GridGain Developers Hub
GridGain Software Documentation

SSL/TLS

GridGain allows you to use SSL/TLS to secure communication between the nodes.

This page explains how to configure SSL/TLS encryption between cluster nodes (both server and client nodes) and thin clients that connect to your cluster.

Considerations

For an adequate level of security, we recommend that each node (server or client) has its own certificate and private key in its keystore, and only the trusted CA certificates in its truststore. With this layout a node's certificate can be replaced (for example, when it expires) without touching the trust stores of the other nodes, and the key of a single compromised node can be rotated without re-issuing anything else.

SSL/TLS for Nodes

To enable SSL/TLS for cluster nodes, configure an SSLContext factory in the node configuration. You can use the org.apache.ignite.ssl.SslContextFactory, which is the default factory that uses a configurable keystore to initialize the SSL context.

Below is an example of SslContextFactory configuration. It pins the protocol to TLSv1.3, which requires a JDK that supports it (JDK 11 or later, or a recent JDK 8 update); replace the example paths and passwords with your own before use:

XML:

<bean class="org.apache.ignite.configuration.IgniteConfiguration">

    <property name="sslContextFactory">
        <bean class="org.apache.ignite.ssl.SslContextFactory">
            <property name="keyStoreFilePath" value="keystore/node.jks"/>
            <property name="keyStorePassword" value="123456"/>
            <property name="trustStoreFilePath" value="keystore/trust.jks"/>
            <property name="trustStorePassword" value="123456"/>
            <property name="protocol" value="TLSv1.3"/>
        </bean>
    </property>

</bean>

Java:

IgniteConfiguration igniteCfg = new IgniteConfiguration();

SslContextFactory factory = new SslContextFactory();

factory.setKeyStoreFilePath("keystore/node.jks");
factory.setKeyStorePassword("123456".toCharArray());
factory.setTrustStoreFilePath("keystore/trust.jks");
factory.setTrustStorePassword("123456".toCharArray());
factory.setProtocol("TLSv1.3");

igniteCfg.setSslContextFactory(factory);

C++: not available in the C++ API.

The keystore must contain the node's certificate together with its private key. The trust store must contain the certificates needed to verify every other cluster node, that is, the CA certificate(s) that issued the node certificates, or the node certificates themselves if they are self-signed. We recommend that you

You can define other properties, such as key algorithm, key store type, or trust manager. See the description of the properties in the SslContextFactory Properties section.
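The following pre-flight check is an added example and is not part of the GridGain code base. It loads the key store and trust store with the same paths, passwords and store type as the configuration above, and verifies what the text requires before the node starts: the key store holds exactly one private key entry with a certificate chain, every certificate in the chain is within its validity period, the trust store holds certificates only, and the chain validates (PKIX, revocation checking off) against the CA certificates in the trust store. The class and method names are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

import org.apache.ignite.configuration.IgniteConfiguration;
import org.apache.ignite.ssl.SslContextFactory;

/** Checks a node's key store and trust store before the node is started (added example, not GridGain code). */
public class TlsPreflight {
    // Same paths, passwords and store type as the page's example configuration.
    private static final String KEY_STORE = "keystore/node.jks";
    private static final String TRUST_STORE = "keystore/trust.jks";
    private static final String STORE_TYPE = "JKS";
    private static final char[] PASSWORD = "123456".toCharArray();

    static KeyStore load(String path, String type, char[] pwd) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pwd);
        }
        return ks;
    }

    /** Returns the alias of the single private key entry; fails if there is none or more than one. */
    static String privateKeyAlias(KeyStore ks) throws Exception {
        List<String> keyAliases = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases()))
            if (ks.isKeyEntry(alias))
                keyAliases.add(alias);
        if (keyAliases.size() != 1)
            throw new IllegalStateException("expected exactly one private key entry, found " + keyAliases);
        return keyAliases.get(0);
    }

    /** A trust store should carry certificates only; a private key in it is a packaging mistake. */
    static void requireCertificatesOnly(KeyStore trustStore) throws Exception {
        for (String alias : Collections.list(trustStore.aliases()))
            if (trustStore.isKeyEntry(alias))
                throw new IllegalStateException("trust store must not contain private keys, found " + alias);
    }

    /** Validates the node's certificate chain against the CA certificates in the trust store. */
    static void validateChain(KeyStore keyStore, String alias, KeyStore trustStore) throws Exception {
        Certificate[] chain = keyStore.getCertificateChain(alias);
        if (chain == null || chain.length == 0)
            throw new IllegalStateException("no certificate chain stored for alias " + alias);

        // Trust anchors are the trusted certificate entries of the trust store.
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // offline check: no CRL or OCSP lookups
        Set<X509Certificate> anchors = params.getTrustAnchors().stream()
            .map(TrustAnchor::getTrustedCert).collect(Collectors.toSet());

        List<Certificate> path = new ArrayList<>();
        for (Certificate c : chain) {
            X509Certificate x = (X509Certificate) c;
            x.checkValidity(); // throws if expired or not yet valid
            if (!anchors.contains(x)) // the PKIX path must not end with the anchor itself
                path.add(x);
        }
        if (path.isEmpty())
            throw new IllegalStateException("node certificate is itself a trust anchor; issue node certificates from a CA");

        CertPathValidator.getInstance("PKIX").validate(
            CertificateFactory.getInstance("X.509").generateCertPath(path), params);
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = load(KEY_STORE, STORE_TYPE, PASSWORD);
        KeyStore ts = load(TRUST_STORE, STORE_TYPE, PASSWORD);

        String alias = privateKeyAlias(ks);
        requireCertificatesOnly(ts);
        validateChain(ks, alias, ts);
        System.out.println("OK: key entry '" + alias + "' chains to a CA in " + TRUST_STORE);

        // Only after the stores pass the checks are they handed to the node configuration.
        SslContextFactory factory = new SslContextFactory();
        factory.setKeyStoreFilePath(KEY_STORE);
        factory.setKeyStorePassword(PASSWORD);
        factory.setTrustStoreFilePath(TRUST_STORE);
        factory.setTrustStorePassword(PASSWORD);
        factory.setProtocol("TLSv1.3");

        IgniteConfiguration igniteCfg = new IgniteConfiguration();
        igniteCfg.setSslContextFactory(factory);
    }
}
```

Run it against each node's pair of stores before deployment; a failure here is the same failure the TLS handshake would produce later, only with a readable cause. The check that the node certificate is not itself a trust anchor enforces the recommendation in the Considerations section to keep per-node certificates and CA certificates separate.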

After starting the node, you should see the following messages in the logs:

Security status [authentication=off, tls/ssl=on]

SSL/TLS for Thin Clients

To enable SSL/TLS for thin clients, refer to the thin clients documentation.

Disabling Certificate Validation

In some cases, such as a throwaway test setup that uses self-signed certificates, it can be convenient to disable certificate validation. This is done with a disabled trust manager, obtained by calling the SslContextFactory.getDisabledTrustManager() method. Note what this gives up: traffic is still encrypted, but the node no longer authenticates its peers, so anyone who can reach the socket can present an arbitrary certificate and join or intercept the connection. Do not use this in production; for self-signed certificates, import the certificate into the trust store instead and keep validation on.

XML:

<bean class="org.apache.ignite.configuration.IgniteConfiguration">

    <property name="sslContextFactory">
        <bean class="org.apache.ignite.ssl.SslContextFactory">
            <property name="keyStoreFilePath" value="keystore/node.jks"/>
            <property name="keyStorePassword" value="123456"/>
            <property name="trustManagers">
                <bean class="org.apache.ignite.ssl.SslContextFactory" factory-method="getDisabledTrustManager"/>
            </property>
        </bean>
    </property>

</bean>

Java:

IgniteConfiguration igniteCfg = new IgniteConfiguration();

SslContextFactory factory = new SslContextFactory();

factory.setKeyStoreFilePath("keystore/node.jks");
factory.setKeyStorePassword("123456".toCharArray());
factory.setTrustManagers(SslContextFactory.getDisabledTrustManager());

igniteCfg.setSslContextFactory(factory);
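The class below is an added example, not GridGain code. It places the weak configuration above beside its hardened counterpart and adds a fail-closed guard so the disabled trust manager cannot reach production by accident. The system property ignite.example.trustAll, the file names in the keytool commands and the class name are this example's assumptions; getTrustManagers() and getTrustStoreFilePath() are taken to be the getter counterparts of the setters shown on this page.

```java
import org.apache.ignite.configuration.IgniteConfiguration;
import org.apache.ignite.ssl.SslContextFactory;

/** Weak and hardened trust configuration side by side (added example, not GridGain code). */
public class TrustConfigExample {
    private static final char[] PASSWORD = "123456".toCharArray(); // example password, replace it

    /**
     * Weak: the disabled trust manager accepts any certificate chain, so an on-path attacker holding
     * any key pair can impersonate a cluster node. Acceptable only for throwaway local testing.
     */
    static SslContextFactory trustAnything() {
        SslContextFactory f = new SslContextFactory();
        f.setKeyStoreFilePath("keystore/node.jks");
        f.setKeyStorePassword(PASSWORD);
        f.setTrustManagers(SslContextFactory.getDisabledTrustManager());
        return f;
    }

    /**
     * Hardened form for the self-signed case: put the peer's self-signed certificate (or the CA that
     * issued the node certificates) into the trust store and let the factory build real trust managers.
     * The certificate is exported from the peer's key store and imported with keytool, for example
     * (assumed aliases and file names):
     *   keytool -exportcert -alias node -keystore keystore/peer.jks -rfc -file peer.pem
     *   keytool -importcert -alias peer -file peer.pem -keystore keystore/trust.jks -noprompt
     */
    static SslContextFactory trustStoreOnly() {
        SslContextFactory f = new SslContextFactory();
        f.setKeyStoreFilePath("keystore/node.jks");
        f.setKeyStorePassword(PASSWORD);
        f.setTrustStoreFilePath("keystore/trust.jks");
        f.setTrustStorePassword(PASSWORD);
        f.setProtocol("TLSv1.3");
        return f;
    }

    /**
     * Fail closed: explicit trust managers with no trust store configured means peer authentication
     * was replaced, which in this code base is only ever the disabled trust manager. Refuse it unless
     * the test-only switch (assumed property name) is set on the JVM command line.
     */
    static SslContextFactory requirePeerAuthentication(SslContextFactory f) {
        boolean explicitManagers = f.getTrustManagers() != null;
        boolean noTrustStore = f.getTrustStoreFilePath() == null;
        boolean testOnlySwitch = Boolean.getBoolean("ignite.example.trustAll");
        if (explicitManagers && noTrustStore && !testOnlySwitch)
            throw new IllegalStateException(
                "TLS peer authentication is disabled; pass -Dignite.example.trustAll=true for local tests only");
        return f;
    }

    public static void main(String[] args) {
        // The hardened factory is the default; the weak one is used only when explicitly requested.
        SslContextFactory chosen = Boolean.getBoolean("ignite.example.trustAll")
            ? trustAnything()
            : trustStoreOnly();

        IgniteConfiguration igniteCfg = new IgniteConfiguration();
        igniteCfg.setSslContextFactory(requirePeerAuthentication(chosen));
        // Ignition.start(igniteCfg) would follow here.
    }
}
```

The guard keys on the combination of explicit trust managers and an absent trust store rather than on the identity of the returned object, because the disabled trust manager is an implementation detail of the factory and is not meant to be compared against.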

SslContextFactory Properties

SslContextFactory supports the following properties (default in parentheses):

keyAlgorithm (SunX509)
    The key manager algorithm used to create the key manager. The default works on most platforms; set it to X509 on the Android platform.

keyStoreFilePath (none)
    The path to the key store file. This parameter is mandatory, since the SSL context cannot be initialized without a key manager.

keyStorePassword (none)
    The key store password.

keyStoreType (JKS)
    The key store type, for example JKS or PKCS12.

protocol (TLS)
    The protocol name for the secure transport, for example TLS, TLSv1.2 or TLSv1.3; any name accepted by javax.net.ssl.SSLContext.getInstance on your JDK can be used. The default TLS lets the JDK negotiate among the versions it enables.

trustStoreFilePath (none)
    The path to the trust store file.

trustStorePassword (none)
    The trust store password.

trustStoreType (JKS)
    The trust store type, for example JKS or PKCS12.

trustManagers (none)
    A list of pre-configured trust managers. When set, these are used instead of trust managers built from the trust store.