Individual members within the system share the same TLS configuration.  When 
the “server” component is enabled, all client/server communication must be TLS.

FWIW, I see users adopting “defense in depth” security principles by enabling 
encrypted communication even on well-protected internal networks.

Anthony


On Jul 17, 2020, at 3:04 AM, Rupert St John Webster <[email protected]> wrote:

Hi Anthony,

Thanks so much for the reply. Is it possible to have 2 servers, where the “cluster” 
communication is not SSL, and 1 server has “server” SSL and the other one has 
no SSL. Then we can connect internal clients to the non-SSL server and external 
clients to the SSL server?

Cheers,
Rupert

From: Anthony Baker [mailto:[email protected]]
Sent: 16 July 2020 16:58
To: [email protected]
Cc: Wai Lun Poon; Edgaras Valius
Subject: Re: Geode and sTunnel

Rupert, would setting the ssl-enabled-components work for you [1]?  You should 
be able to configure only the components you wish to use ssl for—e.g. server, 
locator, jmx, etc.

Anthony


[1] https://geode.apache.org/docs/guide/14/managing/security/implementing_ssl.html



On Jul 16, 2020, at 4:51 AM, Rupert St John Webster <[email protected]> wrote:

Hello,

Has anyone had any luck with implementing sTunnel for Geode Server SSL get and 
put to encrypt traffic to client subscribers outside their immediate LAN?

Per this question 
<https://stackoverflow.com/questions/62921394/using-stunnel-for-apache-geode-net-client-ssl-connection-to-server> 
an stunnel works to secure locator connectivity via port 10334 but not the 
server traffic back to remote subscribers via port 40404 out to a dynamic pool 
of ports at the client side.


Thanks, kind regards,

Rupert St John Webster
Engineering
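
Anthony's replies in this thread (list only the components that need SSL in ssl-enabled-components; members share the same TLS configuration) can be checked mechanically. The following is an added example, not code from the thread or from Geode: a small audit over members' property files, where the function names, member names and sample values are constructed and only explicitly set values are evaluated.

```python
# Added example: audit ssl-enabled-components across Geode members.
# Component names as listed in the Geode SSL documentation.
COMPONENTS = {"cluster", "gateway", "web", "jmx", "locator", "server"}

def parse_properties(text):
    """Minimal .properties parser: key=value lines, # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def tls_components(props):
    """Components with TLS explicitly enabled; 'all' expands to every one."""
    raw = props.get("ssl-enabled-components", "")
    names = {n.strip().lower() for n in raw.split(",") if n.strip()}
    if "all" in names:
        return set(COMPONENTS)
    unknown = names - COMPONENTS
    if unknown:
        raise ValueError(f"unknown component(s): {sorted(unknown)}")
    return names

def audit(members):
    """members maps member name -> properties text; returns findings."""
    enabled = {n: tls_components(parse_properties(t)) for n, t in members.items()}
    findings = []
    # Members of one system are expected to share the same TLS configuration.
    if len({frozenset(c) for c in enabled.values()}) > 1:
        findings.append("members do not share the same ssl-enabled-components")
    # Client-facing channels: locator discovery and client/server traffic.
    for name in sorted(enabled):
        for comp in ("locator", "server"):
            if comp not in enabled[name]:
                findings.append(f"{name}: TLS not enabled for {comp}")
    return findings

# Constructed sample: one TLS member and one member without TLS settings.
SAMPLE = {
    "server-external": "ssl-enabled-components=server,locator\n"
                       "ssl-keystore=/path/to/keystore.jks\n",  # placeholder path
    "server-internal": "# no TLS settings\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```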