Configure SSL properties and JMX ports to secure sensitive
information that flows between servers over the network.
About this task
When a data grid is deployed, the sensitive information it contains flows over the network, as do the credentials that data grid clients use to authenticate to the data grid. To protect data and credentials in transit, secure deployments with transport-level encryption using SSL. The security of SSL depends on protecting the keystores and truststores so that only authorized users have access to them. After you enable SSL encryption, you must specify a JMXConnectorPort and a JMXServicePort value in the server properties file to have SSL protection for JMX traffic.
The transport between the JMX client and server can be secured with transport layer security (TLS) or SSL. If the transportType of the catalog server or container server is set to SSL-Required or SSL-Supported, then you must use SSL to connect to the JMX server.
Procedure
- Specify SSL in the server properties file. Set the transportType property to SSL-Required; for example:
transportType=SSL-Required
- Specify SSL properties in the server properties file.
alias=serverprivate
contextProvider=IBMJSSE2
protocol=SSL
keyStoreType=JKS
keyStore=etc/test/security/key.jks
keyStorePassword=serverpw
trustStoreType=JKS
trustStore=etc/test/security/trust.jks
trustStorePassword=public
clientAuthentication=false
- Specify SSL in the client properties file when SSL is required. Set the transportType property to SSL-Required or SSL-Supported; for example:
transportType=SSL-Required
- Specify SSL properties in the client properties file. For example, you can specify the following properties:
alias=clientprivate
contextProvider=IBMJSSE2
protocol=SSL
keyStoreType=JKS
keyStore=etc/test/security/client.private
keyStorePassword={xor}PDM2OjErLyg\=
trustStoreType=JKS
trustStore=etc/test/security/server.public
trustStorePassword={xor}Lyo9MzY8
Configure the truststore, truststore type, and truststore password. It is not necessary to specify a keystore, keystore type, and keystore password for the client. The alias, keystore, keystore password, and keystore type are not needed on the client unless the server SSL properties include clientAuthentication=true. This value is rarely used and is only supported when running with the IBM eXtremeIO (XIO) transport.
The client truststore must trust the server certificate. When the server certificate is self-signed, as in the tutorial, that certificate must be imported into the client truststore. When the server certificate is issued by a local certificate authority, the signer certificate for that certificate authority must be imported into the client truststore. For more information about creating keystore and truststore files, see Developing keystore files for data encryption.
- Optional: Enable TLS v1.2 data encryption. You can configure the data grid to use TLS 1.2 for encrypted network communication. This version of the TLS protocol is required to support NIST standards, which ensure high protection of data as it is sent over the wire. Specify protocol=TLSv1.2 in both the client.properties file and the server.properties file. This step applies to eXtremeIO (XIO) and ORB transport types.
Restriction: Some web browser versions do not work with a TLS v1.2-enabled server. Current versions of most browsers, including Mozilla Firefox, Microsoft Internet Explorer, and Google Chrome, do support communication with TLS v1.2-enabled servers. You might need to configure the browser to enable TLS. For more information, see the following table:
Table 1. TLS v1.2 browser support
Browser | Operating system | TLS 1.2
Chrome 0-21 | Android, iOS, Linux, Mac OS X | No
Chrome 2-28 | Windows (XP, Vista, 7, 8), Android, iOS, Linux, Mac OS X | No
Chrome 29-current | Windows (XP, Vista, 7, 8), Android, iOS, Linux, Mac OS X | Yes
Firefox 1-18 | Linux, Mac OS X, Windows (XP, Vista, 7, 8) | No
Firefox 19-current | Linux, Mac OS X, Windows (XP, Vista, 7, 8) | No
Firefox 24 (Beta) | Linux, Mac OS X, Windows (XP, Vista, 7, 8) | Yes, disabled by default
Internet Explorer 6 | Windows (98, 2000, ME, XP) | No
Internet Explorer 7-8 | Windows (XP, Vista) | No
Internet Explorer 8-9 | Windows 7 | Yes, disabled by default
Internet Explorer 9 | Windows Vista | No
Internet Explorer 10 | Windows (7, 8) | Yes, disabled by default
- Set the JMX service port. Use the -JMXServicePort option on the startOgServer or startXsServer script. The default value for the JMX service port on catalog servers is 1099. You must use a different port number for each JVM in your configuration. If you want to use JMX/RMI, explicitly specify the -JMXServicePort option and port number, even if you want to use the default port value.
- Set the JMX connector port. Use the -JMXConnectorPort option on the startOgServer or startXsServer script. Setting the JMX service port is required when you want to display container server information from the catalog server. For example, the port is required when you are using the xscmd -c showMapSizes command. Set the JMX connector port to avoid ephemeral port creation.
- Enable on-chip Advanced Encryption Standard (AES) encryption. If you are using IBM® SDK Java™ Technology Edition Version 7, Service Refresh 3 or later, and you are running on an Intel processor that supports the Advanced Encryption Standard New Instructions (AES-NI) instruction set, you can achieve a performance improvement by taking advantage of on-chip AES encryption. Using these features, you can run AES encryption and decryption with hardware instructions, without extra software.
To enable AES-NI usage, add the following property to the JVM command line or the jvm.options file:
com.ibm.crypto.provider.doAESInHardware=true
Add the following property to the JVM command line or the jvm.options file to verify that the processor supports the AES-NI instruction set:
com.ibm.crypto.provider.AESNITrace=true
For more information, see Intel Advanced Encryption Standard New Instructions.
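The following script is an added example for the SSL and JMX steps of this procedure; it is not part of the product or its documentation. It reads a server properties file and a client properties file, then checks them against the recommendations stated above: transportType set to SSL-Required on the server (SSL-Required or SSL-Supported on the client), protocol=TLSv1.2 on both sides, fixed JMXServicePort and JMXConnectorPort values, a truststore on the client, and client key material only when the server sets clientAuthentication=true. The two sample files are constructed for this example and modelled on the values shown in the steps; the audit rules and their severities are assumptions, and the script does not validate the keystore files themselves.

```python
"""Static audit of eXtreme Scale server/client properties files (added example).

Property names are the ones shown in the procedure; the sample files below are
constructed, and the rules are assumptions drawn from the page's recommendations.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

SSL_TRANSPORTS = {"SSL-Required", "SSL-Supported"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments.
    Backslash escapes are left as written (for example a trailing '\\=' in an {xor} value)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def _password_findings(side: str, props: Dict[str, str]) -> List[Finding]:
    """Clear-text passwords are a warning. {xor} values are reversible obfuscation,
    not encryption, so protecting the file itself is still what keeps them secret."""
    out: List[Finding] = []
    for key, value in props.items():
        if not key.lower().endswith("password") or not value:
            continue
        if value.startswith("{xor}"):
            out.append(("INFO", f"{side}: {key} is {{xor}}-obfuscated, not encrypted; restrict read access to the file"))
        else:
            out.append(("WARN", f"{side}: {key} is stored in clear text"))
    return out


def check_server(server: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    transport = server.get("transportType")
    if transport != "SSL-Required":
        findings.append(("WARN", f"server: transportType={transport!r}; SSL-Required refuses cleartext clients"))
    protocol = server.get("protocol")
    if protocol != "TLSv1.2":
        findings.append(("WARN", f"server: protocol={protocol!r}; set protocol=TLSv1.2"))
    for key in ("keyStore", "keyStorePassword", "trustStore", "trustStorePassword"):
        if not server.get(key):
            findings.append(("WARN", f"server: {key} is missing"))
    # Without explicit JMX ports the JMX traffic is not covered by the SSL setup
    # and the connector falls back to an ephemeral port.
    for key in ("JMXServicePort", "JMXConnectorPort"):
        if not server.get(key, "").isdigit():
            findings.append(("WARN", f"server: {key} is not set to a fixed port"))
    findings.extend(_password_findings("server", server))
    return findings


def check_client(client: Dict[str, str], server: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    transport = client.get("transportType")
    if transport not in SSL_TRANSPORTS:
        findings.append(("WARN", f"client: transportType={transport!r}; use SSL-Required or SSL-Supported"))
    if client.get("protocol") != server.get("protocol"):
        findings.append(("WARN", f"client: protocol={client.get('protocol')!r} differs from server protocol={server.get('protocol')!r}"))
    for key in ("trustStore", "trustStoreType", "trustStorePassword"):
        if not client.get(key):
            findings.append(("WARN", f"client: {key} is missing; the client must trust the server certificate"))
    # Client key material is only needed when the server demands client authentication.
    if server.get("clientAuthentication", "false").lower() == "true":
        for key in ("alias", "keyStore", "keyStoreType", "keyStorePassword"):
            if not client.get(key):
                findings.append(("WARN", f"client: {key} is required because the server sets clientAuthentication=true"))
    findings.extend(_password_findings("client", client))
    return findings


def audit(server_text: str, client_text: str) -> Dict[str, List[Finding]]:
    server = parse_properties(server_text)
    client = parse_properties(client_text)
    return {"server": check_server(server), "client": check_client(client, server)}


# Constructed sample files, modelled on the values shown in the procedure.
SERVER_PROPERTIES = r"""
transportType=SSL-Required
alias=serverprivate
contextProvider=IBMJSSE2
protocol=SSL
keyStoreType=JKS
keyStore=etc/test/security/key.jks
keyStorePassword=serverpw
trustStoreType=JKS
trustStore=etc/test/security/trust.jks
trustStorePassword=public
clientAuthentication=false
"""

CLIENT_PROPERTIES = r"""
transportType=SSL-Required
contextProvider=IBMJSSE2
protocol=TLSv1.2
trustStoreType=JKS
trustStore=etc/test/security/server.public
trustStorePassword={xor}Lyo9MzY8
"""

if __name__ == "__main__":
    for side, findings in audit(SERVER_PROPERTIES, CLIENT_PROPERTIES).items():
        for severity, message in findings:
            print(f"[{severity}] {message}")
```

Run against the constructed samples, the server side reports the SSL protocol value, the two missing JMX ports and the two clear-text passwords, and the client side reports the protocol mismatch with the server and notes the {xor}-obfuscated truststore password. Point the script at real server.properties and client.properties files by reading them into the two text arguments of audit().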