SSL/TLS Sample Implementation

A simple example demonstrates the configuration and startup of Tanzu GemFire system components with SSL/TLS.

Provider-Specific Configuration File

This example uses a keystore created by the Java keytool application to provide the proper credentials to the provider. To create the keystore, run the keytool utility:

keytool -genkey \ 
-alias self \ 
-dname "CN=trusted" \ 
-validity 3650 \ 
-keypass password \ 
-keystore ./trusted.keystore \ 
-storepass password \ 
-storetype JKS

This creates a ./trusted.keystore file to be used later.

gemfire.properties File

You can enable SSL/TLS in the gemfire.properties file. In this example, SSL/TLS is enabled for all components.

ssl-enabled-components=all
mcast-port=0
locators=<hostaddress>[<port>]

gfsecurity.properties File

You can specify the provider-specific settings in a gfsecurity.properties file, which can then be secured by restricting access to this file. The following example configures the default JSSE provider settings included with the JDK.

ssl-keystore=/path/to/trusted.keystore
ssl-keystore-password=password
ssl-truststore=/path/to/trusted.keystore
ssl-truststore-password=password
security-username=xxxx
security-userPassword=yyyy

Locator Startup

Before starting other system members, we started the locator with the SSL/TLS and provider-specific configuration settings. After properly configuring gemfire.properties and gfsecurity.properties, start the locator and provide the location of the properties files. If any of the password fields are left empty, you will be prompted to enter a password.

gfsh>start locator --name=my_locator --port=12345 \
--properties-file=/path/to/your/gemfire.properties \
--security-properties-file=/path/to/your/gfsecurity.properties

Other Member Startup

Applications and cache servers can be started similarly to the locator startup, with the appropriate gemfire.properties file and gfsecurity.properties files placed in the current working directory. You can also pass in the location of both files as system properties on the command line. For example:

gfsh>start server --name=my_server \
--properties-file=/path/to/your/gemfire.properties \
--security-properties-file=/path/to/your/gfsecurity.properties

Connecting to a Running Cluster

You can use gfsh to connect to an SSL/TLS-enabled cluster that is already running by specifying the use-ssl command-line option and providing a path to the security configuration file:

gfsh>connect --locator=localhost[10334] --use-ssl \
--security-properties-file=/path/to/your/gfsecurity.properties

Once connected, you can then issue gfsh commands to perform a variety of operations, including listing members and displaying region characteristics.