How to configure GemFire SSL Cluster with Java SSL Client

Article ID: 294113

Products

VMware Tanzu Gemfire

Issue/Introduction

This article describes how to configure a TLS/SSL-enabled GemFire cluster together with a Java client that connects to it over TLS/SSL.


Cause

Before configuring SSL for a GemFire Java client, you need to configure TLS/SSL for the GemFire cache servers and/or locators. Refer to the "SSL Sample Implementation" page of the GemFire documentation for more information and a sample of how to do that. That page does not include a sample for configuring a Java client with TLS/SSL, so this article covers both parts of the client-server SSL configuration.

Resolution

Server-side Setup:

Any GemFire locator, server or communication channel can be SSL enabled. In the example below, all components (communication channels) are configured as TLS/SSL enabled. The recommended way to achieve this is to pass a security properties file when starting the locator and the server.

For example, the command below starts a locator that uses the securityproperties.properties file; the settings in that file determine the locator's TLS/SSL setup. Similar steps need to be taken for the server.

    start locator --name=locator1 --dir=/GF-SSL-test --properties-file=gemfire.properties --security-properties-file=securityproperties.properties

Example content of the securityproperties.properties file:

    ssl-enabled-components=all
    ssl-keystore-type=jks
    ssl-keystore=/certs/trusted.keystore
    ssl-keystore-password=#########
    ssl-truststore=/certs/trusted.keystore
    ssl-truststore-password=########


Client-side Setup:

There are several ways to configure the TLS/SSL properties for a GemFire Java client. The code snippet below shows how to configure TLS/SSL using the API; however, the most common way is to use an external securityproperties.properties file, just as the GemFire server side does on startup. This securityproperties.properties file can be placed on the CLASSPATH of the Java client along with the gemfire.properties file. The contents of the security properties for the client application are the same as those shown above for the server side.

Another simple way to test your TLS/SSL client application is to use the API, as shown below:

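    // GemFire 9 and later ship these classes in the org.apache.geode packages.
    import org.apache.geode.cache.client.ClientCache;
    import org.apache.geode.cache.client.ClientCacheFactory;

    // Set the same TLS/SSL properties the server uses, this time through the API.
    // The "########" values are placeholders for the real store passwords.
    ClientCacheFactory clientCacheFactory = new ClientCacheFactory()
        .set("cache-xml-file", "/resources/MyGemFire.xml")
        .set("ssl-enabled-components", "all")
        .set("ssl-keystore", "/certs/trusted.keystore")
        .set("ssl-keystore-password", "########")
        .set("ssl-truststore", "/certs/trusted.keystore")
        .set("ssl-truststore-password", "########")
        .addPoolLocator("localhost", 10334);

    // Nothing connects until the cache is actually created.
    ClientCache clientCache = clientCacheFactory.create();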

Additional Information


You can change the path and name of GemFire's property files by specifying the Java system properties gemfirePropertyFile and gemfireSecurityPropertyFile, as shown below, when you run your GemFire Java client application:

-DgemfirePropertyFile=/path/to/myGemfire.properties
-DgemfireSecurityPropertyFile=/where/to/myGfsecurity.properties 

(In this case, the name of the GemFire property file is changed from the default, "gemfire.properties", to "myGemfire.properties", and the file is located under the "/path/to" directory. Similarly, the name of the GemFire security property file is changed from the default, "gfsecurity.properties", to "myGfsecurity.properties", and the file is located under the "/where/to" directory.)
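The check below is an added example, not code from this article or from GemFire: before the client starts, it opens the keystore and truststore named in the security properties file with the JDK's KeyStore API and reports wrong passwords, missing private keys and expired certificates. The class name SslStorePreflight and its check method are hypothetical, and it assumes that ssl-keystore-type applies to both stores.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Properties;
// Added example (JDK only, no GemFire classes); class and method names are hypothetical.
public class SslStorePreflight {
    // Opens the store named by ssl-<kind> and returns how many problems it found.
    static int check(Properties p, String kind, boolean needsKey) throws Exception {
        String path = p.getProperty("ssl-" + kind);
        if (path == null) throw new IllegalArgumentException("ssl-" + kind + " is not set");
        char[] pass = p.getProperty("ssl-" + kind + "-password", "").toCharArray();
        // Assumption: ssl-keystore-type describes both stores; the article sets it to jks.
        KeyStore ks = KeyStore.getInstance(p.getProperty("ssl-keystore-type", "jks"));
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass); // an IOException here means a wrong password or a damaged file
        }
        int problems = 0, keys = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) keys++;
            Certificate cert = ks.getCertificate(alias);
            try {
                if (cert instanceof X509Certificate) ((X509Certificate) cert).checkValidity();
            } catch (CertificateException e) { // expired or not yet valid
                System.out.println(kind + ": " + alias + ": " + e.getMessage());
                problems++;
            }
        }
        if (needsKey && keys == 0) {
            System.out.println(kind + ": no private key entry, cannot present a certificate");
            problems++;
        }
        // Reported only: a truststore needs certificate entries, not private keys.
        if (!needsKey && keys > 0) System.out.println(kind + ": note: contains private keys");
        return problems;
    }

    public static void main(String[] args) throws Exception {
        String file = args.length > 0 ? args[0]
            : System.getProperty("gemfireSecurityPropertyFile", "gfsecurity.properties");
        Properties p = new Properties();
        try (InputStream in = new FileInputStream(file)) { p.load(in); }
        int problems = check(p, "keystore", true) + check(p, "truststore", false);
        System.out.println(problems == 0 ? "stores OK" : problems + " problem(s) found");
        System.exit(problems == 0 ? 0 : 1);
    }
}
```

On JDK 11 or later it runs in source-file mode with the properties file as its argument (java SslStorePreflight.java securityproperties.properties). With no argument it reads the file named by -DgemfireSecurityPropertyFile and falls back to gfsecurity.properties in the working directory.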
