[ https://issues.apache.org/jira/browse/GEODE-420?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15388672#comment-15388672 ]

ASF subversion and git services commented on GEODE-420:
-------------------------------------------------------

Commit 3047e5e2ce41d981bc373000dc98466e38caa0f8 in incubator-geode's branch 
refs/heads/feature/GEODE-420 from [~ukohlmeyer]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-geode.git;h=3047e5e ]

GEODE-420: reverting debug system out


> locator ssl configuration
> -------------------------
>
>                 Key: GEODE-420
>                 URL: https://issues.apache.org/jira/browse/GEODE-420
>             Project: Geode
>          Issue Type: New Feature
>          Components: locator
>            Reporter: Darrel Schneider
>            Assignee: Udo Kohlmeyer
>
> We currently allow separate SSL configuration for cluster, server, gateway, 
> jmx-manager, and http-service.
> The "server" attributes configure the ssl connections from clients to a cache 
> server.
> The "gateway" attributes configure the ssl connections between a gateway 
> sender and receiver.
> The "jmx-manager" attributes configure the ssl connections between an admin 
> client (for example gfsh) and the jmx-manager.
> The "http-service" attributes configure the ssl connections between REST 
> clients and the http-service.
> The "cluster" attributes configure the ssl connections between the members of 
> a distributed system (peer-to-peer connections) AND to the locators.
> Using "cluster" for the connections to a locator can be a problem.
> Say you trust all your members of a distributed system since they are running 
> on your private network. So no need for ssl on the p2p connections.
> So you disable cluster-ssl. This means that your peers and locators are all 
> using unsecure connections.
> But some of these members are hosting a cache server and have clients 
> connecting to them. So you configure "server" ssl for the client to server 
> connections. But for your clients to find your servers they need to talk to 
> the locator. Since the clients are coming from the outside world you want 
> them to use SSL. So you configure "server" ssl on them for when they connect 
> to the cache server and "cluster" SSL on them for when they connect to the 
> locator. But your locators are configured with "cluster" SSL disabled so that 
> the p2p connects on the internal network will not be SSL.
> So you are either forced to have your client to locator connections to be 
> unsecure or you need to secure all the cluster connections forcing the peers 
> to also use SSL.
> I think we should introduce "locator" SSL configuration options that would 
> allow you to have just the locator and server using SSL and the "cluster" to 
> have SSL disabled.
> Something else to consider would be for the locator to be able to use SSL for 
> clients but non-SSL for locator-to-locator and peers-to-locator connections. 
> I think this would be more complicated because we would need to have 
> different ports that the locator listens on (one for clients and one for 
> locators and members).
>  



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
