Securing Connection among Nodes Using SSL

By using SSL socket communication, you can secure the connections among all nodes of Apache Ignite. Each node then presents a certificate from its keystore and validates the peer's certificate against its truststore, so a node without a trusted certificate cannot join or read cluster traffic.

Procedure

  1. Navigate to $MQ_HOME/config and open the IgniteMember.xml file.
    1. Set sslContextFactory: Apache Ignite provides a default SSL context factory, org.apache.ignite.ssl.SslContextFactory, which uses the configured keystore and truststore to initialize the SSL context. The keystore holds this node's private key and certificate; the truststore holds the certificates of the nodes it accepts.
      <property name="sslContextFactory">
          <bean class="org.apache.ignite.ssl.SslContextFactory">
            <property name="keyStoreFilePath" value="keystore/keystore.jks"/>
            <property name="keyStorePassword" value="123456"/>
            <property name="trustStoreFilePath" value="keystore/truststore.ts"/>
            <property name="trustStorePassword" value="123456"/>
          </bean>
        </property>
      
    2. Disable Certificate Validation: in some cases, for example when connecting to a server with a self-signed certificate, you might need to disable certificate validation on the client side. Be aware that a disabled trust manager accepts any certificate, so the client no longer authenticates the peer and an attacker on the network can impersonate a node. Use this setting only in test environments; for self-signed certificates, import the certificate into the truststore instead (see step 4) and keep validation enabled.
      To disable validation, set a disabled trust manager in sslContextFactory:
      <property name="sslContextFactory">
          <bean class="org.apache.ignite.ssl.SslContextFactory">
            <property name="keyStoreFilePath" value="keystore/keystore.jks"/>
            <property name="keyStorePassword" value="123456"/>
            <property name="trustManagers">
              <bean class="org.apache.ignite.ssl.SslContextFactory" factory-method="getDisabledTrustManager"/>
           </property>
          </bean>
        </property>
      
    3. Set Protocol: you can configure which protocol Apache Ignite uses for encryption. The supported names are listed at http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext and are set through the setProtocol method, that is, the protocol property of the bean. TLS is the default. Do not set the value to SSL, which selects the legacy SSL protocol family; keep the default or pin a current version such as TLSv1.2.
      <property name="sslContextFactory">
          <bean class="org.apache.ignite.ssl.SslContextFactory">
            <property name="protocol" value="TLSv1.2"/>
            ...
          </bean>
        </property>
        ...
      
  2. Save the IgniteMember.xml file.
    Remember: If SSL is configured, the security status line in the logs reports encrypted communication. The exact wording depends on the Apache Ignite version. Older versions log:
    INFO: Security status [authentication=off, communication encrypted=on]
    Newer versions show the following on the server console:
    INFO: Security status [authentication=off, tls/ssl=on]
    If the line reports communication encrypted=off or tls/ssl=off, the sslContextFactory property was not applied.
  3. Generate the keystore using the following command (the keystore and truststore must exist before the node starts with the configuration from step 1, so run steps 3 and 4 first if the files are not already present):
     keytool -genkeypair -alias ignite -keystore keystore.jks -keyalg RSA -keysize 2048 -validity 365
     Choose a strong keystore password rather than the sample value 123456 shown in the XML above, and restrict read access to keystore.jks, truststore.ts and IgniteMember.xml, because the passwords are stored in the file in clear text. Place the files where keyStoreFilePath and trustStoreFilePath point (the keystore directory, relative to the working directory, in the example above).
  4. Generate the truststore using the following two commands. The first exports the node certificate; the second imports it into the truststore, which is the way to trust a self-signed certificate without disabling validation:
    • keytool -export -file ignite.cert -keystore keystore.jks -alias ignite
    • keytool -import -v -trustcacerts -file ignite.cert -keystore truststore.ts -alias ignite
    Verify the result with keytool -list -keystore truststore.ts; the output must list the ignite alias as a trustedCertEntry.
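The procedure above leaves several ways to end up with a configuration that looks encrypted but does not authenticate peers: a disabled trust manager, the protocol property misnamed so that it is silently ignored, or the sample password left in place. The following script is an added example, not part of Apache Ignite or of the product documentation; it lints the sslContextFactory bean in an IgniteMember.xml fragment for those mistakes. Both XML fragments inside it are constructed for illustration, and the ${...} placeholders in the hardened fragment assume a Spring property placeholder configurer that resolves them from the environment.

```python
"""Lint the sslContextFactory bean of an Apache Ignite Spring XML file for weak
TLS settings. Added example; not code from Apache Ignite or the product docs.
Both configurations below are constructed samples."""
import xml.etree.ElementTree as ET

SSL_FACTORY = "org.apache.ignite.ssl.SslContextFactory"
# SSLContext protocol names that still negotiate modern TLS; anything else
# ("SSL", "SSLv3", "TLSv1", "TLSv1.1") is reported.
ACCEPTABLE_PROTOCOLS = {"TLS", "TLSv1.2", "TLSv1.3"}
# Sample passwords that tend to be copied from tutorials into production files.
SAMPLE_PASSWORDS = {"123456", "changeit", "password"}


def _value(props, name):
    """Return the value attribute of a named <property>, or None if absent."""
    p = props.get(name)
    return p.get("value") if p is not None else None


def lint_ssl_context_factory(xml_text):
    """Return a list of findings for every sslContextFactory property in the
    fragment. An empty list means none of the checked weaknesses were found."""
    # A bare <property> fragment has no single root, so wrap it before parsing.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    findings = []
    for prop in root.iter("property"):
        if prop.get("name") != "sslContextFactory":
            continue
        bean = next((b for b in prop.findall("bean")
                     if b.get("class") == SSL_FACTORY), None)
        if bean is None:
            findings.append("factory: sslContextFactory bean is not " + SSL_FACTORY)
            continue
        props = {p.get("name"): p for p in bean.findall("property")}

        # 1. A disabled trust manager accepts any certificate: no peer authentication.
        tm = props.get("trustManagers")
        if tm is not None:
            for b in tm.findall("bean"):
                if b.get("factory-method") == "getDisabledTrustManager":
                    findings.append("trust: getDisabledTrustManager disables "
                                    "certificate validation")
        elif _value(props, "trustStoreFilePath") is None:
            findings.append("trust: neither trustStoreFilePath nor trustManagers "
                            "is configured")

        # 2. Spring binds the bean property 'protocol'; 'setProtocol' is the
        #    setter name and is not applied, so the value is silently ignored.
        if "setProtocol" in props:
            findings.append("protocol: property name 'setProtocol' is not applied; "
                            "use 'protocol'")
        protocol = _value(props, "protocol") or _value(props, "setProtocol")
        if protocol is not None and protocol not in ACCEPTABLE_PROTOCOLS:
            findings.append("protocol: '%s' selects a legacy protocol; use TLSv1.2 "
                            "or newer" % protocol)

        # 3. Key material must be present ...
        if _value(props, "keyStoreFilePath") is None:
            findings.append("keystore: keyStoreFilePath is missing")

        # 4. ... and not protected by a sample password.
        for name in ("keyStorePassword", "trustStorePassword"):
            if _value(props, name) in SAMPLE_PASSWORDS:
                findings.append("password: %s uses the sample value '%s'"
                                % (name, _value(props, name)))
    return findings


# Constructed sample: the disabled-trust-manager variant with the misnamed
# protocol property and the sample password.
WEAK_CONFIG = """
<property name="sslContextFactory">
  <bean class="org.apache.ignite.ssl.SslContextFactory">
    <property name="keyStoreFilePath" value="keystore/keystore.jks"/>
    <property name="keyStorePassword" value="123456"/>
    <property name="setProtocol" value="SSL"/>
    <property name="trustManagers">
      <bean class="org.apache.ignite.ssl.SslContextFactory" factory-method="getDisabledTrustManager"/>
    </property>
  </bean>
</property>
"""

# Constructed sample: truststore-based validation, pinned TLS version, and
# passwords supplied through Spring placeholders (assumed to be resolved by
# a placeholder configurer in the application context).
HARDENED_CONFIG = """
<property name="sslContextFactory">
  <bean class="org.apache.ignite.ssl.SslContextFactory">
    <property name="keyStoreFilePath" value="keystore/keystore.jks"/>
    <property name="keyStorePassword" value="${IGNITE_KEYSTORE_PASSWORD}"/>
    <property name="trustStoreFilePath" value="keystore/truststore.ts"/>
    <property name="trustStorePassword" value="${IGNITE_TRUSTSTORE_PASSWORD}"/>
    <property name="protocol" value="TLSv1.2"/>
  </bean>
</property>
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label + ":")
        for finding in lint_ssl_context_factory(cfg) or ["no findings"]:
            print("  " + finding)
```

Run it against a real IgniteMember.xml by reading the file into a string and passing it to lint_ssl_context_factory; the checks are deliberately limited to the settings this page covers, so an empty result means the configuration avoids those specific mistakes, not that the deployment is fully hardened.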