docs/geode-native-docs/security/sslclientserver.html.md.erb - geode-native - Git at Google

 ---
 title:  SSL Client/Server Communication
 ---

 <!--
 Licensed to the Apache Software Foundation (ASF) under one or more
 contributor license agreements.  See the NOTICE file distributed with
 this work for additional information regarding copyright ownership.
 The ASF licenses this file to You under the Apache License, Version 2.0
 (the "License"); you may not use this file except in compliance with
 the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 -->

 This section describes how to configure OpenSSL, implement SSL-based communication between your clients and servers, and run clients and servers with SSL enabled.

 # Set Up OpenSSL

 The open-source OpenSSL toolkit provides a full-strength general purpose cryptography library to operate along with the PKCS sample implementation for encrypted authentication of native client credentials.

 Download and install OpenSSL 1.0.2 for your specific operating system.
 For Windows platforms, you can use either the regular or the "Light" version.

 **Note for Windows users:** If you use Cygwin, do not use the OpenSSL library that comes with
 Cygwin, which is built with `cygwin.dll` as a dependency. Instead, download a fresh copy from
 OpenSSL as described in the following section.

 ## Step 1. Create keystores

 The <%=vars.product_name%> server requires keys and keystores in the Java Key Store (JKS) format while the native client requires them in the clear PEM format. Thus you need to be able to generate private/public keypairs in either format and convert between the two using the `keytool` utility and the `openssl` command.

 There are public third party free tools and source code available to download such as the "KeyTool IUI" tool.


 ## Step 2. Configure environment variables

 Configure your system environment to build and run OpenSSL by adding the appropriate executable and library directories to your paths.
 For example, for Bourne and Korn shells (sh, ksh, bash), environment setup would look something like this:
 <code>
 % LD\_LIBRARY\_PATH=$LD\_LIBRARY\_PATH:_client-install-dir_/lib:_client-install-dir_/ssl\_libs:_openssl-install-dir_/lib<br />
 % export LD\_LIBRARY\_PATH<br />
 % CLASSPATH=_server-install-dir_/lib/securityImpl.jar:$CLASSPATH
 </code>

 where:

   _client-install-dir_ is the directory in which you installed your client.

   _openssl-install-dir_ is the directory in which you installed OpenSSL.

   _server-install-dir_ is the directory in which you installed your server.

 For Windows, environment setup might resemble this:
 <code>
 \> set PATH=_jdk-or-jre-path_\bin;_client-install-dir_\bin;_client-install-dir_\ssl\_libs;_openssl-install-dir_\bin;%PATH%<br />
 \> set CLASSPATH=_server-installdir_\lib\securityImpl.jar;%CLASSPATH%
 </code>

 where _jdk-or-jre-path_ is the directory in which Java is installed.

 ## Step 3. Enable SSL on the server and on the client

 1.  On the server, enable SSL for the `locator` and `server` components, as the SSL-enabled client
 must be able to communicate with both locator and server components. For details on the SSL
 properties available on the server, see "Managing > Security > SSL > Configuring SSL" in the
 [_<%=vars.product_name%> User's Guide_](/serverman/about_<%=vars.product_name.downcase%>.html).

 1.  On the client, set `ssl-enabled` to `true`.

 1.  On the client, set `ssl-keystore` and `ssl-truststore` to point to your keystore files. Paths to the keystore and truststore are local to the client.
 See [Security-Related System Properties](security-systemprops.html#security) for a description of these properties.

 # Starting and stopping the client and server with SSL in place

 Before you start and stop the client and server, make sure you configure the native client with the
 SSL properties as described and with the servers or locators specified as usual.

 Specifically, ensure that:

 -   OpenSSL and ACE\_SSL `DLL`s locations are in the right environment variables for your system: `PATH` for Windows, and `LD_LIBRARY_PATH` for Unix.
 -   You have generated the keys and keystores.
 -   You have set the system properties.

 For details on stopping and starting locators and cache servers with SSL, see [Starting Up and Shutting Down Your System](geodeman/configuring/running/starting_up_shutting_down.html).

 **Example locator start command**

 Ensure that all required SSL properties are configured in your server's `geode.properties` file. Then start your locator as follows:

 ``` pre
 gfsh>start locator --name=my_locator --port=12345 --dir=. \
 --security-properties-file=/path/to/your/geode.properties
 ```

 **Example locator stop command**

 ``` pre
 gfsh>stop locator --port=12345 \
 --security-properties-file=/path/to/your/geode.properties
 ```

 **Example server start command**

 Again, ensure that all required SSL properties are configured in `geode.properties`. Then start the server with:

 ``` pre
 gfsh>start server --name=my_server --locators=hostname[12345] \
 --cache-xml-file=server.xml --log-level=fine \
 --security-properties-file=/path/to/your/geode.properties
 ```

 **Example server stop command**

 ``` pre
 gfsh>stop server --name=my_server
 ```
	---
	title: SSL Client/Server Communication
	---

	<!--
	Licensed to the Apache Software Foundation (ASF) under one or more
	contributor license agreements. See the NOTICE file distributed with
	this work for additional information regarding copyright ownership.
	The ASF licenses this file to You under the Apache License, Version 2.0
	(the "License"); you may not use this file except in compliance with
	the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->

	This section describes how to configure OpenSSL, implement SSL-based communication between your clients and servers, and run clients and servers with SSL enabled.

	# Set Up OpenSSL

	The open-source OpenSSL toolkit provides a full-strength general purpose cryptography library to operate along with the PKCS sample implementation for encrypted authentication of native client credentials.

	Download and install OpenSSL 1.0.2 for your specific operating system.
	For Windows platforms, you can use either the regular or the "Light" version.

	Note for Windows users: If you use Cygwin, do not use the OpenSSL library that comes with
	Cygwin, which is built with `cygwin.dll` as a dependency. Instead, download a fresh copy from
	OpenSSL as described in the following section.

	## Step 1. Create keystores

	The <%=vars.product_name%> server requires keys and keystores in the Java Key Store (JKS) format while the native client requires them in the clear PEM format. Thus you need to be able to generate private/public keypairs in either format and convert between the two using the `keytool` utility and the `openssl` command.

	There are public third party free tools and source code available to download such as the "KeyTool IUI" tool.


	## Step 2. Configure environment variables

	Configure your system environment to build and run OpenSSL by adding the appropriate executable and library directories to your paths.
	For example, for Bourne and Korn shells (sh, ksh, bash), environment setup would look something like this:
	<code>
	% LD\_LIBRARY\_PATH=$LD\_LIBRARY\_PATH:_client-install-dir_/lib:_client-install-dir_/ssl\_libs:_openssl-install-dir_/lib<br />
	% export LD\_LIBRARY\_PATH<br />
	% CLASSPATH=_server-install-dir_/lib/securityImpl.jar:$CLASSPATH
	</code>

	where:

	_client-install-dir_ is the directory in which you installed your client.

	_openssl-install-dir_ is the directory in which you installed OpenSSL.

	_server-install-dir_ is the directory in which you installed your server.

	For Windows, environment setup might resemble this:
	<code>
	\> set PATH=_jdk-or-jre-path_\bin;_client-install-dir_\bin;_client-install-dir_\ssl\_libs;_openssl-install-dir_\bin;%PATH%<br />
	\> set CLASSPATH=_server-installdir_\lib\securityImpl.jar;%CLASSPATH%
	</code>

	where _jdk-or-jre-path_ is the directory in which Java is installed.

	## Step 3. Enable SSL on the server and on the client

	1. On the server, enable SSL for the `locator` and `server` components, as the SSL-enabled client
	must be able to communicate with both locator and server components. For details on the SSL
	properties available on the server, see "Managing > Security > SSL > Configuring SSL" in the
	[_<%=vars.product_name%> User's Guide_](/serverman/about_<%=vars.product_name.downcase%>.html).

	1. On the client, set `ssl-enabled` to `true`.

	1. On the client, set `ssl-keystore` and `ssl-truststore` to point to your keystore files. Paths to the keystore and truststore are local to the client.
	See [Security-Related System Properties](security-systemprops.html#security) for a description of these properties.

	# Starting and stopping the client and server with SSL in place

	Before you start and stop the client and server, make sure you configure the native client with the
	SSL properties as described and with the servers or locators specified as usual.

	Specifically, ensure that:

	- OpenSSL and ACE\_SSL `DLL`s locations are in the right environment variables for your system: `PATH` for Windows, and `LD_LIBRARY_PATH` for Unix.
	- You have generated the keys and keystores.
	- You have set the system properties.

	For details on stopping and starting locators and cache servers with SSL, see [Starting Up and Shutting Down Your System](geodeman/configuring/running/starting_up_shutting_down.html).

	Example locator start command

	Ensure that all required SSL properties are configured in your server's `geode.properties` file. Then start your locator as follows:

	``` pre
	gfsh>start locator --name=my_locator --port=12345 --dir=. \
	--security-properties-file=/path/to/your/geode.properties
	```

	Example locator stop command

	``` pre
	gfsh>stop locator --port=12345 \
	--security-properties-file=/path/to/your/geode.properties
	```

	Example server start command

	Again, ensure that all required SSL properties are configured in `geode.properties`. Then start the server with:

	``` pre
	gfsh>start server --name=my_server --locators=hostname[12345] \
	--cache-xml-file=server.xml --log-level=fine \
	--security-properties-file=/path/to/your/geode.properties
	```

	Example server stop command

	``` pre
	gfsh>stop server --name=my_server
	```