Securing Connection among Nodes Using SSL

By using the SSL socket communication, you can secure connection among all nodes of Apache Ignite.

1. Navigate to $MQ_HOME/config and open the IgniteMember.xml file.
   1. Set sslContextFactory: by default, Apache Ignite provides a default SSL context factory, org.apache.ignite.ssl.SslContextFactory, which uses configured keystore to initialize SSL context.

      <property name="sslContextFactory">
          <bean class="org.apache.ignite.ssl.SslContextFactory">
            <property name="keyStoreFilePath" value="keystore/keystore.jks"/>
            <property name="keyStorePassword" value="123456"/>
            <property name="trustStoreFilePath" value="keystore/truststore.ts"/>
            <property name="trustStorePassword" value="123456"/>
          </bean>
        </property>
      

   2. Disable Certificate Validation: in some cases, you must disable certificate validation of the client side. For example, when connecting to a server with self-signed certificate
      Set a disabled trust manager to sslContextFactory

      <property name="sslContextFactory">
          <bean class="org.apache.ignite.ssl.SslContextFactory">
            <property name="keyStoreFilePath" value="keystore/keystore.jks"/>
            <property name="keyStorePassword" value="123456"/>
            <property name="trustManagers">
              <bean class="org.apache.ignite.ssl.SslContextFactory" factory-method="getDisabledTrustManager"/>
           </property>
          </bean>
        </property>
      

   3. Set Protocol: By using Apache Ignite, you can configure different types of encryption. The following algorithms are supported http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext and can be set by using the setProtocol method. TLS encryption is the default.

      <property name="sslContextFactory">
          <bean class="org.apache.ignite.ssl.SslContextFactory">
            <property name="setProtocol" value="SSL"/>
            ...
          </bean>
        </property>
        ...
      

2. Save the IgniteMember.xml file.
   Remember: If security is configured, the logs contain communication encrypted=on.

   INFO: Security status [authentication=off, communication encrypted=on]

   The server console shows the following:

   INFO: Security status [authentication=off, tls/ssl=on]

3. Generate keyStore using the following command:

    keytool -genkey -alias ignite -keystore keystore.jks -keyalg RSA

4. Generate trustStore using the following two commands:

   • keytool -export -file ignite.cert -keystore keystore.jks -alias ignite

   • keytool -import -v -trustcacerts -file ignite.cert -keystore truststore.ts -alias ignite