SSL Client/Server Communication
This section describes how to configure OpenSSL, implement SSL-based communication between your clients and servers, and run clients and servers with SSL enabled.
Set Up OpenSSL
The open-source OpenSSL toolkit provides a full-strength general purpose cryptography library to operate along with the PKCS sample implementation for encrypted authentication of native client credentials.
Follow these instructions to download and install OpenSSL for your specific operating system.
The native client requires OpenSSL 1.0.1t or later. For Windows platforms, you can use either the regular or the OpenSSL 1.0.1t “Light” version.
Note for Windows users: If you use Cygwin, do not use the OpenSSL library that comes with Cygwin, which is built with cygwin.dll as a dependency. Instead, download a fresh copy from OpenSSL as described in the following section.
Step 1. Download and install OpenSSL
To install OpenSSL:
Download the OpenSSL archive from the OpenSSL web site.
Extract the archive in a directory of your choice. For example:
$ tar xvzf openssl-1.0.1u.tar.gz
x openssl-1.0.1u/ACKNOWLEDGMENTS
x openssl-1.0.1u/apps/
x openssl-1.0.1u/apps/app_rand.c
...
Look in the top-level directory of the source distribution to identify the installation instructions for your operating system:
$ cd openssl-1.0.1u
$ ls INSTALL*
INSTALL        INSTALL.DJGPP  INSTALL.MacOS  INSTALL.NW   INSTALL.OS2
INSTALL.VMS    INSTALL.W32    INSTALL.W64    INSTALL.WCE
Build the OpenSSL library by following the instructions for your operating system.
Step 2. Create keystores
The Geode server requires keys and keystores in the Java Key Store (JKS) format, while the native client requires them in clear PEM format. You therefore need to be able to generate private/public key pairs in either format and convert between the two, using the keytool utility and the openssl command-line utility. Free third-party tools and source code are also available for download, such as the "KeyTool IUI" tool.
Step 3. Configure environment variables
Configure your system environment to build and run OpenSSL. Follow the environment setup that applies to your operating system.
Unix/Linux:
% OPENSSL=parent-folder-for-openssl-binaries; export OPENSSL
% GFCPP=product-dir; export GFCPP
% export LD_LIBRARY_PATH
Windows:
> set GFCPP=product-dir
> set OPENSSL=path-to-installed-openssl
> set PATH=jdk-or-jre-path\bin;%GFCPP%\bin;%GFCPP%\ssl_libs;%OPENSSL%\bin;%PATH%
> set CLASSPATH=path-to-gemfire-installation\lib\gfSecurityImpl.jar;%CLASSPATH%
path-to-installed-openssl is typically
Step 4. Configure SSL properties in gfcpp.properties and gemfire.properties
Configure SSL properties. On each client, in gfcpp.properties, set ssl-enabled to true and set ssl-truststore to point to your keystore files. See Security-Related System Properties (gfcpp.properties) for a description of these properties.
On each locator, enable SSL and set the following SSL properties in the locator's gemfire.properties file:
ssl-enabled-components=server,locator
ssl-protocols=any
ssl-ciphers=SSL_RSA_WITH_NULL_SHA
Make sure your choice of cipher matches a cipher supported on the server.
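As an added check (example code written for this page, not part of the Geode documentation or product), the following Python script parses a client gfcpp.properties and a locator gemfire.properties in Java .properties syntax and flags settings a reviewer would question: SSL left off, a client with no ssl-truststore, ssl-protocols=any (no pinned protocol version), and cipher suites such as the SSL_RSA_WITH_NULL_SHA shown above, which authenticates the peer but does not encrypt traffic. The sample file contents and the truststore path are constructed placeholders.

```python
"""Lint Geode SSL settings in Java-style .properties files.
Added example, not Geode code; property names are the ones on this page."""
import re

# Name fragments of cipher suites that give no confidentiality (NULL),
# no peer authentication (anon) or export-grade strength (EXPORT).
WEAK_CIPHER_MARKERS = ("NULL", "anon", "EXPORT")


def parse_properties(text):
    """Parse key=value lines; '#' or '!' starts a comment and a trailing
    backslash continues the value on the next line."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def lint_ssl(props):
    """Return the findings a reviewer would raise for one properties file."""
    findings = []
    client_on = props.get("ssl-enabled", "").lower() == "true"
    components = props.get("ssl-enabled-components", "").strip()
    if not client_on and not components:
        findings.append("SSL is off: set ssl-enabled=true (client) or ssl-enabled-components (server/locator)")
    if client_on and not props.get("ssl-truststore"):
        findings.append("ssl-truststore is unset: the client cannot validate the server certificate")
    if props.get("ssl-protocols", "").lower() == "any":
        findings.append("ssl-protocols=any does not pin a protocol version")
    for suite in (s.strip() for s in props.get("ssl-ciphers", "").split(",")):
        if suite and any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"ssl-ciphers includes {suite}: no confidentiality or no peer authentication")
    return findings


# Constructed sample files; the locator lines are those shown on this page.
LOCATOR_PROPERTIES = "ssl-enabled-components=server,locator\nssl-protocols=any\nssl-ciphers=SSL_RSA_WITH_NULL_SHA\n"
CLIENT_PROPERTIES = "ssl-enabled=true\nssl-truststore=/path/to/your/truststore.pem\n"

if __name__ == "__main__":
    for name, text in (("locator", LOCATOR_PROPERTIES), ("client", CLIENT_PROPERTIES)):
        print(name, lint_ssl(parse_properties(text)) or "ok")
```

Run it against your real files by reading them into the two strings; the locator sample reports both the unpinned protocol and the NULL cipher, so any production deployment should pick a suite supported by the server that actually encrypts.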
Starting and stopping the client and server with SSL in place
Before you start and stop the client and server, make sure you configure the native client with the SSL properties as described and with the servers or locators specified as usual.
Specifically, ensure that:
- The OpenSSL and ACE_SSL DLL locations are in the right environment variable for your system: PATH for Windows, and LD_LIBRARY_PATH for Unix/Linux.
- You have generated the keys and keystores.
- You have set the system properties.
For details on stopping and starting locators and cache servers with SSL, see Starting Up and Shutting Down Your System.
Example locator start command
Ensure that all required SSL properties are configured in your server’s
gfsecurity.properties file. Then start your locator as follows:
gfsh>start locator --name=my_locator --port=12345 --dir=. \
    --security-properties-file=/path/to/your/gfsecurity.properties
Example locator stop command
gfsh>stop locator --port=12345 \
    --security-properties-file=/path/to/your/gfsecurity.properties
Example server start command
Again, ensure that all required SSL properties are configured in
gfsecurity.properties. Then start the server with:
gfsh>start server --name=my_server --locators=hostname \
    --cache-xml-file=server.xml --log-level=fine \
    --security-properties-file=/path/to/your/gfsecurity.properties
Example server stop command
gfsh>stop server --name=my_server