| --- |
| title: Encrypt Credentials with Diffe-Hellman |
| --- |
| |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| |
| For secure transmission of sensitive credentials such as passwords, encrypt credentials using the Diffie-Hellman key exchange algorithm. With Diffie-Hellman enabled, you can have your client authenticate its servers. |
| |
| ## <a id="security__section_1BB8F13C7ACB44668FF337F59A3BA5AE" class="no-quick-link"></a>Enabling Diffe-Hellman |
| |
| Set the `security-client-dhalgo` system property in the `geode.properties` file to the password for the public key file store on the client (the name of a valid symmetric key cipher supported by the JDK). |
| |
| Valid `security-client-dhalgo` property values are `DESede`, `AES`, and `Blowfish`, which enable the Diffie-Hellman algorithm with the specified cipher to encrypt the credentials. |
| |
| For the `AES` and `Blowfish` algorithms, optionally specify the key size for the `security-client-dhalgo` property. Valid key size settings for the `AES` algorithm are `AES:128`, `AES:192`, and `AES:256`. The colon separates the algorithm name and the key size. For the `Blowfish` algorithm, key sizes from 128 to 448 bits are supported. For example: |
| |
| ``` pre |
| security-client-dhalgo=Blowfish:128 |
| ``` |
| |
| For `AES` algorithms, you may need Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Sun or equivalent for your JDK. |
| |
| Adding settings for Diffie-Hellman on clients also enables challenge response from server to client in addition to encryption of credentials using the exchanged key to avoid replay attacks from clients to servers. Clients can also enable authentication of servers, with challenge-response from client to server to avoid server-side replay attacks. |
| |
| ## <a id="security__section_F881653044EC4AB5BE88F673890F2A40" class="no-quick-link"></a>Client Authentication of Server |
| |
| With Diffie-Hellman enabled, you can have your client authenticate its servers. |
| |
| 1. Generate a `.pem` file for each pkcs12 keystore: |
| |
| 1. Enter this command from a pkcs12 file or a pkcs keystore: <a id="security__fig_3CAFDE3CB29348A19AF3BE3591AFA2F7"></a> |
| |
| ``` pre |
| user@host: ~> openssl pkcs12 -nokeys -in <keystore/pkcs12 file> -out <outputfilename.pem > |
| ``` |
| |
| 2. Concatenate the generated .pem files into a single .pem file. You will use this file name in the next step. |
| |
| 2. In the `geode.properties` file: |
| |
| 1. Set `security-client-kspath` to the file name of the `.pem` file password for the public key file store on the client. |
| 2. Set `security-client-kspasswd` to the password for the public key file store on the client. |
| |
| |
