Pivotal Knowledge Base


How to configure one-way SSL for the GemFire Java client

Environment

Product Version
 Pivotal GemFire  8.x

Purpose

This article describes how to configure one-way SSL for the GemFire Java client.

Cause

GemFire provides a consistent way of configuring SSL for all Java-based GemFire components (cache servers, locators, clients, etc.). Hence, you can generally configure SSL for Java clients in the same manner as for cache servers or locators, as described in the User's Guide. However, the documentation does not provide a sample for configuring the client.

For additional clarity, this article focuses on how to configure one-way SSL for Java clients.

Procedure

Follow these steps to configure SSL for the GemFire Java client as shown in the sample implementation:

  1. Configure SSL for the cache servers (and for the locators, if you use them in your cluster).
  2. Decide how you want to set the parameters related to SSL configuration. There are several ways to do so, including using GemFire's property files, using the GemFire Java API, or setting Java System Properties. In this article, the parameters are set using GemFire's property files, which should be put in a directory specified by the CLASSPATH. Note that you can change the path of the properties files used, as described below under Additional Information.
  3. Prepare the "gemfire.properties" file in an appropriate directory (in the CLASSPATH) and add the following parameter setting:
    cluster-ssl-enabled=true
  4. Prepare the "gfsecurity.properties" file in an appropriate directory (as specified by the CLASSPATH) and then add, at least, the following parameters:

    *****On the Locator******
    cluster-ssl-keystore-type=jks
    cluster-ssl-keystore=/path/to/your/keystore
    cluster-ssl-keystore-password=<password for your keystore>
    cluster-ssl-truststore=/path/to/your/truststore
    cluster-ssl-truststore-password=<password for your truststore>
    cluster-ssl-require-authentication=false

    *****On the Server******
    cluster-ssl-keystore-type=jks
    cluster-ssl-keystore=/path/to/your/keystore
    cluster-ssl-keystore-password=<password for your keystore>
    cluster-ssl-truststore=/path/to/your/truststore
    cluster-ssl-truststore-password=<password for your truststore>
    server-ssl-require-authentication=false

    *****On the Client******
    cluster-ssl-keystore-type=jks
    cluster-ssl-truststore=/path/to/your/truststore
    cluster-ssl-truststore-password=<password for your truststore>
    server-ssl-require-authentication=true

    Note: The trust store on the client must have the appropriate certificates, i.e. matching those installed on the cache servers and locators.
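The following preflight check is an added example, not part of the original article or of GemFire. It reads "gfsecurity.properties" text and reports keys from the listings in step 4 that are missing for a role, placeholder values left in, and several settings pasted onto one line. The function names, sample paths and sample password are assumptions, and only the key=value form used in this article is parsed.

```python
import re

# Keys each role needs "at least", copied from the listings in this article.
COMMON = ["cluster-ssl-keystore-type", "cluster-ssl-truststore",
          "cluster-ssl-truststore-password"]
KEYSTORE = ["cluster-ssl-keystore", "cluster-ssl-keystore-password"]
REQUIRED = {
    "locator": COMMON + KEYSTORE + ["cluster-ssl-require-authentication"],
    "server": COMMON + KEYSTORE + ["server-ssl-require-authentication"],
    "client": COMMON + ["server-ssl-require-authentication"],
}

def parse_properties(text):
    """Parse key=value lines; '#' and '!' start a comment line."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check(role, text):
    """Return the problems found in gfsecurity.properties text for a role."""
    props = parse_properties(text)
    problems = [f"missing: {k}" for k in REQUIRED[role] if k not in props]
    for key, value in props.items():
        if re.search(r"[\w-]+-ssl-[\w-]+=", value):
            # Settings pasted on one line load as ONE key with a long value.
            problems.append(f"several settings on one line: {key}")
        elif re.fullmatch(r"<.*>", value) or value.startswith("/path/to/your/"):
            problems.append(f"placeholder left in: {key}")
    return problems

# Constructed sample inputs (paths and password are made up).
CLIENT_OK = """\
cluster-ssl-keystore-type=jks
cluster-ssl-truststore=/opt/gemfire/certs/client-trust.jks
cluster-ssl-truststore-password=example-only
server-ssl-require-authentication=true
"""
CLIENT_PASTED = ("cluster-ssl-keystore-type=jks "
                 "cluster-ssl-truststore=/path/to/your/truststore "
                 "cluster-ssl-truststore-password=<password for your truststore>\n")

if __name__ == "__main__":
    for name, role, text in [("client ok", "client", CLIENT_OK),
                             ("client pasted", "client", CLIENT_PASTED),
                             ("client file used on a server", "server", CLIENT_OK)]:
        print(name, "->", check(role, text) or "no problems")
```

Run it against the file for each role before starting the member; an empty list means every key listed above for that role is present with a filled-in value.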

 

Additional Information

  • You can change the path and the name of GemFire's property files by specifying Java system properties like the following when you execute your GemFire Java client application:
    -DgemfirePropertyFile=/path/to/myGemfire.properties
    -DgemfireSecurityPropertyFile=/where/to/myGfsecurity.properties

    In this case, the name of the GemFire property file is changed from the default name, "gemfire.properties", to "myGemfire.properties", and the file is located under the "/path/to" directory. Similarly, the name of the GemFire security property file is changed from the default name, "gfsecurity.properties", to "myGfsecurity.properties", and the file is located under the "/where/to" directory.

  • Related KB: Choose correct type to config the ssl setting for gfsh or Native Client
  • Related KB: Seeing the error: "Certificate is not recognized" when using SSL 
