ASF subversion and git services commented on GEODE-420:

Commit 61c6ae0378310b970ecd5cd826f9bc3af8dde13e in incubator-geode's branch 
refs/heads/develop from [~ukohlmeyer]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-geode.git;h=61c6ae0 ]

GEODE-420: Renaming SSLConfigurationFactoryTest.java to 

> locator ssl configuration
> -------------------------
>                 Key: GEODE-420
>                 URL: https://issues.apache.org/jira/browse/GEODE-420
>             Project: Geode
>          Issue Type: New Feature
>          Components: docs, locator
>            Reporter: Darrel Schneider
>            Assignee: Udo Kohlmeyer
>             Fix For: 1.0.0-incubating
> We currently allow separate SSL configuration for cluster, server, gateway, 
> jmx-manager, and http-service.
> The "server" attributes configure the ssl connections from clients to a cache 
> server.
> The "gateway" attributes configure the ssl connections between a gateway 
> sender and receiver.
> The "jmx-manager" attributes configure the ssl connections between an admin 
> client (for example gfsh) and the jmx-manager.
> The "http-service" attributes configure the ssl connections between REST 
> clients and the http-service.
> The "cluster" attributes configure the ssl connections between the members of 
> a distributed system (peer-to-peer connections) AND to the locators.
> Using "cluster" for the connections to a locator can be a problem.
> Say you trust all your members of a distributed system since they are running 
> on your private network. So no need for ssl on the p2p connections.
> So you disable cluster-ssl. These means that your peers are locators are all 
> using unsecure connections.
> But some of these members are hosting a cache server and have clients 
> connecting to them. So you configure "server" ssl for the client to server 
> connections. But for your clients to find you servers they need to talk to 
> the locator. Since the clients are coming from the outside world you want 
> them to use SSL. So you configure "server" ssl on them for when they connect 
> to the cache server and "cluster" SSL on them for when they connect to the 
> locator. But your locators are configured with "cluster" SSL disabled so that 
> the p2p connects on the internal network will not be SSL.
> So you are either forced to have you client to locator connections to be 
> unsecure or you need to secure all the cluster connections forcing the peers 
> to also use SSL.
> I think we should introduce "locator" SSL configuration options that would 
> allow you to have just the locator and server using SSL and the "cluster" to 
> have SSL disabled.
> Something else to consider would be for the locator to be able to use SSL for 
> clients but non-SSL for locator-to-locator and peers-to-locator connections. 
> I think this would be more complicated because we would need to have 
> different ports that the locator listens on (one for clients and one for 
> locators and members).

This message was sent by Atlassian JIRA

Reply via email to