For maximum security, verify that the GemFire TLS handler is configured to use the correct cipher suites.

Procedure

  1. To verify which cipher suites are activated, run the following commands on each node:
    1. # grep inter_cluster.supported_cipher_suites /storage/vcops/user/conf/ssl/secure-communications.properties
    or
    2. # grep default.supported_cipher_suites /storage/vcops/user/conf/ssl/secure-communications.properties
    If the result of command 1 is blank, the inter_cluster properties are not set explicitly and the node uses the default values, which you can obtain with command 2.
    The following result is expected:
    inter_cluster.supported_cipher_suites = 
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    If the result of command 1 is blank, this is the expected result from command 2:
    default.supported_cipher_suites = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  2. Configure the correct cipher suites.
    1. Navigate to the administrator user interface at URL/admin.
    2. To bring the cluster offline, click Bring Offline.
    3. To configure the correct cipher suites, run the following commands:
      sed -i "/^[^#]*inter_cluster.supported_cipher_suites/ c\inter_cluster.supported_cipher_suites = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" /storage/vcops/user/conf/ssl/secure-communications.properties
      If the result of command 1 in step 1 was blank, the node reads the default values, so set those instead with the following command:
      sed -i "/^[^#]*default.supported_cipher_suites/ c\default.supported_cipher_suites = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" /storage/vcops/user/conf/ssl/secure-communications.properties
      Repeat this step for each node.
    4. Navigate to the administrator user interface at URL/admin.
    5. Click Bring Online.
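The check-and-fix procedure above, as an added shell example that is not part of the vRealize Operations documentation. It reproduces the rule that inter_cluster.supported_cipher_suites takes precedence over default.supported_cipher_suites, compares the effective list against the expected one ignoring spacing differences, and corrects the key the node actually reads. One caveat it handles that the page's sed commands do not: "sed ... c\" only rewrites an existing uncommented line and silently does nothing when the key is absent, so this version appends the line in that case. The properties file path and key names are the ones from the procedure; the sample file in the demo is constructed for illustration and the weak single-suite value in it is just an example of a misconfigured node.

```shell
#!/bin/sh
# Added example (not VMware/GemFire code): verify and correct the GemFire
# cipher-suite setting in secure-communications.properties.
# On a real node: suites_ok /storage/vcops/user/conf/ssl/secure-communications.properties
#             or: fix_file  /storage/vcops/user/conf/ssl/secure-communications.properties
# after taking the cluster offline, as the procedure above requires.

EXPECTED_SUITES="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"

# Print the value of property $2 from file $1 (first uncommented "key = value"
# line); prints nothing when the key is absent or only present commented out.
prop_value() {
  key_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
  sed -n "s/^[[:space:]]*$key_re[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# The value the node actually uses: inter_cluster.* when set, else default.*
# (the "if the result of command 1 is blank" rule from the procedure).
effective_suites() {
  v=$(prop_value "$1" inter_cluster.supported_cipher_suites)
  [ -n "$v" ] || v=$(prop_value "$1" default.supported_cipher_suites)
  printf '%s\n' "$v"
}

# Strip blanks so "A,B" and "A, B" compare equal; order still matters because
# the list order is the server's preference order.
normalize() { printf '%s' "$1" | tr -d ' \t\r'; }

# Exit status 0 when the effective list is exactly the expected one.
suites_ok() {
  [ "$(normalize "$(effective_suites "$1")")" = "$(normalize "$EXPECTED_SUITES")" ]
}

# Set property $2 in file $1 to the expected list: rewrite an existing
# uncommented line, or append the line when the key is missing entirely.
# A temp file is used instead of "sed -i" to work with both GNU and BSD sed.
set_suites() {
  key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  if grep -q "^[[:space:]]*$key_re[[:space:]]*=" "$1"; then
    sed "s|^[[:space:]]*$key_re[[:space:]]*=.*|$2 = $EXPECTED_SUITES|" "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
  else
    printf '%s = %s\n' "$2" "$EXPECTED_SUITES" >> "$1"
  fi
}

# Fix the key the node reads: inter_cluster.* if it is set, otherwise default.*
fix_file() {
  if [ -n "$(prop_value "$1" inter_cluster.supported_cipher_suites)" ]; then
    set_suites "$1" inter_cluster.supported_cipher_suites
  else
    set_suites "$1" default.supported_cipher_suites
  fi
}

# Demo on a constructed properties file: inter_cluster key only commented out,
# default key set to a single non-ECDHE suite (a misconfigured node).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# constructed sample, not a real node's file
#inter_cluster.supported_cipher_suites = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
default.supported_cipher_suites = TLS_RSA_WITH_AES_128_CBC_SHA
EOF
suites_ok "$demo_file" && echo "before: ok" || echo "before: effective list is '$(effective_suites "$demo_file")'"
fix_file "$demo_file"
suites_ok "$demo_file" && echo "after: ok" || echo "after: still wrong"
rm -f "$demo_file"
```

Run suites_ok against each node's file to audit the cluster without changing anything; fix_file only rewrites the file, so bringing the cluster offline and back online through URL/admin is still done as in steps 2.2 and 2.5.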