Securing Connection among Nodes Using SSL
By using SSL socket communication, you can secure the connections among all nodes of Apache Ignite.
Procedure
- Navigate to $MQ_HOME/config and open the IgniteMember.xml file.
- Set sslContextFactory: by default, Apache Ignite provides a default SSL context factory, org.apache.ignite.ssl.SslContextFactory, which uses a configured keystore to initialize the SSL context.
  <property name="sslContextFactory">
    <bean class="org.apache.ignite.ssl.SslContextFactory">
      <property name="keyStoreFilePath" value="keystore/keystore.jks"/>
      <property name="keyStorePassword" value="123456"/>
      <property name="trustStoreFilePath" value="keystore/truststore.ts"/>
      <property name="trustStorePassword" value="123456"/>
    </bean>
  </property>
- Disable Certificate Validation: in some cases, you must disable certificate validation on the client side, for example when connecting to a server with a self-signed certificate. Set a disabled trust manager on sslContextFactory:
  <property name="sslContextFactory">
    <bean class="org.apache.ignite.ssl.SslContextFactory">
      <property name="keyStoreFilePath" value="keystore/keystore.jks"/>
      <property name="keyStorePassword" value="123456"/>
      <property name="trustManagers">
        <bean class="org.apache.ignite.ssl.SslContextFactory" factory-method="getDisabledTrustManager"/>
      </property>
    </bean>
  </property>
- Set Protocol: with Apache Ignite, you can configure different types of encryption. The supported algorithms are listed at http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext and can be set by using the setProtocol method, which corresponds to the protocol property of the bean. TLS encryption is the default.
  <property name="sslContextFactory">
    <bean class="org.apache.ignite.ssl.SslContextFactory">
      <property name="protocol" value="SSL"/>
      ...
    </bean>
  </property>
  ...
- Set
- Save the IgniteMember.xml file.
Remember: If security is configured, the logs contain communication encrypted=on:
  INFO: Security status [authentication=off, communication encrypted=on]
The server console shows the following:
  INFO: Security status [authentication=off, tls/ssl=on]
- Generate the keyStore using the following command:
  keytool -genkey -alias ignite -keystore keystore.jks -keyalg RSA
- Generate the trustStore using the following two commands:
  keytool -export -file ignite.cert -keystore keystore.jks -alias ignite
  keytool -import -v -trustcacerts -file ignite.cert -keystore truststore.ts -alias ignite
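As an added defender-side check, not part of this page or of Apache Ignite, the following Python script parses the sslContextFactory bean from a Spring XML file such as IgniteMember.xml and reports the settings from the steps above that weaken transport security: the disabled trust manager, an explicit non-TLS protocol, a missing trust store, and the placeholder password used in the examples. The sample XML is constructed for the demonstration; the function name audit_ssl_context is this script's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the page) modelled on the IgniteMember.xml
# fragments above: disabled trust manager, protocol "SSL", placeholder password.
SAMPLE_XML = """<beans>
  <bean class="org.apache.ignite.configuration.IgniteConfiguration">
    <property name="sslContextFactory">
      <bean class="org.apache.ignite.ssl.SslContextFactory">
        <property name="keyStoreFilePath" value="keystore/keystore.jks"/>
        <property name="keyStorePassword" value="123456"/>
        <property name="protocol" value="SSL"/>
        <property name="trustManagers">
          <bean class="org.apache.ignite.ssl.SslContextFactory"
                factory-method="getDisabledTrustManager"/>
        </property>
      </bean>
    </property>
  </bean>
</beans>"""


def audit_ssl_context(xml_text):
    """Return the list of findings for the sslContextFactory bean (empty = clean)."""
    root = ET.fromstring(xml_text)
    factory = None
    for prop in root.iter("property"):
        if prop.get("name") == "sslContextFactory":
            factory = prop.find("bean")
    if factory is None:
        return ["no sslContextFactory: node-to-node traffic is not encrypted"]
    # Direct child properties of the factory bean, keyed by Spring property name.
    props = {p.get("name"): p for p in factory.findall("property")}
    findings = []
    if "trustManagers" in props:
        for bean in props["trustManagers"].iter("bean"):
            if bean.get("factory-method") == "getDisabledTrustManager":
                findings.append("certificate validation disabled (getDisabledTrustManager)")
    elif "trustStoreFilePath" not in props:
        findings.append("no trustStoreFilePath: peer certificates cannot be validated")
    protocol = props.get("protocol")
    # An absent protocol means the TLS default; an explicit value should still be a TLS variant.
    if protocol is not None and not protocol.get("value", "").upper().startswith("TLS"):
        findings.append("protocol %r is not TLS" % protocol.get("value"))
    for name in ("keyStorePassword", "trustStorePassword"):
        if name in props and props[name].get("value") == "123456":
            findings.append("%s is the documentation placeholder value" % name)
    return findings
```

Run it against the real IgniteMember.xml by passing the file contents to audit_ssl_context; an empty list means none of the weak settings above is present.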
For more information, see Apache Ignite documentation.