Pivotal Knowledge Base


Authentication for Client/Server and Multi-Site (WAN) Configuration

Environment

 Product  Version
 Pivotal GemFire  Tested on 8.2.x

Purpose

Your company's security policy, or some other reason, may require user authentication not only for a Client/Server configuration but also for a Multi-site (WAN) configuration. In this case, you need to configure authentication in the following two places:

  • Authentication between Clients and Cache Servers for Client/Server configuration
  • Authentication between WAN Gateway Senders and Receivers for Multi-site (WAN) configuration

This article provides the procedure for configuring both of them. Certain limitations are also discussed.

Cause

You can easily configure authentication for a Client/Server configuration by following the "Client Authentication" section of this documentation. Still, you may have questions about how to configure authentication for a Multi-site (WAN) environment. Technically, the WAN Gateway technology is based on Client/Server technology: the WAN Gateway Sender acts like a Client, while the WAN Gateway Receiver acts like a Server. Thus, you can configure authentication for a Multi-site (WAN) configuration using the same techniques you use for a Client/Server configuration.

Procedure

Before configuring authentication itself, prepare the modules for credentials initialization and credentials authorization. You can use the example Java modules for simple user authentication listed below, which you can find in the /path/to/GemFire_dir/templates/security directory.

UserPasswordAuthInit.java
DummyAuthenticator.java
UsernamePrincipal.java

You can find the compiled classes for the above Java modules in /path/to/GemFire_dir/lib/gfSecurityImpl.jar. You can use those modules by simply adding the gfSecurityImpl.jar to the classpath for each component (Client, Server, WAN Gateway Sender, and Receiver).

For the purposes of this article, we assume Java-based Clients.

Follow these steps to configure authentication for Client/Server and Multi-site (WAN) configurations:

  1. For Clients, set the credentials initialization module and the required properties in gemfire.properties or gfsecurity.properties, or through the API, as below:
    security-client-auth-init=templates.security.UserPasswordAuthInit.create
    security-username=user
    security-password=user
  2. For pure Servers (neither WAN Gateway Senders nor Receivers), set the credentials authorization module in gemfire.properties or gfsecurity.properties, or through the API, as below:
    security-client-authenticator=templates.security.DummyAuthenticator.create
  3. For WAN Gateway Senders and Receivers, set the credentials initialization module and the required properties as for Clients, and also set the credentials authorization module as for Servers, in gemfire.properties or gfsecurity.properties, or through the API, as below:
    security-client-auth-init=templates.security.UserPasswordAuthInit.create
    security-username=user
    security-password=user

    security-client-authenticator=templates.security.DummyAuthenticator.create

    WAN Gateway Senders and Receivers are typically configured as Servers for Clients. For authentication, they are therefore essentially both clients and servers when authorizing communication with each other, so they require both the credentials initialization configuration and the credentials authorization configuration.

Additional Information

Limitations
As mentioned above, WAN Gateway Senders and Receivers are typically configured as Servers for Clients, so the same credentials initialization module and credentials authorization module are used for authentication in both the Client/Server configuration and the Multi-site (WAN) configuration. Therefore, in this case, you cannot apply different implementations of the credentials initialization module and the credentials authorization module to each configuration.

Trap
If you don't set both the credentials initialization module and the credentials authorization module for WAN Gateway Senders and/or Receivers, you may see the following error in the log:

com.gemstone.gemfire.security.AuthenticationRequiredException: No security-* properties are provided

The typical case is forgetting to set the credentials initialization module and the required properties on WAN Gateway Receivers. Because Receivers basically behave like Servers toward Clients and WAN Gateway Senders, both for Client/Server communication and for event propagation from the WAN Gateway Sender side, it seems as if the credentials initialization module is not required on WAN Gateway Receivers. In that case, the WAN Gateway Receivers may start successfully while the WAN Gateway Senders fail to start with the above error. For authentication, WAN Gateway Receivers internally communicate with WAN Gateway Senders as Clients, so you need to set the credentials initialization module and the required properties on WAN Gateway Receivers too.
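
The requirements from the Procedure and the Trap section above, as an added example that is not part of the original article or of GemFire: a small Python lint that reports which security-* properties a member's properties text is missing for its role. The role labels (client, server, gateway) and the function names are assumptions of this example; the property names and template class names come from the article.

```python
# Added example: lint security-* properties per GemFire member role.
# Role labels ("client", "server", "gateway") are chosen for this example only.

AUTH_INIT = "security-client-auth-init"
AUTHENTICATOR = "security-client-authenticator"
CREDENTIALS = ("security-username", "security-password")

# Properties each role must carry, following steps 1-3 of the procedure.
REQUIRED = {
    "client": (AUTH_INIT,) + CREDENTIALS,
    "server": (AUTHENTICATOR,),
    "gateway": (AUTH_INIT,) + CREDENTIALS + (AUTHENTICATOR,),  # sender or receiver
}


def parse_properties(text):
    """Parse the key=value subset of the Java .properties format."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def missing_properties(role, text):
    """Return the required security-* keys that are absent or empty for the role."""
    props = parse_properties(text)
    return [key for key in REQUIRED[role] if not props.get(key)]


# Constructed sample: a receiver configured like a pure server (the trap case).
RECEIVER_AS_SERVER = """\
# gfsecurity.properties on a WAN Gateway Receiver
security-client-authenticator=templates.security.DummyAuthenticator.create
"""

# Constructed sample: the step 3 configuration from the article.
GATEWAY_COMPLETE = """\
security-client-auth-init=templates.security.UserPasswordAuthInit.create
security-username=user
security-password=user
security-client-authenticator=templates.security.DummyAuthenticator.create
"""

if __name__ == "__main__":
    for name, text in (("receiver-as-server", RECEIVER_AS_SERVER),
                       ("gateway-complete", GATEWAY_COMPLETE)):
        print(name, "missing:", missing_properties("gateway", text) or "nothing")
```

If a member splits its settings between gemfire.properties and gfsecurity.properties, concatenate the text of both files before passing it in.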
