This topic presents a simple example that demonstrates the configuration and startup of VMware Tanzu GemFire system components with SSL/TLS.
This example uses a keystore created by the Java keytool
application to provide the proper credentials to the provider. To create the keystore, run the keytool
utility:
keytool -genkey \
-alias self \
-dname "CN=trusted" \
-validity 3650 \
-keypass password \
-keystore ./trusted.keystore \
-storepass password \
-storetype JKS
This creates a ./trusted.keystore
file to be used later.
You can enable SSL/TLS in the gemfire.properties
file. In this example, SSL/TLS is enabled for all components.
ssl-enabled-components=all
locators=<hostaddress>[<port>]
You can specify the provider-specific settings in a gfsecurity.properties
file, which can then be secured by restricting access to this file. The following example configures the default JSSE provider settings included with the JDK.
ssl-keystore=/path/to/trusted.keystore
ssl-keystore-password=password
ssl-truststore=/path/to/trusted.keystore
ssl-truststore-password=password
security-username=xxxx
security-userPassword=yyyy
Before starting other system members, we started the locator with the SSL/TLS and provider-specific configuration settings. After properly configuring gemfire.properties
and gfsecurity.properties
, start the locator and provide the location of the properties files. If any of the password fields are left empty, you will be prompted to enter a password.
gfsh>start locator --name=my_locator --port=12345 \
--properties-file=/path/to/your/gemfire.properties \
--security-properties-file=/path/to/your/gfsecurity.properties
Applications and cache servers can be started similarly to the locator startup, with the appropriate gemfire.properties
file and gfsecurity.properties
files placed in the current working directory. You can also pass in the location of both files as system properties on the command line. For example:
gfsh>start server --name=my_server \
--properties-file=/path/to/your/gemfire.properties \
--security-properties-file=/path/to/your/gfsecurity.properties
You can use gfsh
to connect to an SSL/TLS-enabled cluster that is already running by specifying the use-ssl
command-line option and providing a path to the security configuration file:
gfsh>connect --locator=localhost[10334] --use-ssl \
--security-properties-file=/path/to/your/gfsecurity.properties
Once connected, you can then issue gfsh
commands to perform a variety of operations, including listing members and displaying region characteristics.