SSL\TLS

Securing Connection Between Nodes

GridGain allows you to use SSL socket communication to provide a secure connection between all GridGain nodes. To use it, set the Factory<SSLContext> and configure the SSL section in the GridGain configuration. GridGain provides a default SSL context factory, org.apache.ignite.ssl.SslContextFactory, which uses a configurable keystore to initialize the SSL context.

<bean id="cfg" class="org.apache.ignite.configuration.IgniteConfiguration">
  <property name="sslContextFactory">
    <bean class="org.apache.ignite.ssl.SslContextFactory">
      <property name="keyStoreFilePath" value="keystore/server.jks"/>
      <property name="keyStorePassword" value="123456"/>
      <property name="trustStoreFilePath" value="keystore/trust.jks"/>
      <property name="trustStorePassword" value="123456"/>
    </bean>
  </property>
</bean>

IgniteConfiguration igniteCfg = new IgniteConfiguration();

SslContextFactory factory = new SslContextFactory();

factory.setKeyStoreFilePath("keystore/server.jks");
factory.setKeyStorePassword("123456".toCharArray());
factory.setTrustStoreFilePath("keystore/trust.jks");
factory.setTrustStorePassword("123456".toCharArray());

igniteCfg.setSslContextFactory(factory);

In some cases, it is useful to disable certificate validation on the client side, such as when connecting to a server with a self-signed certificate. This can be achieved by setting a disabled trust manager to this factory, which can be obtained by the getDisabledTrustManager() method.

<bean id="cfg" class="org.apache.ignite.configuration.IgniteConfiguration">
  <property name="sslContextFactory">
    <bean class="org.apache.ignite.ssl.SslContextFactory">
      <property name="keyStoreFilePath" value="keystore/server.jks"/>
      <property name="keyStorePassword" value="123456"/>
      <property name="trustManagers">
        <bean class="org.apache.ignite.ssl.SslContextFactory" factory-method="getDisabledTrustManager"/>
     </property>
    </bean>
  </property>
</bean>

IgniteConfiguration igniteCfg = new IgniteConfiguration();

SslContextFactory factory = new SslContextFactory();

factory.setKeyStoreFilePath("keystore/server.jks");
factory.setKeyStorePassword("123456".toCharArray());
factory.setTrustManagers(SslContextFactory.getDisabledTrustManager());

igniteCfg.setSslContextFactory(factory);

If security is configured, then the logs will include communication encrypted=on

INFO: Security status [authentication=off, communication encrypted=on]

SSL and TLS

Ignite allows the use of different encryption types. The following algorithms are supported http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext and can be set by using the setProtocol() method. TLS encryption is the default.

<bean id="cfg" class="org.apache.ignite.configuration.IgniteConfiguration">
  <property name="sslContextFactory">
    <bean class="org.apache.ignite.ssl.SslContextFactory">
      <property name="protocol" value="SSL"/>
      ...
    </bean>
  </property>
  ...
</bean>

IgniteConfiguration igniteCfg = new IgniteConfiguration();

SslContextFactory factory = new SslContextFactory();

...

factory.setProtocol("TLS");

igniteCfg.setSslContextFactory(factory);

Upgrading Certificates

If you’re using TLS/SSL and your certificate is going to expire, you can install the new certificate without shutting down the cluster.

If your new certificate can be read with your existing trust store, you can just stop the cluster nodes one by one, and bring them back with the new certificate.

Otherwise, first you have to push the trust store to all nodes one by one. It will contain trusts for both new and old certificates while you transition.

Configuration

The following configuration parameters can be configured on SslContextFactory.

Setter Method Description Default

Setter Method	Description	Default
`setKeyAlgorithm`	Sets the key manager algorithm that will be used to create a key manager. The default value works on most platforms; however, you should set this value to `X509` on the Android platform.	`SunX509`
`setKeyStoreFilePath`	Sets the path to the key store file. This is a mandatory parameter since the SSL context can not be initialized without a key manager.	`N/A`
`setKeyStorePassword`	Sets the key store password.	`N/A`
`setKeyStoreType`	Sets the key store type used in context initialization.	`JKS`
`setProtocol`	Sets the protocol for secure transport.	`TLS`
`setTrustStoreFilePath`	Sets the path to the trust store file.	`N/A`
`setTrustStorePassword`	Sets the trust store password.	`N/A`
`setTrustStoreType`	Sets the trust store type used in context initialization.	`JKS`
`setTrustManagers`	Sets the pre-configured trust managers.	`N/A`

setKeyAlgorithm

Sets the key manager algorithm that will be used to create a key manager. The default value works on most platforms; however, you should set this value to X509 on the Android platform.

SunX509

setKeyStoreFilePath

Sets the path to the key store file. This is a mandatory parameter since the SSL context can not be initialized without a key manager.

N/A

setKeyStorePassword

Sets the key store password.

N/A

setKeyStoreType

Sets the key store type used in context initialization.

JKS

setProtocol

Sets the protocol for secure transport.

TLS

setTrustStoreFilePath

Sets the path to the trust store file.

N/A

setTrustStorePassword

Sets the trust store password.

N/A

setTrustStoreType

Sets the trust store type used in context initialization.

JKS

setTrustManagers

Sets the pre-configured trust managers.

N/A