SSL/TLS
Securing Connection Between Nodes
GridGain can secure all node-to-node communication with SSL/TLS. To enable it, supply a Factory<SSLContext> through the sslContextFactory property of IgniteConfiguration. GridGain ships a default implementation, org.apache.ignite.ssl.SslContextFactory, which builds the SSL context from a key store (the node's own certificate and private key, presented to peers) and a trust store (the certificates, or issuing CAs, that the node accepts from peers). The password 123456 in the examples below is a placeholder: use a strong password in real deployments and keep the key store readable only by the account the node runs under.
<bean id="cfg" class="org.apache.ignite.configuration.IgniteConfiguration">
<property name="sslContextFactory">
<bean class="org.apache.ignite.ssl.SslContextFactory">
<property name="keyStoreFilePath" value="keystore/server.jks"/>
<property name="keyStorePassword" value="123456"/>
<property name="trustStoreFilePath" value="keystore/trust.jks"/>
<property name="trustStorePassword" value="123456"/>
</bean>
</property>
</bean>
import org.apache.ignite.configuration.IgniteConfiguration;
import org.apache.ignite.ssl.SslContextFactory;

IgniteConfiguration igniteCfg = new IgniteConfiguration();
SslContextFactory factory = new SslContextFactory();
// Key store: this node's own certificate and private key.
factory.setKeyStoreFilePath("keystore/server.jks");
factory.setKeyStorePassword("123456".toCharArray());
// Trust store: the certificates this node accepts from peers.
factory.setTrustStoreFilePath("keystore/trust.jks");
factory.setTrustStorePassword("123456".toCharArray());
igniteCfg.setSslContextFactory(factory);
In some cases, such as development against a server with a self-signed certificate, it may be convenient to disable certificate validation on the client side. This is done by installing the disabled trust manager returned by the getDisabledTrustManager() method on the factory. Note that this removes peer authentication entirely: the client accepts any certificate, so anyone who can intercept the connection can impersonate the server. Use it only in test environments; for a self-signed certificate in production, import that certificate into the client's trust store instead.
<bean id="cfg" class="org.apache.ignite.configuration.IgniteConfiguration">
<property name="sslContextFactory">
<bean class="org.apache.ignite.ssl.SslContextFactory">
<property name="keyStoreFilePath" value="keystore/server.jks"/>
<property name="keyStorePassword" value="123456"/>
<property name="trustManagers">
<bean class="org.apache.ignite.ssl.SslContextFactory" factory-method="getDisabledTrustManager"/>
</property>
</bean>
</property>
</bean>
import org.apache.ignite.configuration.IgniteConfiguration;
import org.apache.ignite.ssl.SslContextFactory;

IgniteConfiguration igniteCfg = new IgniteConfiguration();
SslContextFactory factory = new SslContextFactory();
factory.setKeyStoreFilePath("keystore/server.jks");
factory.setKeyStorePassword("123456".toCharArray());
// Accepts any peer certificate, i.e. no server authentication: test environments only.
factory.setTrustManagers(SslContextFactory.getDisabledTrustManager());
igniteCfg.setSslContextFactory(factory);
If SSL is configured, the node's startup log reports communication encrypted=on:
INFO: Security status [authentication=off, communication encrypted=on]
SSL and TLS
Ignite supports the SSLContext protocol names listed in the Java Cryptography Architecture standard names (http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext); the protocol is selected with the setProtocol() method. TLS is the default. Prefer TLS, or an explicit version such as TLSv1.2, to the SSL name, which refers to the deprecated SSLv3 protocol family; which versions are actually negotiated also depends on the protocols enabled in the JVM.
<bean id="cfg" class="org.apache.ignite.configuration.IgniteConfiguration">
<property name="sslContextFactory">
<bean class="org.apache.ignite.ssl.SslContextFactory">
<property name="protocol" value="SSL"/>
...
</bean>
</property>
...
</bean>
IgniteConfiguration igniteCfg = new IgniteConfiguration();
SslContextFactory factory = new SslContextFactory();
...
factory.setProtocol("TLS");
igniteCfg.setSslContextFactory(factory);
Upgrading Certificates
If you are using TLS/SSL and a certificate is about to expire, you can install the new certificate without shutting down the cluster.
If the new certificate can be validated against the existing trust store (for example, it is issued by the same CA), stop the cluster nodes one at a time and bring each back with the new certificate.
Otherwise, first roll out a new trust store to all nodes, one node at a time. It contains trust entries for both the old and the new certificate, so nodes running on either certificate keep accepting each other during the transition. Then roll out the new certificate the same way. Once every node presents the new certificate, the old entry can be removed from the trust store in a further rolling restart.
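The following example is added here and is not part of the GridGain documentation or code base. It builds the transition trust store described above with the standard java.security.KeyStore API, trusting both the old and the new server certificate, and wires the result into SslContextFactory. The same approach is the alternative to getDisabledTrustManager() for a peer with a self-signed certificate: the certificate is trusted explicitly instead of validation being switched off. It also sets an explicit TLS version rather than the SSL protocol name. The TrustStoreBuilder class, the file paths, the aliases and the environment variable names are assumptions; the rolling restart itself is an operational step outside the code.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

import org.apache.ignite.configuration.IgniteConfiguration;
import org.apache.ignite.ssl.SslContextFactory;

/**
 * Added example (not GridGain code): builds a JKS trust store that explicitly
 * trusts the given X.509 certificates and configures SslContextFactory with it.
 * Class name, paths, aliases and environment variable names are assumptions.
 */
public final class TrustStoreBuilder {
    private TrustStoreBuilder() {
    }

    /** Loads an existing JKS trust store, or starts an empty one if the file does not exist. */
    public static KeyStore loadOrCreate(Path trustStore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        if (Files.exists(trustStore)) {
            try (InputStream in = Files.newInputStream(trustStore)) {
                ks.load(in, password); // also checks the store's integrity against the password
            }
        }
        else {
            ks.load(null, password); // a null stream initializes an empty store
        }
        return ks;
    }

    /** Adds one PEM- or DER-encoded X.509 certificate as a trusted-certificate entry. */
    public static void addTrustedCert(KeyStore ks, Path certFile, String alias) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(certFile)) {
            Certificate cert = cf.generateCertificate(in);
            ks.setCertificateEntry(alias, cert); // trusted entry: certificate only, no private key
        }
    }

    /** Writes the trust store back to disk, protected by the given password. */
    public static void save(KeyStore ks, Path trustStore, char[] password) throws Exception {
        try (OutputStream out = Files.newOutputStream(trustStore)) {
            ks.store(out, password);
        }
    }

    /** Factory that validates peers against the trust store instead of disabling validation. */
    public static SslContextFactory sslContextFactory(Path keyStore, char[] keyStorePwd,
        Path trustStore, char[] trustStorePwd) {
        SslContextFactory factory = new SslContextFactory();
        factory.setKeyStoreFilePath(keyStore.toString());
        factory.setKeyStorePassword(keyStorePwd);
        factory.setTrustStoreFilePath(trustStore.toString());
        factory.setTrustStorePassword(trustStorePwd);
        factory.setProtocol("TLSv1.2"); // explicit TLS version, not the legacy "SSL" name
        return factory;
    }

    public static void main(String[] args) throws Exception {
        // Passwords come from the environment rather than being hard-coded in configuration.
        char[] keyStorePwd = System.getenv("IGNITE_KEYSTORE_PASSWORD").toCharArray();
        char[] trustStorePwd = System.getenv("IGNITE_TRUSTSTORE_PASSWORD").toCharArray();

        Path trustStore = Paths.get("keystore/trust.jks");
        KeyStore ks = loadOrCreate(trustStore, trustStorePwd);

        // Transition trust store for certificate rotation: keep trusting the current
        // certificate and add the one that will replace it, so nodes on either
        // certificate accept each other during the rolling restart.
        addTrustedCert(ks, Paths.get("certs/server-old.pem"), "server-old");
        addTrustedCert(ks, Paths.get("certs/server-new.pem"), "server-new");
        save(ks, trustStore, trustStorePwd);

        IgniteConfiguration cfg = new IgniteConfiguration();
        cfg.setSslContextFactory(sslContextFactory(
            Paths.get("keystore/server.jks"), keyStorePwd, trustStore, trustStorePwd));
        // Ignition.start(cfg) would then join the cluster with peer validation enabled.
    }
}
```

For a self-signed peer, a single addTrustedCert call with that peer's certificate produces a trust store that accepts exactly that certificate and nothing else, which keeps server authentication in place where getDisabledTrustManager() would remove it.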
Configuration
The following configuration parameters can be configured on SslContextFactory.
Setter Method | Description | Default
---|---|---
setKeyAlgorithm | Sets the key manager algorithm that will be used to create a key manager. The default value works on most platforms; however, you should set this value to | SunX509
setKeyStoreFilePath | Sets the path to the key store file. This is a mandatory parameter, since the SSL context cannot be initialized without a key manager. | (none)
setKeyStorePassword | Sets the key store password. | (none)
setKeyStoreType | Sets the key store type used in context initialization. | JKS
setProtocol | Sets the protocol for secure transport. | TLS
setTrustStoreFilePath | Sets the path to the trust store file. | (none)
setTrustStorePassword | Sets the trust store password. | (none)
setTrustStoreType | Sets the trust store type used in context initialization. | JKS
setTrustManagers | Sets the pre-configured trust managers. | (none)
© 2020 GridGain Systems, Inc. All Rights Reserved. Privacy Policy | Legal Notices. GridGain® is a registered trademark of GridGain Systems, Inc.
Apache, Apache Ignite, the Apache feather and the Apache Ignite logo are either registered trademarks or trademarks of The Apache Software Foundation.