Pivotal Knowledge Base

Choosing the correct SSL property type for gfsh or Native Client connections

Environment

Product: Pivotal GemFire
Version: 8.x or above
OS: all

Purpose

This article provides clarification for some common misunderstandings regarding the proper configuration of SSL within GemFire.

Cause

Beginning with GemFire 8, there are four types of SSL configuration properties, each of which applies to a different scenario. Among them, the cluster-ssl-* properties are the default and apply to any scenario not covered by the other three. The server-ssl-* properties, on the other hand, configure client/server connections (as described in the User Guide).

There are two cases in which the proper configuration type is counterintuitive, since both are often considered simply special kinds of clients:

  • Connections between gfsh and a locator (not to the JMX manager), and
  • Connections between Native Clients and the distributed system

Hence, the common misunderstanding is that the server-ssl-* properties should apply. However, the server-ssl-* type applies only to standard Java clients. The correct way to configure these connections is with the cluster-ssl-* properties.

Resolution

In order to resolve SSL issues with either of these types of connections:

  1. Check whether the locators/cacheservers are configured with cluster-ssl-* properties.
  2. If so, gfsh and native clients should be configured with the corresponding cluster-ssl-* settings.
  3. Additionally, for native clients, you cannot use the cipher 'any', which only works between Java components, so the cipher must be either SSL_RSA_WITH_NULL_SHA or SSL_RSA_WITH_NULL_MD5 (otherwise, you will have issues due to "no common ciphers available"). Both are NULL-encryption suites: they authenticate and integrity-protect the connection but do not encrypt the data.
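
The three checks above can be run mechanically against the property files. The following is an added example, not Pivotal's code: it assumes the key names cluster-ssl-enabled, server-ssl-enabled and cluster-ssl-ciphers from the cluster-ssl-* and server-ssl-* families, and that an unset cipher list behaves like 'any'; the sample file contents are constructed.

```python
import re

# Cipher names the article allows for native clients.
NATIVE_CIPHERS = {"SSL_RSA_WITH_NULL_SHA", "SSL_RSA_WITH_NULL_MD5"}

def parse_props(text):
    """Parse Java-style key=value lines, skipping blanks and #/! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def ssl_on(props, family):
    # Assumed key name: <family>-ssl-enabled (e.g. cluster-ssl-enabled).
    return props.get(family + "-ssl-enabled", "false").lower() == "true"

def check(member_text, gfsh_text, native_clients=False):
    """Return findings for a locator/cacheserver file and a gfsh file."""
    member, gfsh = parse_props(member_text), parse_props(gfsh_text)
    findings = []
    if ssl_on(member, "server") and not ssl_on(member, "cluster"):
        findings.append("MEMBER: only server-ssl-* is enabled; gfsh-to-locator "
                        "and native client connections use cluster-ssl-*")
    if ssl_on(member, "cluster"):
        if not ssl_on(gfsh, "cluster"):
            findings.append("GFSH: member uses cluster-ssl-*, but gfsh has no "
                            "cluster-ssl-enabled=true")
        if native_clients:
            # Assumption: an unset cluster-ssl-ciphers behaves like 'any'.
            raw = member.get("cluster-ssl-ciphers", "any")
            ciphers = {c for c in re.split(r"[,\s]+", raw) if c}
            if not ciphers or not ciphers <= NATIVE_CIPHERS:
                findings.append("CIPHER: cluster-ssl-ciphers=%r will not match "
                                "native clients" % raw)
    return findings

# Constructed sample input, not taken from a real deployment.
MEMBER = "# locator\nserver-ssl-enabled=true\nserver-ssl-ciphers=any\n"
FIXED = "cluster-ssl-enabled=true\ncluster-ssl-ciphers=SSL_RSA_WITH_NULL_SHA\n"
GFSH = "cluster-ssl-enabled=true\n"

if __name__ == "__main__":
    for label, text in (("before", MEMBER), ("after", FIXED)):
        print(label, check(text, GFSH, native_clients=True) or "OK")
```
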