[Java programming language only]

Securing data that flows between eXtreme Scale and Liberty with SSL encryption

Configure SSL properties and JMX ports to secure sensitive information that flows between WebSphere® eXtreme Scale and Liberty.

About this task

When a data grid is deployed, the sensitive information it contains flows over the network. Also, the credentials that data grid clients use to authenticate to the data grid flow over the network. To protect data and credentials as they flow, use transport-level encryption (SSL) to secure deployments.

The security of SSL depends on protecting the keystores and the truststores, so that only authorized users have access to the keystores and truststores. After you enable SSL encryption, you must specify a JMXConnectorPort and a JMXServicePort value in the server properties file to have SSL protection for JMX traffic.

The transport between the JMX client and server can be secured with transport layer security (TLS) or SSL. If the transportType of the catalog server or container server is set to SSL-Required or SSL-Supported, then you must use SSL to connect to the JMX server.

Procedure

  1. Specify SSL in the server properties file.
    Set the transportType property to SSL-Required; for example:
    transportType=SSL-Required
  2. Specify SSL properties in the server properties file.
    alias=serverprivate
    contextProvider=IBMJSSE2
    protocol=SSL
    keyStoreType=JKS
    keyStore=etc/test/security/key.jks
    keyStorePassword=serverpw
    trustStoreType=JKS
    trustStore=etc/test/security/trust.jks
    trustStorePassword=public
    clientAuthentication=false
  3. Specify SSL in the client properties file when SSL is required.
    Set the transportType property to SSL-Required or SSL-Supported; for example:
    transportType=SSL-Required
  4. Specify SSL properties in the client properties file.
    For example, you can specify the following properties:
    alias=clientprivate
    contextProvider=IBMJSSE2
    protocol=SSL
    keyStoreType=JKS
    keyStore=etc/test/security/client.private
    keyStorePassword={xor}PDM2OjErLyg\=
    trustStoreType=JKS
    trustStore=etc/test/security/server.public
    trustStorePassword={xor}Lyo9MzY8
    Specify the client properties file in the jvm.options file; for example:
    -Dobjectgrid.client.props="D:\IDEs\wxsEnvi\wlp\usr\servers\sessionAppServer\objectGridClient.properties"
    Remove the double quotation marks if you are using Linux operating systems.
    Configure the truststore, truststore type, and truststore password. It is not necessary to specify a keystore, keystore type, and keystore password for the client. The alias, keystore, keystore password, and keystore type are not needed on the client unless the server SSL properties include clientAuthentication=true. This value is rarely used and is only supported when running with the IBM eXtremeIO (XIO) transport.

    The client truststore must trust the server certificate. When the server certificate is self signed, as in the tutorial, that certificate must be imported into the client trust store. When the server certificate is issued by a local certificate authority, the signer certificate for that certificate authority must be imported into the client truststore. For more information about creating keystore and truststore files, see Java SE security tutorial - Step 6.

  5. Optional: [Version 8.6.0.5 and later] Enable TLS v1.2.

    You can configure the data grid to use TLS 1.2 for encrypted network communication. This version of the TLS protocol is required to support NIST standards, which ensure high protection of data as it is sent over the wire. Specify protocol=TLSv1.2 in both the client properties file and the server properties file. This step applies to the eXtremeIO (XIO) and ORB transport types.

    Restriction: Some web browser versions do not work with a TLS v1.2-enabled server. Current versions of most browsers, including Mozilla Firefox, Microsoft Internet Explorer, and Google Chrome, do support communication with TLS v1.2-enabled servers. You might need to configure the browser to enable TLS v1.2. For more information, see the following table:

    Table 1. TLS v1.2 browser support

    Browser                | Operating system                                          | TLS 1.2
    -----------------------|-----------------------------------------------------------|-------------------------
    Chrome 0-21            | Android, iOS, Linux, Mac OS X                             | No
    Chrome 22-28           | Windows (XP, Vista, 7, 8); Android, iOS, Linux, Mac OS X  | No
    Chrome 29-current      | Windows (XP, Vista, 7, 8); Android, iOS, Linux, Mac OS X  | Yes
    Firefox 1-18           | Linux, Mac OS X, Windows (XP, Vista, 7, 8)                | No
    Firefox 19-current     | Linux, Mac OS X, Windows (XP, Vista, 7, 8)                | No
    Firefox 24 (Beta)      | Linux, Mac OS X, Windows (XP, Vista, 7, 8)                | Yes, disabled by default
    Internet Explorer 6    | Windows (98, 2000, ME, XP)                                | No
    Internet Explorer 7-8  | Windows (XP, Vista)                                       | No
    Internet Explorer 8-9  | Windows 7                                                 | Yes, disabled by default
    Internet Explorer 9    | Windows Vista                                             | No
    Internet Explorer 10   | Windows (7, 8)                                            | Yes, disabled by default
  6. Set the JMX service port in the server properties file.

    The default value for the JMX service port on catalog servers is 1099. You must use a different port number for each JVM in your configuration. If you want to use JMX/RMI, explicitly specify the JMXServicePort option and port number, even if you want to use the default port value.

  7. Set the JMX connector port in the server properties file.

    Setting the JMX service port is required when you want to display container server information from the catalog server. For example, the port is required when you are using the xscmd -c showMapSizes command. Set the JMX connector port to avoid ephemeral port creation.

  8. Enable on-chip Advanced Encryption Standard (AES) encryption.

    If you are using IBM® SDK Java™ Technology Edition Version 7, Service Refresh 3 or later, and you are running on an Intel processor that supports the Advanced Encryption Standard (AES) New Instructions (AES-NI) instruction set, you can achieve a performance improvement by taking advantage of on-chip AES encryption. Using these features, you can run AES encryption and decryption with hardware instructions and without extra software.

    To enable AES-NI usage, add the following property to the JVM command line or jvm.options file:
    com.ibm.crypto.provider.doAESInHardware=true

    Add the following property to the JVM command line or the jvm.options file to verify that the processor supports the AES-NI instruction set:
    com.ibm.crypto.provider.AESNITrace=true

    For more information, see Intel Advanced Encryption Standard New Instructions.
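The following is an added example, not part of the IBM documentation or of the eXtreme Scale product: a small Python checker that reads a server properties file and a client properties file (constructed here as inline strings, with placeholder paths) and reports which of the settings from steps 1 to 7 are missing or weak. It shows the weak configuration from step 2 (protocol=SSL, plaintext passwords, no JMX ports) beside a hardened version, and also checks that JMX ports are not reused across JVMs. The `{xor}` values are placeholders for passwords encoded with the product's encoder; the rule that only protocol=TLSv1.2 passes is this example's own policy.

```python
"""Lint eXtreme Scale server/client properties for the SSL and JMX settings
described in the procedure above. Standalone example, not product code."""

# Constructed sample: the weak server configuration from step 2 (protocol=SSL,
# plaintext keystore passwords, JMX ports not set). Paths are placeholders.
WEAK_SERVER_PROPS = """\
transportType=SSL-Required
alias=serverprivate
contextProvider=IBMJSSE2
protocol=SSL
keyStoreType=JKS
keyStore=etc/test/security/key.jks
keyStorePassword=serverpw
trustStoreType=JKS
trustStore=etc/test/security/trust.jks
trustStorePassword=public
clientAuthentication=false
"""

# Constructed sample: the same server after steps 5 to 7. The {xor} values are
# placeholders for encoded passwords; {xor} is reversible obfuscation, not
# encryption, so the properties file itself still needs restrictive permissions.
HARDENED_SERVER_PROPS = """\
transportType=SSL-Required
alias=serverprivate
contextProvider=IBMJSSE2
protocol=TLSv1.2
keyStoreType=JKS
keyStore=etc/test/security/key.jks
keyStorePassword={xor}ENCODED_PLACEHOLDER
trustStoreType=JKS
trustStore=etc/test/security/trust.jks
trustStorePassword={xor}Lyo9MzY8
clientAuthentication=false
JMXServicePort=1099
JMXConnectorPort=1100
"""

# Constructed sample client file: truststore only, since clientAuthentication=false.
CLIENT_PROPS = """\
transportType=SSL-Required
contextProvider=IBMJSSE2
protocol=TLSv1.2
trustStoreType=JKS
trustStore=etc/test/security/server.public
trustStorePassword={xor}Lyo9MzY8
"""


def parse_properties(text):
    """Minimal Java .properties parser: one key=value (or key:value) per line,
    '#' and '!' start comment lines. Sufficient for the files used here."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split on whichever separator appears first, so values may contain ':'.
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def _port_ok(value):
    return value is not None and value.isdigit() and 1 <= int(value) <= 65535


def check_ssl_config(server, client):
    """Return a list of findings for a server/client pair; empty means it passes."""
    findings = []
    st = server.get("transportType", "TCP/IP")
    ct = client.get("transportType", "TCP/IP")
    if st != "SSL-Required":
        findings.append(f"server: transportType={st}; use SSL-Required so plaintext clients are refused")
    if ct not in ("SSL-Required", "SSL-Supported"):
        findings.append(f"client: transportType={ct}; use SSL-Required or SSL-Supported")
    for side, props in (("server", server), ("client", client)):
        proto = props.get("protocol", "SSL")
        if proto != "TLSv1.2":
            findings.append(f"{side}: protocol={proto}; set protocol=TLSv1.2 (step 5)")
        if not props.get("trustStore"):
            findings.append(f"{side}: trustStore is not set")
        for key in ("keyStorePassword", "trustStorePassword"):
            value = props.get(key)
            if value and not value.startswith("{xor}"):
                findings.append(f"{side}: {key} is stored in plaintext")
    if not server.get("keyStore"):
        findings.append("server: keyStore is not set")
    # A client keystore is only needed when the server demands client certificates.
    if server.get("clientAuthentication", "false").lower() == "true" and not client.get("keyStore"):
        findings.append("client: server has clientAuthentication=true but client has no keyStore")
    # Steps 6 and 7: both JMX ports must be explicit for JMX traffic to be SSL protected
    # and to avoid an ephemeral connector port.
    for key in ("JMXServicePort", "JMXConnectorPort"):
        if not _port_ok(server.get(key)):
            findings.append(f"server: {key} missing or invalid; JMX would use an unprotected or ephemeral port")
    return findings


def check_unique_jmx_ports(servers):
    """servers: dict of JVM name -> parsed properties. Flags a JMX port used twice (step 6)."""
    findings, seen = [], {}
    for name, props in servers.items():
        for key in ("JMXServicePort", "JMXConnectorPort"):
            port = props.get(key)
            if port is None:
                continue
            if port in seen:
                findings.append(f"{name}: {key}={port} already used by {seen[port]}")
            else:
                seen[port] = f"{name}.{key}"
    return findings


if __name__ == "__main__":
    weak = check_ssl_config(parse_properties(WEAK_SERVER_PROPS), parse_properties(CLIENT_PROPS))
    print("\n".join(weak) or "no findings")
```

Run the script as-is to see the five findings for the weak server file; pass real file contents to `parse_properties` to check a deployment. The plaintext-password check treats a `{xor}` value as acceptable only in the sense that it is not literally the password in the file; it does not make the file safe to share, which is why the page stresses protecting the keystores and the files that point at them.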

What to do next

Storing security artifacts in the Liberty profile