Neo4j Aura customers are likely to see SSL handshake errors like the following when connecting to AuraDB from Apache Beam (GCP Dataflow) with the default Java settings:
org.neo4j.driver.exceptions.SecurityException: Failed to establish secured connection with the server
    at org.neo4j.driver.internal.util.Futures.blockingGet(Futures.java:143)
    at org.neo4j.driver.internal.util.Futures.blockingGet(Futures.java:113)
    at org.neo4j.driver.internal.InternalDriver.verifyConnectivity(InternalDriver.java:159)
    ...
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:337)
    at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:186)
Because AuraDB supports only the safe TLS ciphers, encryption negotiation can fail when connecting from Java. Check the version of your JDK 8 or 11 to ensure the best performance and support for the encryption.
To allow the SSL handshake to complete, you will need to disable the weak security algorithms (SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL) on Dataflow.
To do this, you need to create a class that implements the JvmInitializer interface and annotate it with:
@AutoService(value = JvmInitializer.class)
The whole class might be something like this:
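import com.google.auto.service.AutoService;
import java.security.Security;
import org.apache.beam.sdk.harness.JvmInitializer;
import org.apache.beam.sdk.options.PipelineOptions;

// Registered through @AutoService so that Beam can discover it at JVM startup.
@AutoService(value = JvmInitializer.class)
public class DataFlowJvmStart implements JvmInitializer {
  @Override
  public void onStartup() {
    // Replace the JVM-wide list of disabled TLS algorithms.
    Security.setProperty(
        "jdk.tls.disabledAlgorithms",
        "SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL");
  }

  @Override
  public void beforeProcessing(PipelineOptions options) {}
}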
The Beam API picks up this class and executes the onStartup() method when the Dataflow JVM starts.
This class needs to be included in the classpath of your Dataflow Beam application, or in the large jar file archive you will likely build to run it.
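Security.setProperty replaces the whole jdk.tls.disabledAlgorithms list rather than adding to it, so it is worth checking what the override changes on the JDK you deploy. The following is an added example, not part of the original article or of Neo4j or Beam code: it lists the entries of the JDK's existing list that the article's value drops, then the protocols and any weak-looking cipher suites the JVM still enables. The class name TlsSettingsCheck and the WEAK name fragments are assumptions made for this example.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added diagnostic (hypothetical class name); run it on the same JDK as the workers.
public class TlsSettingsCheck {
    static final String PROP = "jdk.tls.disabledAlgorithms";
    // Value taken from the article's onStartup() method.
    static final String ARTICLE_VALUE =
        "SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL";
    // Assumed name fragments of cipher suites that the list above is meant to exclude.
    static final String[] WEAK = {"_RC4_", "_DES_", "3DES_EDE_CBC", "_anon_", "_NULL_"};

    // Split a disabledAlgorithms value into its trimmed, non-empty entries.
    static Set<String> entries(String value) {
        Set<String> out = new LinkedHashSet<>();
        if (value != null) {
            for (String e : value.split(",")) {
                if (!e.trim().isEmpty()) out.add(e.trim());
            }
        }
        return out;
    }

    // Return the suite names that contain any of the weak markers.
    static List<String> weakNames(String[] names) {
        List<String> hits = new ArrayList<>();
        for (String n : names) {
            for (String m : WEAK) {
                if (n.contains(m)) { hits.add(n); break; }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Record the list the JDK started with, then apply the override before any TLS use.
        Set<String> dropped = entries(Security.getProperty(PROP));
        Security.setProperty(PROP, ARTICLE_VALUE);
        dropped.removeAll(entries(ARTICLE_VALUE));
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        System.out.println("Entries no longer disabled: " + dropped);
        System.out.println("Enabled protocols: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("Weak suites still enabled: " + weakNames(engine.getEnabledCipherSuites()));
    }
}
```

Any entry printed under "Entries no longer disabled" was restricted by the JDK's own configuration and is allowed again once the override is applied, so review that list before deploying.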