...
there is a single set of configuration options for SSL keystore, truststore, protocols and cipher-suites
a new "locator" component is added to the mix of cluster, server, web and gateway components for SSL configuration
SSL can be enabled for all components or for selected components
Each component can be assigned an alias for certificate lookup in the key store. If an alias is not assigned to a component it will use the default certificate in the key store.
...
Note for people used to GemFire: GemFire cluster members periodically contacted the locator to renew discovery information. This is not the case with Geode where, since the implementation of a new group membership service (see GEODE-77) the locator is only used at startup.
Basic Settings:
Except for the first two settings these are all of the same character as the current cluster-ssl settings. The only difference here is that they apply to all SSL connections.
...
SSL is either enabled for all components or for specific components. Specifying that SSL is enabled for a component applies to the server-socket side and the client-socket side. That is, if you have a locator with SSL enabled then any process that is going to communicate with that locator must have SSL enabled for the locator component. There are some examples further down in this document showing how to do this.
ssl-enabled-components=[all, cluster, server, gateway, locator, web, jmx]
all = any component being used will have SSL enabled
cluster = peer-to-peer communication between members
server = communication between client and server
...
locator = communication with locators
web = web-based communication (the HTTP services, e.g. REST)
jmx = Java Management Extensions (JMX) communication
Using component names like this is extensible, so adding a new component in the future requires minimal configuration changes.
ssl-require-authentication=[true,false] (default "true") – all components except web are governed by this setting
ssl-web-require-authentication=[true,false] (default "false") – the web service (REST) can enable/disable mutual SSL authentication separately, because of the way users typically access it
ssl-default-alias=[empty,string] (default: use the first certificate in the key store)
ssl-protocols=comma separated list (default "any")
ssl-ciphers=comma separated list (default "any")
ssl-keystore=path
ssl-keystore-password=string
ssl-truststore=path
ssl-truststore-password=string
Alias overrides:
These alias overrides allow you to configure a different certificate for each component. They override ssl-default-alias for the specified component.
ssl-<component name>-alias=string, e.g. ssl-server-alias, ssl-jmx-alias
Example: secure communications throughout
Each process needs to set these properties:
ssl-enabled-components=all
ssl-keystore=secure/keystore.dat
ssl-keystore-password=changeit
ssl-truststore=secure/truststore.dat
ssl-truststore-password=changeit
...
If the key store has multiple certificates you may want to specify the alias of the one you wish to use for each process. For instance,
ssl-default-alias=Hiroki
Example: non-secure cluster communications, secure client/server
server:
ssl-enabled-components=server,locator (NOTE: cluster SSL not enabled)
ssl-server-alias=server
ssl-keystore=secure/keystore.dat
ssl-keystore-password=changeit
ssl-truststore=secure/truststore.dat
ssl-truststore-password=changeit
locator:
ssl-enabled-components=locator (NOTE: cluster SSL not enabled)
ssl-locator-alias=locator
ssl-keystore=secure/keystore.dat
ssl-keystore-password=changeit
ssl-truststore=secure/truststore.dat
ssl-truststore-password=changeit
client:
ssl-enabled-components=server,locator
ssl-keystore=secret/keystore.dat
ssl-keystore-password=changeit
ssl-truststore=secret/truststore.dat
ssl-truststore-password=changeit
...
The client's trust store must trust both the locator and server certificates. Because ssl-require-authentication defaults to true (mutual authentication), the locator's and server's trust stores must also trust the client's certificate.
Since the client did not specify a certificate alias, SSL will use the default certificate in its key store.
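The component semantics and alias overrides described above, together with the three-process example just given, as one added worked example (illustrative Python written for this page, not Geode code): a small model that parses the key=value subset of gemfire.properties used on this page, resolves which certificate alias and authentication mode apply to each component of a process, checks that both ends of a connection enable SSL for the component they communicate over (the rule stated earlier for locators), and flags the configurations the Issues section below warns about. The property names are the ones proposed on this page; the sample configurations are constructed from the second example plus one deliberately misconfigured client, and the audit checks are this example's own choices.

```python
# Illustrative model of the per-component SSL settings proposed on this page.
# Written for this page, not Geode code: it parses the key=value subset of
# gemfire.properties used here and applies the page's resolution rules.

COMPONENTS = ("cluster", "server", "gateway", "locator", "web", "jmx")


def parse_properties(text):
    """Parse 'key=value' lines into a dict; blank lines and '#' comment lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def enabled_components(props):
    """Expand ssl-enabled-components: 'all' means every component, empty means none."""
    names = {n.strip() for n in props.get("ssl-enabled-components", "").split(",") if n.strip()}
    if "all" in names:
        return set(COMPONENTS)
    unknown = names - set(COMPONENTS)
    if unknown:
        raise ValueError("unknown ssl component(s): %s" % sorted(unknown))
    return names


def resolve(props, component):
    """Effective settings for one component of one process. alias None means the
    key store's default certificate. Only 'web' follows ssl-web-require-authentication
    (default false); every other component follows ssl-require-authentication (default true)."""
    if component not in COMPONENTS:
        raise ValueError("unknown component: %s" % component)
    if component not in enabled_components(props):
        return {"enabled": False}
    alias = props.get("ssl-%s-alias" % component) or props.get("ssl-default-alias") or None
    if component == "web":
        require_auth = props.get("ssl-web-require-authentication", "false").lower() == "true"
    else:
        require_auth = props.get("ssl-require-authentication", "true").lower() == "true"
    return {"enabled": True, "alias": alias, "require_authentication": require_auth}


def check_peers(a, b, component):
    """Both ends of a connection must enable SSL for the component they talk over."""
    if resolve(a, component)["enabled"] != resolve(b, component)["enabled"]:
        return ["%s: SSL enabled on only one side of the connection" % component]
    return []


def audit(props):
    """Warnings for one process's settings (checks chosen for this example)."""
    warnings = []
    enabled = enabled_components(props)
    if enabled and not props.get("ssl-keystore"):
        warnings.append("ssl-keystore not set although SSL is enabled for %s" % sorted(enabled))
    if enabled and not props.get("ssl-truststore"):
        warnings.append("ssl-truststore not set: peer certificates cannot be verified")
    for component in sorted(enabled):
        if component != "web" and not resolve(props, component)["require_authentication"]:
            warnings.append("%s: mutual authentication disabled (ssl-require-authentication=false)" % component)
    for component in COMPONENTS:
        if props.get("ssl-%s-alias" % component) and component not in enabled:
            warnings.append("ssl-%s-alias is set but %s is not in ssl-enabled-components" % (component, component))
    return warnings


# Constructed sample configurations, taken from the second example on this page.
STORES = """
ssl-keystore=secure/keystore.dat
ssl-keystore-password=changeit
ssl-truststore=secure/truststore.dat
ssl-truststore-password=changeit
"""
SERVER = parse_properties("ssl-enabled-components=server,locator\nssl-server-alias=server" + STORES)
LOCATOR = parse_properties("ssl-enabled-components=locator\nssl-locator-alias=locator" + STORES)
CLIENT = parse_properties("ssl-enabled-components=server,locator" + STORES.replace("secure/", "secret/"))
# Constructed misconfiguration: SSL for servers but not for the locator it bootstraps from.
BAD_CLIENT = parse_properties("ssl-enabled-components=server" + STORES.replace("secure/", "secret/"))

if __name__ == "__main__":
    for name, props in (("server", SERVER), ("locator", LOCATOR), ("client", CLIENT)):
        print(name, {c: resolve(props, c) for c in COMPONENTS}, "audit:", audit(props) or "ok")
    print("client<->locator:", check_peers(CLIENT, LOCATOR, "locator") or "ok")
    print("bad client<->locator:", check_peers(BAD_CLIENT, LOCATOR, "locator"))
```

Running it prints, per process, the resolved settings for every component and any audit warnings, then the peer check: the client and locator from the example agree on the locator component, while the misconfigured client does not. Note that the model treats the parsed text as plain key=value pairs; it does not implement the escaping and alternative separators of the full Java Properties format.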
Issues:
Should each component have its own option to enable/disable ssl-require-authentication? All components except web should generally NOT disable mutual authentication: doing so would allow unauthenticated servers/clients to connect to the system. This is a security hole that users need to be made aware of if they choose to disable mutual authentication.
Most HTTP services, for instance, don't require client authentication. Resolution: a new setting was added, ssl-web-require-authentication, which governs only the web component and defaults to false.