[Java programming language only]

Securing data that flows between eXtreme Scale and the OSGi framework with SSL encryption

Configure SSL properties and JMX ports to secure sensitive information that flows between WebSphere® eXtreme Scale and the OSGi framework.

Before you begin

You must install the OSGi framework before you secure the data grid. For more information, see Installing the Eclipse Equinox OSGi framework with Eclipse Gemini for clients and servers.

About this task

When a data grid is deployed, the sensitive information it contains flows over the network. Also, the credentials that data grid clients use to authenticate to the data grid flow over the network. To protect data and credentials as they flow, use transport-level encryption using SSL to secure deployments.

The security of SSL depends on protecting the keystores and the truststores, so that only authorized users have access to the keystores and truststores. After you enable SSL encryption, you must specify a JMXConnectorPort and a JMXServicePort value in the server properties file to have SSL protection for JMX traffic.

The transport between the JMX client and server can be secured with transport layer security (TLS) or SSL. If the transportType of catalog server or container server is set to SSL_Required or SSL_Supported, then you must use SSL to connect to the JMX server.

Procedure

  1. Specify SSL in the server properties file.
    Set the transportType property to SSL-Required; for example: 
    transportType=SSL-Required
  2. To use SSL, you need to configure the truststore, truststore type, and truststore password on the MBean client with -D system properties; for example: 
    -Djavax.net.ssl.trustStore=TRUST_STORE_LOCATION
-Djavax.net.ssl.trustStorePassword=TRUST_STORE_PASSWORD
-Djavax.net.ssl.trustStoreType=TRUST_STORE_TYPE
    If you use com.ibm.websphere.ssl.protocol.SSLSocketFactory as your SSL socket factory in your java_home/jre/lib/security/java.security file, then use the following properties:
    -Dcom.ibm.ssl.trustStore=TRUST_STORE_LOCATION
-Dcom.ibm.ssl.trustStorePassword=TRUST_STORE_PASSWORD
-Dcom.ibm.ssl.trustStoreType=TRUST_STORE_TYPE
  3. Set the JMX service port in the server properties file.

    The default value for the JMX service port on catalog servers is 1099. You must use a different port number for each JVM in your configuration. If you want to use JMX/RMI, explicitly specify theJMXServicePort option and port number, even if you want to use the default port value.

  4. Set the JMX connector port in the server properties file.

    Setting the JMX service port is required when you want to display container server information from the catalog server. For example, the port is required when you are using the xscmd c showMapSizes command. Set the JMX connector port to avoid ephemeral port creation.

  5. Specify the SSL port on the OSGi framework command line using the following JVM argument: 
    -Dcom.ibm.CSI.SSL.Port=7602
  6. Optional: [Version 8.6.0.5 and later]Enable TLS v1.2.

    You can configure the data grid to use TLS 1.2 for encrypted network communication. This version of the TLS protocol is required to support NIST standards, which ensure high protection of data as it is sent over the wire. Specify protocol=TLSv1.2 in both the client.properties file and in the server.properties file. This step applies to eXtremeIO (XIO) and ORB transport types.

    Restriction: Some web browser versions do not work with a TLS v1.2-enabled server. Current® versions of most browsers, including Mozilla Firefox, Microsoft Internet Explorer, and Google Chrome, do support communication with TLS v1.2-enabled servers. You might configure the browser to enable TLS. For more information, see the following table:
    Table 1. TLS v1.2 browser support
    Browser Operating system TLS 1.2
    Chrome 0-21 Android, iOS, Linux, Mac OS X No
    Chrome 2-28

    Windows (XP, Vista, 7, 8)

    Android, iOS, Linux, Mac OS X

    		 No
    Chrome 29-current

    Windows (XP, Vista, 7, 8)

    Android, iOS, Linux, Mac OS X

    		 Yes
    Firefox 1-18 Linux, Mac OS X, Windows (XP, Vista, 7, 8) No
    Firefox 19-current Linux, Mac OS X, Windows (XP, Vista, 7, 8) No
    Firefox 24 (Beta) Linux, Mac OS X, Windows (XP, Vista, 7, 8) Yes, disabled by default
    Internet Explorer 6 Windows (98, 2000, ME, XP) No
    Internet Explorer 7-8 Windows (XP, Vista) No
    Internet Explorer 8-9 Windows 7 Yes, disabled by default
    Internet Explorer 9 Windows Vista No
    Internet Explorer 10 Windows (7,8) Yes, disabled by default
  7. Enable on-chip Advanced Encryption Standard (AES) encryption. If you are using IBM® SDK Java™ Technology Edition Version 7, Service Refresh 3 or later, and you are running on an Intel processor that supports the Advanced Encryption Standard (AES) New Instructions (AES-NI) instruction set, you can achieve performance improvement by taking advantage of on-chip AES encryption.
    Using these features, you can run AES encryption and decryption following hardware instructions without extra software.
    To enable AES-NI usage, add the following property to the JVM command line or jvm.options file:
    com.ibm.crypto.provider.doAESInHardware=trueAdd the following property to the JVM command line or the jvm.options file to verify that the processor supports AES-NI instruction set:
com.ibm.crypto.provider.AESNITrace=true
    For more information, see Intel Advanced Encryption Standard New Instructions.

What to do next

Storing security artifacts in the OSGi framework