This section describes how to implement TLS-based communication between your clients and servers using the OpenSSL encryption utility. When configuring TLS/SSL security for your client, you may find it helpful to refer to the SSL section of the GemFire User Guide.
The open-source OpenSSL toolkit provides a full-strength general purpose cryptography library for encrypting client-server communications.
Download and install OpenSSL 1.1.1 for your specific operating system.
Notes for Windows users:
For Windows platforms, you can use either the regular or the “Light” version of OpenSSL.
Use a 64-bit implementation of OpenSSL.
If you use Cygwin, do not use the OpenSSL library that comes with Cygwin, which is built with cygwin.dll as a dependency. Instead, download a fresh copy from OpenSSL.
For many Windows applications, the most convenient way to install OpenSSL is to use choco (see [chocolatey.org](https://chocolatey.org/packages/OpenSSL.Light)) to install the “Light” version of OpenSSL.
The GemFire server requires keys and keystores in the Java Key Store (JKS) format, while the native client requires them in the clear PEM format. Thus you need to be able to generate private/public keypairs in either format and convert between the two using the keytool utility and the
On the server, enable SSL for the server components, as the SSL-enabled client must be able to communicate with both locator and server components.
On the client, set ssl-truststore to point to your keystore files. Paths to the keystore and truststore are local to the client. See Security Properties for a description of these properties.
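The keystore preparation and property configuration described above, carried through end to end as an added example (not part of the original page): a server identity in JKS, a client identity in PEM, each side's truststore built from the other's certificate, and the property fragments each side reads. Host names, aliases and the password are constructed placeholders; the certificates are self-signed only to keep the example self-contained.

```shell
#!/bin/sh
# Constructed example: build matching TLS material for a GemFire server (JKS)
# and a native client (PEM), then write the property files each side reads.
# Host names, aliases and the password are placeholders; supply real ones.
set -eu

make_gemfire_tls_material() {
  out="$1"; server_cn="$2"; client_cn="$3"; pass="$4"
  mkdir -p "$out/server" "$out/client"
  # 1. Server identity in JKS, as the Java-based server expects. Self-signed
  #    here for brevity; a CA-issued certificate is imported the same way.
  keytool -genkeypair -storetype JKS -keyalg RSA -keysize 2048 -validity 365 \
    -alias server -dname "CN=$server_cn" \
    -keystore "$out/server/keystore.jks" -storepass "$pass" -keypass "$pass"

  # 2. Export the server certificate as PEM (-rfc); it becomes the client's
  #    ssl-truststore, so the client only accepts this server identity.
  keytool -exportcert -rfc -alias server -keystore "$out/server/keystore.jks" \
    -storepass "$pass" -file "$out/client/truststore.pem"

  # 3. Client identity directly in PEM. The native client's ssl-keystore is
  #    one file holding the private key followed by the certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$client_cn" \
    -keyout "$out/client/client.key" -out "$out/client/client.crt" 2>/dev/null
  cat "$out/client/client.key" "$out/client/client.crt" > "$out/client/keystore.pem"
  chmod 600 "$out/client/client.key" "$out/client/keystore.pem"

  # 4. The server must trust the client certificate: import the PEM cert
  #    into a JKS truststore (keytool reads PEM directly, no conversion needed).
  keytool -importcert -noprompt -storetype JKS -alias client \
    -file "$out/client/client.crt" \
    -keystore "$out/server/truststore.jks" -storepass "$pass"

  # 5. Property fragments: server-side cluster properties, then the native
  #    client properties (paths are local to each side).
  cat > "$out/server/geode.properties" <<EOF
ssl-enabled-components=all
ssl-keystore=$out/server/keystore.jks
ssl-keystore-password=$pass
ssl-truststore=$out/server/truststore.jks
ssl-truststore-password=$pass
EOF
  cat > "$out/client/geode.properties" <<EOF
ssl-enabled=true
ssl-keystore=$out/client/keystore.pem
ssl-truststore=$out/client/truststore.pem
EOF
}

# Sanity check before starting anything: the server cert validates against the
# client truststore, and the client alias is present in the server truststore.
verify_gemfire_tls_material() {
  openssl verify -CAfile "$1/client/truststore.pem" "$1/client/truststore.pem" >/dev/null &&
  keytool -list -keystore "$1/server/truststore.jks" -storepass "$2" -alias client >/dev/null
}
```

Run as `make_gemfire_tls_material /tmp/gemfire-tls locator.example.test client.example.test changeit` and then `verify_gemfire_tls_material /tmp/gemfire-tls changeit`; in production, pass the keystore password through a secrets mechanism rather than a literal on the command line.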
Before you start and stop the client and server, make sure you configure the native client with the SSL properties as described and with the servers or locators specified as usual.
Specifically, ensure that:
PATH for Windows, and
For details on stopping and starting locators and cache servers with SSL, see Starting Up and Shutting Down Your System.
The GemFire Native Client's libcryptoImpl library, found in /lib, must be linked at compile time. This binary is used to interact with OpenSSL. Link libcryptoImpl, the native client library, and your application code together. We highly recommend using CMake.
Example locator start command
Ensure that all required SSL properties are configured in your server's geode.properties file. Then start your locator as follows:
gfsh>start locator --name=my_locator --port=12345 --dir=. \
  --security-properties-file=/path/to/your/geode.properties
Example locator stop command
gfsh>stop locator --port=12345 \
  --security-properties-file=/path/to/your/geode.properties
Example server start command
Again, ensure that all required SSL properties are configured in geode.properties. Then start the server with:
gfsh>start server --name=my_server --locators=hostname \
  --cache-xml-file=server.xml --log-level=fine \
  --security-properties-file=/path/to/your/geode.properties
Example server stop command
gfsh>stop server --name=my_server