LATEST VERSION: 8.1.0 - CHANGELOG
Pivotal GemFire® v8.1

SSL Sample Implementation

SSL Sample Implementation

A simple example demonstrates the configuration and startup of GemFire system components with SSL.

Provider-Specific Configuration File

This example uses a keystore created by the Java keytool application to provide the proper credentials to the provider. To create the keystore, we ran the following:
keytool -genkey \ 
-alias self \ 
-dname "CN=trusted" \ 
-validity 3650 \ 
-keypass password \ 
-keystore ./trusted.keystore \ 
-storepass password \ 
-storetype JKS 
This creates a ./trusted.keystore file to be used later.

gemfire.properties File

You can enable SSL in the gemfire.properties file. In this example, SSL is enabled for all peer-to-peer, client/server, WAN gateway, and HTTP connections. However, the jmx-manager-ssl=false override is added to disable SSL For JMX conenctiosn:

cluster-ssl-enabled=true
mcast-port=0
locators=<hostaddress>[<port>]
jmx-manager-ssl-enabled=false

gfsecurity.properties File

You can specify the provider-specific settings in gfsecurity.properties file, which can then be secured by restricting access to this file. The following example configures the default JSSE provider settings included with the JDK.
cluster-ssl-keystore-type=jks
cluster-ssl-keystore=/path/to/trusted.keystore
cluster-ssl-keystore-password=password
cluster-ssl-truststore=/path/to/trusted.keystore
cluster-ssl-truststore-password=
security-username=xxxx
security-userPassword=yyyy 

Note that individual provider settings can also be overriden for client/server, JMX, WAN gateway, or HTTP connections by setting the appropriate property here. See Configuring SSL.

Locator Startup

Before starting other system members, we started the locator with the SSL and provider-specific configuration settings. After properly configuring gemfire.properties and gfsecurity.properties, start the locator and provide the location of the properties files. If any of the password fields are left empty, you will be prompted to enter a password.
gfsh>start locator --name=my_locator --port=12345 \
--properties-file=/path/to/your/gemfire.properties 
--security-properties-file=/path/to/your/gfsecurity.properties

Other Member Startup

Applications and cache servers can be started similarly to the locator startup, with the appropriate gemfire.properties file and gfsecurity.properties files placed in the current working directory. You can also pass in the location of both files as system properties on the command line. For example:
gfsh>start server --name=my_server \
--properties-file=/path/to/your/gemfire.properties \
--security-properties-file=/path/to/your/gfsecurity.properties