VMware Tanzu Greenplum

Running gpfdists with SSL enabled

  • 1.  Running gpfdists with SSL enabled

    Posted 19 days ago

    I set up my gpfdist to use SSL certs and am seeing these errors when testing with wget:

    [gpadmin@greenie gpseg-1]$ wget https://dblaxt08.unx.sas.com:8080/dbtab.dat
    --2024-11-14 15:05:08--  https://dblaxt08.unx.sas.com:8080/dbtab.dat
    Resolving dblaxt08.unx.sas.com (dblaxt08.unx.sas.com)... 10.24.8.125
    Connecting to dblaxt08.unx.sas.com (dblaxt08.unx.sas.com)|10.24.8.125|:8080... connected.
    GnuTLS: A TLS fatal alert has been received.
    GnuTLS: received alert [40]: Handshake failed
    Unable to establish SSL connection.

    gpfdist -p 8080 -l /dbi/odbc/tmp/gpfdist_rh7_t08_8080_log.txt -d /dbi/odbc/tmp --ssl /etc/init.d/ssl_certs

    I followed this document: https://docs.vmware.com/en/VMware-Greenplum/7/greenplum-database/admin_guide-external-g-gpfdists-protocol.html 

    Here are my certs that I created:

    [root@dblaxt08 ~]# ls -al /etc/init.d/ssl_certs
    -rw-r--r--  1 root root 1484 Nov  1 13:02 root.crt
    -rw-r--r--  1 root root 1679 Nov  1 13:00 root.key
    -rw-r--r--  1 root root   17 Nov  1 13:06 root.srl
    -rw-r--r--  1 root root 1367 Nov  1 13:06 server.crt
    -rw-r--r--  1 root root 1143 Nov  1 13:05 server.csr
    -rw-------  1 root root 1675 Nov  1 13:03 server.key

    On the segment servers I have created the gpfdists directory with certificates in all of the $PGDATA/gpfdists directories.

    Is my $PGDATA directory correct?  Or which directory should this be?

    Any help or suggestions would be great.

    For example,

    [gpadmin@greenie1 gpfdists]$ ls -al /data2/mirror/gpseg21/gpfdists
    -rw-------  1 gpadmin gpadmin 1383 Nov  4 16:42 client.crt
    -rw-------  1 gpadmin gpadmin 1143 Nov  4 16:42 client.csr
    -rw-------  1 gpadmin gpadmin 1704 Nov  4 16:42 client.key
    -rw-------  1 gpadmin gpadmin 1505 Nov  4 16:42 root.crt
    -rw-------  1 gpadmin gpadmin 1874 Nov  4 16:42 root.key
    -rw-------  1 gpadmin gpadmin   41 Nov  4 16:42 root.srl

    The settings of the verify_gpfdists_cert server configuration parameter (default value true) and the gpfdist --ssl_verify_peer <boolean> option (default value on) control whether SSL certificate authentication is enabled when Greenplum Database communicates with the gpfdist utility to either read data from or write data to an external data source. These settings also determine which of the following certificate files must reside in the $PGDATA/gpfdists directory on each Greenplum Database segment:
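
Added example, not part of the original post and not Greenplum code: a small audit of the two directory listings shown in the post. The rules are assumptions of this example based on the openssl-style file names in those listings (`*.key` is a private key, `root.key` and `root.srl` are CA signing material, `*.csr` is a signing request); they are not checks that gpfdist performs.

```python
# Listings copied from the post; the audit rules are assumptions of this example.
SERVER_DIR = """\
-rw-r--r--  1 root root 1484 Nov  1 13:02 root.crt
-rw-r--r--  1 root root 1679 Nov  1 13:00 root.key
-rw-r--r--  1 root root   17 Nov  1 13:06 root.srl
-rw-r--r--  1 root root 1367 Nov  1 13:06 server.crt
-rw-r--r--  1 root root 1143 Nov  1 13:05 server.csr
-rw-------  1 root root 1675 Nov  1 13:03 server.key
"""
SEGMENT_DIR = """\
-rw-------  1 gpadmin gpadmin 1383 Nov  4 16:42 client.crt
-rw-------  1 gpadmin gpadmin 1143 Nov  4 16:42 client.csr
-rw-------  1 gpadmin gpadmin 1704 Nov  4 16:42 client.key
-rw-------  1 gpadmin gpadmin 1505 Nov  4 16:42 root.crt
-rw-------  1 gpadmin gpadmin 1874 Nov  4 16:42 root.key
-rw-------  1 gpadmin gpadmin   41 Nov  4 16:42 root.srl
"""

KEY_EXPOSED = "private key readable by group or others"
CA_MATERIAL = "CA signing material; a TLS endpoint only needs root.crt"
CSR_LEFTOVER = "signing request left behind after issuance"


def audit_listing(listing):
    """Return (file, finding) pairs for one `ls -al` listing of a cert directory."""
    findings = []
    for line in listing.splitlines():
        parts = line.split()
        # Expected fields: mode links owner group size month day time name
        if len(parts) != 9 or len(parts[0]) < 10:
            continue
        mode, name = parts[0][:10], parts[8]
        # mode[4:] holds the group and other permission bits.
        if name.endswith(".key") and mode[4:] != "------":
            findings.append((name, KEY_EXPOSED))
        if name in ("root.key", "root.srl"):
            findings.append((name, CA_MATERIAL))
        if name.endswith(".csr"):
            findings.append((name, CSR_LEFTOVER))
    return findings


if __name__ == "__main__":
    dirs = (("gpfdist --ssl dir", SERVER_DIR), ("segment gpfdists dir", SEGMENT_DIR))
    for label, listing in dirs:
        for name, finding in audit_listing(listing):
            print(f"{label}: {name}: {finding}")
```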