PakhomovAlexander commented on code in PR #1761:
URL: https://github.com/apache/ignite-3/pull/1761#discussion_r1127940957
##########
docs/_docs/ssl-tls.adoc:
##########
@@ -0,0 +1,190 @@
+= SSL/TLS
+
+This page explains how to configure SSL/TLS encryption between the cluster
nodes (server and client) and the clients that connect to your cluster.
+
+== Considerations
+
+All internal connections in the cluster context, as well as cluster's user
interaction interfaces, are SSL-enabled. The communication categories are as
follows:
+
+* Between the user and the cluster (node): REST
+* Between the user and the platform clients
+* Between nodes: Network (Messaging, Scalecube)
+
+All SSL configurations activities are performed at the node level.
+
+Apache Ignite does not support direct paths to SSL certificates. Instead, it
utilizes PKCS12 and JKS keystore.
+
+== REST
+
+The standard implementation of SSL for REST involves configuring a secure
connection on a separate port. Apache Ignite supports HTTP and HTTPS, arch on
its own port.
+
+The Apache Ignite 3.x REST security configuration is as follows:
+
+[source,json]
+----
+"rest": {
+ "dualProtocol": false,
+ "httpToHttpsRedirection": false,
+ "ssl": {
+ "enabled": false,
+ "port": 10400,
+ "portRange": 100,
+ "keyStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ }
+ }
+}
+----
+
+== Clients and JDBC
+
+Apache Ignite 3.x Client implementation is based on the Netty framework, which
supports configuration for security connections via `SSLContextBuilder`.
+
+=== Client-side Configuration
+
+[source,java]
+----
+SslContextBuilder sslBuilder = SslContextBuilder
+ .forClient()
+ .keyManager(getKeyManagerFactory())
+ .trustManager(getTrustManagerFactory());
+}
+----
+
+=== Server-side Configuration
+
+[source,java]
+----
+SslContextBuilder builder = SslContextBuilder.forServer(certChainInput,
keyInput)
+ .ciphers(getCiphers(), getCiphersFilter())
+ .sessionTimeout(serverSslConfig.getSessionTimeout())
+ .sslProvider(sslProvider);
+.trustManager(trustedCerts.toArray(new X509Certificate[0]))
+ .clientAuth(serverSslConfig.getClientAuth());
+----
+
+Introduce the client configuration on the Apache Ignite 3.x server side and
map it to Netty Security Context:
+
+[source,json]
+----
+"clientConnector": {
+ "ssl": {
+ "enabled": false,
+ "clientAuth": "none",
+ "keyStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ },
+ "trustStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ }
+ }
+}
+----
+
+If you have enabled SSL for `clientConnector`, set the corresponding
properties in
link:https://github.com/apache/ignite-3/blob/be6c8b290894dbd6f88eaaa2a2aafc3eff300855/modules/jdbc/src/main/java/org/apache/ignite/internal/jdbc/ConnectionProperties.java[ConnectionProperties].
Review Comment:
ConnectionProperties are internal details that are hidden from the user.
What the user should configure is the jdbc URL.
```java
var url =
"jdbc:ignite:thin://127.0.0.1:10800"
+ "?sslEnabled=true"
+ "&trustStorePath=" + trustStorePath
+ "&trustStoreType=JKS"
+ "&trustStorePassword=" + password
+ "&clientAuth=require"
+ "&keyStorePath=" + keyStorePath
+ "&keyStoreType=PKCS12"
+ "&keyStorePassword=" + password;
try (Connection conn = DriverManager.getConnection(url)) {
// No-op.
}
```
##########
docs/_docs/ssl-tls.adoc:
##########
@@ -0,0 +1,190 @@
+= SSL/TLS
+
+This page explains how to configure SSL/TLS encryption between the cluster
nodes (server and client) and the clients that connect to your cluster.
+
+== Considerations
+
+All internal connections in the cluster context, as well as cluster's user
interaction interfaces, are SSL-enabled. The communication categories are as
follows:
+
+* Between the user and the cluster (node): REST
+* Between the user and the platform clients
+* Between nodes: Network (Messaging, Scalecube)
+
+All SSL configurations activities are performed at the node level.
+
+Apache Ignite does not support direct paths to SSL certificates. Instead, it
utilizes PKCS12 and JKS keystore.
+
+== REST
+
+The standard implementation of SSL for REST involves configuring a secure
connection on a separate port. Apache Ignite supports HTTP and HTTPS, arch on
its own port.
+
+The Apache Ignite 3.x REST security configuration is as follows:
+
+[source,json]
+----
+"rest": {
+ "dualProtocol": false,
+ "httpToHttpsRedirection": false,
+ "ssl": {
+ "enabled": false,
+ "port": 10400,
+ "portRange": 100,
+ "keyStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ }
+ }
+}
+----
+
+== Clients and JDBC
+
+Apache Ignite 3.x Client implementation is based on the Netty framework, which
supports configuration for security connections via `SSLContextBuilder`.
+
+=== Client-side Configuration
+
+[source,java]
+----
+SslContextBuilder sslBuilder = SslContextBuilder
+ .forClient()
+ .keyManager(getKeyManagerFactory())
+ .trustManager(getTrustManagerFactory());
+}
+----
+
+=== Server-side Configuration
+
+[source,java]
+----
+SslContextBuilder builder = SslContextBuilder.forServer(certChainInput,
keyInput)
+ .ciphers(getCiphers(), getCiphersFilter())
+ .sessionTimeout(serverSslConfig.getSessionTimeout())
+ .sslProvider(sslProvider);
+.trustManager(trustedCerts.toArray(new X509Certificate[0]))
+ .clientAuth(serverSslConfig.getClientAuth());
+----
+
+Introduce the client configuration on the Apache Ignite 3.x server side and
map it to Netty Security Context:
+
+[source,json]
+----
+"clientConnector": {
+ "ssl": {
+ "enabled": false,
+ "clientAuth": "none",
+ "keyStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ },
+ "trustStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ }
+ }
+}
+----
+
+If you have enabled SSL for `clientConnector`, set the corresponding
properties in
link:https://github.com/apache/ignite-3/blob/be6c8b290894dbd6f88eaaa2a2aafc3eff300855/modules/jdbc/src/main/java/org/apache/ignite/internal/jdbc/ConnectionProperties.java[ConnectionProperties].
+
+== Platform Clients
+
+=== .NET
+
+Add the `IgniteClientConfiguration.SslStreamFactory` property of type
`ISslStreamFactory`.
+
+Provide a
link:https://github.com/apache/ignite/blob/66f43a4bee163aadb3ad731f6eb9a6dfde9faa73/modules/platforms/dotnet/Apache.Ignite.Core/Client/SslStreamFactory.cs[predefined
implementation].
+
+Use the base class library `SslStream`.
+
+Basic usage without client authorization:
+
+[source,csharp]
+----
+var cfg = new IgniteClientConfiguration { SslStreamFactory = new() }
+----
+
+== CLI Configuration
+
+The CLI, uses OkHTTP to communicate with Apache Ignite 3.x. To enable SSL,
create `SSLSocketFactory` and pass it to the `OkHttpClient` builder:
+
+[source,java]
+----
+X509TrustManager trustManager;
+SSLSocketFactory sslSocketFactory;
+try {
+ trustManager =
trustManagerForCertificates(trustedCertificatesInputStream());
+ SSLContext sslContext = SSLContext.getInstance("TLS");
+ sslContext.init(null, new TrustManager[] { trustManager }, null);
+ sslSocketFactory = sslContext.getSocketFactory();
+}
+catch (GeneralSecurityException e) {
+ throw new RuntimeException(e);
+}
+
+client = new OkHttpClient.Builder()
+ .sslSocketFactory(sslSocketFactory, trustManager)
+ .build();
+----
+
+You can enable SSL on the CLI side using the `cli config set` command:
+
+[source,shell]
+----
+cli config set cli.trust-store.type=<type>
+cli config set cli.trust-store.path=<path>
+cli config set cli.trust-store.password=<password>
+----
+
+Store the CLI security configuration in a separate file with permission
settings that protect it from unauthorized read/write operations. This
configuration file must match profiles from the common configuration file.
+
+== Network Configuration
+
+The node network is based on the Netty framework. The configuration is the
same as described for the Apache Ignite Client part except for the part that
addresses the Apache Ignite 3.x configuration:
+
+[source,json]
+----
+"network": {
+ "ssl": {
+ "enabled": false,
+ "clientAuth": "none",
+ "keyStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ },
+ "trustStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ }
+ }
+}
+----
+
+== SSL Client Authentication (mTLS Support)
+
+Optionally, the connections you utilize can support the client authentication
feature. Configure it separately for each connection on the server side.
+
+Two-way authentication requires that both server and client have certificates
they reciprocally trust. The client generates a private key, stores it in its
keystore, and gets it signed by an entity the server's truststore trusts.
+
+To support client authentication, a connection must include the `clientAuth`,
`trustStore` and `keyStore` properties. Here is an example of a possible client
configuration:
+
+[source,json]
+----
+clientConnector.ssl: {
+ enabled: true,
+ clientAuth: "require",
+ keyStore: {
+ path: "keyStorePath",
Review Comment:
To be consistent with the rest of the documentation I would suggest using
"must not be empty" or visa-versa.
##########
docs/_docs/ssl-tls.adoc:
##########
@@ -0,0 +1,190 @@
+= SSL/TLS
+
+This page explains how to configure SSL/TLS encryption between the cluster
nodes (server and client) and the clients that connect to your cluster.
+
+== Considerations
+
+All internal connections in the cluster context, as well as cluster's user
interaction interfaces, are SSL-enabled. The communication categories are as
follows:
+
+* Between the user and the cluster (node): REST
+* Between the user and the platform clients
+* Between nodes: Network (Messaging, Scalecube)
+
+All SSL configurations activities are performed at the node level.
+
+Apache Ignite does not support direct paths to SSL certificates. Instead, it
utilizes PKCS12 and JKS keystore.
+
+== REST
+
+The standard implementation of SSL for REST involves configuring a secure
connection on a separate port. Apache Ignite supports HTTP and HTTPS, arch on
its own port.
+
+The Apache Ignite 3.x REST security configuration is as follows:
+
+[source,json]
+----
+"rest": {
+ "dualProtocol": false,
+ "httpToHttpsRedirection": false,
+ "ssl": {
+ "enabled": false,
+ "port": 10400,
+ "portRange": 100,
+ "keyStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ }
+ }
+}
+----
+
+== Clients and JDBC
+
+Apache Ignite 3.x Client implementation is based on the Netty framework, which
supports configuration for security connections via `SSLContextBuilder`.
+
+=== Client-side Configuration
+
+[source,java]
+----
+SslContextBuilder sslBuilder = SslContextBuilder
+ .forClient()
+ .keyManager(getKeyManagerFactory())
+ .trustManager(getTrustManagerFactory());
+}
+----
+
+=== Server-side Configuration
+
+[source,java]
+----
+SslContextBuilder builder = SslContextBuilder.forServer(certChainInput,
keyInput)
+ .ciphers(getCiphers(), getCiphersFilter())
+ .sessionTimeout(serverSslConfig.getSessionTimeout())
+ .sslProvider(sslProvider);
+.trustManager(trustedCerts.toArray(new X509Certificate[0]))
+ .clientAuth(serverSslConfig.getClientAuth());
+----
+
+Introduce the client configuration on the Apache Ignite 3.x server side and
map it to Netty Security Context:
+
+[source,json]
+----
+"clientConnector": {
+ "ssl": {
+ "enabled": false,
+ "clientAuth": "none",
+ "keyStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ },
+ "trustStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ }
+ }
+}
+----
+
+If you have enabled SSL for `clientConnector`, set the corresponding
properties in
link:https://github.com/apache/ignite-3/blob/be6c8b290894dbd6f88eaaa2a2aafc3eff300855/modules/jdbc/src/main/java/org/apache/ignite/internal/jdbc/ConnectionProperties.java[ConnectionProperties].
+
+== Platform Clients
+
+=== .NET
+
+Add the `IgniteClientConfiguration.SslStreamFactory` property of type
`ISslStreamFactory`.
+
+Provide a
link:https://github.com/apache/ignite/blob/66f43a4bee163aadb3ad731f6eb9a6dfde9faa73/modules/platforms/dotnet/Apache.Ignite.Core/Client/SslStreamFactory.cs[predefined
implementation].
+
+Use the base class library `SslStream`.
+
+Basic usage without client authorization:
+
+[source,csharp]
+----
+var cfg = new IgniteClientConfiguration { SslStreamFactory = new() }
+----
+
+== CLI Configuration
+
+The CLI, uses OkHTTP to communicate with Apache Ignite 3.x. To enable SSL,
create `SSLSocketFactory` and pass it to the `OkHttpClient` builder:
+
+[source,java]
+----
+X509TrustManager trustManager;
+SSLSocketFactory sslSocketFactory;
+try {
+ trustManager =
trustManagerForCertificates(trustedCertificatesInputStream());
+ SSLContext sslContext = SSLContext.getInstance("TLS");
+ sslContext.init(null, new TrustManager[] { trustManager }, null);
+ sslSocketFactory = sslContext.getSocketFactory();
+}
+catch (GeneralSecurityException e) {
+ throw new RuntimeException(e);
+}
+
+client = new OkHttpClient.Builder()
+ .sslSocketFactory(sslSocketFactory, trustManager)
+ .build();
+----
+
+You can enable SSL on the CLI side using the `cli config set` command:
+
+[source,shell]
+----
+cli config set cli.trust-store.type=<type>
+cli config set cli.trust-store.path=<path>
+cli config set cli.trust-store.password=<password>
+----
+
+Store the CLI security configuration in a separate file with permission
settings that protect it from unauthorized read/write operations. This
configuration file must match profiles from the common configuration file.
+
+== Network Configuration
+
+The node network is based on the Netty framework. The configuration is the
same as described for the Apache Ignite Client part except for the part that
addresses the Apache Ignite 3.x configuration:
+
+[source,json]
+----
+"network": {
+ "ssl": {
+ "enabled": false,
Review Comment:
```suggestion
"enabled": true,
```
##########
docs/_docs/ssl-tls.adoc:
##########
@@ -0,0 +1,190 @@
+= SSL/TLS
+
+This page explains how to configure SSL/TLS encryption between the cluster
nodes (server and client) and the clients that connect to your cluster.
+
+== Considerations
+
+All internal connections in the cluster context, as well as cluster's user
interaction interfaces, are SSL-enabled. The communication categories are as
follows:
+
+* Between the user and the cluster (node): REST
+* Between the user and the platform clients
+* Between nodes: Network (Messaging, Scalecube)
+
+All SSL configurations activities are performed at the node level.
+
+Apache Ignite does not support direct paths to SSL certificates. Instead, it
utilizes PKCS12 and JKS keystore.
+
+== REST
+
+The standard implementation of SSL for REST involves configuring a secure
connection on a separate port. Apache Ignite supports HTTP and HTTPS, arch on
its own port.
+
+The Apache Ignite 3.x REST security configuration is as follows:
+
+[source,json]
+----
+"rest": {
+ "dualProtocol": false,
+ "httpToHttpsRedirection": false,
+ "ssl": {
+ "enabled": false,
+ "port": 10400,
+ "portRange": 100,
+ "keyStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ }
+ }
+}
+----
+
+== Clients and JDBC
+
+Apache Ignite 3.x Client implementation is based on the Netty framework, which
supports configuration for security connections via `SSLContextBuilder`.
+
+=== Client-side Configuration
+
+[source,java]
+----
+SslContextBuilder sslBuilder = SslContextBuilder
+ .forClient()
+ .keyManager(getKeyManagerFactory())
+ .trustManager(getTrustManagerFactory());
+}
+----
+
+=== Server-side Configuration
+
+[source,java]
+----
+SslContextBuilder builder = SslContextBuilder.forServer(certChainInput,
keyInput)
+ .ciphers(getCiphers(), getCiphersFilter())
+ .sessionTimeout(serverSslConfig.getSessionTimeout())
+ .sslProvider(sslProvider);
+.trustManager(trustedCerts.toArray(new X509Certificate[0]))
+ .clientAuth(serverSslConfig.getClientAuth());
+----
+
+Introduce the client configuration on the Apache Ignite 3.x server side and
map it to Netty Security Context:
+
+[source,json]
+----
+"clientConnector": {
+ "ssl": {
+ "enabled": false,
+ "clientAuth": "none",
+ "keyStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ },
+ "trustStore": {
Review Comment:
We configure `trustStore` if `clientAuth` is set to `require` or `optional`.
In the example, we set `"clientAuth": "none"` which means we do not want mTLS
and we do not have to configure `trustStore` part.
I would suggest changing `"clientAuth": "none"` to `"clientAuth":
"require"` OR remove `trustStore` part. The choice is up to you.
##########
docs/_docs/ssl-tls.adoc:
##########
@@ -0,0 +1,190 @@
+= SSL/TLS
+
+This page explains how to configure SSL/TLS encryption between the cluster
nodes (server and client) and the clients that connect to your cluster.
+
+== Considerations
+
+All internal connections in the cluster context, as well as cluster's user
interaction interfaces, are SSL-enabled. The communication categories are as
follows:
+
+* Between the user and the cluster (node): REST
+* Between the user and the platform clients
+* Between nodes: Network (Messaging, Scalecube)
+
+All SSL configurations activities are performed at the node level.
+
+Apache Ignite does not support direct paths to SSL certificates. Instead, it
utilizes PKCS12 and JKS keystore.
+
+== REST
+
+The standard implementation of SSL for REST involves configuring a secure
connection on a separate port. Apache Ignite supports HTTP and HTTPS, arch on
its own port.
+
+The Apache Ignite 3.x REST security configuration is as follows:
+
+[source,json]
+----
+"rest": {
+ "dualProtocol": false,
+ "httpToHttpsRedirection": false,
+ "ssl": {
+ "enabled": false,
Review Comment:
```suggestion
"enabled": true,
```
##########
docs/_docs/ssl-tls.adoc:
##########
@@ -0,0 +1,190 @@
+= SSL/TLS
+
+This page explains how to configure SSL/TLS encryption between the cluster
nodes (server and client) and the clients that connect to your cluster.
+
+== Considerations
+
+All internal connections in the cluster context, as well as cluster's user
interaction interfaces, are SSL-enabled. The communication categories are as
follows:
+
+* Between the user and the cluster (node): REST
+* Between the user and the platform clients
+* Between nodes: Network (Messaging, Scalecube)
+
+All SSL configurations activities are performed at the node level.
+
+Apache Ignite does not support direct paths to SSL certificates. Instead, it
utilizes PKCS12 and JKS keystore.
+
+== REST
+
+The standard implementation of SSL for REST involves configuring a secure
connection on a separate port. Apache Ignite supports HTTP and HTTPS, arch on
its own port.
+
+The Apache Ignite 3.x REST security configuration is as follows:
+
+[source,json]
+----
+"rest": {
+ "dualProtocol": false,
+ "httpToHttpsRedirection": false,
+ "ssl": {
+ "enabled": false,
+ "port": 10400,
+ "portRange": 100,
+ "keyStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ }
+ }
+}
+----
+
+== Clients and JDBC
+
+Apache Ignite 3.x Client implementation is based on the Netty framework, which
supports configuration for security connections via `SSLContextBuilder`.
+
+=== Client-side Configuration
+
+[source,java]
+----
+SslContextBuilder sslBuilder = SslContextBuilder
+ .forClient()
+ .keyManager(getKeyManagerFactory())
+ .trustManager(getTrustManagerFactory());
+}
+----
+
+=== Server-side Configuration
+
+[source,java]
+----
+SslContextBuilder builder = SslContextBuilder.forServer(certChainInput,
keyInput)
Review Comment:
This java code (and above) are just examples of how the SSL might be
configured in Netty. I don't think these implementation details are important
for end users. What they are really interested in is the configuration part.
I would suggest dropping those parts from the document. WDYT?
##########
docs/_docs/ssl-tls.adoc:
##########
@@ -0,0 +1,190 @@
+= SSL/TLS
+
+This page explains how to configure SSL/TLS encryption between the cluster
nodes (server and client) and the clients that connect to your cluster.
+
+== Considerations
+
+All internal connections in the cluster context, as well as cluster's user
interaction interfaces, are SSL-enabled. The communication categories are as
follows:
+
+* Between the user and the cluster (node): REST
+* Between the user and the platform clients
+* Between nodes: Network (Messaging, Scalecube)
+
+All SSL configurations activities are performed at the node level.
+
+Apache Ignite does not support direct paths to SSL certificates. Instead, it
utilizes PKCS12 and JKS keystore.
+
+== REST
+
+The standard implementation of SSL for REST involves configuring a secure
connection on a separate port. Apache Ignite supports HTTP and HTTPS, arch on
its own port.
+
+The Apache Ignite 3.x REST security configuration is as follows:
+
+[source,json]
+----
+"rest": {
+ "dualProtocol": false,
+ "httpToHttpsRedirection": false,
+ "ssl": {
+ "enabled": false,
+ "port": 10400,
+ "portRange": 100,
+ "keyStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ }
+ }
+}
+----
+
+== Clients and JDBC
+
+Apache Ignite 3.x Client implementation is based on the Netty framework, which
supports configuration for security connections via `SSLContextBuilder`.
+
+=== Client-side Configuration
+
+[source,java]
+----
+SslContextBuilder sslBuilder = SslContextBuilder
+ .forClient()
+ .keyManager(getKeyManagerFactory())
+ .trustManager(getTrustManagerFactory());
+}
+----
+
+=== Server-side Configuration
+
+[source,java]
+----
+SslContextBuilder builder = SslContextBuilder.forServer(certChainInput,
keyInput)
+ .ciphers(getCiphers(), getCiphersFilter())
+ .sessionTimeout(serverSslConfig.getSessionTimeout())
+ .sslProvider(sslProvider);
+.trustManager(trustedCerts.toArray(new X509Certificate[0]))
+ .clientAuth(serverSslConfig.getClientAuth());
+----
+
+Introduce the client configuration on the Apache Ignite 3.x server side and
map it to Netty Security Context:
+
+[source,json]
+----
+"clientConnector": {
+ "ssl": {
+ "enabled": false,
+ "clientAuth": "none",
+ "keyStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ },
+ "trustStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ }
+ }
+}
+----
+
+If you have enabled SSL for `clientConnector`, set the corresponding
properties in
link:https://github.com/apache/ignite-3/blob/be6c8b290894dbd6f88eaaa2a2aafc3eff300855/modules/jdbc/src/main/java/org/apache/ignite/internal/jdbc/ConnectionProperties.java[ConnectionProperties].
Review Comment:
```suggestion
If you have enabled SSL for `clientConnector` and want to use JDBC, set the
corresponding properties in
link:https://github.com/apache/ignite-3/blob/be6c8b290894dbd6f88eaaa2a2aafc3eff300855/modules/jdbc/src/main/java/org/apache/ignite/internal/jdbc/ConnectionProperties.java[ConnectionProperties].
```
##########
docs/_docs/ssl-tls.adoc:
##########
@@ -0,0 +1,190 @@
+= SSL/TLS
+
+This page explains how to configure SSL/TLS encryption between the cluster
nodes (server and client) and the clients that connect to your cluster.
+
+== Considerations
+
+All internal connections in the cluster context, as well as cluster's user
interaction interfaces, are SSL-enabled. The communication categories are as
follows:
+
+* Between the user and the cluster (node): REST
+* Between the user and the platform clients
+* Between nodes: Network (Messaging, Scalecube)
+
+All SSL configurations activities are performed at the node level.
+
+Apache Ignite does not support direct paths to SSL certificates. Instead, it
utilizes PKCS12 and JKS keystore.
+
+== REST
+
+The standard implementation of SSL for REST involves configuring a secure
connection on a separate port. Apache Ignite supports HTTP and HTTPS, arch on
its own port.
+
+The Apache Ignite 3.x REST security configuration is as follows:
+
+[source,json]
+----
+"rest": {
+ "dualProtocol": false,
+ "httpToHttpsRedirection": false,
+ "ssl": {
+ "enabled": false,
+ "port": 10400,
+ "portRange": 100,
+ "keyStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ }
+ }
+}
+----
+
+== Clients and JDBC
+
+Apache Ignite 3.x Client implementation is based on the Netty framework, which
supports configuration for security connections via `SSLContextBuilder`.
+
+=== Client-side Configuration
+
+[source,java]
+----
+SslContextBuilder sslBuilder = SslContextBuilder
+ .forClient()
+ .keyManager(getKeyManagerFactory())
+ .trustManager(getTrustManagerFactory());
+}
+----
+
+=== Server-side Configuration
+
+[source,java]
+----
+SslContextBuilder builder = SslContextBuilder.forServer(certChainInput,
keyInput)
+ .ciphers(getCiphers(), getCiphersFilter())
+ .sessionTimeout(serverSslConfig.getSessionTimeout())
+ .sslProvider(sslProvider);
+.trustManager(trustedCerts.toArray(new X509Certificate[0]))
+ .clientAuth(serverSslConfig.getClientAuth());
+----
+
+Introduce the client configuration on the Apache Ignite 3.x server side and
map it to Netty Security Context:
+
+[source,json]
+----
+"clientConnector": {
+ "ssl": {
+ "enabled": false,
+ "clientAuth": "none",
+ "keyStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ },
+ "trustStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ }
+ }
+}
+----
+
+If you have enabled SSL for `clientConnector`, set the corresponding
properties in
link:https://github.com/apache/ignite-3/blob/be6c8b290894dbd6f88eaaa2a2aafc3eff300855/modules/jdbc/src/main/java/org/apache/ignite/internal/jdbc/ConnectionProperties.java[ConnectionProperties].
+
+== Platform Clients
+
+=== .NET
+
+Add the `IgniteClientConfiguration.SslStreamFactory` property of type
`ISslStreamFactory`.
+
+Provide a
link:https://github.com/apache/ignite/blob/66f43a4bee163aadb3ad731f6eb9a6dfde9faa73/modules/platforms/dotnet/Apache.Ignite.Core/Client/SslStreamFactory.cs[predefined
implementation].
+
+Use the base class library `SslStream`.
+
+Basic usage without client authorization:
+
+[source,csharp]
+----
+var cfg = new IgniteClientConfiguration { SslStreamFactory = new() }
+----
+
+== CLI Configuration
+
+The CLI, uses OkHTTP to communicate with Apache Ignite 3.x. To enable SSL,
create `SSLSocketFactory` and pass it to the `OkHttpClient` builder:
+
+[source,java]
+----
+X509TrustManager trustManager;
+SSLSocketFactory sslSocketFactory;
+try {
+ trustManager =
trustManagerForCertificates(trustedCertificatesInputStream());
+ SSLContext sslContext = SSLContext.getInstance("TLS");
+ sslContext.init(null, new TrustManager[] { trustManager }, null);
+ sslSocketFactory = sslContext.getSocketFactory();
+}
+catch (GeneralSecurityException e) {
+ throw new RuntimeException(e);
+}
+
+client = new OkHttpClient.Builder()
Review Comment:
Same thoughts about java code, the user probably do not want to know it.
##########
docs/_docs/ssl-tls.adoc:
##########
@@ -0,0 +1,190 @@
+= SSL/TLS
+
+This page explains how to configure SSL/TLS encryption between the cluster
nodes (server and client) and the clients that connect to your cluster.
+
+== Considerations
+
+All internal connections in the cluster context, as well as cluster's user
interaction interfaces, are SSL-enabled. The communication categories are as
follows:
+
+* Between the user and the cluster (node): REST
+* Between the user and the platform clients
+* Between nodes: Network (Messaging, Scalecube)
+
+All SSL configurations activities are performed at the node level.
+
+Apache Ignite does not support direct paths to SSL certificates. Instead, it
utilizes PKCS12 and JKS keystore.
+
+== REST
+
+The standard implementation of SSL for REST involves configuring a secure
connection on a separate port. Apache Ignite supports HTTP and HTTPS, arch on
its own port.
+
+The Apache Ignite 3.x REST security configuration is as follows:
+
+[source,json]
+----
+"rest": {
+ "dualProtocol": false,
+ "httpToHttpsRedirection": false,
+ "ssl": {
+ "enabled": false,
+ "port": 10400,
+ "portRange": 100,
+ "keyStore": {
+ "type": "PKCS12",
+ "path": "must not be empty",
+ "password": "may be empty"
+ }
+ }
+}
+----
+
+== Clients and JDBC
+
+Apache Ignite 3.x Client implementation is based on the Netty framework, which
supports configuration for security connections via `SSLContextBuilder`.
+
+=== Client-side Configuration
+
+[source,java]
+----
+SslContextBuilder sslBuilder = SslContextBuilder
+ .forClient()
+ .keyManager(getKeyManagerFactory())
+ .trustManager(getTrustManagerFactory());
+}
+----
+
+=== Server-side Configuration
+
+[source,java]
+----
+SslContextBuilder builder = SslContextBuilder.forServer(certChainInput,
keyInput)
+ .ciphers(getCiphers(), getCiphersFilter())
+ .sessionTimeout(serverSslConfig.getSessionTimeout())
+ .sslProvider(sslProvider);
+.trustManager(trustedCerts.toArray(new X509Certificate[0]))
+ .clientAuth(serverSslConfig.getClientAuth());
+----
+
+Introduce the client configuration on the Apache Ignite 3.x server side and
map it to Netty Security Context:
+
+[source,json]
+----
+"clientConnector": {
+ "ssl": {
+ "enabled": false,
Review Comment:
```suggestion
"enabled": true,
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
