geode-commits mailing list archives

From dbar...@apache.org
Subject geode-native git commit: GEODE-2486 Developer can use encrypted ciphers. Modified SSL section to remove prior statement of limitations. This closes #31
Date Fri, 24 Feb 2017 18:53:16 GMT
Repository: geode-native
Updated Branches:
  refs/heads/develop 2e3e2a021 -> 3e2e4230c


GEODE-2486 Developer can use encrypted ciphers. Modified SSL section to remove prior statement
of limitations.
This closes #31


Project: http://git-wip-us.apache.org/repos/asf/geode-native/repo
Commit: http://git-wip-us.apache.org/repos/asf/geode-native/commit/3e2e4230
Tree: http://git-wip-us.apache.org/repos/asf/geode-native/tree/3e2e4230
Diff: http://git-wip-us.apache.org/repos/asf/geode-native/diff/3e2e4230

Branch: refs/heads/develop
Commit: 3e2e4230c272253d6b19a63bb83197c521b8338b
Parents: 2e3e2a0
Author: Dave Barnes <dbarnes@pivotal.io>
Authored: Thu Feb 23 17:56:01 2017 -0800
Committer: Dave Barnes <dbarnes@pivotal.io>
Committed: Fri Feb 24 10:52:24 2017 -0800

----------------------------------------------------------------------
 .../source/subnavs/geode-nc-nav.erb             |  12 +-
 .../security/limitations.html.md.erb            |  26 ----
 .../security/overviewsecurity.html.md.erb       |   4 +-
 .../overviewsslclientserver.html.md.erb         |  30 -----
 .../security/sslclientserver.html.md.erb        | 124 +++++++++++++++++++
 5 files changed, 128 insertions(+), 68 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/geode-native/blob/3e2e4230/docs/geode-native-book/master_middleman/source/subnavs/geode-nc-nav.erb
----------------------------------------------------------------------
diff --git a/docs/geode-native-book/master_middleman/source/subnavs/geode-nc-nav.erb b/docs/geode-native-book/master_middleman/source/subnavs/geode-nc-nav.erb
index 3e9365c..2189cc0 100644
--- a/docs/geode-native-book/master_middleman/source/subnavs/geode-nc-nav.erb
+++ b/docs/geode-native-book/master_middleman/source/subnavs/geode-nc-nav.erb
@@ -626,16 +626,8 @@ limitations under the License.
                             <li>
                                 <a href="/docs/guide-native/11/security/security-systemprops.html">Security-Related
System Properties (gfcpp.properties)</a>
                             </li>
-                            <li class="has_submenu">
-                                <a href="/docs/guide-native/11/security/overviewsslclientserver.html">SSL
Client/Server Communication</a>
-                                <ul>
-                                    <li>
-                                        <a href="/docs/guide-native/11/security/ssl-setup.html">Set
Up OpenSSL</a>
-                                    </li>
-                                    <li>
-                                        <a href="/docs/guide-native/11/security/limitations.html">Limitations</a>
-                                    </li>
-                                </ul>
+                            <li>
+                                <a href="/docs/guide-native/11/security/sslclientserver.html">SSL
Client/Server Communication</a>
                             </li>
                         </ul>
                     </li>
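Review bot: the nav drops the link to ssl-setup.html, but docs/geode-native-docs/security/ssl-setup.html.md.erb is not one of the five files this commit touches, so that page will still be built and simply become unreachable from the sidebar, while its title is reused for the new "# Set Up OpenSSL" section of sslclientserver.html. Either delete ssl-setup.html.md.erb in this change or keep the "Set Up OpenSSL" entry pointing at it.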

http://git-wip-us.apache.org/repos/asf/geode-native/blob/3e2e4230/docs/geode-native-docs/security/limitations.html.md.erb
----------------------------------------------------------------------
diff --git a/docs/geode-native-docs/security/limitations.html.md.erb b/docs/geode-native-docs/security/limitations.html.md.erb
deleted file mode 100644
index 042e48b..0000000
--- a/docs/geode-native-docs/security/limitations.html.md.erb
+++ /dev/null
@@ -1,26 +0,0 @@
----
-title:  Limitations
----
-
-<!--
-Licensed to the Apache Software Foundation (ASF) under one or more
-contributor license agreements.  See the NOTICE file distributed with
-this work for additional information regarding copyright ownership.
-The ASF licenses this file to You under the Apache License, Version 2.0
-(the "License"); you may not use this file except in compliance with
-the License.  You may obtain a copy of the License at
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--->
-
-Currently the native client only supports the NULL cipher with mutual authentication for
SSL socket communications.
-
-The keys and keystores need to be in the JKS (Java KeyStore) format for the Geode server
and in the clear PEM format for the native client.
-
-
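Review bot: the deleted page is the only place that says the native client's SSL connections are mutually authenticated; the JKS-on-server / PEM-on-client requirement survives in Step 2 of the new sslclientserver.html, but the mutual-authentication statement does not, and the new page only tells the reader to set `ssl-keystore` and `ssl-truststore` without saying that the client presents its own certificate. If only the NULL-cipher restriction is being lifted, keep a one-line statement of what still holds rather than dropping the whole page.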

http://git-wip-us.apache.org/repos/asf/geode-native/blob/3e2e4230/docs/geode-native-docs/security/overviewsecurity.html.md.erb
----------------------------------------------------------------------
diff --git a/docs/geode-native-docs/security/overviewsecurity.html.md.erb b/docs/geode-native-docs/security/overviewsecurity.html.md.erb
index be89f6e..ec4ea25 100644
--- a/docs/geode-native-docs/security/overviewsecurity.html.md.erb
+++ b/docs/geode-native-docs/security/overviewsecurity.html.md.erb
@@ -19,7 +19,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 -->
 
-*Security* describes how to implement the security framework for the Geode native client,
including authentication, authorization, ecryption, and SSL client/server communication.
+*Security* describes how to implement the security framework for the Geode native client,
including authentication, authorization, encryption, and SSL client/server communication.
 
 The security framework authenticates clients that attempt to connect to a Geode cache server,
and authorizes client cache operations. You can also configure it for client authentication
of servers, and you can plug in your own implementations for authentication and authorization.
 
@@ -39,7 +39,7 @@ The security framework authenticates clients that attempt to connect to
a Geode
 
     The table describes the security-related system properties in the `gfcpp.properties`
file for native client authentication and authorization.
 
--   **[SSL Client/Server Communication](overviewsslclientserver.html)**
+-   **[SSL Client/Server Communication](sslclientserver.html)**
 
     This section describes how to configure OpenSSL; implement SSL-based communication between
your clients and servers; and run clients and servers with SSL enabled.
 

http://git-wip-us.apache.org/repos/asf/geode-native/blob/3e2e4230/docs/geode-native-docs/security/overviewsslclientserver.html.md.erb
----------------------------------------------------------------------
diff --git a/docs/geode-native-docs/security/overviewsslclientserver.html.md.erb b/docs/geode-native-docs/security/overviewsslclientserver.html.md.erb
deleted file mode 100644
index 32a459b..0000000
--- a/docs/geode-native-docs/security/overviewsslclientserver.html.md.erb
+++ /dev/null
@@ -1,30 +0,0 @@
----
-title:  SSL Client/Server Communication
----
-
-<!--
-Licensed to the Apache Software Foundation (ASF) under one or more
-contributor license agreements.  See the NOTICE file distributed with
-this work for additional information regarding copyright ownership.
-The ASF licenses this file to You under the Apache License, Version 2.0
-(the "License"); you may not use this file except in compliance with
-the License.  You may obtain a copy of the License at
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--->
-
-This section describes how to configure OpenSSL, implement SSL-based communication between
your clients and servers, and run clients and servers with SSL enabled.
-
--   **[Set Up OpenSSL](ssl-setup.html)**
-
--   **[Limitations](limitations.html)**
-
-    Currently the native client only supports the NULL cipher with mutual authentication
for SSL socket communications.
-
-

http://git-wip-us.apache.org/repos/asf/geode-native/blob/3e2e4230/docs/geode-native-docs/security/sslclientserver.html.md.erb
----------------------------------------------------------------------
diff --git a/docs/geode-native-docs/security/sslclientserver.html.md.erb b/docs/geode-native-docs/security/sslclientserver.html.md.erb
new file mode 100644
index 0000000..2614a46
--- /dev/null
+++ b/docs/geode-native-docs/security/sslclientserver.html.md.erb
@@ -0,0 +1,124 @@
+---
+title:  SSL Client/Server Communication
+---
+
+This section describes how to configure OpenSSL, implement SSL-based communication between
your clients and servers, and run clients and servers with SSL enabled.
+
+# Set Up OpenSSL
+
+The open-source OpenSSL toolkit provides a full-strength general purpose cryptography library
to operate along with the PKCS sample implementation for encrypted authentication of native
client credentials.
+
+Follow these instructions to download and install OpenSSL for your specific operating system.
+
+The native client requires OpenSSL 1.0.1t or later. For Windows platforms, you can use either
the regular or the OpenSSL 1.0.1t "Light" version.
+
+**Note:**
+If you use Cygwin, it is recommended that you do not use the OpenSSL library that comes with
Cygwin because it is built with `cygwin.dll` as a dependency.
+
+## Step 1. Download and install OpenSSL
+
+### <a id="security__section_5C95C2E4D9244B27BF8FD178E402D993" class="no-quick-link"></a>Linux
+
+Download the OpenSSL tarball archive from the OpenSSL web site at [http://www.openssl.org/source/](http://www.openssl.org/source/).
Copy the downloaded tarball file into `NativeClient_xxxx/templates/security/openssl/Linux`
and run `buildit.sh`.
+
+### <a id="security__section_93651F296C1A4EA5A3FA045EC15FB506" class="no-quick-link"></a>Solaris
+
+Download the OpenSSL tarball archive from the OpenSSL web site at [http://www.openssl.org/source/](http://www.openssl.org/source/).
Copy the downloaded tarball file into `NativeClient_xxxx/templates/security/openssl/SunOS`
and run `buildit.sh`.
+
+### <a id="security__section_68961A8829D44BFB8F542F3317464E5E" class="no-quick-link"></a>Windows
+
+Download the installer for OpenSSL from [http://www.openssl.org/related/binaries.html](http://www.openssl.org/related/binaries.html).
You can also use the OpenSSL "Light" version.
+
+Use the downloaded OpenSSL installer to install it on Windows. You can usually accept the
default installation path (`C:\OpenSSL`).
+
+
+## Step 2. Create keystores
+
+The Geode server requires keys and keystores in the Java Key Store (JKS) format while the
native client requires them in the clear PEM format. Thus you need to be able to generate
private/public keypairs in either format and convert between the two using the `keytool` utility
and the `openssl` command.
+
+There are public third party free tools and source code available to download such as the
"KeyTool IUI" tool.
+
+
+## Step 3. Configure environment variables
+
+Configure your system environment to build and run OpenSSL. Follow the environment setup
that applies to your operating system.
+
+### <a id="security__section_6C173D0D8C8343EA92961C954032E2CA" class="no-quick-link"></a>Bourne
and Korn shells (sh, ksh, bash)
+
+<code>
+% OPENSSL=_parent-folder-for-openssl-binaries_; export OPENSSL<br />
+% GFCPP=_product-dir_; export GFCPP<br />
+% LD\_LIBRARY\_PATH=$LD\_LIBRARY\_PATH:$GFCPP/lib:$GFCPP/ssl\_libs:$OPENSSL/lib<br />
+% export LD\_LIBRARY\_PATH<br />
+% CLASSPATH=$GEMFIRE/lib/gfSecurityImpl.jar:$CLASSPATH
+</code>
+
+### <a id="security__section_76CF86EDC2234BA6BF7DA6E253C71F61" class="no-quick-link"></a>Windows
+
+<code>
+\> set GFCPP=_product-dir_<br />
+\> set OPENSSL=_path-to-installed-openssl_<br />
+\> set PATH=_path-to-jdk-or-jre_\bin;%GFCPP%\bin;%GFCPP%\ssl\_libs;%OPENSSL%\bin;%PATH%<br
/>
+\> set CLASSPATH=_path-to-gemfire-installation_\lib\gfSecurityImpl.jar;%CLASSPATH%
+</code>
+
+where <code>_path-to-installed-openssl_</code> is typically `C:\OpenSSL>`.
+
+## Step 4. Configure SSL properties in gfcpp.properties and gemfire.properties
+
+Configure SSL properties.
+
+1.  In `gfcpp.properties`, set `ssl-enabled` to true and set `ssl-keystore` and `ssl-truststore`
to point to your keystore files. See [Security-Related System Properties (gfcpp.properties)](security-systemprops.html#security)
for a description of these properties.
+2.  On each locator, enable SSL and set the following SSL properties in the locator’s `gemfire.properties`
file:
+
+    ``` pre
+    ssl-enabled-components=server,locator
+    ssl-protocols=any
+    ssl-ciphers=SSL_RSA_WITH_NULL_SHA
+    ```
+
+
+## Step 5. Start and stop the client and server
+
+Before you start and stop the client and server, make sure you configure the native client
with the SSL properties as described and with the servers or locators specified as usual.
+
+Specifically, ensure that:
+
+-   OpenSSL and ACE\_SSL `DLL`s locations are in the right environment variables for your
system: `PATH` for Windows, and `LD_LIBRARY_PATH` for Unix.
+-   You have generated the keys and keystores.
+-   You have set the system properties.
+
+For details on stopping and starting locators and cache servers with SSL, see [Starting Up
and Shutting Down Your System](geodeman/configuring/running/starting_up_shutting_down.html).
+
+**Example locator start command**
+
+Ensure that all required SSL properties are configured in your server's `gfsecurity.properties`
file. Then start your locator as follows:
+
+``` pre
+gfsh>start locator --name=my_locator --port=12345 --dir=. \
+--security-properties-file=/path/to/your/gfsecurity.properties
+```
+
+**Example locator stop command**
+
+``` pre
+gfsh>stop locator --port=12345 \
+--security-properties-file=/path/to/your/gfsecurity.properties
+```
+
+**Example server start command**
+
+Again, ensure that all required SSL properties are configured in `gfsecurity.properties`.
Then start the server with:
+
+``` pre
+gfsh>start server --name=my_server --locators=hostname[12345] \
+--cache-xml-file=server.xml --log-level=fine \
+--security-properties-file=/path/to/your/gfsecurity.properties
+```
+
+**Example server stop command**
+
+``` pre
+gfsh>stop server --name=my_server
+```
+
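Review bot: the Step 4 locator example still sets `ssl-ciphers=SSL_RSA_WITH_NULL_SHA`, which contradicts the point of this commit (the NULL-cipher limitation is gone): that suite authenticates the peer and MACs the stream but sends application data in the clear, so a reader who copies the example gets an unencrypted connection, and `ssl-protocols=any` on the line above it defers to whatever protocol versions the JVM enables. Replace the example with an encrypting suite and an explicit protocol, or at least state that this value is for testing only. Three smaller things in the same file: (1) the new file has no ASF license header, unlike the two files it replaces; (2) Step 4 configures `gfcpp.properties` and the locator's `gemfire.properties`, but Step 5 then tells the reader to put the SSL properties in `gfsecurity.properties` and passes `--security-properties-file`, with no explanation of how the three files relate; (3) the environment snippets reference `$GEMFIRE`, `gfSecurityImpl.jar` and `_path-to-gemfire-installation_`, which are GemFire rather than Geode names, and the Windows line `C:\OpenSSL>` has a stray `>`.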

