Pivotal GemFire® v8.2

Configuring SSL

You configure SSL for mutual authentication between members and to protect your data during distribution. You can use SSL alone or in conjunction with the other GemFire security options.

Overview

GemFire uses SSL connections from the Java Secure Sockets Extension (JSSE) package. You use GemFire configuration properties to enable or disable SSL, to identify SSL ciphers and protocols, and to provide the location and credentials for key and trust stores. For example, the following properties configure the basic SSL settings for peer-to-peer connections between GemFire members in a cluster:
Property                              Description
cluster-ssl-enabled                   Boolean to enable or disable SSL for peer-to-peer connections in the cluster.
cluster-ssl-ciphers                   A space-separated list of the valid SSL ciphers for peer-to-peer connections. A setting of 'any' uses any ciphers that are enabled by default in the configured JSSE provider.
cluster-ssl-protocols                 A space-separated list of the valid SSL protocols for peer-to-peer connections in the cluster. A setting of 'any' uses any protocol that is enabled by default in the configured JSSE provider.
cluster-ssl-require-authentication    Boolean indicating whether to require authentication for member communication. When true, the remote side must present a certificate that is trusted by the truststore (mutual authentication).
cluster-ssl-keystore                  Identifies the keystore to use for peer-to-peer connections.
cluster-ssl-keystore-type             Identifies the type of keystore used for peer-to-peer connections.
cluster-ssl-keystore-password         Identifies the keystore password for peer-to-peer connections.
cluster-ssl-truststore                Identifies the truststore file for peer-to-peer connections.
cluster-ssl-truststore-password       Identifies the truststore password for peer-to-peer connections.

If you configure the above peer-to-peer SSL properties, then by default GemFire uses the same SSL property values for all stream-socket communication. This includes communication between cache servers and clients and between the JMX manager and JMX clients.

You can independently configure SSL for client/server connections, JMX connections, or HTTP connections by including the appropriate prefix for the connection type you want to configure. For example, the property used to configure the SSL protocols for client/server communication is server-ssl-protocols. The property used to configure SSL protocols for the JMX manager is jmx-manager-ssl-protocols.

The following table lists the SSL configuration property names used to configure SSL for peer-to-peer, client/server, JMX manager, and HTTP Service connections. Remember that if you do not define a client/server, JMX, or HTTP property, then GemFire uses the property value defined for peer-to-peer communication (cluster-ssl-*), or the default peer-to-peer property value if that is unspecified.

The HTTP Service connection properties configure SSL connections for all HTTP-based services hosted on the configured server. This can include the Developer REST API service, the Management REST API service (used for remote cluster management) and the Pulse monitoring tool.

Table 1. SSL Configuration Property Names by Connection Type

Peer-to-Peer Connection Property        Client/Server Connection Property      JMX Manager Connection Property           HTTP Service Connection Property
(provides default value for all
other connection types)
cluster-ssl-enabled                     server-ssl-enabled                     jmx-manager-ssl-enabled                   http-service-ssl-enabled
cluster-ssl-ciphers                     server-ssl-ciphers                     jmx-manager-ssl-ciphers                   http-service-ssl-ciphers
cluster-ssl-protocols                   server-ssl-protocols                   jmx-manager-ssl-protocols                 http-service-ssl-protocols
cluster-ssl-require-authentication      server-ssl-require-authentication      jmx-manager-ssl-require-authentication    http-service-ssl-require-authentication
cluster-ssl-keystore-type               server-ssl-keystore-type               jmx-manager-ssl-keystore-type             http-service-ssl-keystore-type
cluster-ssl-keystore                    server-ssl-keystore                    jmx-manager-ssl-keystore                  http-service-ssl-keystore
cluster-ssl-keystore-password           server-ssl-keystore-password           jmx-manager-ssl-keystore-password         http-service-ssl-keystore-password
cluster-ssl-truststore                  server-ssl-truststore                  jmx-manager-ssl-truststore                http-service-ssl-truststore
cluster-ssl-truststore-password         server-ssl-truststore-password         jmx-manager-ssl-truststore-password       http-service-ssl-truststore-password

Procedure

  1. Make sure your Java installation includes the JSSE API and familiarize yourself with its use. For information, see the Oracle JSSE website http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136007.html.
  2. Configure your security provider:
    1. Specify the SSL provider in the lib/security/java.security file under your JRE home directory. Indicate the providers you are using for your certificate, protocol, and cipher suites. Your Java installation should include information on how to modify this file for this. The security file is usually self-documenting.
    2. Specify provider-required configuration settings. These are usually keystore and truststore configuration parameters, such as the keystore and truststore properties described above. Your provider documentation should describe specific configuration requirements. You can add these configurations in a separate, restricted-access gfsecurity.properties file. Remember to override any peer-to-peer properties that you do not want to apply to client/server, JMX, or HTTP connections. For example, if you want to use a dedicated keystore for client/server connections (using another, separate keystore for all other connection types), then specify both cluster-ssl-keystore and server-ssl-keystore.
  3. Configure SSL as needed for each connection type:
    1. Use locators for member discovery within the distributed system and for client discovery of servers. See Configuring Peer-to-Peer Discovery and Configuring a Client/Server System.
    2. Configure SSL properties as necessary for different connection types, using the properties listed in Table 1 and described further in gemfire.properties and gfsecurity.properties (GemFire Properties). For example, to enable SSL with mutual authentication for communication between clients and servers, you would configure properties in the gemfire.properties file similar to:
      server-ssl-enabled=true
      server-ssl-protocols=TLSv1.2
      server-ssl-require-authentication=true
      server-ssl-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
      server-ssl-keystore-type=jks
      server-ssl-keystore=/path/to/trusted.keystore
      server-ssl-keystore-password=password
      server-ssl-truststore=/path/to/trusted.keystore
      server-ssl-truststore-password=password
      Choose the cipher list deliberately. Suites whose names contain NULL (for example SSL_RSA_WITH_NULL_MD5 and SSL_RSA_WITH_NULL_SHA) authenticate the peer but do not encrypt the data, so they do not protect your data during distribution; the exact suite names available depend on your JSSE provider and JRE version. Likewise, a protocols setting of 'any' accepts whatever the JSSE provider enables by default, which on older JREs can include SSLv3 and TLSv1, so list the protocols you intend to allow. Because the keystore and truststore passwords appear in clear text, keep these properties in a gfsecurity.properties file with restricted file permissions rather than in a world-readable gemfire.properties.
    3. Keep in mind that if you define any peer-to-peer SSL properties (properties that begin with cluster-ssl-) then those property values act as defaults for any corresponding SSL connection properties that you do not configure. Configure the SSL property for each connection type (server-ssl-, jmx-manager-ssl-, and/or http-service-ssl-) if the peer-to-peer value is not applicable to that connection.
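The fallback rule described above (a server-ssl-*, jmx-manager-ssl-* or http-service-ssl-* property defaults to the matching cluster-ssl-* value) is easy to get wrong when a properties file mixes cluster-wide and per-connection settings. The following script is an added example for this page, not GemFire code: it reads a gemfire.properties or gfsecurity.properties file, computes the effective SSL settings for each connection type using that rule, and reports the settings a reviewer would question (NULL or anonymous cipher suites, unpinned protocols, authentication switched off, missing stores). The built-in defaults in BUILTIN, the review rules in findings(), the sample properties, and the /etc/gemfire paths are assumptions made for illustration.

```python
"""Resolve effective GemFire SSL settings per connection type and flag weak ones.

Added example, not GemFire code. Applies the documented fallback rule
(server-ssl-*, jmx-manager-ssl-* and http-service-ssl-* default to the matching
cluster-ssl-* value) to a properties file and reports settings worth a second
look. BUILTIN, the rules in findings() and SAMPLE_PROPERTIES are assumptions.
"""
from __future__ import annotations

# Connection-type prefixes; "cluster" supplies the default for the other three.
PREFIXES = ("cluster", "server", "jmx-manager", "http-service")
SUFFIXES = ("enabled", "protocols", "ciphers", "require-authentication",
            "keystore-type", "keystore", "keystore-password",
            "truststore", "truststore-password")

# Assumed values when neither the specific key nor cluster-ssl-* is set.
BUILTIN = {"enabled": "false", "protocols": "any", "ciphers": "any",
           "require-authentication": "true"}


def parse_properties(text: str) -> dict[str, str]:
    """Minimal java.util.Properties reader: key=value or key:value, # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            props[line] = ""
            continue
        sep = min(seps)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def effective(props: dict[str, str], prefix: str, suffix: str) -> str | None:
    """Specific key wins, then cluster-ssl-*, then the assumed built-in default."""
    for key in (f"{prefix}-ssl-{suffix}", f"cluster-ssl-{suffix}"):
        if key in props:
            return props[key]
    return BUILTIN.get(suffix)


def resolve(props: dict[str, str]) -> dict[str, dict[str, str | None]]:
    """Effective SSL settings for every connection type."""
    return {p: {s: effective(props, p, s) for s in SUFFIXES} for p in PREFIXES}


def findings(props: dict[str, str]) -> list[str]:
    """Assumed review rules: NULL/anonymous suites, protocols left at 'any',
    authentication off, missing stores. Only SSL-enabled connection types count."""
    out = []
    for prefix, cfg in resolve(props).items():
        if cfg["enabled"] != "true":
            continue
        weak = [c for c in (cfg["ciphers"] or "").split()
                if "_NULL_" in c or "_anon_" in c]
        if weak:
            out.append(f"{prefix}: no-encryption/anonymous suite(s): {' '.join(weak)}")
        if cfg["protocols"] == "any":
            out.append(f"{prefix}: protocols=any defers to the JSSE default list; pin TLSv1.2")
        if cfg["require-authentication"] != "true":
            out.append(f"{prefix}: require-authentication is off; the peer is not authenticated")
        for store in ("keystore", "truststore"):
            if not cfg[store]:
                out.append(f"{prefix}: no {store} configured")
    return out


# Constructed sample, not a real deployment: cluster-wide settings are sound,
# client/server overrides the keystore and (mistakenly) the ciphers, the HTTP
# service turns authentication off, and the JMX manager inherits everything.
SAMPLE_PROPERTIES = """\
cluster-ssl-enabled=true
cluster-ssl-protocols=TLSv1.2
cluster-ssl-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
cluster-ssl-require-authentication=true
cluster-ssl-keystore-type=jks
cluster-ssl-keystore=/etc/gemfire/cluster.jks
cluster-ssl-keystore-password=changeit
cluster-ssl-truststore=/etc/gemfire/trust.jks
cluster-ssl-truststore-password=changeit
server-ssl-keystore=/etc/gemfire/server.jks
server-ssl-ciphers=SSL_RSA_WITH_NULL_MD5 SSL_RSA_WITH_NULL_SHA
http-service-ssl-require-authentication=false
"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for prefix, cfg in resolve(props).items():
        print(f"{prefix}: keystore={cfg['keystore']} ciphers={cfg['ciphers']}")
    for line in findings(props):
        print("WARN", line)
```

Run against the sample, the JMX manager resolves to the cluster keystore and ciphers, the client/server connection keeps the cluster truststore but picks up its own keystore and the NULL suites, and only the server and http-service connection types produce findings. Point parse_properties at your own gfsecurity.properties content to check a real configuration the same way.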