Configuring SSL for GemFire XD Peer Connections

In addition to using SSL for client/server connections, you can optionally configure GemFire XD members to use SSL encryption and/or authorization for peer connections in the distributed system.

Peer SSL configuration is managed using both javax.net.ssl system properties and the GemFire XD boot properties ssl-enabled, ssl-protocols, ssl-ciphers, and ssl-require-authentication. The following sections provide a simple example that demonstrates the configuration and startup of GemFire XD members with SSL.

Requirements

In order to configure SSL for GemFire XD peer connections:
  • You must use locators for member discovery (mcast-port=0).
  • Configure SSL keypairs and certificates as needed for each GemFire XD member. See Generate Key Pairs and Certificates.
  • All GemFire XD members must use the same SSL boot parameters at startup.

Provider-Specific Configuration Files

This example uses keystores created by the Java keytool application to provide the proper credentials to the provider. To create the keystore and certificate for the locator, we ran the following:
$ keytool -genkey -alias myGemFireXDLocator -keystore locatorKeyStore.key
$ keytool -export -alias myGemFireXDLocator -keystore locatorKeyStore.key -rfc -file myLocator.cert
Similar commands were used for a server member:
$ keytool -genkey -alias myGemFireXDServer -keystore serverKeyStore.key
$ keytool -export -alias myGemFireXDServer -keystore serverKeyStore.key -rfc -file myServer.cert
Each member's certificate was then imported into the other member's trust store. For the server member:
$ keytool -import -alias myGemFireXDLocator -file ./myLocator.cert -keystore ./serverKeyStore.key
For the locator member:
$ keytool -import -alias myGemFireXDServer -file ./myServer.cert -keystore ./locatorKeyStore.key

gemfirexd.properties File

You can enable SSL encryption for peer connections in the gemfirexd.properties file. This example simply enables SSL for communication between members. The same properties file can be used by both the locator and server members:

ssl-enabled=true
mcast-port=0
locators=<hostaddress>[<port>]

Locator Startup

Before starting other system members, start the locator using SSL and the provider-specific configuration settings:
$ gfxd locator start -J-Djavax.net.ssl.keyStoreType=jks -J-Djavax.net.ssl.keyStore=./locatorKeyStore.key -J-Djavax.net.ssl.keyStorePassword=password \
-J-Djavax.net.ssl.trustStore=./locatorKeyStore.key -J-Djavax.net.ssl.trustStorePassword=password

Other Member Startup

GemFire XD servers can be started similarly to the locator startup, with the appropriate gemfirexd.properties file in the current working directory. For example:
$ gfxd server start -J-Djavax.net.ssl.keyStoreType=jks -J-Djavax.net.ssl.keyStore=./serverKeyStore.key -J-Djavax.net.ssl.keyStorePassword=password \
-J-Djavax.net.ssl.trustStore=./serverKeyStore.key -J-Djavax.net.ssl.trustStorePassword=password -client-port=1528
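The following script is an added example, not part of the GemFire XD documentation or product: it wraps the keytool steps, the trust-store cross-import, the gemfirexd.properties settings and the gfxd start options above into shell functions, and adds the two checks a practitioner wants before bringing up members, namely that each keystore really holds the other member's certificate and that every member's properties file carries the same ssl-* parameters (the requirement stated above). The helper names (gen_member_keys, trust_cert, has_alias, check_peer_ssl_props, same_ssl_params, ssl_jvm_opts) are the example's own, keytool is assumed to be on PATH, the password and the locator address localhost[10334] are placeholders, and the keytool flags used (-keyalg, -dname, -storepass, -keypass, -validity, -noprompt, -list) are standard keytool options not shown in the text.

```shell
#!/bin/sh
# Added example: automate and verify the peer-SSL keystore setup described above.
# Assumptions: keytool on PATH; STOREPASS is a placeholder, not a real secret.
set -eu

STOREPASS="${STOREPASS:-changeit}"   # placeholder; override via environment

# Create a member's key pair and export its certificate (non-interactive form of
# the keytool -genkey / -export commands in the text).
gen_member_keys() {  # alias keystore certfile
    keytool -genkey -alias "$1" -keystore "$2" -keyalg RSA -keysize 2048 \
        -dname "CN=$1" -storepass "$STOREPASS" -keypass "$STOREPASS" -validity 365
    keytool -export -alias "$1" -keystore "$2" -rfc -file "$3" -storepass "$STOREPASS"
}

# Import the other member's certificate; the keystore doubles as trust store,
# exactly as in the start commands above.
trust_cert() {  # alias certfile keystore
    keytool -import -noprompt -alias "$1" -file "$2" -keystore "$3" -storepass "$STOREPASS"
}

# Succeed only if the keystore contains an entry under the given alias.
has_alias() {  # keystore alias
    keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" >/dev/null 2>&1
}

# Verify a gemfirexd.properties file meets the peer-SSL requirements:
# SSL enabled, multicast disabled (locator discovery), locators set.
check_peer_ssl_props() {  # propsfile
    grep -q '^ssl-enabled=true$' "$1" || { echo "$1: ssl-enabled must be true" >&2; return 1; }
    grep -q '^mcast-port=0$' "$1"     || { echo "$1: mcast-port must be 0" >&2; return 1; }
    grep -q '^locators=' "$1"         || { echo "$1: locators is missing" >&2; return 1; }
}

# All members must boot with identical ssl-* parameters: compare the sorted
# ssl-* lines of two properties files.
same_ssl_params() {  # file1 file2
    [ "$(grep '^ssl-' "$1" | sort)" = "$(grep '^ssl-' "$2" | sort)" ]
}

# Build the javax.net.ssl -J-D options for a member whose keystore is also its trust store.
ssl_jvm_opts() {  # keystore
    printf -- '-J-Djavax.net.ssl.keyStoreType=jks -J-Djavax.net.ssl.keyStore=%s -J-Djavax.net.ssl.keyStorePassword=%s -J-Djavax.net.ssl.trustStore=%s -J-Djavax.net.ssl.trustStorePassword=%s' \
        "$1" "$STOREPASS" "$1" "$STOREPASS"
}

# End-to-end run in a scratch directory: keys, mutual trust, properties, start commands.
demo() {
    workdir="$(mktemp -d)"; cd "$workdir"
    gen_member_keys myGemFireXDLocator locatorKeyStore.key myLocator.cert
    gen_member_keys myGemFireXDServer  serverKeyStore.key  myServer.cert
    trust_cert myGemFireXDLocator myLocator.cert serverKeyStore.key
    trust_cert myGemFireXDServer  myServer.cert  locatorKeyStore.key
    has_alias serverKeyStore.key  myGemFireXDLocator || { echo "server does not trust locator" >&2; return 1; }
    has_alias locatorKeyStore.key myGemFireXDServer  || { echo "locator does not trust server" >&2; return 1; }
    # placeholder locator address; the same file is shared by locator and server
    printf 'ssl-enabled=true\nmcast-port=0\nlocators=localhost[10334]\n' > gemfirexd.properties
    check_peer_ssl_props gemfirexd.properties
    same_ssl_params gemfirexd.properties gemfirexd.properties
    echo "mutual trust verified in $workdir; start members with:"
    echo "gfxd locator start $(ssl_jvm_opts ./locatorKeyStore.key)"
    echo "gfxd server start $(ssl_jvm_opts ./serverKeyStore.key) -client-port=1528"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh peer-ssl.sh demo` to generate the stores and print the start commands; source it without arguments to reuse check_peer_ssl_props and same_ssl_params against the properties files of every member before startup, since a member whose ssl-* lines differ from the locator's will not join the distributed system.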