TLS/SSL Client-Server Communication Encryption
This section describes how to implement TLS-based communication between your clients and servers using the OpenSSL encryption utility. When configuring TLS/SSL security for your client, you may find it helpful to refer to The SSL section of the GemFire User Guide.
Set Up OpenSSL
The open-source OpenSSL toolkit provides a full-strength general purpose cryptography library for encrypting client-server communications.
Download and install OpenSSL 1.1.1 for your specific operating system.
Notes for Windows users:
For Windows platforms, you can use either the regular or the “Light” version of SSL.
Use a 64-bit implementation of OpenSSL.
If you use Cygwin, do not use the OpenSSL library that comes with Cygwin, which is built with
cygwin.dllas a dependency. Instead, download a fresh copy from OpenSSL.
For many Windows applications, the most convenient way to install OpenSSL is to use
choco(see chocolatey.org) to install the “Light” version of OpenSSL.
Step 1. Create keystores
The GemFire server requires keys and keystores in the Java Key Store (JKS) format while the native client requires them in the clear PEM format. Thus you need to be able to generate private/public keypairs in either format and convert between the two using the
keytool utility and the
Step 2. Enable SSL on the server and on the client
On the server, enable SSL for the
servercomponents, as the SSL-enabled client must be able to communicate with both locator and server components.
On the client, set
On the client, set
ssl-truststoreto point to your keystore files. Paths to the keystore and truststore are local to the client. See Security-Related System Properties for a description of these properties.
Starting and stopping the client and server with SSL in place
Before you start and stop the client and server, make sure you configure the native client with the SSL properties as described and with the servers or locators specified as usual.
Specifically, ensure that:
- The OpenSSL and GemFire DLLs are in the right environment variables for your system:
PATHfor Windows, and
- You have generated the keys and keystores.
- You have set the system properties.
For details on stopping and starting locators and cache servers with SSL, see Starting Up and Shutting Down Your System.
The GemFire Native’s libcryptoImpl found in /lib must be linked at compile time. This binary is used to interact with OpenSSL. Link libcryptoImpl, native client, and your application code. We highly recommend using cmake.
Example locator start command
Ensure that all required SSL properties are configured in your server’s
geode.properties file. Then start your locator as follows:
gfsh>start locator --name=my_locator --port=12345 --dir=. \ --security-properties-file=/path/to/your/geode.properties
Example locator stop command
gfsh>stop locator --port=12345 \ --security-properties-file=/path/to/your/geode.properties
Example server start command
Again, ensure that all required SSL properties are configured in
geode.properties. Then start the server with:
gfsh>start server --name=my_server --locators=hostname \ --cache-xml-file=server.xml --log-level=fine \ --security-properties-file=/path/to/your/geode.properties
Example server stop command
gfsh>stop server --name=my_server