Multi-Site (WAN) Deployment Security

Multi-Site (WAN) Deployment Security

In addition to peer and client authentication, Pivotal GemFire can authenticate remote sites.

The following list covres guidelines for implementing security in multi-site (WAN) deployments:
  • Implement membership authentication. Depending on your installation and security requirements, you may use a combination of peer-to-peer, client/server, and multi-site settings.
  • Joining members provide credentials to existing members who check the credentials and either reject the joining member or approve it. In terms of multi-site authentication, gateway senders and gateway receivers mutually authenticate each other when they connect.
  • If you want to use secure socket layer (SSL) protocol for your peer-to-peer and client/server connections, implement that. You can configure SSL separately for peer-to-peer, client/server, JMX, and WAN gateway connections.

Gateway SSL Configuration

The following table lists the SSL configuration property names used to configure SSL for peer-to-peer and WAN gateway connections. Remember that if you do not define a client/server, JMX, or WAN property, then GemFire uses the property value defined for peer-to-peer communication (cluster-ssl*) or the default peer-to-peer property value if unspecified.

Table 1. SSL Configuration Property Names by Connection Type
Peer-to-Peer Connection Property

(provides default value for all other connection types)

WAN Gateway Connection Property
cluster-ssl-enabled gateway-ssl-enabled
cluster-ssl-ciphers gateway-ssl-ciphers
cluster-ssl-protocols gateway-ssl-protocols
cluster-ssl-require-authentication gateway-ssl-require-authentication
cluster-ssl-keystore-type gateway-ssl-keystore-type
cluster-ssl-keystore gateway-ssl-keystore
cluster-ssl-keystore-password gateway-ssl-keystore-password
cluster-ssl-truststore gateway-ssl-truststore
cluster-ssl-keystore-password gateway-ssl-keystore-password

If you configure the above peer-to-peer SSL properties, then by default GemFire uses the same SSL property values for all stream-socket communication. This includes communication between cache servers and clients, between the JMX manager and JMX clients, and between two GemFire distributed systems connected by a WAN gateway.