The following configuration should be introduced:

```json
"rest": {
  "dualProtocol": false,
  "httpToHttpsRedirection": false,
  "ssl": {
    "enabled": false,
    "port": 10400,
    "portRange": 100,
    "keyStore": {
      "type": "PKCS12",
      "path": "must not be empty",
      "password": "may be empty"
    }
  }
}
```
Netty provides support for configuring secure connections via SslContextBuilder on both the server and client sides.
Client

```java
SslContextBuilder sslBuilder = SslContextBuilder
    .forClient()
    .keyManager(getKeyManagerFactory())
    .trustManager(getTrustManagerFactory());
```

Server

```java
SslContextBuilder builder = SslContextBuilder.forServer(certChainInput, keyInput)
    .ciphers(getCiphers(), getCiphersFilter())
    .sessionTimeout(serverSslConfig.getSessionTimeout())
    .sslProvider(sslProvider)
    .trustManager(trustedCerts.toArray(new X509Certificate[0]))
    .clientAuth(serverSslConfig.getClientAuth());
```
Netty SSL configuration: https://github.com/devsunny/netty-ssl-example/blob/master/src/main/java/com/asksunny/ssl/SecureSocketSslContextFactory.java
The following configuration should be introduced:

```json
"clientConnector": {
  "ssl": {
    "enabled": false,
    "clientAuth": "none",
    "keyStore": {
      "type": "PKCS12",
      "path": "must not be empty",
      "password": "may be empty"
    },
    "trustStore": {
      "type": "PKCS12",
      "path": "must not be empty",
      "password": "may be empty"
    }
  }
}
```
If a user has enabled SSL for clientConnector, they have to set corresponding properties in ConnectionProperties as well.
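The following is an added example (not Ignite's own code) showing how the "ssl" subtree above can be turned into Netty SslContext objects for both sides of a connection: the PKCS12 key store and trust store are loaded with the JDK KeyStore API, the "path must not be empty" rule is enforced before the file is opened, and the clientAuth string is mapped onto Netty's ClientAuth enum. The SslConfig holder class is hypothetical; the proposal only lists "none" for clientAuth, so the "optional" and "require" values are an assumption.

```java
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Locale;

/** Plain holder for the proposed "ssl" subtree; a hypothetical class, not Ignite's configuration API. */
final class SslConfig {
    boolean enabled;
    String clientAuth = "none";            // "none" is the only value the proposal lists; the others are assumed
    String keyStoreType = "PKCS12", keyStorePath, keyStorePassword = "";
    String trustStoreType = "PKCS12", trustStorePath, trustStorePassword = "";
}

final class NettySslContexts {
    /** Server side: the key store is mandatory; the trust store is only needed when client certificates are checked. */
    static SslContext forServer(SslConfig cfg) throws Exception {
        if (!cfg.enabled)
            return null;                                   // caller keeps the plain listener
        ClientAuth clientAuth = toClientAuth(cfg.clientAuth);
        SslContextBuilder builder = SslContextBuilder
            .forServer(keyManagerFactory(cfg.keyStoreType, cfg.keyStorePath, cfg.keyStorePassword))
            .clientAuth(clientAuth);
        if (clientAuth != ClientAuth.NONE)
            builder.trustManager(trustManagerFactory(cfg.trustStoreType, cfg.trustStorePath, cfg.trustStorePassword));
        return builder.build();
    }

    /** Client side: the trust store is mandatory; a key store is attached only if one is configured. */
    static SslContext forClient(SslConfig cfg) throws Exception {
        if (!cfg.enabled)
            return null;
        SslContextBuilder builder = SslContextBuilder.forClient()
            .trustManager(trustManagerFactory(cfg.trustStoreType, cfg.trustStorePath, cfg.trustStorePassword));
        if (cfg.keyStorePath != null && !cfg.keyStorePath.isEmpty())
            builder.keyManager(keyManagerFactory(cfg.keyStoreType, cfg.keyStorePath, cfg.keyStorePassword));
        return builder.build();
    }

    /** Maps the configuration string onto Netty's enum; unknown values fail fast instead of silently becoming NONE. */
    static ClientAuth toClientAuth(String value) {
        switch (value == null ? "none" : value.toLowerCase(Locale.ROOT)) {
            case "none":     return ClientAuth.NONE;
            case "optional": return ClientAuth.OPTIONAL;
            case "require":  return ClientAuth.REQUIRE;
            default: throw new IllegalArgumentException("Unsupported ssl.clientAuth value: " + value);
        }
    }

    private static KeyManagerFactory keyManagerFactory(String type, String path, String password) throws Exception {
        KeyStore ks = loadKeyStore(type, path, password, "ssl.keyStore.path");
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, chars(password));                     // key password "may be empty" per the proposal
        return kmf;
    }

    private static TrustManagerFactory trustManagerFactory(String type, String path, String password) throws Exception {
        KeyStore ks = loadKeyStore(type, path, password, "ssl.trustStore.path");
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf;
    }

    /** Enforces the "must not be empty" rule on the path before touching the file system. */
    private static KeyStore loadKeyStore(String type, String path, String password, String property) throws Exception {
        if (path == null || path.isEmpty())
            throw new IllegalArgumentException(property + " must not be empty when ssl.enabled=true");
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, chars(password));
        }
        return ks;
    }

    private static char[] chars(String password) {
        return (password == null ? "" : password).toCharArray();
    }
}
```

Loading the trust store only when clientAuth is not "none" keeps a mis-set trustStore.path from breaking a server that never validates client certificates, while still rejecting an empty path the moment client authentication is switched on.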
Follow the existing approach from Ignite 2.x:
In the CLI we use OkHttp to communicate with Ignite. To enable SSL we have to create an SSLSocketFactory and pass it to the OkHttpClient builder.

```java
// trustManagerForCertificates() and trustedCertificatesInputStream() are the helpers
// from OkHttp's CustomTrust recipe: they build an X509TrustManager from a PEM bundle.
X509TrustManager trustManager;
SSLSocketFactory sslSocketFactory;
try {
    trustManager = trustManagerForCertificates(trustedCertificatesInputStream());
    SSLContext sslContext = SSLContext.getInstance("TLS");
    // No key managers: the CLI only validates the server certificate here.
    sslContext.init(null, new TrustManager[] { trustManager }, null);
    sslSocketFactory = sslContext.getSocketFactory();
} catch (GeneralSecurityException e) {
    throw new RuntimeException(e);
}
// Passing the trust manager together with the factory lets OkHttp skip reflection to find it.
client = new OkHttpClient.Builder()
    .sslSocketFactory(sslSocketFactory, trustManager)
    .build();
```
Users can enable SSL on the CLI side via the ‘cli config set’ command.

```text
cli.trust-store.type=
cli.trust-store.path=
cli.trust-store.password=
```
The CLI security configuration should be stored in a separate config file with special permission settings to protect it from unauthorized read/write operations. This configuration file should match the profiles from the common configuration file.
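As an added example (not the Ignite CLI's own code), the following shows the CLI side end to end: the cli.trust-store.* properties are written to a file created with owner-only permissions, refused at load time if those permissions have loosened, and then used to build the OkHttpClient from a PKCS12 trust store through the JDK TrustManagerFactory instead of a hand-written trust manager. The CliSecurityConfig class, its file name and the "Ignite CLI security settings" comment are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;

final class CliSecurityConfig {
    static final String TYPE = "cli.trust-store.type";
    static final String PATH = "cli.trust-store.path";
    static final String PASSWORD = "cli.trust-store.password";

    /** Owner read/write only (0600), as the proposal asks for the separate security file. */
    private static final Set<PosixFilePermission> OWNER_ONLY = PosixFilePermissions.fromString("rw-------");
    private static final Set<PosixFilePermission> SHARED = EnumSet.of(
        PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
        PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    /** Creates the file with 0600 from the start, so there is no window in which it is world-readable. */
    static void save(Path file, Properties props) throws IOException {
        Files.deleteIfExists(file);
        Files.createFile(file, PosixFilePermissions.asFileAttribute(OWNER_ONLY)); // POSIX file systems only
        try (OutputStream out = Files.newOutputStream(file)) {
            props.store(out, "Ignite CLI security settings");
        }
    }

    /** Refuses to use a security file whose permissions have drifted to something group/others can read or write. */
    static Properties load(Path file) throws IOException {
        Set<PosixFilePermission> leaked = new HashSet<>(Files.getPosixFilePermissions(file));
        leaked.retainAll(SHARED);
        if (!leaked.isEmpty())
            throw new IOException(file + " must be rw-------, but grants " + leaked + " to group/others");
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            props.load(in);
        }
        return props;
    }

    /** Builds the OkHttp client the CLI talks to Ignite with, trusting only the certificates in the configured store. */
    static OkHttpClient httpClient(Properties props) throws IOException, GeneralSecurityException {
        String path = props.getProperty(PATH, "");
        if (path.isEmpty())
            throw new IllegalArgumentException(PATH + " must not be empty when SSL is enabled");
        KeyStore trustStore = KeyStore.getInstance(props.getProperty(TYPE, "PKCS12"));
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            trustStore.load(in, props.getProperty(PASSWORD, "").toCharArray()); // password may be empty
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        X509TrustManager trustManager = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                trustManager = (X509TrustManager) tm;
                break;
            }
        }
        if (trustManager == null)
            throw new GeneralSecurityException("No X509TrustManager could be built from " + path);
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, new TrustManager[] { trustManager }, null); // server-auth only, no client key
        return new OkHttpClient.Builder()
            .sslSocketFactory(sslContext.getSocketFactory(), trustManager)
            .build();
    }
}
```

Checking the permissions on every load rather than only at creation catches the common case where a user copies the file between machines or runs chmod on the whole profile directory; the trust store password is the only secret in the file, but a writable file would also let another local user swap the trust store path.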
Node-to-node networking is also based on Netty, and its configuration will be the same as described in the Ignite Client section. The only difference is in the AI3 configuration section.

```json
"network": {
  "ssl": {
    "enabled": false,
    "clientAuth": "none",
    "keyStore": {
      "type": "PKCS12",
      "path": "must not be empty",
      "password": "may be empty"
    },
    "trustStore": {
      "type": "PKCS12",
      "path": "must not be empty",
      "password": "may be empty"
    }
  }
}
```