LATEST VERSION: 8.1.0 - CHANGELOG
Pivotal GemFire® v8.1

Encrypt Credentials with Diffe-Hellman

Encrypt Credentials with Diffe-Hellman

For secure transmission of sensitive credentials like passwords, encrypt credentials using the Diffie-Hellman key exchange algorithm. With Diffie-Hellman enabled, you can have your client authenticate its servers.

Enabling Diffe-Hellman

Set the security-client-dhalgo system property in the gfcpp.properties file to the password for the public key file store on the client (the name of a valid symmetric key cipher supported by the JDK).

Valid security-client-dhalgo property values are DESede, AES, and Blowfish, which enable the Diffie-Hellman algorithm with the specified cipher to encrypt the credentials.

For the AES and Blowfish algorithms, optionally specify the key size for the security-client-dhalgo property. Valid key size settings for the AES algorithm are AES:128, AES:192, and AES:256. The colon separates the algorithm name and the key size. For the Blowfish algorithm, key sizes from 128 to 448 bits are supported. For example:
security-client-dhalgo=Blowfish:128
    

For AES algorithms, you may need Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Sun or equivalent for your JDK.

Adding settings for Diffie-Hellman on clients also enables challenge response from server to client in addition to encryption of credentials using the exchanged key to avoid replay attacks from clients to servers. Clients can also enable authentication of servers, with challenge-response from client to server to avoid server-side replay attacks.

Client Authentication of Server

With Diffie-Hellman enabled, you can have your client authenticate its servers.

  1. Generate a .pem file for each pkcs12 keystore:

    1. Enter this command from a pkcs12 file or a pkcs keystore:
      user@host: ~> openssl pkcs12 -nokeys -in <keystore/pkcs12 file> -out <outputfilename.pem >
    2. Concatenate the generated .pem files into a single .pem file. You will use its name in the next step.
  2. In the gfcpp.properties file:

    1. Set security-client-kspath to the name of the .pem file password for the public key file store on the client.
    2. Set security-client-kspasswd to the password for the public key file store on the client.