Posted to user@ignite.apache.org by vdpyatkov <vl...@gmail.com> on 2017/04/24 15:00:53 UTC

Re: Veracode identifies Insufficient Entropy issue in Apache Ignite Classes

Hi,

I do not think any of these places in the code are related to a security concern.
Ignite by itself is not a cryptographic framework, but if you want to
implement security logic you are always able to use your own random algorithm.

It will be easier if you explain what you were worried about.

Please properly subscribe to the mailing list so that the community can
receive email notifications for your messages. To subscribe, send empty
email to user-subscribe@ignite.apache.org and follow simple instructions in
the reply.



--
View this message in context: http://apache-ignite-users.70518.x6.nabble.com/Veracode-identifies-Insufficient-Entropy-issue-in-Apache-Ignite-Classes-tp12159p12199.html
Sent from the Apache Ignite Users mailing list archive at Nabble.com.

Re: Veracode identifies Insufficient Entropy issue in Apache Ignite Classes

Posted by rick_tem <rv...@temenos.com>.
We've implemented our own security plugin.  But that doesn't protect you if
you start Ignite from $IGNITE_HOME/bin with Ignite.sh and haven't configured
a plugin.  The node will start fine and bypass it.  One of the problems with
Ignite is that I can connect with Visor without any security and see all of
the values in a cache.  My question would be:  What does Ignite team
recommend in terms of security?  Certainly, I think you want to use known
hosts and known ports, but is there anything else one could do besides
writing a plugin?

Best,
Rick



--
View this message in context: http://apache-ignite-users.70518.x6.nabble.com/Veracode-identifies-Insufficient-Entropy-issue-in-Apache-Ignite-Classes-tp12159p12201.html

Re: Veracode identifies Insufficient Entropy issue in Apache Ignite Classes

Posted by vdpyatkov <vl...@gmail.com>.
If you configure sslContextFactory, then the client communicates through a secure
socket, because the client works as a node of the cluster (using CommunicationSPI).



--
View this message in context: http://apache-ignite-users.70518.x6.nabble.com/Veracode-identifies-Insufficient-Entropy-issue-in-Apache-Ignite-Classes-tp12159p12234.html

Re: Veracode identifies Insufficient Entropy issue in Apache Ignite Classes

Posted by rick_tem <rv...@temenos.com>.
Hi,

Yes, I'm aware that you can use SSL.  That only secures data going between
nodes, however.  Haven't tried it yet, but it isn't going to help you with
seeing all the values in the cache through Visor.

Best,
Rick
 



--
View this message in context: http://apache-ignite-users.70518.x6.nabble.com/Veracode-identifies-Insufficient-Entropy-issue-in-Apache-Ignite-Classes-tp12159p12233.html

Re: Veracode identifies Insufficient Entropy issue in Apache Ignite Classes

Posted by vdpyatkov <vl...@gmail.com>.
rick_tem,

Why not use the SSL/TLS configuration[1]?
In this case all nodes (including visorcmd) will communicate through a
secure socket.

jackbaru,

From my point of view, those places (which were in the report) are not
relevant to security. This is internal usage of the standard platform random
algorithm, not a security layer.

If you want to encode traffic between nodes, you can use SSL/TLS[1] with
your own private key.

For the implementation of an authorization plugin we always use a third-party
system such as LDAP through JAAS. Look at how it is done in the GridGain auth
plugin[2].

[1]: https://apacheignite.readme.io/docs/ssltls
[2]: http://docs.gridgain.com/docs/security-and-audit



--
View this message in context: http://apache-ignite-users.70518.x6.nabble.com/Veracode-identifies-Insufficient-Entropy-issue-in-Apache-Ignite-Classes-tp12159p12224.html
Sent from the Apache Ignite Users mailing list archive at Nabble.com.
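
The sslContextFactory setting discussed in this thread, as an added example that is not part of any post above and is not Ignite project code. The class name, keystore paths and environment variable names are assumptions; the Ignite calls are from the public org.apache.ignite.ssl.SslContextFactory and IgniteConfiguration API.

```java
import org.apache.ignite.Ignite;
import org.apache.ignite.Ignition;
import org.apache.ignite.configuration.IgniteConfiguration;
import org.apache.ignite.ssl.SslContextFactory;

/** Hypothetical launcher: starts a node that only talks TLS to its peers. */
public class SecureNodeStartup {

    /** Builds a node configuration with a key store and an explicit trust store. */
    static IgniteConfiguration sslConfig(String keyStorePath, char[] keyStorePwd,
                                         String trustStorePath, char[] trustStorePwd) {
        SslContextFactory ssl = new SslContextFactory();

        // This node's own private key and certificate.
        ssl.setKeyStoreFilePath(keyStorePath);
        ssl.setKeyStorePassword(keyStorePwd);

        // Certificates this node accepts from peers. Keep this explicit.
        ssl.setTrustStoreFilePath(trustStorePath);
        ssl.setTrustStorePassword(trustStorePwd);

        // Weak setting, shown only for contrast and left disabled: it makes the
        // node accept any peer certificate, so TLS no longer identifies peers.
        // ssl.setTrustManagers(SslContextFactory.getDisabledTrustManager());

        IgniteConfiguration cfg = new IgniteConfiguration();
        cfg.setSslContextFactory(ssl);
        return cfg;
    }

    /** Reads a required secret from the environment instead of hard-coding it. */
    static char[] requiredEnv(String name) {
        String val = System.getenv(name);
        if (val == null || val.isEmpty())
            throw new IllegalStateException("Missing environment variable: " + name);
        return val.toCharArray();
    }

    public static void main(String[] args) {
        // Assumed paths and variable names; adjust to the deployment.
        IgniteConfiguration cfg = sslConfig(
            "keystore/node.jks", requiredEnv("IGNITE_KEYSTORE_PASSWORD"),
            "keystore/trust.jks", requiredEnv("IGNITE_TRUSTSTORE_PASSWORD"));

        try (Ignite ignite = Ignition.start(cfg)) {
            System.out.println("Node started with TLS: " + ignite.name());
        }
    }
}
```

Every node in the cluster, including the one visorcmd starts, needs an equivalent sslContextFactory in its configuration.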