|Pivotal GemFire||8.x or above|
This article provides clarification for some common misunderstandings regarding the proper configuration of SSL within GemFire.
Beginning with GemFire 8, there are four types of SSL configuration properties, each of which works in a different scenario. Among them, the cluster-ssl-* properties are the default and work for any scenario not covered by the other three. The server-ssl-* properties, on the other hand, configure client/server connections (as described in the User Guide).
There are two cases in which the proper configuration type is counterintuitive, since both are often considered simply special kinds of clients:
- Connections between gfsh and a locator (not to the JMX manager), and
- Connections between Native Clients and the distributed system
Hence, the common misunderstanding is that the server-ssl-* properties should apply. However, the server type applies only to standard Java clients. The correct way to configure for these connections by the
In order to resolve SSL issues with either of these types of connections:
- Check whether the locators/cacheservers are configured with
- If so, the gfsh and native clients should be configured with the corresponding
- Additionally, for native clients, you cannot use the cipher 'any', which only works between Java components, so the cipher must be either SSL_RSA_WITH_NULL_SHA or SSL_RSA_WITH_NULL_MD5 (otherwise, you will have issues due to "no common ciphers available").
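The checks above can be run against a member's gemfire.properties before gfsh or a native client is pointed at it. The following is an added example, not code from the article or from GemFire. It assumes these connections fall under cluster-ssl-* (the article's default type for anything the other three do not cover), and its function names and sample property files are constructed for illustration.

```python
import re

# Ciphers the article lists as usable by native clients. NULL suites
# authenticate and integrity-protect the session but do not encrypt it.
NATIVE_CLIENT_CIPHERS = {"SSL_RSA_WITH_NULL_SHA", "SSL_RSA_WITH_NULL_MD5"}

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def lint_member_ssl(text, native_clients=True):
    """Return findings for a locator/cacheserver gemfire.properties."""
    props = parse_properties(text)
    findings = []
    cluster_on = props.get("cluster-ssl-enabled", "false").lower() == "true"
    server_on = props.get("server-ssl-enabled", "false").lower() == "true"
    # The common misunderstanding: only server-ssl-* was configured.
    if server_on and not cluster_on:
        findings.append("server-ssl-* set without cluster-ssl-*: "
                        "server-ssl-* covers standard Java clients only")
    if cluster_on and native_clients:
        raw = props.get("cluster-ssl-ciphers", "any")  # 'any' is the default
        # Accept comma- or space-separated cipher lists.
        ciphers = {c for c in re.split(r"[\s,]+", raw) if c}
        if "any" in ciphers:
            findings.append("cluster-ssl-ciphers=any only works between "
                            "Java components")
        elif not ciphers & NATIVE_CLIENT_CIPHERS:
            findings.append("no cipher in common with native clients: "
                            + ",".join(sorted(ciphers)))
    return findings

# Constructed sample inputs.
SERVER_ONLY = "server-ssl-enabled=true\nserver-ssl-ciphers=any\n"
CLUSTER_ANY = "# member config\ncluster-ssl-enabled=true\ncluster-ssl-ciphers=any\n"
CLUSTER_OK = "cluster-ssl-enabled=true\ncluster-ssl-ciphers=SSL_RSA_WITH_NULL_SHA\n"

if __name__ == "__main__":
    for name, sample in [("server-only", SERVER_ONLY),
                         ("cluster-any", CLUSTER_ANY), ("cluster-ok", CLUSTER_OK)]:
        print(name, lint_member_ssl(sample))
```
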