为获得最大安全性,请验证 GemFire TLS 处理程序中密码套件的正确使用。
过程
- 要验证密码套件是否已激活,请在每个节点上运行以下命令来验证协议是否已激活:
1. # grep inter_cluster.supported_cipher_suites /storage/vcops/user/conf/ssl/secure-communications.properties or 2. # grep default.supported_cipher_suites /storage/vcops/user/conf/ssl/secure-communications.properties
如果命令 1 的结果为空,则表示 inter_cluster 属性未直接指定,将使用可通过命令 2 获取的默认值。以下结果是预期的:inter_cluster. supported_cipher_suites = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
如果命令 1 的结果为空,则以下是命令 2 的预期结果。default. supported_cipher_suites = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- 配置正确的密码套件。
- 导航至 URL/admin 处的管理员用户界面。
- 要使集群脱机,请单击脱机。
- 要配置正确的密码套件,请运行以下命令:
sed -i "/^[^#]*inter_cluster.supported_cipher_suites/ c\inter_cluster.supported_cipher_suites = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" /storage/vcops/user/conf/ssl/secure-communications.properties
如果命令 1 的结果为空,请使用以下命令设置密码套件:sed -i "/^[^#]*default.supported_cipher_suites/ c\default.supported_cipher_suites = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" /storage/vcops/user/conf/ssl/secure-communications.properties
为每个节点重复此步骤。 - 导航至 URL/admin 处的管理员用户界面。
- 单击联机。