You configure SSL for mutual authentication between members and to protect your data during distribution. You can use SSL alone or in conjunction with the other GemFire security options.
| Property | Description |
|---|---|
| cluster-ssl-enabled | Boolean to enable or disable SSL for peer-to-peer connections in the cluster. |
| cluster-ssl-ciphers | A space-separated list of the valid SSL ciphers for peer-to-peer connections. A setting of 'any' uses any ciphers that are enabled by default in the configured JSSE provider. |
| cluster-ssl-protocols | A space-separated list of the valid SSL protocols for peer-to-peer connections in the cluster. A setting of 'any' uses any protocol that is enabled by default in the configured JSSE provider. |
| cluster-ssl-require-authentication | Boolean indicating whether to require authentication for member communication. |
| cluster-ssl-keystore | Identifies the keystore to use for peer-to-peer connections. |
| cluster-ssl-keystore-type | Identifies the type of keystore used for peer-to-peer connections. |
| cluster-ssl-keystore-password | Identifies the keystore password for peer-to-peer connections. |
| cluster-ssl-truststore | Identifies the truststore file for peer-to-peer connections. |
| cluster-ssl-truststore-password | Identifies the truststore password for peer-to-peer connections. |
If you configure the above peer-to-peer SSL properties, then by default GemFire uses the same SSL property values for all stream-socket communication. This includes communication between cache servers and clients and between the JMX manager and JMX clients.
You can independently configure SSL for client/server connections, JMX connections, or HTTP connections by including the appropriate prefix for the connection type you want to configure. For example, the property used to configure the SSL protocols for client/server communication is server-ssl-protocols. The property used to configure SSL protocols for the JMX manager is jmx-manager-ssl-protocols.
The following table lists the SSL configuration property names used to configure SSL for peer-to-peer, client/server, JMX manager, and HTTP Service connections. Remember that if you do not define a client/server, JMX, or HTTP property, then GemFire uses the property value defined for peer-to-peer communication (cluster-ssl*) or the default peer-to-peer property value if unspecified.
The HTTP Service connection properties configure SSL connections for all HTTP-based services hosted on the configured server. This can include the Developer REST API service, the Management REST API service (used for remote cluster management) and the Pulse monitoring tool.
| Peer-to-Peer Connection Property (provides default value for all other connection types) | Client/Server Connection Property | JMX Manager Connection Property | HTTP Service Connection Property |
|---|---|---|---|
- Make sure your Java installation includes the JSSE API and familiarize yourself with its use. For information, see the Oracle JSSE website http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136007.html.
- Configure your security provider:
- Specify the SSL provider in the lib/security/java.security file under your JRE home directory. Indicate the providers you are using for your certificate, protocol, and cipher suites. Your Java installation should include information on how to modify this file for this. The security file is usually self-documenting.
- Specify provider-required configuration settings. These are usually keystore and truststore configuration parameters, such as the keystore and truststore properties described above. Your provider documentation should describe specific configuration requirements. You can add these configurations in a separate, restricted-access gfsecurity.properties file. Remember to override any peer-to-peer properties that you do not want to apply to client/server, JMX, or HTTP connections. For example, if you want to use a dedicated keystore for client/server connections (using another, separate keystore for all other connection types), then specify both cluster-ssl-keystore and server-ssl-keystore.
- Configure SSL as needed for each
- Use locators for member discovery within the distributed systems and for client discovery of servers. See Configuring Peer-to-Peer Discovery and Configuring a Client/Server System.
- Configure SSL properties as necessary for different connection types, using the properties listed in Table 1 and described further in gemfire.properties and gfsecurity.properties (GemFire Properties). For example, to enable SSL for communication between clients and servers you would configure properties in the gemfire.properties file similar to:

  ```
  server-ssl-enabled=true
  server-ssl-protocols=any
  server-ssl-require-authentication=true
  server-ssl-ciphers=SSL_RSA_WITH_NULL_MD5 SSL_RSA_WITH_NULL_SHA
  server-ssl-keystore-type=jks
  server-ssl-keystore=/path/to/trusted.keystore
  server-ssl-keystore-password=password
  server-ssl-truststore=/path/to/trusted.keystore
  server-ssl-truststore-password=password
  ```
- Keep in mind that if you define any peer-to-peer SSL properties (properties that begin with cluster-ssl-), then those property values act as defaults for any corresponding SSL connection properties that you do not configure. Configure the SSL property for each connection type (server-ssl-, jmx-manager-ssl-, and/or http-service-ssl-) if the peer-to-peer value is not applicable to that connection.
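The fallback rule in the steps above (cluster-ssl-* values serve as defaults for the server-ssl-, jmx-manager-ssl- and http-service-ssl- properties you leave unset) is easy to misjudge when reviewing a configuration, so the following added example, which is not GemFire's own code, resolves the effective settings for each connection type from a gemfire.properties text and reports weak results. The prefix list follows this page, while the default values, the audit rules and the sample properties are assumptions constructed for the example.

```python
# Added example (not GemFire code): resolve effective SSL settings per
# connection type (own prefix -> cluster-ssl-* -> default) and audit them.
# Property prefixes for the four connection types named on this page.
PREFIXES = {"cluster": "cluster-ssl", "server": "server-ssl",
            "jmx": "jmx-manager-ssl", "http": "http-service-ssl"}
# Assumed defaults for unspecified cluster-ssl-* properties; check them
# against the GemFire Properties reference for your release.
DEFAULTS = {"enabled": "false", "protocols": "any", "ciphers": "any",
            "require-authentication": "true", "keystore": "", "truststore": ""}

def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def effective_ssl(props, conn):
    """Resolve each attribute: own prefix, else cluster-ssl-*, else default."""
    own, base = PREFIXES[conn], PREFIXES["cluster"]
    return {a: props.get(f"{own}-{a}", props.get(f"{base}-{a}", d))
            for a, d in DEFAULTS.items()}

def audit(settings):
    """Findings a defender wants to see for one resolved connection type."""
    findings = []
    if settings["enabled"].lower() != "true":
        findings.append("SSL disabled")
    if any("_NULL_" in c for c in settings["ciphers"].split()):
        findings.append("NULL cipher suite: integrity only, no confidentiality")
    if settings["require-authentication"].lower() != "true":
        findings.append("client certificates not required (no mutual auth)")
    return findings

# Constructed sample: cluster-wide values, a server override, a JMX override.
SAMPLE = """
cluster-ssl-enabled=true
cluster-ssl-keystore=/path/to/cluster.keystore
server-ssl-ciphers=SSL_RSA_WITH_NULL_MD5 SSL_RSA_WITH_NULL_SHA
server-ssl-keystore=/path/to/trusted.keystore
jmx-manager-ssl-require-authentication=false
"""

if __name__ == "__main__":
    for conn in PREFIXES:
        print(conn, audit(effective_ssl(parse_properties(SAMPLE), conn)))
```

Run against the sample, the JMX and HTTP connections inherit the cluster keystore, the JMX connection is flagged because its override drops client authentication, and the client/server connection is flagged because the SSL_RSA_WITH_NULL_* suites from the example above authenticate the peer but do not encrypt the data.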