SYMPTOM
Enabling TLS/SSL security causes the engine to fail to connect with an error as follows:
2017-08-01 10:03:43,107 ERROR [atscale-akka.actor.default-dispatcher-23] {} com.atscale.engine.security.SecurityManager - Error getting public key from auth server
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at akka.stream.impl.io.TLSActor.akka$stream$impl$io$TLSActor$$doUnwrap(TLSActor.scala:368)
    at akka.stream.impl.io.TLSActor.akka$stream$impl$io$TLSActor$$doInbound(TLSActor.scala:291)
    at akka.stream.impl.io.TLSActor$$anonfun$1.apply$mcV$sp(TLSActor.scala:226)
    at akka.stream.impl.Pump$class.pump(Transfer.scala:200)
    at akka.stream.impl.io.TLSActor.pump(TLSActor.scala:49)
    at akka.stream.impl.BatchingInputBuffer.enqueueInputElement(ActorProcessor.scala:92)
    at akka.stream.impl.BatchingInputBuffer$$anonfun$upstreamRunning$1.applyOrElse(ActorProcessor.scala:143)
    at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:36)
    at akka.stream.impl.SubReceive.apply(Transfer.scala:17)
    at akka.stream.impl.FanIn$InputBunch$$anonfun$subreceive$1.applyOrElse(FanIn.scala:235)
    at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:36)
    at akka.stream.impl.SubReceive.apply(Transfer.scala:17)
    at akka.stream.impl.SubReceive.apply(Transfer.scala:13)
    at scala.PartialFunction$class.applyOrElse(PartialFunction.scala:123)
    at akka.stream.impl.SubReceive.applyOrElse(Transfer.scala:13)
    at scala.PartialFunction$OrElse.applyOrElse(PartialFunction.scala:170)
    at akka.actor.Actor$class.aroundReceive(Actor.scala:513)
    at akka.stream.impl.io.TLSActor.aroundReceive(TLSActor.scala:49)
    at akka.actor.ActorCell.receiveMessage(ActorCell.scala:519)
    at akka.actor.ActorCell.invoke(ActorCell.scala:488)
    at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:257)
    at akka.dispatch.Mailbox.run(Mailbox.scala:224)
    at akka.dispatch.Mailbox.exec(Mailbox.scala:234)
    at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
    at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
    at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
    at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:966)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:963)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416)
    at akka.stream.impl.io.TLSActor.runDelegatedTasks(TLSActor.scala:403)
    at akka.stream.impl.io.TLSActor.akka$stream$impl$io$TLSActor$$doUnwrap(TLSActor.scala:372)
    ... 26 common frames omitted
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address <xx.xxx.xxx.xxx> found
    at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:167)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:93)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
RESOLUTION
When the installer runs, AtScale prompts for the node's external address as either an IP address or a DNS name. The engine then connects to the auth server using that configured address, and the JVM's hostname verification requires the address to appear in the certificate's Subject Alternative Name (SAN) list: an IP address matches only an IP-type SAN entry, never a DNS-type entry (this is the HostnameChecker.matchIP failure in the trace above). If the certificate was generated for the FQDN, the configured external address must therefore be that FQDN. There are two ways to resolve this: either re-run the installer and specify the FQDN as the external address, or generate a certificate that includes the IP address as a subject alternative name.
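The SAN-matching rule the JVM applies above can be checked offline before TLS is enabled, given the configured address and the certificate's SAN list (in the shape Python's ssl.getpeercert()['subjectAltName'] returns). The following is an added example, not AtScale code; the host atscale.example.com and the address 10.1.2.3 are constructed sample values.

```python
import ipaddress
from typing import Iterable, Tuple

# SAN entries in the shape Python's ssl.getpeercert()['subjectAltName'] returns:
# a sequence of (type, value) pairs such as ('DNS', 'host') or ('IP Address', '10.0.0.1').
SanEntries = Iterable[Tuple[str, str]]

def _as_ip(address: str):
    """Parse an IP literal; None if `address` is a DNS name."""
    try:
        return ipaddress.ip_address(address)
    except ValueError:
        return None

def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS SAN match; a single '*' may replace the leftmost label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard covers exactly one label and needs at least two fixed labels after it.
    return len(p_labels) == len(h_labels) >= 3 and p_labels[1:] == h_labels[1:]

def san_matches(address: str, sans: SanEntries) -> bool:
    """True if the configured `address` is covered by the certificate's SAN list.
    Mirrors the JVM's HostnameChecker: an IP literal is compared only against
    'IP Address' entries and a DNS name only against 'DNS' entries, so a
    DNS-only certificate never matches a connection made by IP."""
    ip = _as_ip(address)
    if ip is not None:
        return any(t == "IP Address" and _as_ip(v) == ip for t, v in sans)
    return any(t == "DNS" and _dns_match(v, address) for t, v in sans)

def diagnose(address: str, sans: SanEntries) -> str:
    """Verdict worded like the JVM's CertificateException in the trace above."""
    if san_matches(address, sans):
        return f"OK: {address} is covered by the certificate SAN"
    kind = "IP address" if _as_ip(address) else "hostname"
    return f"No subject alternative names matching {kind} {address} found"

# Constructed sample: the installer was given an IP, the certificate was issued for the FQDN only.
FQDN_ONLY = (("DNS", "atscale.example.com"),)
WITH_IP_SAN = FQDN_ONLY + (("IP Address", "10.1.2.3"),)  # re-issued with the IP as a SAN

if __name__ == "__main__":
    print(diagnose("10.1.2.3", FQDN_ONLY))             # the failure in SYMPTOM
    print(diagnose("atscale.example.com", FQDN_ONLY))  # fix 1: configure the FQDN
    print(diagnose("10.1.2.3", WITH_IP_SAN))           # fix 2: IP in the SAN
```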