Securing Connection among Nodes Using SSL
By using SSL socket communication, you can secure the connections among all nodes of Apache Ignite.
Procedure
- Navigate to $MQ_HOME/config and open the IgniteMember.xml file.
- Set sslContextFactory: by default, Apache Ignite provides a default SSL context factory, org.apache.ignite.ssl.SslContextFactory, which uses the configured keystore to initialize the SSL context.
    <property name="sslContextFactory">
        <bean class="org.apache.ignite.ssl.SslContextFactory">
            <property name="keyStoreFilePath" value="keystore/keystore.jks"/>
            <property name="keyStorePassword" value="123456"/>
            <property name="trustStoreFilePath" value="keystore/truststore.ts"/>
            <property name="trustStorePassword" value="123456"/>
        </bean>
    </property>
- Disable certificate validation: in some cases, you must disable certificate validation on the client side, for example when connecting to a server with a self-signed certificate. With the trust manager disabled, the client accepts any certificate the server presents. Set a disabled trust manager on sslContextFactory:
    <property name="sslContextFactory">
        <bean class="org.apache.ignite.ssl.SslContextFactory">
            <property name="keyStoreFilePath" value="keystore/keystore.jks"/>
            <property name="keyStorePassword" value="123456"/>
            <property name="trustManagers">
                <bean class="org.apache.ignite.ssl.SslContextFactory" factory-method="getDisabledTrustManager"/>
            </property>
        </bean>
    </property>
- Set protocol: by using Apache Ignite, you can configure different types of encryption. The supported algorithms are listed at http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext and can be set by using the setProtocol method. TLS encryption is the default. In the Spring XML, the property is named protocol (Spring maps it to the setProtocol method):
    <property name="sslContextFactory">
        <bean class="org.apache.ignite.ssl.SslContextFactory">
            <property name="protocol" value="SSL"/>
            ...
        </bean>
    </property>
    ...
- Save the IgniteMember.xml file.
- Generate keyStore using the following command:
    keytool -genkey -alias ignite -keystore keystore.jks -keyalg RSA
- Generate trustStore using the following two commands:
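The complete sslContextFactory setting assembled from the IgniteMember.xml steps above, as an added example that is not part of the original page or of the Apache Ignite project. It assumes that IgniteMember.xml is a standard Spring bean definition file with spring-context on the classpath (so that the context namespace is available), that the keystore and truststore paths are relative to the node's working directory, and that the two passwords are supplied as JVM system properties named ignite.keystore.password and ignite.truststore.password (names chosen for this example) rather than hardcoded in the file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original page: a node configuration that
     enables TLS between Ignite nodes with both a keystore (this node's
     identity) and a truststore (the peers it accepts). -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/context
           http://www.springframework.org/schema/context/spring-context.xsd">

    <!-- Resolves ${...} placeholders from system properties and the
         environment, so the store passwords never sit in the checked-in XML.
         Startup fails if a placeholder is undefined, which is the safe default. -->
    <context:property-placeholder/>

    <bean id="ignite.cfg" class="org.apache.ignite.configuration.IgniteConfiguration">
        <property name="sslContextFactory">
            <bean class="org.apache.ignite.ssl.SslContextFactory">
                <!-- Spring maps property "protocol" to setProtocol(). TLS is
                     already the default; pinning a version is optional.
                     The SSL* protocol names are deprecated and are not selected here. -->
                <property name="protocol" value="TLSv1.2"/>

                <!-- Node identity: private key and certificate, generated with keytool -->
                <property name="keyStoreFilePath" value="keystore/keystore.jks"/>
                <property name="keyStorePassword" value="${ignite.keystore.password}"/>

                <!-- Certificates of peers this node trusts. This replaces the
                     getDisabledTrustManager() variant from the procedure, which
                     accepts any certificate a peer presents and belongs only in
                     test setups. -->
                <property name="trustStoreFilePath" value="keystore/truststore.ts"/>
                <property name="trustStorePassword" value="${ignite.truststore.password}"/>
            </bean>
        </property>
    </bean>
</beans>
```

Start the node with the two passwords on the command line (for example `-Dignite.keystore.password=... -Dignite.truststore.password=...` in the JVM options); Spring converts the placeholder strings to the char[] that the keyStorePassword and trustStorePassword setters expect, exactly as it does for the literal values in the procedure. Every node in the cluster needs a keystore whose certificate is present in the other nodes' truststores, otherwise the TLS handshake between them fails.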
Copyright © Cloud Software Group, Inc. All rights reserved.