Versions Compared

...

Note for people used to GemFire: GemFire cluster members periodically contacted the locator to renew discovery information. This is not the case with Geode, where, since the implementation of a new group membership service (see GEODE-77), the locator is only used at startup.



Basic Settings:

Except for the first two settings, these are all of the same character as the current cluster-ssl settings. The only difference is that they apply to all SSL connections.

...

SSL is either enabled for all components or for specific components. Specifying that SSL is enabled for a component applies to both the server-socket side and the client-socket side. That is, if you have a locator with SSL enabled, then any process that is going to communicate with that locator must have SSL enabled for the locator component. There are examples further down in this document showing how to do this.

 

ssl-enabled-components=[all, cluster, server, gateway, locator, http, jmx]

...

Using component names like this is extensible, so adding a new component will require minimal configuration changes.

 

ssl-require-authentication-components=[all, cluster, server, gateway, locator, http, jmx] (default "all")

ssl-certificate-alias=[empty,string] (default - use first cert in keystore)

ssl-certificate-password=[empty,string]

ssl-protocols=space separated list (default "any")

ssl-cipher-suites=space separated list (default "any")

SSL-require-authentication=[true,false] (default true)

ssl-keystore=path

ssl-keystore-password=string

ssl-truststore=path

SSL-truststore-password=string




Alias overrides:

 

These allow you to configure different certificates for each component. They override ssl-certificate-alias and ssl-certificate-password for the component.

ssl-<component name>-certificate-alias=string

ssl-<component name>-certificate-password=string





Example: secure communications throughout

 

Each process needs to set these properties:

ssl-enabled-components=all

ssl-keystore=secure/keystore.dat

ssl-keystore-password=changeit

ssl-truststore=secure/truststore.dat

ssl-truststore-password=changeit

...

If the key store has multiple certificates you may want to specify the alias of the one you wish to use for each process. For instance:

ssl-certificate-alias=Hiroki

ssl-certificate-password=changeit





Example: non-secure cluster communications, secure client/server

 

server:

ssl-enabled-components=server,locator  NOTE: cluster SSL not enabled

ssl-server-certificate-alias=server

ssl-keystore=secure/keystore.dat

ssl-keystore-password=changeit

ssl-truststore=secure/truststore.dat

ssl-truststore-password=changeit

locator:

ssl-enabled-components=locator         NOTE: cluster SSL not enabled

ssl-locator-certificate-alias=locator

ssl-keystore=secure/keystore.dat

ssl-keystore-password=changeit

ssl-truststore=secure/truststore.dat

ssl-truststore-password=changeit

client:

ssl-enabled-components=server,locator

ssl-keystore=secret/keystore.dat

ssl-keystore-password=changeit

ssl-truststore=secret/truststore.dat

ssl-truststore-password=changeit

...

Since the client did not specify a certificate alias, SSL will use the default certificate in its key store.
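As an added example (not Geode's code and not part of the original page), a small Python checker that applies the rules from the two examples above: it expands ssl-enabled-components, resolves the per-component certificate-alias override, and verifies that both ends of a connection agree on SSL for the component they share. The property text it parses is constructed from the client/server example.

```python
# Constructed example, not Geode code: resolves the ssl-* settings
# described above from gemfire.properties-style text.
COMPONENTS = ("cluster", "server", "gateway", "locator", "http", "jmx")

def parse_properties(text):
    """Minimal key=value parser; '#'/'!' lines are comments (Java style)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def enabled_components(props):
    """Expand ssl-enabled-components; 'all' means every component."""
    raw = props.get("ssl-enabled-components", "")
    names = {n.strip() for n in raw.split(",") if n.strip()}
    if "all" in names:
        return set(COMPONENTS)
    unknown = names - set(COMPONENTS)
    if unknown:
        raise ValueError(f"unknown ssl component(s): {sorted(unknown)}")
    return names

def effective_alias(props, component):
    """Per-component override beats ssl-certificate-alias; None means the
    documented default (first certificate in the keystore)."""
    return props.get(f"ssl-{component}-certificate-alias",
                     props.get("ssl-certificate-alias"))

def check_peer(a, b, component):
    """Both ends of a connection must enable SSL for the shared component.
    Returns a list of findings (empty when the two members agree)."""
    a_on = component in enabled_components(a)
    b_on = component in enabled_components(b)
    if a_on != b_on:
        return [f"{component}: SSL enabled on one side only (a={a_on}, b={b_on})"]
    return []

# Constructed members mirroring the client/server example above.
LOCATOR = parse_properties("""
ssl-enabled-components=locator
ssl-locator-certificate-alias=locator
""")
SERVER = parse_properties("""
ssl-enabled-components=server,locator
ssl-server-certificate-alias=server
""")
CLIENT = parse_properties("ssl-enabled-components=server,locator")
PLAIN_CLIENT = parse_properties("ssl-enabled-components=server")  # forgot locator
```

Running check_peer(PLAIN_CLIENT, LOCATOR, "locator") reports the mismatch the text warns about: a client that leaves the locator component out cannot talk to an SSL-enabled locator.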


Issues:

 

  1. Should each component have an option to enable/disable ssl-require-authentication? Most HTTP services, for instance, don't require client authentication.
     Resolution: new settings added.