Uploaded image for project: 'Geode'
  1. Geode
  2. GEODE-420

locator ssl configuration

    XMLWordPrintableJSON

Details

    • New Feature
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 1.0.0-incubating
    • docs, locator
    • None

    Description

      We currently allow separate SSL configuration for cluster, server, gateway, jmx-manager, and http-service.

      The "server" attributes configure the ssl connections from clients to a cache server.
      The "gateway" attributes configure the ssl connections between a gateway sender and receiver.
      The "jmx-manager" attributes configure the ssl connections between an admin client (for example gfsh) and the jmx-manager.
      The "http-service" attributes configure the ssl connections between REST clients and the http-service.
      The "cluster" attributes configure the ssl connections between the members of a distributed system (peer-to-peer connections) AND to the locators.

      Using "cluster" for the connections to a locator can be a problem.
      Say you trust all your members of a distributed system since they are running on your private network. So no need for ssl on the p2p connections.
      So you disable cluster-ssl. These means that your peers are locators are all using unsecure connections.
      But some of these members are hosting a cache server and have clients connecting to them. So you configure "server" ssl for the client to server connections. But for your clients to find you servers they need to talk to the locator. Since the clients are coming from the outside world you want them to use SSL. So you configure "server" ssl on them for when they connect to the cache server and "cluster" SSL on them for when they connect to the locator. But your locators are configured with "cluster" SSL disabled so that the p2p connects on the internal network will not be SSL.

      So you are either forced to have you client to locator connections to be unsecure or you need to secure all the cluster connections forcing the peers to also use SSL.

      I think we should introduce "locator" SSL configuration options that would allow you to have just the locator and server using SSL and the "cluster" to have SSL disabled.

      Something else to consider would be for the locator to be able to use SSL for clients but non-SSL for locator-to-locator and peers-to-locator connections. I think this would be more complicated because we would need to have different ports that the locator listens on (one for clients and one for locators and members).

      Attachments

        Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. GEODE-10066 SSL handshake failures on 1 locator prevents connection pool from trying other locators

          • Major - Major loss of function.
          • Closed
          is related to

          Bug - A problem which impairs or prevents the functions of the product. GEODE-1793 Flaky: LocatorDUnitTest.testStartTwoLocatorsOneWithSSLAndTheOtherNonSSL

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Reopened

          Bug - A problem which impairs or prevents the functions of the product. GEODE-1794 Flaky: LocatorDUnitTest.testStartTwoLocatorsWithDifferentSSLCertificates

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. GEODE-1795 Flaky: LocatorDUnitTest.testStartTwoLocatorsOneWithNonSSLAndTheOtherSSL

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. GEODE-1792 Configuration consistency in SSL configuration

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. GEODE-1947 Rename SSL_HTTP_REQUIRE_AUTHENTICATION to SSL_WEB_REQUIRE_AUTHENTICATION

          • Major - Major loss of function.
          • Closed

          Activity

            People

              ukohlmeyer Udo Kohlmeyer
              dschneider Darrel Schneider
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: