Multi-Site (WAN) Deployment Security
Multi-Site (WAN) Deployment Security
In addition to peer and client authentication, Pivotal GemFire can authenticate remote sites.
- Implement membership authentication. Depending on your installation and security requirements, you may use a combination of peer-to-peer, client/server, and multi-site settings.
- Joining members provide credentials to existing members who check the credentials and either reject the joining member or approve it. In terms of multi-site authentication, gateway senders and gateway receivers mutually authenticate each other when they connect.
- If you want to use secure socket layer (SSL) protocol for your peer-to-peer and client/server connections, implement that. You can configure SSL separately for peer-to-peer, client/server, JMX, and WAN gateway connections.
Gateway SSL Configuration
The following table lists the SSL configuration property names used to configure SSL for peer-to-peer and WAN gateway connections. Remember that if you do not define a client/server, JMX, or WAN property, then GemFire uses the property value defined for peer-to-peer communication (cluster-ssl*) or the default peer-to-peer property value if unspecified.
| Peer-to-Peer Connection Property (provides default value for all other connection types) |
WAN Gateway Connection Property |
|---|---|
| cluster-ssl-enabled | gateway-ssl-enabled |
| cluster-ssl-ciphers | gateway-ssl-ciphers |
| cluster-ssl-protocols | gateway-ssl-protocols |
| cluster-ssl-require-authentication | gateway-ssl-require-authentication |
| cluster-ssl-keystore-type | gateway-ssl-keystore-type |
| cluster-ssl-keystore | gateway-ssl-keystore |
| cluster-ssl-keystore-password | gateway-ssl-keystore-password |
| cluster-ssl-truststore | gateway-ssl-truststore |
| cluster-ssl-keystore-password | gateway-ssl-keystore-password |
If you configure the above peer-to-peer SSL properties, then by default GemFire uses the same SSL property values for all stream-socket communication. This includes communication between cache servers and clients, between the JMX manager and JMX clients, and between two GemFire distributed systems connected by a WAN gateway.