Date: Tue, 30 Aug 2016 18:46:20 +0000 (UTC)
From: "ASF subversion and git services (JIRA)"
To: issues@geode.incubator.apache.org
Subject: [jira] [Commented] (GEODE-420) locator ssl configuration

    [ https://issues.apache.org/jira/browse/GEODE-420?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15449798#comment-15449798 ]

ASF subversion and git services commented on GEODE-420:
--------------------------------------------------------

Commit de08779ce772f7d8c9094796a719e9fb6deb25f3 in incubator-geode's branch refs/heads/feature/GEODE-420 from [~ukohlmeyer]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-geode.git;h=de08779 ]

GEODE-420: Fixing test DistributionConfigJUnitTest.java

> locator ssl configuration
> -------------------------
>
>                 Key: GEODE-420
>                 URL: https://issues.apache.org/jira/browse/GEODE-420
>             Project: Geode
>          Issue Type: New Feature
>          Components: docs, locator
>            Reporter: Darrel Schneider
>            Assignee: Udo Kohlmeyer
>
> We currently allow separate SSL configuration for cluster, server, gateway, jmx-manager, and http-service.
> The "server" attributes configure the ssl connections from clients to a cache server.
> The "gateway" attributes configure the ssl connections between a gateway sender and receiver.
> The "jmx-manager" attributes configure the ssl connections between an admin client (for example gfsh) and the jmx-manager.
> The "http-service" attributes configure the ssl connections between REST clients and the http-service.
> The "cluster" attributes configure the ssl connections between the members of a distributed system (peer-to-peer connections) AND to the locators.
> Using "cluster" for the connections to a locator can be a problem.
> Say you trust all your members of a distributed system since they are running on your private network. So no need for ssl on the p2p connections.
> So you disable cluster-ssl. This means that your peers and locators are all using unsecured connections.
> But some of these members are hosting a cache server and have clients connecting to them. So you configure "server" ssl for the client to server connections. But for your clients to find your servers they need to talk to the locator. Since the clients are coming from the outside world you want them to use SSL. So you configure "server" ssl on them for when they connect to the cache server and "cluster" SSL on them for when they connect to the locator. But your locators are configured with "cluster" SSL disabled so that the p2p connections on the internal network will not be SSL.
> So you are either forced to have your client to locator connections be unsecured or you need to secure all the cluster connections, forcing the peers to also use SSL.
> I think we should introduce "locator" SSL configuration options that would allow you to have just the locator and server using SSL and the "cluster" to have SSL disabled.
> Something else to consider would be for the locator to be able to use SSL for clients but non-SSL for locator-to-locator and peers-to-locator connections. I think this would be more complicated because we would need to have different ports that the locator listens on (one for clients and one for locators and members).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
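The attribute scoping the issue describes, as an added example that is not part of the JIRA issue or of Geode's own code: a small Python audit that, for one locator, cache server and client configuration, flags where the shared "cluster" scope leaves client-to-locator traffic either unprotected or unable to connect at all. The `*-ssl-enabled` property names are assumed to be the Geode properties behind the attributes the issue names, and the property fragments are constructed.

```python
# Added example, not Geode's own code: audit gemfire.properties fragments against the
# rule the issue describes (client-to-locator traffic is governed by the "cluster" SSL
# attributes). The *-ssl-enabled property names are assumed; sample values are constructed.

# Which SSL attribute group governs each kind of connection, per the issue text.
CONNECTION_SCOPE = {
    "peer-to-peer": "cluster",
    "client-to-locator": "cluster",  # no separate "locator" scope: the gap GEODE-420 describes
    "client-to-server": "server",
}

def parse_properties(text):
    """Parse a Java-style properties fragment into a dict (comments and blanks skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def ssl_enabled(props, scope):
    """True if <scope>-ssl-enabled is set to true; the property defaults to false."""
    return props.get(f"{scope}-ssl-enabled", "false").lower() == "true"

def audit(locator, server, client):
    """Return stable finding codes for one locator / cache server / client property set."""
    loc_cluster = ssl_enabled(locator, CONNECTION_SCOPE["client-to-locator"])
    srv_cluster = ssl_enabled(server, CONNECTION_SCOPE["peer-to-peer"])
    cli_to_loc = ssl_enabled(client, CONNECTION_SCOPE["client-to-locator"])
    cli_to_srv = ssl_enabled(client, CONNECTION_SCOPE["client-to-server"])
    findings = []
    if cli_to_srv != ssl_enabled(server, CONNECTION_SCOPE["client-to-server"]):
        findings.append("CLIENT_SERVER_MISMATCH")
    if cli_to_loc != loc_cluster:
        findings.append("CLIENT_LOCATOR_MISMATCH")   # TLS handshake to the locator cannot succeed
    elif cli_to_srv and not cli_to_loc:
        findings.append("CLIENT_LOCATOR_CLEARTEXT")  # discovery from the outside is unprotected
    if srv_cluster != loc_cluster:
        findings.append("PEER_LOCATOR_MISMATCH")     # peers and locators disagree on cluster SSL
    return findings

# Constructed fragments for the issue's scenario: trusted private network, so cluster SSL
# is off on locator and server, while clients from outside need SSL to the cache server.
LOCATOR_PROPS = parse_properties("cluster-ssl-enabled=false\n")
SERVER_PROPS = parse_properties("cluster-ssl-enabled=false\nserver-ssl-enabled=true\n")
CLIENT_TLS_TO_LOCATOR = parse_properties("server-ssl-enabled=true\ncluster-ssl-enabled=true\n")
CLIENT_PLAIN_TO_LOCATOR = parse_properties("server-ssl-enabled=true\ncluster-ssl-enabled=false\n")
```

Running `audit` over the two client variants reproduces the dilemma in the description: the client that enables cluster SSL cannot complete a handshake with the cluster-SSL-disabled locator, and the client that disables it talks to the locator in cleartext.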