Encrypt Credentials with Diffie-Hellman
For secure transmission of sensitive credentials such as passwords, encrypt credentials using the Diffie-Hellman key exchange algorithm. With Diffie-Hellman enabled, you can have your client authenticate its servers.
Enabling Diffie-Hellman
Set the security-client-dhalgo system property in the geode.properties file to the name of a valid symmetric key cipher supported by the JDK.
Valid security-client-dhalgo property values are DESede, AES, and Blowfish, which enable the Diffie-Hellman algorithm with the specified cipher to encrypt the credentials.
For the AES and Blowfish algorithms, optionally specify the key size for the security-client-dhalgo property. Valid key size settings for the AES algorithm are AES:128, AES:192, and AES:256. The colon separates the algorithm name and the key size. For the Blowfish algorithm, key sizes from 128 to 448 bits are supported. For example:
security-client-dhalgo=Blowfish:128
For AES algorithms, you may need Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Sun or equivalent for your JDK.
Adding settings for Diffie-Hellman on clients also enables challenge response from server to client in addition to encryption of credentials using the exchanged key to avoid replay attacks from clients to servers. Clients can also enable authentication of servers, with challenge-response from client to server to avoid server-side replay attacks.
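To make the mechanism described above concrete, here is an added example in Go; it is not part of the Geode documentation or of the Geode code base. Two parties run a Diffie-Hellman style key agreement and derive a shared symmetric key, the client encrypts its credentials under that key, and each side can then answer the other's fresh challenge with an HMAC keyed by the exchanged key, which is why a response captured from one exchange is useless against the next challenge. The example assumes X25519 from crypto/ecdh in place of the finite-field Diffie-Hellman group Geode uses, AES-256-GCM in place of the JDK ciphers listed above, a SHA-256 based key derivation, and constructed sample credentials; every type and function name (Party, Agree, Seal, Open, Respond, Verify, RunExchange) is the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must panics on setup errors (key generation, cipher construction); Open still reports its errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// randomBytes returns n bytes from the OS CSPRNG (used for nonces and challenges).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// Party is one side of the exchange. X25519 from crypto/ecdh stands in for the
// finite-field Diffie-Hellman group the Geode property selects (an assumption
// of this example); the agree/derive/encrypt/challenge pattern is the same.
type Party struct {
	priv *ecdh.PrivateKey
	key  []byte      // session key derived from the shared secret
	gcm  cipher.AEAD // AES-256-GCM keyed with key
}

func NewParty() *Party {
	return &Party{priv: must(ecdh.X25519().GenerateKey(rand.Reader))}
}

// Public is the value this side sends to its peer in the clear.
func (p *Party) Public() *ecdh.PublicKey { return p.priv.PublicKey() }

// Agree derives the session key as SHA-256(label || shared secret) and returns
// it. HKDF would be the usual choice; the plain hash keeps the example short.
func (p *Party) Agree(peerPub *ecdh.PublicKey) []byte {
	h := sha256.New()
	h.Write([]byte("credential-encryption-key"))
	h.Write(must(p.priv.ECDH(peerPub)))
	p.key = h.Sum(nil)
	p.gcm = must(cipher.NewGCM(must(aes.NewCipher(p.key))))
	return p.key
}

// Seal encrypts credentials under the exchanged key; the random nonce is prepended.
func (p *Party) Seal(plaintext []byte) []byte {
	nonce := randomBytes(p.gcm.NonceSize())
	return append(nonce, p.gcm.Seal(nil, nonce, plaintext, nil)...)
}

// Open authenticates and decrypts a message from Seal; tampering or a different key makes it fail.
func (p *Party) Open(msg []byte) ([]byte, error) {
	ns := p.gcm.NonceSize()
	if len(msg) < ns {
		return nil, fmt.Errorf("message too short")
	}
	return p.gcm.Open(nil, msg[:ns], msg[ns:], nil)
}

// Respond proves possession of the exchanged key: HMAC-SHA256(key, challenge).
func (p *Party) Respond(challenge []byte) []byte {
	m := hmac.New(sha256.New, p.key)
	m.Write(challenge)
	return m.Sum(nil)
}

// Verify checks a response against the fresh challenge this side issued, so a
// response captured from an earlier exchange no longer verifies.
func (p *Party) Verify(challenge, response []byte) bool {
	return hmac.Equal(p.Respond(challenge), response)
}

// RunExchange drives the client -> server flow and reports the credentials the server
// recovered, whether the fresh response was accepted, and whether its replay was rejected.
func RunExchange(creds string) (recovered string, fresh, replayRejected bool) {
	client, server := NewParty(), NewParty()
	client.Agree(server.Public())
	server.Agree(client.Public())
	recovered = string(must(server.Open(client.Seal([]byte(creds)))))
	challenge := randomBytes(16) // server -> client challenge
	resp := client.Respond(challenge)
	fresh = server.Verify(challenge, resp)
	replayRejected = !server.Verify(randomBytes(16), resp)
	return
}

func main() {
	fmt.Println(RunExchange("user:s3cret")) // user:s3cret true true
}
```

The last two lines of RunExchange are the replay check the paragraph above refers to: the same response that verifies against the first challenge is rejected against a second one, because each challenge is fresh and the response is bound to it. The client-to-server direction is the same pattern with the roles swapped. Geode's actual wire format is not reproduced here; only the pattern the property enables is shown.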
Client Authentication of Server
With Diffie-Hellman enabled, you can have your client authenticate its servers.
Generate a .pem file for each pkcs12 keystore:
In the geode.properties file:
- Set security-client-kspath to the file name of the .pem file, the public key file store on the client.
- Set security-client-kspasswd to the password for the public key file store on the client.
- Set