Re: [akka-user] akka remoting over ssl with client auth
Hi Jim, On Mon, Jun 1, 2015 at 10:20 PM, Jim Newsham jim.news...@gmail.com wrote: Thanks Andre for your reply. I am aware of the constraints of Akka remoting, and in fact I feel that the link you referenced actually supports an argument for two-way authentication. Communication between remoting nodes must be symmetric, which implies that authentication should be performed in both directions and there should be no specific client/server roles (as would be implied by a one-way authentication). Consider what happens when only one-way authentication is used, and trust is only established in one direction -- say, because of improperly configured keystore/truststore on one of the nodes. In this case, connection can only be established when initiated in one direction, but not in the opposite direction, which violates the symmetric communication requirement. As a result, the peers will experience intermittent communication problems which may be hard to diagnose. On the other hand if two-way authentication were required, the setup would fail-fast -- no communication would be established until the trust configuration is corrected. These are good points, I will revive the ticket properly. I think it will only make into 2.4 though, but you should follow the ticket for updates. -Endre Regards, Jim On Monday, June 1, 2015 at 2:04:12 AM UTC-10, Akka Team wrote: Hi Jim, Akka Remoting has no support for this feature (see ticket https://github.com/akka/akka/issues/13874). While we might implement this in the future, you should consider that Akka remoting is designed to work intra-datacenter and not inter-datacenter. If inter-datacenter communciation is needed then it is recommended to use normal client-server technologies like akka io (for TCP) or spray (for HTTP), not just because of security, but because of the underlying assumptions in remoting (see http://doc.akka.io/docs/akka/2.3.11/general/remoting.html#Peer-to-Peer_vs__Client-Server ) -Endre On Wed, May 27, 2015 at 12:04 AM, Jim Newsham jim.n...@gmail.com wrote: For security reasons, we would like to enable two-way ssl authentication for our akka remoting communication. Is this possible? Thanks, Jim -- Read the docs: http://akka.io/docs/ Check the FAQ: http://doc.akka.io/docs/akka/current/additional/faq.html Search the archives: https://groups.google.com/group/akka-user --- You received this message because you are subscribed to the Google Groups Akka User List group. To unsubscribe from this group and stop receiving emails from it, send an email to akka-user+...@googlegroups.com. To post to this group, send email to akka...@googlegroups.com. Visit this group at http://groups.google.com/group/akka-user. For more options, visit https://groups.google.com/d/optout. -- Akka Team Typesafe - Reactive apps on the JVM Blog: letitcrash.com Twitter: @akkateam -- Read the docs: http://akka.io/docs/ Check the FAQ: http://doc.akka.io/docs/akka/current/additional/faq.html Search the archives: https://groups.google.com/group/akka-user --- You received this message because you are subscribed to the Google Groups Akka User List group. To unsubscribe from this group and stop receiving emails from it, send an email to akka-user+unsubscr...@googlegroups.com. To post to this group, send email to akka-user@googlegroups.com. Visit this group at http://groups.google.com/group/akka-user. For more options, visit https://groups.google.com/d/optout. -- Akka Team Typesafe - Reactive apps on the JVM Blog: letitcrash.com Twitter: @akkateam -- Read the docs: http://akka.io/docs/ Check the FAQ: http://doc.akka.io/docs/akka/current/additional/faq.html Search the archives: https://groups.google.com/group/akka-user --- You received this message because you are subscribed to the Google Groups Akka User List group. To unsubscribe from this group and stop receiving emails from it, send an email to akka-user+unsubscr...@googlegroups.com. To post to this group, send email to akka-user@googlegroups.com. Visit this group at http://groups.google.com/group/akka-user. For more options, visit https://groups.google.com/d/optout.
Re: [akka-user] akka remoting over ssl with client auth
Hi Jim, Akka Remoting has no support for this feature (see ticket https://github.com/akka/akka/issues/13874). While we might implement this in the future, you should consider that Akka remoting is designed to work intra-datacenter and not inter-datacenter. If inter-datacenter communciation is needed then it is recommended to use normal client-server technologies like akka io (for TCP) or spray (for HTTP), not just because of security, but because of the underlying assumptions in remoting (see http://doc.akka.io/docs/akka/2.3.11/general/remoting.html#Peer-to-Peer_vs__Client-Server ) -Endre On Wed, May 27, 2015 at 12:04 AM, Jim Newsham jim.news...@gmail.com wrote: For security reasons, we would like to enable two-way ssl authentication for our akka remoting communication. Is this possible? Thanks, Jim -- Read the docs: http://akka.io/docs/ Check the FAQ: http://doc.akka.io/docs/akka/current/additional/faq.html Search the archives: https://groups.google.com/group/akka-user --- You received this message because you are subscribed to the Google Groups Akka User List group. To unsubscribe from this group and stop receiving emails from it, send an email to akka-user+unsubscr...@googlegroups.com. To post to this group, send email to akka-user@googlegroups.com. Visit this group at http://groups.google.com/group/akka-user. For more options, visit https://groups.google.com/d/optout. -- Akka Team Typesafe - Reactive apps on the JVM Blog: letitcrash.com Twitter: @akkateam -- Read the docs: http://akka.io/docs/ Check the FAQ: http://doc.akka.io/docs/akka/current/additional/faq.html Search the archives: https://groups.google.com/group/akka-user --- You received this message because you are subscribed to the Google Groups Akka User List group. To unsubscribe from this group and stop receiving emails from it, send an email to akka-user+unsubscr...@googlegroups.com. To post to this group, send email to akka-user@googlegroups.com. Visit this group at http://groups.google.com/group/akka-user. For more options, visit https://groups.google.com/d/optout.
Re: [akka-user] akka remoting over ssl with client auth
Thanks Andre for your reply. I am aware of the constraints of Akka remoting, and in fact I feel that the link you referenced actually supports an argument for two-way authentication. Communication between remoting nodes must be symmetric, which implies that authentication should be performed in both directions and there should be no specific client/server roles (as would be implied by a one-way authentication). Consider what happens when only one-way authentication is used, and trust is only established in one direction -- say, because of improperly configured keystore/truststore on one of the nodes. In this case, connection can only be established when initiated in one direction, but not in the opposite direction, which violates the symmetric communication requirement. As a result, the peers will experience intermittent communication problems which may be hard to diagnose. On the other hand if two-way authentication were required, the setup would fail-fast -- no communication would be established until the trust configuration is corrected. Regards, Jim On Monday, June 1, 2015 at 2:04:12 AM UTC-10, Akka Team wrote: Hi Jim, Akka Remoting has no support for this feature (see ticket https://github.com/akka/akka/issues/13874). While we might implement this in the future, you should consider that Akka remoting is designed to work intra-datacenter and not inter-datacenter. If inter-datacenter communciation is needed then it is recommended to use normal client-server technologies like akka io (for TCP) or spray (for HTTP), not just because of security, but because of the underlying assumptions in remoting (see http://doc.akka.io/docs/akka/2.3.11/general/remoting.html#Peer-to-Peer_vs__Client-Server ) -Endre On Wed, May 27, 2015 at 12:04 AM, Jim Newsham jim.n...@gmail.com javascript: wrote: For security reasons, we would like to enable two-way ssl authentication for our akka remoting communication. Is this possible? Thanks, Jim -- Read the docs: http://akka.io/docs/ Check the FAQ: http://doc.akka.io/docs/akka/current/additional/faq.html Search the archives: https://groups.google.com/group/akka-user --- You received this message because you are subscribed to the Google Groups Akka User List group. To unsubscribe from this group and stop receiving emails from it, send an email to akka-user+...@googlegroups.com javascript:. To post to this group, send email to akka...@googlegroups.com javascript:. Visit this group at http://groups.google.com/group/akka-user. For more options, visit https://groups.google.com/d/optout. -- Akka Team Typesafe - Reactive apps on the JVM Blog: letitcrash.com Twitter: @akkateam -- Read the docs: http://akka.io/docs/ Check the FAQ: http://doc.akka.io/docs/akka/current/additional/faq.html Search the archives: https://groups.google.com/group/akka-user --- You received this message because you are subscribed to the Google Groups Akka User List group. To unsubscribe from this group and stop receiving emails from it, send an email to akka-user+unsubscr...@googlegroups.com. To post to this group, send email to akka-user@googlegroups.com. Visit this group at http://groups.google.com/group/akka-user. For more options, visit https://groups.google.com/d/optout.
[akka-user] akka remoting over ssl with client auth
For security reasons, we would like to enable two-way ssl authentication for our akka remoting communication. Is this possible? Thanks, Jim -- Read the docs: http://akka.io/docs/ Check the FAQ: http://doc.akka.io/docs/akka/current/additional/faq.html Search the archives: https://groups.google.com/group/akka-user --- You received this message because you are subscribed to the Google Groups Akka User List group. To unsubscribe from this group and stop receiving emails from it, send an email to akka-user+unsubscr...@googlegroups.com. To post to this group, send email to akka-user@googlegroups.com. Visit this group at http://groups.google.com/group/akka-user. For more options, visit https://groups.google.com/d/optout.