geode-docs/managing/security/ssl_example.html.md.erb - geode - Git at Google

 ---
 title:  SSL Sample Implementation
 ---

 <!--
 Licensed to the Apache Software Foundation (ASF) under one or more
 contributor license agreements.  See the NOTICE file distributed with
 this work for additional information regarding copyright ownership.
 The ASF licenses this file to You under the Apache License, Version 2.0
 (the "License"); you may not use this file except in compliance with
 the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 -->

 A simple example demonstrates the configuration and startup of <%=vars.product_name%> system components with SSL.

 ## <a id="ssl_example__section_A8817FA8EF654CFB862F2375C0DD6770" class="no-quick-link"></a>Provider-Specific Configuration File

 This example uses a keystore created by the Java `keytool` application to provide the proper credentials to the provider. To create the keystore, run the `keytool` utility:

 ``` pre
 keytool -genkey \
 -alias self \
 -dname "CN=trusted" \
 -validity 3650 \
 -keypass password \
 -keystore ./trusted.keystore \
 -storepass password \
 -storetype JKS
 ```

 This creates a `./trusted.keystore` file to be used later.

 ## <a id="ssl_example__section_4D54B2E9045C4E34AE6DFFBECDED9271" class="no-quick-link"></a>gemfire.properties File

 You can enable SSL in the `gemfire.properties` file. In this example, SSL is enabled for all
 components.

 ``` pre
 ssl-enabled-components=all
 mcast-port=0
 locators=<hostaddress>[<port>]
 ```

 ## <a id="ssl_example__section_7B8E0BBF4A4C4B9FB9BC34AC1CDD4D3E" class="no-quick-link"></a>gfsecurity.properties File

 You can specify the provider-specific settings in a `gfsecurity.properties` file, which can then be
 secured by restricting access to this file. The following example configures the default JSSE
 provider settings included with the JDK.

 ``` pre
 ssl-keystore=/path/to/trusted.keystore
 ssl-keystore-password=password
 ssl-truststore=/path/to/trusted.keystore
 ssl-truststore-password=password
 security-username=xxxx
 security-userPassword=yyyy
 ```


 ## <a id="ssl_example__section_32E55F2088804667BB448DB577AC2940" class="no-quick-link"></a>Locator Startup

 Before starting other system members, we started the locator with the SSL and provider-specific
 configuration settings. After properly configuring `gemfire.properties` and `gfsecurity.properties`,
 start the locator and provide the location of the properties files. If any of the password fields
 are left empty, you will be prompted to enter a password.

 ``` pre
 gfsh>start locator --name=my_locator --port=12345 \
 --properties-file=/path/to/your/gemfire.properties \
 --security-properties-file=/path/to/your/gfsecurity.properties
 ```

 ## <a id="ssl_example__section_8FCC32091E97422BA45AA76C82D8294D" class="no-quick-link"></a>Other Member Startup

 Applications and cache servers can be started similarly to the locator startup, with the appropriate
 `gemfire.properties` file and `gfsecurity.properties` files placed in the current working
 directory. You can also pass in the location of both files as system properties on the command
 line. For example:

 ``` pre
 gfsh>start server --name=my_server \
 --properties-file=/path/to/your/gemfire.properties \
 --security-properties-file=/path/to/your/gfsecurity.properties
 ```

 ## <a id="ssl_example__section_connect_cluster" class="no-quick-link"></a>Connecting to a Running Cluster

 You can use `gfsh` to connect to an SSL-enabled cluster that is already running by specifying the
 `use-ssl` command-line option and providing a path to the security configuration file:

 ``` pre
 gfsh>connect --locator=localhost[10334] --use-ssl \
 --security-properties-file=/path/to/your/gfsecurity.properties
 ```

 Once connected, you can then issue `gfsh` commands to perform a variety of operations, including
 listing members and displaying region characteristics.
	---
	title: SSL Sample Implementation
	---

	<!--
	Licensed to the Apache Software Foundation (ASF) under one or more
	contributor license agreements. See the NOTICE file distributed with
	this work for additional information regarding copyright ownership.
	The ASF licenses this file to You under the Apache License, Version 2.0
	(the "License"); you may not use this file except in compliance with
	the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->

	A simple example demonstrates the configuration and startup of <%=vars.product_name%> system components with SSL.

	## <a id="ssl_example__section_A8817FA8EF654CFB862F2375C0DD6770" class="no-quick-link"></a>Provider-Specific Configuration File

	This example uses a keystore created by the Java `keytool` application to provide the proper credentials to the provider. To create the keystore, run the `keytool` utility:

	``` pre
	keytool -genkey \
	-alias self \
	-dname "CN=trusted" \
	-validity 3650 \
	-keypass password \
	-keystore ./trusted.keystore \
	-storepass password \
	-storetype JKS
	```

	This creates a `./trusted.keystore` file to be used later.

	## <a id="ssl_example__section_4D54B2E9045C4E34AE6DFFBECDED9271" class="no-quick-link"></a>gemfire.properties File

	You can enable SSL in the `gemfire.properties` file. In this example, SSL is enabled for all
	components.

	``` pre
	ssl-enabled-components=all
	mcast-port=0
	locators=<hostaddress>[<port>]
	```

	## <a id="ssl_example__section_7B8E0BBF4A4C4B9FB9BC34AC1CDD4D3E" class="no-quick-link"></a>gfsecurity.properties File

	You can specify the provider-specific settings in a `gfsecurity.properties` file, which can then be
	secured by restricting access to this file. The following example configures the default JSSE
	provider settings included with the JDK.

	``` pre
	ssl-keystore=/path/to/trusted.keystore
	ssl-keystore-password=password
	ssl-truststore=/path/to/trusted.keystore
	ssl-truststore-password=password
	security-username=xxxx
	security-userPassword=yyyy
	```


	## <a id="ssl_example__section_32E55F2088804667BB448DB577AC2940" class="no-quick-link"></a>Locator Startup

	Before starting other system members, we started the locator with the SSL and provider-specific
	configuration settings. After properly configuring `gemfire.properties` and `gfsecurity.properties`,
	start the locator and provide the location of the properties files. If any of the password fields
	are left empty, you will be prompted to enter a password.

	``` pre
	gfsh>start locator --name=my_locator --port=12345 \
	--properties-file=/path/to/your/gemfire.properties \
	--security-properties-file=/path/to/your/gfsecurity.properties
	```

	## <a id="ssl_example__section_8FCC32091E97422BA45AA76C82D8294D" class="no-quick-link"></a>Other Member Startup

	Applications and cache servers can be started similarly to the locator startup, with the appropriate
	`gemfire.properties` file and `gfsecurity.properties` files placed in the current working
	directory. You can also pass in the location of both files as system properties on the command
	line. For example:

	``` pre
	gfsh>start server --name=my_server \
	--properties-file=/path/to/your/gemfire.properties \
	--security-properties-file=/path/to/your/gfsecurity.properties
	```

	## <a id="ssl_example__section_connect_cluster" class="no-quick-link"></a>Connecting to a Running Cluster

	You can use `gfsh` to connect to an SSL-enabled cluster that is already running by specifying the
	`use-ssl` command-line option and providing a path to the security configuration file:

	``` pre
	gfsh>connect --locator=localhost[10334] --use-ssl \
	--security-properties-file=/path/to/your/gfsecurity.properties
	```

	Once connected, you can then issue `gfsh` commands to perform a variety of operations, including
	listing members and displaying region characteristics.