Encrypt Credentials with Diffie-Hellman
For secure transmission of sensitive credentials such as passwords, encrypt credentials using the Diffie-Hellman key exchange algorithm. With Diffie-Hellman enabled, you can have your client authenticate its servers.
Set the security-client-dhalgo system property in the geode.properties file to the name of a valid symmetric key cipher supported by the JDK. Valid security-client-dhalgo property values include AES and Blowfish; setting the property enables the Diffie-Hellman key exchange and uses the specified cipher, keyed with the exchanged secret, to encrypt the credentials.
For the AES and Blowfish algorithms, you can optionally append a key size to the security-client-dhalgo value. Valid key size settings for the AES algorithm are AES:128, AES:192, and AES:256; the colon separates the algorithm name from the key size. For the Blowfish algorithm, key sizes from 128 to 448 bits are supported. For example, security-client-dhalgo=AES:256 selects AES with a 256-bit key.
Note: For AES with a 192- or 256-bit key, older JDKs need the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Oracle (formerly Sun), or the equivalent for your JDK vendor; with the default limited policy those JDKs cap AES at 128 bits and reject the larger key. JDK 8u161 and later, and JDK 9 and later, ship with the unlimited policy enabled, so no extra files are needed there.
Adding the Diffie-Hellman settings on clients also turns on a challenge-response from server to client, in addition to encrypting the credentials with the exchanged key, so that a recorded credential message cannot be replayed by a client against a server. Clients can also enable authentication of servers, which adds a challenge-response from client to server to avoid server-side replay attacks.
Client Authentication of Server
With Diffie-Hellman enabled, you can have your client authenticate its servers.
1. Create a .pem file for each pkcs12 keystore.
2. In the client's geode.properties file, set security-client-kspath to the file name of the .pem file for the public key file store on the client.
3. Set security-client-kspasswd to the password for the public key file store on the client.

The client-side store holds only the servers' public keys, never a server's private key, so a compromised client cannot be used to impersonate a server. Because security-client-kspasswd is stored in clear text in geode.properties, restrict read access on that file to the user the client process runs as.
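The following Java program is an added example that walks through the two mechanisms described above: the Diffie-Hellman exchange that encrypts the credentials and protects them with a server-to-client challenge-response, and the client's authentication of the server with a public key it trusts. It is not code from the Geode project or from this page. The class name DhCredentialExchangeDemo, the use of an in-memory RSA key pair in place of the server's PKCS#12 keystore and the client's .pem public key store, the SHA-256 key derivation, AES-GCM as the credential cipher, and the message layout are all the example's own choices; Geode's internal handshake is framed differently, so treat this as an illustration of the security properties, not of the wire format.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import javax.crypto.*;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.*;

/** Added illustration of the exchange this page describes; it is not Geode's own handshake code. */
public class DhCredentialExchangeDemo {
    static final SecureRandom RNG = new SecureRandom();
    static class Server {
        // Assumption: an in-memory RSA pair stands in for the key a Geode server loads from its PKCS#12 keystore.
        final KeyPair rsa;
        KeyPair dh; SecretKeySpec sessionKey; byte[] challenge;
        Server() throws GeneralSecurityException { rsa = generate("RSA", 2048); }
        /** Server hello: an ephemeral DH public key plus an RSA signature over it. */
        byte[][] hello() throws GeneralSecurityException {
            dh = generate("DH", 2048);
            byte[] pub = dh.getPublic().getEncoded();
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initSign(rsa.getPrivate());
            s.update(pub);
            return new byte[][] {pub, s.sign()};
        }
        /** Derive the per-session key from the client's DH value, then issue a fresh random challenge. */
        byte[] acceptClient(byte[] clientPub) throws GeneralSecurityException {
            sessionKey = deriveAesKey(dh.getPrivate(), decodeDh(clientPub));
            RNG.nextBytes(challenge = new byte[32]);
            return challenge.clone();
        }
        /** A response that does not decrypt to this session's challenge is a replay or a forgery. */
        String authenticate(byte[] response, byte[] sealedCreds) throws GeneralSecurityException {
            if (!MessageDigest.isEqual(challenge, aesGcm(Cipher.DECRYPT_MODE, sessionKey, response)))
                throw new SecurityException("challenge response mismatch");
            return new String(aesGcm(Cipher.DECRYPT_MODE, sessionKey, sealedCreds), StandardCharsets.UTF_8);
        }
    }

    static class Client {
        // Assumption: stands in for the server certificate read from the store named by security-client-kspath.
        final PublicKey trustedServerKey; SecretKeySpec sessionKey;
        Client(PublicKey trustedServerKey) { this.trustedServerKey = trustedServerKey; }
        /** Authenticate the server by its signature, then build a DH pair on the server's parameters. */
        byte[] handshake(byte[] serverPub, byte[] sig) throws GeneralSecurityException {
            Signature v = Signature.getInstance("SHA256withRSA");
            v.initVerify(trustedServerKey);
            v.update(serverPub);
            if (!v.verify(sig)) throw new SecurityException("server DH key not signed by a trusted server");
            DHPublicKey peer = (DHPublicKey) decodeDh(serverPub);
            KeyPairGenerator g = KeyPairGenerator.getInstance("DH");
            g.initialize(peer.getParams());
            KeyPair mine = g.generateKeyPair();
            sessionKey = deriveAesKey(mine.getPrivate(), peer);
            return mine.getPublic().getEncoded();
        }
        byte[] seal(byte[] plaintext) throws GeneralSecurityException {   // challenge response or credentials
            return aesGcm(Cipher.ENCRYPT_MODE, sessionKey, plaintext);
        }
    }

    static KeyPair generate(String algo, int bits) throws GeneralSecurityException {
        KeyPairGenerator g = KeyPairGenerator.getInstance(algo);
        g.initialize(bits);
        return g.generateKeyPair();
    }
    static PublicKey decodeDh(byte[] der) throws GeneralSecurityException { return KeyFactory.getInstance("DH").generatePublic(new X509EncodedKeySpec(der)); }
    /** DH shared secret -> SHA-256 -> AES-256 key; the policy check is the page's JCE caveat made explicit. */
    static SecretKeySpec deriveAesKey(PrivateKey mine, PublicKey peer) throws GeneralSecurityException {
        if (Cipher.getMaxAllowedKeyLength("AES") < 256)
            throw new SecurityException("JDK crypto policy caps AES below 256 bits");
        KeyAgreement ka = KeyAgreement.getInstance("DH");
        ka.init(mine);
        ka.doPhase(peer, true);
        return new SecretKeySpec(MessageDigest.getInstance("SHA-256").digest(ka.generateSecret()), "AES");
    }
    /** AES-GCM with a fresh 12-byte IV prefixed to each ciphertext, so a nonce is never reused under one key. */
    static byte[] aesGcm(int mode, SecretKeySpec key, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        if (mode == Cipher.ENCRYPT_MODE) {
            byte[] iv = new byte[12];
            RNG.nextBytes(iv);
            c.init(mode, key, new GCMParameterSpec(128, iv));
            byte[] ct = c.doFinal(in);
            return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        }
        c.init(mode, key, new GCMParameterSpec(128, in, 0, 12));
        return c.doFinal(in, 12, in.length - 12);
    }
    public static void main(String[] args) throws Exception {
        Server server = new Server();
        Client client = new Client(server.rsa.getPublic());   // trust anchor distributed out of band
        byte[][] hello = server.hello();
        byte[] challenge = server.acceptClient(client.handshake(hello[0], hello[1]));
        byte[] creds = "alice:s3cr3t".getBytes(StandardCharsets.UTF_8);   // constructed sample credentials
        System.out.println("server decrypted: " + server.authenticate(client.seal(challenge), client.seal(creds)));
    }
}
```

Compile and run it with javac and java on any JDK 8 or later; on a JDK still under the limited crypto policy, deriveAesKey throws the same kind of failure the Note above warns about. Three points carry over to a real deployment: the session key is fresh per handshake, so a credential message captured from one session is useless in another and the random challenge additionally binds the response to this session; the client verifies the server's signature over its DH value before it agrees on a key, which is what stops an attacker who can intercept traffic from standing in for the server; and the only key material the client ever holds is the server's public key, which is why the store named by security-client-kspath must never contain a server private key.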