Posted to user@geode.apache.org by Rupert St John Webster <ru...@impress-solutions.com> on 2020/07/16 11:51:34 UTC

Geode and sTunnel

Hello,

Has anyone had any luck with implementing sTunnel for Geode Server SSL get and put to encrypt traffic to client subscribers outside their immediate LAN?

Per this question <https://stackoverflow.com/questions/62921394/using-stunnel-for-apache-geode-net-client-ssl-connection-to-server>, stunnel works to secure locator connectivity via port 10334 but not the server traffic back to remote subscribers via port 40404 out to a dynamic pool of ports at the client side.


Thanks, kind regards,

Rupert St John Webster
Engineering


Tel: 01708 759 760
Fax: 01708 759 761
Email: rupert@impress-solutions.com
Website: www.impress-solutions.co.uk
Head Office address: 3 Holgate Court, 4-10 Western Road, Romford, Essex, RM1 3JS
City address: City Point,  1 Ropemaker Street,  17th Floor, Moorgate, London, EC2Y 9HT



ISO 9001 Certified by BSI Group. Certificate Number: FS 653755

Please Note:
This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mis-transmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Impress Solutions Ltd and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks.

Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of any such entity.


RE: Geode and sTunnel

Posted by Rupert St John Webster <ru...@impress-solutions.com>.
Jake & Anthony thanks for the comments, much appreciated.
We are going to work on the “defense in depth” approach in the long run.
Meanwhile, can I ask: do you know if the native client will support the SNI proxy approach?

Finally, I guess an answer to the stack overflow question<https://stackoverflow.com/questions/62921394/using-stunnel-for-apache-geode-net-client-ssl-connection-to-server> is it’s possible using DNS entries, but not recommended as a robust solution. I shall have a go later and update.
By the way, what’s the UML tool you have there?! I’ve been looking for one for some time ☺

Thanks, kind regards
Rupert

From: Jacob Barrett [mailto:jabarrett@vmware.com]
Sent: 17 July 2020 17:36
To: user@geode.apache.org
Cc: Wai Lun Poon; Edgaras Valius
Subject: Re: Geode and sTunnel


This email has reached the company via an external source.

Please be cautious opening any attachments or links.

Ok, I got it. I am not sure if you can make this work this way with Geode. Certainly won’t work if you scale up the locators or servers above 1. In your LAN1 you would need to setup DNS entries for locator1 and server1 that resolved to the IP of the local sTunnel. This split horizon DNS can be complicated and cumbersome to maintain. Setting hostname for clients won’t help you because it will cause the clients in LAN2 to connect to the LAN1 sTunnel.


My suggestion is to investigate stunnel's SNI proxy features. Geode 1.13 (releasing soon) supports custom socket factories for clients that can be used to proxy connections through a third party. There is also an included implementation of this using the TLS SNI header. In this model the client does not resolve the host locally but rather opens a socket to the SNI proxy and sends the original hostname in the SNI header (like your web browser does). The proxy, like sTunnel, reads the SNI header in the TLS handshake and completes the connection to the original host on the backend.

You end up with a picture like the last one I sent with a single sTunnel. The clients all talk through it. There is no need for split horizon DNS or hostname for clients. It also supports N number of locators and servers.

-Jake



On Jul 17, 2020, at 9:19 AM, Rupert St John Webster <ru...@impress-solutions.com>> wrote:

Hi,

Stunnel is running on both LANs like so (with the sTunnels on the LAN boundaries)

<image001.png>

The config for LAN1 is

<image003.png>

The config for LAN2 is

<image004.png>


From: Jacob Barrett [mailto:jabarrett@vmware.com]
Sent: 17 July 2020 17:09
To: user@geode.apache.org<ma...@geode.apache.org>
Cc: Wai Lun Poon; Edgaras Valius
Subject: Re: Geode and sTunnel

This email has reached the company via an external source.
Please be cautious opening any attachments or links.

Ok, so more like this? Is sTunnel running as a service on lan2?

@startuml

cloud lan1 {
object client1
object client2
}
cloud lan2 {
object locator1
object server1
object client3
object client4

object sTunnel
}

client1 --> sTunnel #blue
sTunnel --> locator1 #blue

client1 --> sTunnel #darkblue
sTunnel --> server1 #darkblue


client2 --> sTunnel #red
sTunnel --> locator1 #red

client2 --> sTunnel #darkred
sTunnel --> server1 #darkred


client3 --> locator1
client3 --> server1

client4 --> locator1
client4 --> server1

@enduml


<image002.png>




On Jul 17, 2020, at 8:59 AM, Rupert St John Webster <ru...@impress-solutions.com>> wrote:

Hi, thanks so much for response. Basically, yes, except there’s only 1 server / locator and there are also clients 3 & 4 (and a lot more) on LAN2

<image002.png>

May I ask what UML modelling tool you have there? ☺

Thanks, kind regards
Rupert

From: Jacob Barrett [mailto:jabarrett@vmware.com]
Sent: 17 July 2020 16:49
To: user@geode.apache.org<ma...@geode.apache.org>
Cc: Wai Lun Poon; Edgaras Valius
Subject: Re: Geode and sTunnel

This email has reached the company via an external source.
Please be cautious opening any attachments or links.

Rupert,

Are you describing a picture that looks like this?

@startuml

cloud lan1 {
object client1
object client2
}
cloud lan2 {
object locator1
object locator2
object server1
object server2
}

object sTunnel

client1 --> sTunnel #blue
sTunnel --> locator1 #blue

client1 --> sTunnel #darkblue
sTunnel --> server1 #darkblue

client1 --> sTunnel #lightblue
sTunnel --> server2 #lightblue

@enduml


<image001.png>





On Jul 16, 2020, at 4:51 AM, Rupert St John Webster <ru...@impress-solutions.com>> wrote:

Hello,

Has anyone had any luck with implementing sTunnel for Geode Server SSL get and put to encrypt traffic to client subscribers outside their immediate LAN?

Per this question<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fstackoverflow.com%2Fquestions%2F62921394%2Fusing-stunnel-for-apache-geode-net-client-ssl-connection-to-server&data=02%7C01%7Cjabarrett%40vmware.com%7Cfe22b8431c0e4eb3729808d82a6d277c%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C637305995622750684&sdata=O0YVCDjX4J%2BUYTubxwHa%2Fo%2BS%2B92NJ58lKDW4xVe64kE%3D&reserved=0> an stunnel works to secure locator connectivity via port 10334 but not the server traffic back to remote subscribers via port 40404 out to a dynamic pool of ports at the client side.


Thanks, kind regards,

Rupert St John Webster
Engineering

<image001.jpg>

<image002.png><https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.facebook.com%2FImpressSolutions&data=02%7C01%7Cjabarrett%40vmware.com%7Cfe22b8431c0e4eb3729808d82a6d277c%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C637305995622760675&sdata=oPd6EQDNQxyEA%2BcmaLcUj9wpnKGWTJKFv1o63oPJFDw%3D&reserved=0> <image003.png><https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.twitter.com%2FImpressUK&data=02%7C01%7Cjabarrett%40vmware.com%7Cfe22b8431c0e4eb3729808d82a6d277c%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C637305995622770670&sdata=%2BQXzWykb5OxthqjzYrTV9lnGRGZqIWxpe5HuMSCp6RM%3D&reserved=0> <image004.png><https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.linkedin.com%2Fcompany%2Fimpress-solutions&data=02%7C01%7Cjabarrett%40vmware.com%7Cfe22b8431c0e4eb3729808d82a6d277c%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C637305995622770670&sdata=17TWRBwaL0wbYnaMgulyZKvk3935SFgX%2F2YAo0shNv4%3D&reserved=0>

Tel: 01708 759 760
Fax: 01708 759 761
Email:  rupert@impress-solutions.com<ma...@impress-solutions.com>
Website: www.impress-solutions.co.uk<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.impress-solutions.co.uk%2F&data=02%7C01%7Cjabarrett%40vmware.com%7Cfe22b8431c0e4eb3729808d82a6d277c%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C637305995622780661&sdata=uzTsFzq36Qy5Tfrhcrndmm4kIh7S%2FuuvkzqEv0j%2Bf6Q%3D&reserved=0>
Head Office address: 3 Holgate Court, 4-10 Western Road, Romford, Essex, RM1 3JS
City address: City Point,  1 Ropemaker Street,  17th Floor, Moorgate, London, EC2Y 9HT


<image005.png>

ISO 9001 Certified by BSI Group. Certificate Number: FS 653755

Please Note:
This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any miss-transmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Impress Solutions Ltd and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks.

Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of any such entity.


Re: Geode and sTunnel

Posted by Jacob Barrett <ja...@vmware.com>.
Ok, I got it. I am not sure if you can make this work this way with Geode. Certainly won’t work if you scale up the locators or servers above 1. In your LAN1 you would need to set up DNS entries for locator1 and server1 that resolved to the IP of the local sTunnel. This split horizon DNS can be complicated and cumbersome to maintain. Setting hostname for clients won’t help you because it will cause the clients in LAN2 to connect to the LAN1 sTunnel.


My suggestion is to investigate stunnel's SNI proxy features. Geode 1.13 (releasing soon) supports custom socket factories for clients that can be used to proxy connections through a third party. There is also an included implementation of this using the TLS SNI header. In this model the client does not resolve the host locally but rather opens a socket to the SNI proxy and sends the original hostname in the SNI header (like your web browser does). The proxy, like sTunnel, reads the SNI header in the TLS handshake and completes the connection to the original host on the backend.

You end up with a picture like the last one I sent with a single sTunnel. The clients all talk through it. There is no need for split horizon DNS or hostname for clients. It also supports N number of locators and servers.

-Jake
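The proxy side of the model Jake describes, as an added example that is not part of this thread and is not stunnel's or Geode's own code: the client opens a TCP connection to the proxy and starts a TLS handshake naming the real locator or server in the SNI extension; the proxy reads that name from the cleartext ClientHello, before any key is involved, and picks the backend to connect to. The routing table, the hostnames (`locator1.lan2.example`, `server1.lan2.example`) and the addresses are constructed placeholders; `build_client_hello` only manufactures sample input so the parser can be exercised offline, and the socket listening and forwarding that a real proxy does is left out.

```python
import struct

# Constructed routing table: SNI hostname -> backend (host, port).
# The hostnames and addresses are placeholders for this example, not
# values from the thread.  Only names in this table are ever forwarded.
BACKENDS = {
    "locator1.lan2.example": ("10.0.2.10", 10334),
    "server1.lan2.example": ("10.0.2.11", 40404),
}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI
    extension.  Used here only to produce sample input for the parser."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name entry
    name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    other_ext = struct.pack("!HH", 0xFF01, 1) + b"\x00"         # unrelated extension
    extensions = other_ext + sni_ext
    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + b"\x11" * 32                                # random (constant for the sample)
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite
        + b"\x01\x00"                                 # null compression only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the server_name sent in a ClientHello record, or None if the
    record is not a well-formed ClientHello carrying an SNI extension."""
    try:
        if record[0] != 0x16:                                  # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                      # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:                                # truncated handshake
            return None
        pos = 2 + 32                                           # version + random
        pos += 1 + body[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
        if pos + 2 > len(body):                                # no extensions block
            return None
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != 0x0000:                             # not server_name
                continue
            list_len = struct.unpack("!H", ext[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = ext[p]
                name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
                value = ext[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0 and len(value) == name_len:  # host_name entry
                    return value.decode("ascii")
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                            # malformed input is dropped
    return None


def route(record: bytes, backends=BACKENDS):
    """Decide where an SNI proxy would forward this connection: the backend
    mapped to the SNI name, or None (drop) when the name is missing, the
    hello is malformed, or the name is not in the allow-list."""
    name = extract_sni(record)
    if name is None:
        return None
    return backends.get(name.lower())


if __name__ == "__main__":
    for host in ("server1.lan2.example", "locator1.lan2.example", "unknown.example"):
        print(host, "->", route(build_client_hello(host)))
```

Two points the thread's prose implies but does not spell out: the proxy never needs the cluster's private key, because the SNI name is in the cleartext part of the handshake, so stunnel can route without terminating TLS; and routing must go through a fixed allow-list rather than resolving whatever name the client sends, otherwise the proxy becomes an open relay into the LAN. Malformed or truncated hellos return None and are dropped rather than guessed at.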


On Jul 17, 2020, at 9:19 AM, Rupert St John Webster <ru...@impress-solutions.com> wrote:


RE: Geode and sTunnel

Posted by Rupert St John Webster <ru...@impress-solutions.com>.
Hi,

Stunnel is running on both LANs like so (with the sTunnels on the LAN boundaries)

[image attachment image001.png: diagram of the two LANs with an sTunnel at each boundary]

The config for LAN1 is

[image attachment image003.png: stunnel config for LAN1]

The config for LAN2 is

[image attachment image004.png: stunnel config for LAN2]


From: Jacob Barrett [mailto:jabarrett@vmware.com]
Sent: 17 July 2020 17:09
To: user@geode.apache.org
Cc: Wai Lun Poon; Edgaras Valius
Subject: Re: Geode and sTunnel



Re: Geode and sTunnel

Posted by Jacob Barrett <ja...@vmware.com>.
Ok, so more like this? Is sTunnel running as a service on lan2?

@startuml

cloud lan1 {
object client1
object client2
}
cloud lan2 {
object locator1
object server1
object client3
object client4

object sTunnel
}

client1 --> sTunnel #blue
sTunnel --> locator1 #blue

client1 --> sTunnel #darkblue
sTunnel --> server1 #darkblue


client2 --> sTunnel #red
sTunnel --> locator1 #red

client2 --> sTunnel #darkred
sTunnel --> server1 #darkred


client3 --> locator1
client3 --> server1

client4 --> locator1
client4 --> server1

@enduml




On Jul 17, 2020, at 8:59 AM, Rupert St John Webster <ru...@impress-solutions.com> wrote:



RE: Geode and sTunnel

Posted by Rupert St John Webster <ru...@impress-solutions.com>.
Hi, thanks so much for response. Basically, yes, except there's only 1 server / locator and there are also clients 3 & 4 (and a lot more) on LAN2

[image attachment image002.png]

May I ask what UML modelling tool you have there? :)

Thanks, kind regards
Rupert

From: Jacob Barrett [mailto:jabarrett@vmware.com]
Sent: 17 July 2020 16:49
To: user@geode.apache.org
Cc: Wai Lun Poon; Edgaras Valius
Subject: Re: Geode and sTunnel




Re: Geode and sTunnel

Posted by Jacob Barrett <ja...@vmware.com>.
Rupert,

Are you describing a picture that looks like this?

@startuml

cloud lan1 {
object client1
object client2
}
cloud lan2 {
object locator1
object locator2
object server1
object server2
}

object sTunnel

client1 --> sTunnel #blue
sTunnel --> locator1 #blue

client1 --> sTunnel #darkblue
sTunnel --> server1 #darkblue

client1 --> sTunnel #lightblue
sTunnel --> server2 #lightblue

@enduml




On Jul 16, 2020, at 4:51 AM, Rupert St John Webster <ru...@impress-solutions.com> wrote:

Hello,

Has anyone had any luck with implementing sTunnel for Geode Server SSL get and put to encrypt traffic to client subscribers outside their immediate LAN?

Per this question<https://stackoverflow.com/questions/62921394/using-stunnel-for-apache-geode-net-client-ssl-connection-to-server> an stunnel works to secure locator connectivity via port 10334 but not the server traffic back to remote subscribers via port 40404 out to a dynamic pool of ports at the client side.


Thanks, kind regards,

Rupert St John Webster
Engineering



Re: Geode and sTunnel

Posted by Anthony Baker <ba...@vmware.com>.
Individual members within the system share the same TLS configuration.  When the “server” component is enabled, all client/server communication must be TLS.

FWIW, I see users adopting “defense in depth” security principles by enabling encrypted communication even on well-protected internal networks.

Anthony


On Jul 17, 2020, at 3:04 AM, Rupert St John Webster <ru...@impress-solutions.com> wrote:

Hi Anthony,

Thanks so much for the reply. Is it possible to have 2 servers, where the “cluster” communication is not SSL, and 1 server has “server” SSL and the other one has no SSL? Then we can connect internal clients to the non-SSL server and external clients to the SSL server?

Cheers,
Rupert

From: Anthony Baker [mailto:bakera@vmware.com]
Sent: 16 July 2020 16:58
To: user@geode.apache.org<ma...@geode.apache.org>
Cc: Wai Lun Poon; Edgaras Valius
Subject: Re: Geode and sTunnel

Rupert, would setting the ssl-enabled-components work for you [1]?  You should be able to configure only the components you wish to use ssl for—e.g. server, locator, jmx, etc.

Anthony


[1] https://geode.apache.org/docs/guide/14/managing/security/implementing_ssl.html



On Jul 16, 2020, at 4:51 AM, Rupert St John Webster <ru...@impress-solutions.com> wrote:

Hello,

Has anyone had any luck with implementing sTunnel for Geode Server SSL get and put to encrypt traffic to client subscribers outside their immediate LAN?

Per this question<https://stackoverflow.com/questions/62921394/using-stunnel-for-apache-geode-net-client-ssl-connection-to-server> an stunnel works to secure locator connectivity via port 10334 but not the server traffic back to remote subscribers via port 40404 out to a dynamic pool of ports at the client side.


Thanks, kind regards,

Rupert St John Webster
Engineering



RE: Geode and sTunnel

Posted by Rupert St John Webster <ru...@impress-solutions.com>.
Hi Anthony,

Thanks so much for the reply. Is it possible to have 2 servers, where the “cluster” communication is not SSL, and 1 server has “server” SSL and the other one has no SSL? Then we can connect internal clients to the non-SSL server and external clients to the SSL server?

Cheers,
Rupert

From: Anthony Baker [mailto:bakera@vmware.com]
Sent: 16 July 2020 16:58
To: user@geode.apache.org
Cc: Wai Lun Poon; Edgaras Valius
Subject: Re: Geode and sTunnel


Rupert, would setting the ssl-enabled-components work for you [1]?  You should be able to configure only the components you wish to use ssl for—e.g. server, locator, jmx, etc.

Anthony


[1] https://geode.apache.org/docs/guide/14/managing/security/implementing_ssl.html



On Jul 16, 2020, at 4:51 AM, Rupert St John Webster <ru...@impress-solutions.com> wrote:

Hello,

Has anyone had any luck with implementing sTunnel for Geode Server SSL get and put to encrypt traffic to client subscribers outside their immediate LAN?

Per this question<https://stackoverflow.com/questions/62921394/using-stunnel-for-apache-geode-net-client-ssl-connection-to-server> an stunnel works to secure locator connectivity via port 10334 but not the server traffic back to remote subscribers via port 40404 out to a dynamic pool of ports at the client side.


Thanks, kind regards,

Rupert St John Webster
Engineering



Re: Geode and sTunnel

Posted by Anthony Baker <ba...@vmware.com>.
Rupert, would setting the ssl-enabled-components work for you [1]?  You should be able to configure only the components you wish to use ssl for—e.g. server, locator, jmx, etc.

Anthony


[1] https://geode.apache.org/docs/guide/14/managing/security/implementing_ssl.html


On Jul 16, 2020, at 4:51 AM, Rupert St John Webster <ru...@impress-solutions.com> wrote:

Hello,

Has anyone had any luck with implementing sTunnel for Geode Server SSL get and put to encrypt traffic to client subscribers outside their immediate LAN?

Per this question<https://stackoverflow.com/questions/62921394/using-stunnel-for-apache-geode-net-client-ssl-connection-to-server> an stunnel works to secure locator connectivity via port 10334 but not the server traffic back to remote subscribers via port 40404 out to a dynamic pool of ports at the client side.


Thanks, kind regards,

Rupert St John Webster
Engineering

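As an added example (not written by anyone in this thread), a gemfire.properties layout that applies Anthony's two points: TLS is selected per component with ssl-enabled-components, and every member shares one TLS configuration, so enabling the "server" component makes TLS mandatory for all client/server connections, which removes the need for an stunnel in front of port 40404. Keystore and truststore paths, passwords and cipher choices are placeholders and assumptions, not values from the thread.

```properties
# gemfire.properties for every locator and cache server in the cluster.
# Added example, not from the thread; paths and passwords are placeholders.
# Geode applies one TLS configuration to all members, so this file is the
# same on every member: a single server cannot opt out of "server" TLS.

# Encrypt only the client/server ("server") and locator protocols.
# "cluster" (peer to peer), "jmx", "web" and "gateway" stay unencrypted
# here, which is the split Rupert asked about. "all" encrypts everything.
ssl-enabled-components=server,locator

# This member's own identity. Clients verify this certificate, so its
# subject alternative name must match the hostname or address they use.
ssl-keystore=/etc/geode/tls/member-keystore.p12
ssl-keystore-type=PKCS12
ssl-keystore-password=CHANGE-ME-placeholder

# CA chain used to verify the other side of every TLS connection
# (other members, and clients when mutual authentication is on).
ssl-truststore=/etc/geode/tls/truststore.p12
ssl-truststore-type=PKCS12
ssl-truststore-password=CHANGE-ME-placeholder

# Mutual authentication (the Geode default): a remote subscriber must
# present a certificate the truststore trusts, not just reach the port.
ssl-require-authentication=true

# Verify that the server certificate matches the host being connected to;
# without this, any certificate issued by a trusted CA is accepted for
# any host.
ssl-endpoint-identification-enabled=true

# Space-separated lists. Restrict to TLS 1.2 and AEAD cipher suites
# instead of the default "any" (placeholder choices, adjust to policy).
ssl-protocols=TLSv1.2
ssl-ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
```

A Java client uses the same property names in its own gemfire.properties, with its own keystore because mutual authentication is enabled above; the .NET native client takes the equivalent settings through its own client properties, which this example does not cover.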