SSL/TLS
This page explains how to configure SSL/TLS encryption between the cluster nodes (server and client) and the clients that connect to your cluster.
Considerations
All internal connections in the cluster context, as well as cluster’s user interaction interfaces, are SSL-enabled. The communication categories are as follows:
-
Between the user and the cluster (node): REST
-
Between the user and the platform clients
-
Between nodes: Network (Messaging, Scalecube)
All SSL configurations activities are performed at the node level.
GridGain does not support direct paths to SSL certificates. Instead, it utilizes PKCS12 and JKS keystore.
REST
The standard implementation of SSL for REST involves configuring a secure connection on a separate port. GridGain supports HTTP and HTTPS, arch on its own port.
The GridGain 9 REST security configuration in the JSON format is provided below.
{
"ignite" : {
"rest" : {
"dualProtocol" : false,
"httpToHttpsRedirection" : false,
"ssl" : {
"enabled" : true,
"port" : 10400,
"portRange" : 100,
"keyStore" : {
"type" : "PKCS12",
"path" : "must not be empty",
"password" : "may be empty"
}
}
}
}
}Clients and JDBC
GridGain 9 Client implementation is based on the Netty framework, which supports configuration for security connections via SSLContextBuilder.
Server-side Configuration
The default way to configure SSL on the server side is to update the configuration with SSL properties. The example below is in the JSON format.
{
"ignite" : {
"clientConnector" : {
"ssl" : {
"enabled" : true,
"clientAuth" : "require",
"keyStore" : {
"type" : "PKCS12",
"path" : "must not be empty",
"password" : "may be empty"
},
"trustStore" : {
"type" : "PKCS12",
"path" : "must not be empty",
"password" : "may be empty"
}
}
}
}
}If you have enabled SSL for clientConnector, and want to use JDBC, set the corresponding properties in your code:
var url =
"jdbc:ignite:thin://{address}:{port}"
+ "?sslEnabled=true"
+ "&trustStorePath=" + trustStorePath
+ "&trustStoreType=JKS"
+ "&trustStorePassword=" + password
+ "&clientAuth=require"
+ "&keyStorePath=" + keyStorePath
+ "&keyStoreType=PKCS12"
+ "&keyStorePassword=" + password;
try (Connection conn = DriverManager.getConnection(url)) {
// Other actions.
}Client Configuration
Java
To enable SSL in your Java clients, use the IgniteClient class and pass the ssl configuration to it:
var sslConfiguration = SslConfiguration.builder()
.enabled(true)
.trustStoreType("JKS")
.trustStorePath(trustStorePath)
.trustStorePassword(password)
.clientAuth(REQUIRE)
.keyStorePath(keyStorePath)
.keyStorePassword(password)
.build();
try (IgniteClient client = IgniteClient.builder()
.addresses("localhost:10800")
.ssl(sslConfiguration)
.build()
).NET
Add the IgniteClientConfiguration.SslStreamFactory property of type ISslStreamFactory.
Provide a predefined implementation.
Use the base class library SslStream.
Basic usage without client authorization:
var cfg = new IgniteClientConfiguration { SslStreamFactory = new() }CLI
To SSL on the CLI side, use the cli config set command:
cli config set cli.trust-store.type=<type>
cli config set cli.trust-store.path=<path>
cli config set cli.trust-store.password=<password>Store the CLI security configuration in a separate file with permission settings that protect it from unauthorized read/write operations. This configuration file must match profiles from the common configuration file.
Network Configuration
The node network is based on the Netty framework. The configuration is the same as described for the GridGain Client part except for the part that addresses the GridGain 9 configuration.
{
"ignite" : {
"network" : {
"ssl" : {
"enabled" : true,
"clientAuth" : "none",
"keyStore" : {
"type" : "PKCS12",
"path" : "must not be empty",
"password" : "may be empty"
},
"trustStore" : {
"type" : "PKCS12",
"path" : "must not be empty",
"password" : "may be empty"
}
}
}
}
}SSL Client Authentication (mTLS Support)
Optionally, the connections you utilize can support the client authentication feature. Configure it separately for each connection on the server side.
Two-way authentication requires that both server and client have certificates they reciprocally trust. The client generates a private key, stores it in its keystore, and gets it signed by an entity the server’s truststore trusts.
To support client authentication, a connection must include the clientAuth, trustStore and keyStore properties. Here is an example of a possible client configuration. The example below is in the JSON format.
{
"ignite" : {
"clientConnector.ssl" : {
"enabled" : true,
"clientAuth" : "require",
"keyStore" : {
"path" : "must not be empty",
"password : "may be empty"
},
"trustStore" : {
"type" : "JKS",
"path" : "must not be empty",
"password" : "may be empty"
}
}
}
}© 2024 GridGain Systems, Inc. All Rights Reserved. Privacy Policy | Legal Notices. GridGain® is a registered trademark of GridGain Systems, Inc.
Apache, Apache Ignite, the Apache feather and the Apache Ignite logo are either registered trademarks or trademarks of The Apache Software Foundation.