When running GemFire with Java 11 or newer Java 8 JDKs, GemFire members in SSL/TLS enabled clusters may fail on startup with SSLHandshakeException: "No available authentication scheme" similar to the following:
[info 2020/04/06 15:19:59.496 EDT <P2P message reader@4bee5b4f> tid=0x2a] Failed initializing socket for message receiver: No available authentication scheme
[info 2020/04/06 15:20:59.418 EDT <main> tid=0x1] TLS handshake is timing out
[warn 2020/04/06 15:21:01.504 EDT <P2P message reader@55a669c1> tid=0x2a] SSL handshake exception
javax.net.ssl.SSLHandshakeException: No available authentication scheme
This is likely due to GemFire trying to use TLS 1.3 with an incompatible certificate. This article discusses this situation and offers some possible solutions.
The GemFire property "ssl-protocols" determines which protocols are considered when GemFire negotiates an SSL connection. Its default value is "any", meaning that every protocol available to the underlying JRE is considered and the highest (strongest) protocol shared by both ends of the connection is used.
Java 11 (and some Java 8 JDKs) added support for TLS 1.3. Therefore, if both ends of the connection are running one of those JRE versions, GemFire will attempt to use TLS 1.3 (unless excluded by the "ssl-protocols" property).
Unfortunately, unless you specify otherwise, keytool defaults to generating a DSA key pair, and DSA certificates are no longer allowed in TLS 1.3. As a consequence, a certificate created by following the simple example in the GemFire User's Guide will be incompatible with TLS 1.3 connections.
Depending on the requirements of your organization's security standards, there are two possible solutions to this problem.
1. The quick solution, which is certainly suitable for development or testing purposes, is to restrict GemFire to using TLS 1.2 by setting "ssl-protocols=TLSv1.2" in your security.properties file on the locator and server.
2. Alternatively, you can create a compatible certificate by choosing an appropriate key algorithm. At a minimum, you could use the example from the User's Guide with one additional parameter, "-keyalg RSA", to select RSA as the key algorithm.
For example:
keytool -genkey \
    -keyalg RSA \
    -alias self \
    -dname "CN=trusted" \
    -validity 3650 \
    -keypass password \
    -keystore ./trusted.keystore \
    -storepass password \
    -storetype JKS
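As an added check that is not part of the GemFire documentation, the script below reads the key algorithm out of "keytool -list -v" output and the ssl-protocols value out of a security.properties file, so you can tell before starting a member whether it will fall into this handshake failure. The keytool output sample and the check_keystore wrapper are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the GemFire docs): flag keystores whose key type
# TLS 1.3 rejects. Only DSA is flagged, matching the article's finding.

# Print the key algorithm (DSA, RSA, EC, ...) of the first entry in
# `keytool -list -v` output read from stdin.
key_algorithm() {
    awk '
        # Java 11 keytool prints e.g. "Subject Public Key Algorithm: 2048-bit DSA key"
        /^Subject Public Key Algorithm:/ { print $(NF-1); found = 1; exit }
        # Older keytool only prints the signature algorithm, e.g. SHA256withDSA
        /^Signature algorithm name:/ { if (sig == "") sig = $NF }
        END { if (!found && sig != "") { sub(/.*with/, "", sig); print sig } }
    '
}

# Exit status 0 when TLS 1.3 accepts the key type, 1 for DSA.
tls13_compatible() {
    case "$1" in
        DSA) return 1 ;;
        *)   return 0 ;;
    esac
}

# Print the ssl-protocols value from a security.properties read on stdin;
# GemFire's default is "any", which lets TLS 1.3 be negotiated.
ssl_protocols() {
    awk -F= '/^ *ssl-protocols *=/ { gsub(/ /, "", $2); v = $2 }
             END { print (v == "" ? "any" : v) }'
}

# Hypothetical wrapper for a real keystore: check_keystore <keystore> <storepass>
check_keystore() {
    alg=$(keytool -list -v -keystore "$1" -storepass "$2" | key_algorithm)
    if tls13_compatible "$alg"; then
        echo "$1: $alg key, usable with TLS 1.3"
    else
        echo "$1: $alg key, TLS 1.3 handshake will fail; use -keyalg RSA or ssl-protocols=TLSv1.2"
        return 1
    fi
}

# Constructed sample of what keytool prints for a keystore made with the
# User's Guide example (no -keyalg, so keytool chose DSA).
SAMPLE_DSA='Alias name: self
Entry type: PrivateKeyEntry
Owner: CN=trusted
Signature algorithm name: SHA256withDSA
Subject Public Key Algorithm: 2048-bit DSA key'
if [ -n "$1" ]; then check_keystore "$1" "${2:-password}"; fi
```

Run it as "sh check.sh ./trusted.keystore password" to test a real keystore; with no arguments it only defines the functions.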