovery.DiscoveryEvent[source=net.jini.discovery.LookupLocatorDiscovery@284cf033]; Caused by: java.rmi.ConnectException: Connect Failed to [NIO://10.130.92.202:45049/pid[11000]/536766251481395_2_-892083509427360108_details[class com.sun.jini.reggie.GigaRegistrar]]; nested exception is: java.rmi.ConnectException: Failed to perform communication filter handshake using com.gigaspaces.lrmi.nio.filters.SSLFilterFactory filter; nested exception is: com.gigaspaces.lrmi.nio.filters.IOFilterException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

Basically, the handshaking is failing when server 1 tries to communicate with the other servers. The only properties I found in the documentation are the ones that I used. So, the question at this point would be: with all that I've described above, what am I missing? Any ideas? Has somebody else faced similar issues when playing with this TLS thingy?

2016-12-15 11:46:13 -0600 received badge  Notable Question (source)
2016-12-15 06:10:23 -0600 received badge  Commentator
2016-12-15 06:10:23 -0600 commented answer How do Certificates and CA work in XAP? How to proceed with it?

Hi Lucas, thank you for your reply!

Actually, I'd say I need a secure transport, first of anything else. However, I'm allowing customers to come with their own certificates, CA-signed, and applying them to the solution.

Regarding the configuration without particular certificates, I have a question ... what if I have a standalone client, consuming some of the spaces in the solution ... this client would be anywhere in the network, any other server. Without keypairs/certificates/CAs configured in both ends, how'd the client be able to consume data from this space on top of TLS? I'm asking because when I set only the SSL filter in my solution, without specifying the keystore, the clients started to fail still in the launching. They were not even launched and I got some messages indicating the spaces couldn't be reached. Removing that property (the SSL filter), they were successfully launched again.

I'm gonna play with TLS1.2, we are on Java 7.

Well, thanks again for your attention. Hope my points above are clear enough, and we can keep talking.

Cheers, Pedro

2016-12-12 16:26:22 -0600 received badge  Popular Question (source)
2016-12-12 08:44:54 -0600 commented answer How do Certificates and CA work in XAP? How to proceed with it?

Hi, jb. Thanks for the reply.

Yes, this is not exactly something specific to XAP. I was just trying to understand whether there's a best practice that you guys use to follow when securing the transport layer of a solution that runs on top of XAP. We, for example, have a bunch of processing units and spaces deployed in 4 nodes, and applications consuming data that can be installed around these nodes. In this kind of scenario, I was thinking that the solution would be generating one certificate per server, installing all these certificates in all nodes (including the ones that have no XAP instance running, only clients) and the keystores of all these nodes mapped in the environment, through the arguments the documentation exposes. Sounds to me like the way to go. In clusters, is this the way you'd suggest me to proceed?

Also, the password to the keystore is exposed as plain text, per what the documentation suggests. Is there any alternative, so that it is obfuscated and becomes protected?

Thanks again for the attention. I really appreciate it. :)

2016-12-05 07:10:34 -0600 asked a question How do Certificates and CA work in XAP? How to proceed with it?

Hey there!

About TSL, area in which I'm starting right now in XAP ...

What if I want to generate my own certificate using keytool, to release as part of the application we develop? From my understanding, I'd have to set the password, the path to the keystore file, as well as the SSL filter as system properties, through EXTJAVAOPTIONS, in setenv.sh.

What I don't understand is what happens backstages and how do I specify and play with Certificate Authorities to validate the certificate. Actually, I'd like to understand the specifics about certificates, certificate authorities and keystores in the XAP universe, and how they relate to each other. My first question in this regard would be: creating a keystore file from the scratch, what concerns and general points I have to have in mind in order to have a certificate from it and, later, a CA validating the certificate? What sort of procedure may I follow in order to make the configuration work? I'm very new to this area in XAP, just read the documentation at http://docs.gigaspaces.com/xap120sec/... and all it talks about give just a basic idea of what we need to do. I'm wondering if there is a bunch of things backstages that I may care about.

Thanks in advance, guys! Have a nice week!

Cheers, Pedro

2016-11-01 03:42:01 -0600 received badge  Enthusiast
2016-10-26 08:25:06 -0600 received badge  Notable Question (source)
2016-10-25 13:29:29 -0600 commented answer Create users/roles for remote XAP (deployed on a RHEL VM)

Hi Meron, thanks for the answer. Actually, your steps are quite clear to me. I have done everything you said. And, in terms of the application itself, it is deployed. I can reach the web apps, use the clients to consume the services the app provides, etc. What I was concerned about, and this was the reason to the post, is that, during deployment, for some of the PUs, I see the authentication exception being thrown, whenever the platform tries to read some metadata from the spaces. See this:

com.gigaspaces.security.AuthenticationException: No authentication details were supplied at org.openspaces.admin.internal.admin.DefaultAdmin.login(DefaultAdmin.java:344) at org.openspaces.admin.internal.space.DefaultSpaceInstance.getIJSpace(DefaultSpaceInstance.java:341) at org.openspaces.admin.internal.space.DefaultSpaceInstance.getPlatformLogicalVersion(DefaultSpaceInstance.java:606)

It doesn't happen to all processing units, just to 2 of them. Then I was wondering about this default admin, and how I could set the authorities to this user in such a way that it is able to read the information it needs from the space. It seems to be something the platform does, and it has no side effect to my application ... I just wanted to make sure it is the case and if it is possible to fix this issue. If, for example the grid service trying to reach one of the spaces to read some metadata is the GSA, I could launch the grid services with security enabled AND a principal, explicitly defined, being this principal one that has permissions to monitor the JVM, deploy, etc etc, just as you described.

Makes sense? Or I am misunderstanding the platform in some way? Do you see my point? The platform seems to be unable to reach some of my spaces, due to the lack of authorization. I just wanted to fix this.

2016-10-25 12:59:31 -0600 commented answer Create users/roles for remote XAP (deployed on a RHEL VM)

Hi jb,

I guess you mentioned this building step just as an example, to have something working, correct? I mean ... we should never care about running an example to have the environment functional ... right? To me, in my application, I should be able to start everything, security enabled, by simply [1] adding the flag to the setenv.sh script, [2] launching the platform through a call, from my own start script, to gs-agent and, lastly, [3] deploying my application using gs.sh and providing credentials, just as you put above (gs.sh -user xap -password pass deploy-application -user myotheruser -password -myotherpwd -secured true).

The question that comes to my mind is: alright, security enabled to the services, but what principal (user) is being employed in launching the platform itself? I'm asking because, following steps 1, 2 and 3 above, I am still getting the same error. I see all services with a padlock icon, everything secured, but I still have the issue that a service (GSA, I suppose) is not able to reach some spaces of my solution (makes sense once whenever the principal it is using doesn't have the authority to do so, or no credentials are informed at all).

Is there a way to, just as we enable security to the grid services in setenv.sh, also inform the credentials to be used by them? That would solve, I suppose, the problem. And that would be the reasonable way to configure it, also ... do you know if we have this in XAP?

Cheers, Pedro

2016-10-25 08:09:45 -0600 commented answer Create users/roles for remote XAP (deployed on a RHEL VM)

Actually, we've been using 10.1 ... for a long time. Right now, we've just started jumping from this old version to 12, but it is still in the beginning. While this doesn't happen, I'm still on 10.1. These commands you've suggested are for 12? I can give it a try as well, but I'm afraid that, if it doesn't work for 10.1, things I've been doing will get blocked until I can use XAP 12 officially. :( By the way, thank you very much for the support!

2016-10-25 07:51:28 -0600 received badge  Popular Question (source)
2016-10-24 21:01:58 -0600 commented answer Create users/roles for remote XAP (deployed on a RHEL VM)

Hi, jb. Thanks for your answer. I've been trying exactly the line you show under 'startSecureSessionGrid.sh'. But the thing is that, once I run it, I get the following:

2016-10-24 19:21:30,291 INFO [com.gigaspaces.start] - Starting ServiceGrid [user=root, command="services=GSA -secured true -user myuser -password mypwd gsa.global.lus 0 gsa.lus 1 gsa.gsc 1"] 2016-10-24 19:21:30,404 SEVERE [com.gigaspaces.start] - Error while booting system - ; Caused by: net.jini.config.ConfigurationException: Override 2: Line 1: expected fully qualified entry name, found '-secured' at net.jini.config.ConfigurationFile.oops(ConfigurationFile.java:2768) at net.jini.config.ConfigurationFile.access$100(ConfigurationFile.java:386) at net.jini.config.ConfigurationFile$Parser.oops(ConfigurationFile.java:1743) at net.jini.config.ConfigurationFile$Parser.syntax(ConfigurationFile.java:1715) at net.jini.config.ConfigurationFile$Parser.parseOverride(ConfigurationFile.java:1425) at net.jini.config.ConfigurationFile$Parser.<init>(ConfigurationFile.java:1247) at net.jini.config.ConfigurationFile.<init>(ConfigurationFile.java:1813) at net.jini.config.ConfigurationProvider.getInstance(ConfigurationProvider.java:256) at net.jini.config.ConfigurationProvider.getInstance(ConfigurationProvider.java:142) at com.gigaspaces.start.SystemConfig.<init>(SystemConfig.java:202) at com.gigaspaces.start.SystemConfig.getInstance(SystemConfig.java:257) at com.gigaspaces.start.SystemBoot.main(SystemBoot.java:318)

When I add the same parameters in the end of the string, the exception goes away, but then I see many connection attempts to LUS refused and nothing is even started.

Any ideas? Have you ever faced this issue before?

2016-10-24 15:29:48 -0600 answered a question Create users/roles for remote XAP (deployed on a RHEL VM)

Shay/guys, I think I understand it more clearly now, but still have no fix to the issue. In my understanding, now, the platform is started by invoking, from a script, the gs-agent.sh. This will start the GSA which, in turn, manages the grid services. I am calling it this way:

${gs.home}/bin/gs-agent.sh gsa.global.lus 0 gsa.lus 1 gsa.gsc 1

GSA is started, then, without any security applied to it. Because of that, I have the impression that, any time GSA wants to retrieve any information from any PU, as it does not have authorization to it, I get an AuthenticationException. Makes sense?

The test I'd like to make now is to invoke gs-agent providing the security credentials. However, I could not make it. I get all the connections to the LUS rejected. I am trying the same statement I used to gs.sh, passing -user, -password, -secured parameters. Doesn't seem to be valid, doesn't seem to be recognized (although gs-agent is just a wrapper to gs.sh).

So my questions would be:

  • How to start GSA securely with a command I can embed into my own script, just as I did with gs.sh?
  • From my script, is it possible to invoke gs.sh in an interactive way, so that the session is shared between commands?
  • If only non-interactive mode is possible from my script, how can I start XAP and deploy the application, with security enabled in both?

Thanks, guys. I'm asking after a long time trying it out. Hope we can come with a solution together!

Best regards, Pedro

2016-10-24 09:31:51 -0600 received badge  Famous Question (source)
2016-10-24 09:31:51 -0600 received badge  Notable Question (source)
2016-10-24 09:31:48 -0600 received badge  Notable Question (source)
2016-10-24 09:31:48 -0600 received badge  Famous Question (source)
2016-10-24 09:31:48 -0600 received badge  Popular Question (source)
2016-10-24 06:32:23 -0600 commented answer Create users/roles for remote XAP (deployed on a RHEL VM)

What I meant by 'non-interactive' mode is that the deployment is happening via a script, where I use gs.sh to deploy a zip. Also, there is a typo in the command line I presented above: it is not 'secure = true', but 'secured = true'. I am using it right, just put it wrong in the message. So, once I'm doing all from a script, I'm not using the API to set anything, such as credentials, in the code level. That's why I got confused when you suggested setting the credentials when constructing the Admin via Admin Factory, because I'm not doing it at all. So, in this case, what should I do?

2016-10-22 18:22:02 -0600 commented answer Create users/roles for remote XAP (deployed on a RHEL VM)

Hum, not sure I got it. In reality, I am deploying a bundle (zip) with all my PUs packaged. I am using a non-interactive approach, from a start script, and the command is: gs.sh -user <myuser> -password <mypwd> deploy-application -user <myuser> -password <mypwd> -secure true <my_zip.zip> I tried both with and without the first '-user/-password' pair, same result always. Because of this approach I'm taking, I am not able to visualize where this 'Admin via AdminFactory' thing can be applied. I know there's a default admin/admin principal used to manage roles/users, but I don't believe this is the user that should go in the first pair, right?

Sorry if the question is so simple, it is just because I am not visualizing the solution at this point. Can you please give some further clarification on this Admin stuff?

Thanks, Shay!

2016-10-22 14:54:34 -0600 commented answer Create users/roles for remote XAP (deployed on a RHEL VM)

Hey Shay, Well, thanks again.You rock.

Actually, while I was waiting for an answer to this question, I've tried exactly what you've suggested: generating the file locally and copying it to the servers. I also added a security.properties file which estipulates the property com.gs.security.fs.file-service.file-path, which value is the location of the .fsm file.

It works. Deployment runs fine. But I'm seeing an exception thrown not to all the PUs I'm deploying, but 2 of them ... here it is:

2016-10-21 09:59:46,946 sample_pu.1 [2] WARNING [org.openspaces.admin.internal.space.DefaultSpace] - Failed to get runtime information; Caused by: com.gigaspaces.security.AuthenticationException: No authentication details were supplied at org.openspaces.admin.internal.admin.DefaultAdmin.login(DefaultAdmin.java:344) at org.openspaces.admin.internal.space.DefaultSpaceInstance.getIJSpace(DefaultSpaceInstance.java:341) at org.openspaces.admin.internal.space.DefaultSpaceInstance.getPlatformLogicalVersion(DefaultSpaceInstance.java:606) at org.openspaces.admin.internal.space.DefaultSpace$ScheduledRuntimeFetcher$1.run(DefaultSpace.java:639) at org.openspaces.admin.internal.admin.DefaultAdmin.scheduleNonBlockingStateChange(DefaultAdmin.java:771) at org.openspaces.admin.internal.space.DefaultSpace$ScheduledRuntimeFetcher.run(DefaultSpace.java:636) at org.openspaces.admin.internal.admin.DefaultAdmin$LoggerRunnable.run(DefaultAdmin.java:2093) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:304) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:178) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745)

It talks about a DefaultAdmin, and the problem is related to the authentication ... but I am deploying a ZIP file passing -user and -password parameters, as well as the -secured true (that wouldn't even be necessary, once I'm informing the credentials).

What would be this issue related to? Any thoughts on that one?

Thanks in advance!

2016-10-22 14:46:54 -0600 commented answer Are security properties documented somehow?

Hi Shay First of all, thank you very much for the support.

So, from my understanding, the only properties XAP comes with are the ones documented in the security session ( http://docs.gigaspaces.com/xap120sec ), but we are also free to set custom properties as well. Correct?

I made this question more because I didn't see any template for security.properties, where all possible properties would come disabled and documented. It'd help me upfront to understand what I can and what I can't do whenever, for example, I want to use the FSM approach (as I am doing now).

Thanks again!

2016-10-22 14:41:47 -0600 received badge  Popular Question (source)
2016-10-22 03:57:49 -0600 asked a question Create users/roles for remote XAP (deployed on a RHEL VM)

Hi, guys

I need to create a user to secure my processing units (authentication + safe communication) deployed in a remote server (a RHEL box). As far as I see - and correct me if I'm wrong - there's no way to create/manage roles/users through gs-webui. So, the tool in case would be gs-ui, but it is a graphical interface. When opening a local gs-ui application, I don't see a way to push configuration to remote servers. I can add locators to it, so I can see and manipulate spaces, processing units, etc, but in this case I am not controlling deployment and this kind of stuff. Only thing I'd need to do is to create this user in that XAP installation.

How would I do it? How can I manage such a thing using gs-ui? Maybe there's another tool?

Cheers, Pedro

2016-10-22 03:57:47 -0600 asked a question Are security properties documented somehow?

Hi, XAP team and users. Hope you all are doing well.

Where do I find documentation that describes the security properties available? I would like to learn more about these security settings in order to build my own security-config.xml and security.properties files but can't find a page where such properties are described.

I see, for example, a 'generic' security.properties mentioned here and there, but have no idea what properties I can set in this file. Since there is no 'security.properties' and no 'security-config.xml' files in the distribution, I'm kinda lost with this configuration. Can you please give me a hand?

Thanks in advance for the support.

Regards, Pedro

2016-10-22 03:57:27 -0600 asked a question Where are the security properties documented?

Hi, XAP team and users. Hope you all are doing well.

Where do I find documentation that describes the security properties available? I would like to learn more about these security settings in order to build my own security-config.xml and security.properties files but can't find a page where such properties are described.

I see, for example, a 'generic' security.properties mentioned here and there, but have no idea what properties I can set in this file. Since there is no 'security.properties' and no 'security-config.xml' files in the distribution, I'm kinda lost with this configuration. Can you please give me a hand?

Thanks in advance for the support.

Regards, Pedro