Configuring Network Encryption and Authentication with SSL/TLS

By default, all GemFire XD network traffic is unencrypted, with the exception of user names and user passwords, which can be encrypted separately. There is also no network layer access control mechanism. For deployment scenarios where these are possible security issues, the GemFire XD Network Server supports network security with Secure Socket Layer/Transport Layer Security (SSL/TLS).

With SSL/TLS, the client/server communication protocol is encrypted, and independently of each other, both client and server can require certificate-based authentication of each other.

It is assumed that the reader is somewhat familiar with SSL, key pairs, and certificates. This documentation is also based on the Java Development Kit (JDK) and its keytool application.

For the remainder of this section, the term SSL is used for SSL/TLS and the term peer is used for the other part of the communication (The server's peer is the client and vice versa).

SSL for GemFire XD (both for client and for server) operates in three possible modes:
The default, no SSL encryption
SSL encryption, no peer authentication
SSL encryption and peer authentication

You can set peer authentication on the server or on the client or on both. Peer authentication means that the other side of the SSL connection is authenticated based on a trusted certificate installed locally.

Alternatively, you can install a Certification Authority (CA) certificate locally and the peer has a certificate signed by that authority. How to achieve this is not described in this document. Consult your Java environment documentation for details.

Attention: If a plaintext client tries to communicate with an SSL server or an SSL client tries to communicate with a plaintext server, the plaintext side of the communication will see the SSL communication as noise and report protocol errors.