[ https://issues.apache.org/jira/browse/GEODE-420?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15437474#comment-15437474 ]
ASF subversion and git services commented on GEODE-420:
-------------------------------------------------------

Commit a455526b858dc949d056feedf6ca18d4db000e3c in incubator-geode's branch refs/heads/feature/GEODE-420 from [~ukohlmeyer]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-geode.git;h=a455526 ]

GEODE-420: Fixing locators property configuration

> locator ssl configuration
> -------------------------
>
>                 Key: GEODE-420
>                 URL: https://issues.apache.org/jira/browse/GEODE-420
>             Project: Geode
>          Issue Type: New Feature
>          Components: locator
>            Reporter: Darrel Schneider
>            Assignee: Udo Kohlmeyer
>
> We currently allow separate SSL configuration for cluster, server, gateway, jmx-manager, and http-service.
>
> The "server" attributes configure the ssl connections from clients to a cache server.
> The "gateway" attributes configure the ssl connections between a gateway sender and receiver.
> The "jmx-manager" attributes configure the ssl connections between an admin client (for example gfsh) and the jmx-manager.
> The "http-service" attributes configure the ssl connections between REST clients and the http-service.
> The "cluster" attributes configure the ssl connections between the members of a distributed system (peer-to-peer connections) AND to the locators.
>
> Using "cluster" for the connections to a locator can be a problem.
>
> Say you trust all your members of a distributed system since they are running on your private network. So no need for ssl on the p2p connections. So you disable cluster-ssl. This means that your peers and locators are all using unsecure connections.
>
> But some of these members are hosting a cache server and have clients connecting to them. So you configure "server" ssl for the client to server connections. But for your clients to find your servers they need to talk to the locator. Since the clients are coming from the outside world you want them to use SSL. So you configure "server" ssl on them for when they connect to the cache server and "cluster" SSL on them for when they connect to the locator. But your locators are configured with "cluster" SSL disabled so that the p2p connections on the internal network will not be SSL.
>
> So you are either forced to have your client-to-locator connections be unsecure or you need to secure all the cluster connections, forcing the peers to also use SSL.
>
> I think we should introduce "locator" SSL configuration options that would allow you to have just the locator and server using SSL and the "cluster" to have SSL disabled.
>
> Something else to consider would be for the locator to be able to use SSL for clients but non-SSL for locator-to-locator and peer-to-locator connections. I think this would be more complicated because we would need to have different ports that the locator listens on (one for clients and one for locators and members).
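As an added illustration (not Geode code and not part of this issue), the script below models the mapping the issue describes between the SSL attribute groups and the connection paths they govern, then flags the scenario in the description: server SSL on, cluster SSL off, so clients reach a TLS cache server through a cleartext locator. The `<group>-ssl-enabled` property names, the path labels and the sample properties file are assumptions of the example.

```python
"""Which Geode connection paths stay in cleartext under the pre-GEODE-420 SSL
attribute groups? Added illustration; property names are assumed, not Geode's."""
from typing import Dict, List

# Paths governed by each attribute group, as the issue describes them.
# "cluster" covers peer-to-peer AND locator traffic, which is the coupling
# the issue complains about: you cannot secure one without the other.
ATTRIBUTE_PATHS = {
    "cluster": ["peer-to-peer", "member-to-locator", "client-to-locator"],
    "server": ["client-to-cache-server"],
    "gateway": ["gateway-sender-to-receiver"],
    "jmx-manager": ["admin-client-to-jmx-manager"],
    "http-service": ["rest-client-to-http-service"],
}

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser; '#' and '!' comment lines are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()   # later keys override earlier ones
    return props

def unencrypted_paths(props: Dict[str, str]) -> List[str]:
    """Connection paths left in cleartext because their group is not enabled."""
    exposed: List[str] = []
    for group, paths in ATTRIBUTE_PATHS.items():
        if props.get(f"{group}-ssl-enabled", "false").lower() != "true":
            exposed.extend(paths)
    return sorted(exposed)

def locator_exposed_to_clients(props: Dict[str, str]) -> bool:
    """The issue's scenario: clients use TLS to the cache server but must first
    ask a locator whose listener is governed by the disabled cluster group."""
    exposed = unencrypted_paths(props)
    return "client-to-locator" in exposed and "client-to-cache-server" not in exposed

# Constructed sample: trusted private network, peers without SSL, servers with SSL.
SAMPLE = """
# constructed gemfire.properties fragment (not from the issue)
cluster-ssl-enabled=false
server-ssl-enabled=true
jmx-manager-ssl-enabled=true
"""

if __name__ == "__main__":
    cfg = parse_properties(SAMPLE)
    print("cleartext paths:", unencrypted_paths(cfg))
    print("clients reach locator in cleartext:", locator_exposed_to_clients(cfg))
```

Enabling `cluster-ssl-enabled` in the sample closes the locator path but also forces TLS onto the peer-to-peer path, which is exactly the trade-off the issue asks a separate "locator" group to remove.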