Versions Compared

Comment: changed 'http' component to 'web'

...

  1. there is a single set of configuration options for SSL keystore, truststore, protocols and cipher-suites

  2. a new "locator" component is added to the mix of cluster, server, web and gateway components for SSL configuration

  3. SSL can be enabled for all components or for selected components

  4. Each component can be assigned an alias for certificate lookup in the key store. If no alias is assigned to a component, it uses the default certificate in the key store.

...

ssl-enabled-components=[all, cluster, server, gateway, locator, web, jmx]

all = any component being used will have SSL enabled

cluster = p2p communications

server = communication between client and server

...

locator = communication between locators

web = web-based communication

jmx = java management extension communications

...

ssl-require-authentication=[true,false] (default "true") – all components except web are governed by this setting

ssl-web-require-authentication=[true,false] (default "false") – the web service (REST) can enable/disable mutual SSL authentication separately, because of the way users typically access it over the web.

ssl-default-alias=[empty,string] (default - use first cert in keystore)


ssl-certificate-password=[empty,string]

...

ssl-protocols=comma separated list (default "any")

...

ssl-ciphers=comma separated list (default "any")

...

ssl-keystore=path

...

ssl-keystore-password=string

...

ssl-truststore=path

ssl-truststore-password=string

Alias overrides:

These alias overrides allow you to configure a different certificate for each component. They override ssl-default-alias and ssl-certificate-password for the specified component.

ssl-<component name>-certificate-alias=string

ssl-<component name>-certificate-password=string

e.g. ssl-server-certificate-alias, ssl-jmx-certificate-alias

Example: secure communications throughout

...

ssl-enabled-components=all

ssl-keystore=secure/keystore.dat

...

If the key store holds multiple certificates, you may want to specify the alias of the one each process should use. For instance,

ssl-default-alias=Hiroki

ssl-certificate-password=changeit

Example: non-secure cluster communications, secure client/server

 

server:

ssl-enabled-components=server,locator         NOTE: cluster SSL not enabled

ssl-server-certificate-alias=server

...

ssl-keystore=secure/keystore.dat

...

ssl-truststore-password=changeit

 

locator: 

ssl-enabled-components=locator         NOTE: cluster SSL not enabled

ssl-locator-certificate-alias=locator

...

ssl-keystore=secure/keystore.dat

...

ssl-truststore-password=changeit

 

client: 

ssl-enabled-components=server,locator

...

ssl-keystore=secret/keystore.dat

...

The client's trust store must trust both locator and server certificates.

 

Since the client did not specify a certificate alias, SSL uses the default certificate in its key store.
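The property list above and the two worked examples (secure communications throughout; non-secure cluster with secure client/server) both describe the same resolution rules: which components are SSL-enabled, which alias each one looks up (per-component override, then ssl-default-alias, then the first certificate in the key store), and that ssl-require-authentication governs every component except web, which has ssl-web-require-authentication. The following script is an added example, not Geode project code, that applies those rules to a properties file and flags the states the page warns about. The parser, function names, the list splitting (it accepts commas and/or whitespace) and the sample properties are assumptions of this example; the property names are the ones defined on this page, and the ssl-keystore-password and ssl-truststore values in the sample fill in parts the page elides.

```python
"""Resolve effective per-component SSL settings from the ssl-* properties
described on this page (added example; not Geode project code)."""
import re

# Component names defined on this page (the "http" component was renamed "web").
COMPONENTS = ("cluster", "server", "gateway", "locator", "web", "jmx")

# Constructed sample: the "non-secure cluster, secure client/server" server
# configuration from the page; keystore password and truststore path are assumed.
SERVER_PROPS = """\
ssl-enabled-components=server,locator
ssl-server-certificate-alias=server
ssl-keystore=secure/keystore.dat
ssl-keystore-password=changeit
ssl-truststore=secure/truststore.dat
ssl-truststore-password=changeit
"""


def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def split_list(value):
    """Split a list-valued property; accepts comma and/or whitespace separators."""
    return [item for item in re.split(r"[,\s]+", value.strip()) if item]


def as_bool(value, default):
    """Interpret a [true,false] property, falling back to the page's default."""
    if value is None:
        return default
    return value.strip().lower() == "true"


def resolve(props):
    """Return the effective SSL settings for every SSL-enabled component."""
    enabled = split_list(props.get("ssl-enabled-components", ""))
    unknown = [c for c in enabled if c != "all" and c not in COMPONENTS]
    if unknown:
        raise ValueError(f"unknown component(s) in ssl-enabled-components: {unknown}")
    enabled_set = set(COMPONENTS) if "all" in enabled else set(enabled)

    # An empty default alias means "use the first certificate in the keystore".
    default_alias = props.get("ssl-default-alias", "") or None
    require_auth = as_bool(props.get("ssl-require-authentication"), True)
    web_require_auth = as_bool(props.get("ssl-web-require-authentication"), False)

    effective = {}
    for comp in COMPONENTS:
        if comp not in enabled_set:
            continue
        # Per-component alias override, else the default alias, else first cert (None).
        alias = props.get(f"ssl-{comp}-certificate-alias") or default_alias
        effective[comp] = {
            "alias": alias,
            "require_authentication": web_require_auth if comp == "web" else require_auth,
            "protocols": split_list(props.get("ssl-protocols", "any")),
            "ciphers": split_list(props.get("ssl-ciphers", "any")),
        }
    return effective


def audit(props):
    """Flag the configuration states this page calls out as risky or inconsistent."""
    findings = []
    effective = resolve(props)
    if effective:
        for required in ("ssl-keystore", "ssl-truststore"):
            if not props.get(required):
                findings.append(f"{required} is not set but SSL is enabled")
    for comp, settings in effective.items():
        # The page: every component except web should keep mutual authentication.
        if comp != "web" and not settings["require_authentication"]:
            findings.append(f"{comp}: mutual SSL authentication is disabled")
    for key in props:
        # An alias override for a component that is not SSL-enabled is dead config.
        match = re.fullmatch(r"ssl-(\w+)-certificate-alias", key)
        if match and match.group(1) not in effective:
            findings.append(f"{key} is set for a component that is not SSL-enabled")
    return findings


if __name__ == "__main__":
    props = parse_properties(SERVER_PROPS)
    for comp, settings in resolve(props).items():
        print(comp, settings)
    print("findings:", audit(props) or "none")
```

Running it on the sample shows the server's own connections using the "server" alias while its locator connections fall back to the default certificate, exactly the lookup order the page describes; switching ssl-require-authentication to false for a cluster-enabled configuration produces a finding, which is the state the open question at the end of the page identifies as a security hole.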

...

  1. Should each component have its own option to enable/disable ssl-require-authentication? All components except web should generally NOT disable mutual authentication, since doing so lets unauthenticated servers/clients connect to the system. This is a security hole that the user needs to be aware of if they choose to disable mutual authentication.

  2. Most HTTP services, for instance, don't require client authentication.
       Resolution: new setting added: ssl-web-require-authentication