Posted to user@geode.apache.org by Nikhil Chandrappa <nc...@pivotal.io> on 2015/10/18 19:33:11 UTC

Fwd: Enabling SSL in Gemfire client/server configuration

Hi,

I am trying to enable the SSL communication from Gemfire Client to Gemfire
locator/Server. However, I am getting an exception that "Certificate is not
recognized".

Steps:


   1. I have created a new public and private key pair for the client
   2. Exported the self-signed certificate
   3. Imported the new self-signed certificate to client side JRE keystore at
      /Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/lib/security/cacerts
   4. Imported the same certificate to gemfire8.keystore which is being
      used by Gemfire locator and server.
   5. When I start the client to make a connection to Gemfire, I receive a
      Fatal Exception that certificate is not recognized

I was wondering if there is any property to specify the keystore to be used
at the client side.

I searched the documentation but couldn't find any information for client
side configurations. It would be great if anyone can point me to SSL
configurations needed for Gemfire client.

For reference, following are properties that I am using -

*gemfire-server.properties*

mcast-port=0
locators=localhost[10334]
log-level=config
cache-xml-file=../config/server-cache.xml
statistic-sampling-enabled=true
statistic-sample-rate=1000
statistic-archive-file=myStatisticsArchiveFile.gfs
enable-time-statistics=false
*jmx-manager-ssl-enabled=false*
*cluster-ssl-enabled=true*
*cluster-ssl-require-authentication=false*

*gfsecurity.properties*

cluster-ssl-keystore=/Users/nchandrappa/Documents/gemfire/security/gemfire8.keystore
cluster-ssl-keystore-password=password
cluster-ssl-truststore=/Users/nchandrappa/Documents/gemfire/security/gemfire8.keystore
cluster-ssl-truststore-password=password

*locator.properties*

mcast-port=0
log-level=config
locators=localhost[10334]

*cluster-ssl-enabled=true*
*server-ssl-require-authentication=false*

*gemfire-client.properties*

mcast-port=0
log-level=config
log-file=gemClient.log
*ssl-enabled=true*

Thanks,
Nikhil Chandrappa

Re: Enabling SSL in Gemfire client/server configuration

Posted by Nikhil Chandrappa <nc...@pivotal.io>.
I see the following in logs,

[info 2015/10/18 20:48:04.643 EDT ProjectClient <poolTimer-clientPool-2>
tid=0x17] AutoConnectionSource discovered new locators
[NikhilCappasMBP.fios-router.home/192.168.1.156:10334]


[info 2015/10/18 20:48:04.672 EDT ProjectClient <poolTimer-clientPool-3>
tid=0x18] SSL Connection from peer CN=nchandrappa, OU=Gemfire, O=Pivotal,
L=Newyork, ST=NY, C=US

[info 2015/10/18 20:48:04.672 EDT ProjectClient <poolTimer-clientPool-3>
tid=0x18] Updating membership port.  Port changed from 0 to 59,223.

[info 2015/10/18 20:48:04.688 EDT ProjectClient <main> tid=0x1] SSL
Connection from peer CN=nchandrappa, OU=Gemfire, O=Pivotal, L=Newyork,
ST=NY, C=US

[info 2015/10/18 20:48:04.765 EDT ProjectClient <main> tid=0x1] SSL
Connection from peer CN=nchandrappa, OU=Gemfire, O=Pivotal, L=Newyork,
ST=NY, C=US

[info 2015/10/18 20:48:04.786 EDT ProjectClient <Cache Client Updater
Thread  on NikhilCappasMBP(serverVoya1:89103)<v1>:40100 port 59140>
tid=0x1d] Cache Client Updater Thread  on
NikhilCappasMBP(serverVoya1:89103)<v1>:40100 port 59140
(nikhilcappasmbp.fios-router.home:59140) : ready to process messages.

[info 2015/10/18 20:48:04.786 EDT ProjectClient <main> tid=0x1] Pool
clientPool started with multiuser-authentication=false

Thanks,

Nikhil


Re: Enabling SSL in Gemfire client/server configuration

Posted by Nikhil Chandrappa <nc...@pivotal.io>.
Shuvro,

I am able to connect to client using the configuration which I had used for
ClientCacheFactory()

I see the following in logs,




Re: Enabling SSL in Gemfire client/server configuration

Posted by Shuvro Das <sd...@pivotal.io>.
Hi Nikhil,

Is your client able to connect to the server?

If not, could you please try by setting below properties and send us the
client log.

ClientCache cache = new ClientCacheFactory()
    .set("name", "GemClient")
    .set("log-level", "config")
    .set("cluster-ssl-enabled", "true")
    .set("cluster-ssl-require-authentication", "false")
    .set("cluster-ssl-ciphers", "any")
    .set("cluster-ssl-keystore", "/Users/nchandrappa/Documents/gemfire/security/gemfire8.keystore")
    .set("cluster-ssl-keystore-password", "password")
    .set("cluster-ssl-truststore", "/Users/nchandrappa/Documents/gemfire/security/gemfire8.keystore")
    .set("cluster-ssl-truststore-password", "password")
    .set("cache-xml-file", "gemfire/config/clientCache.xml")
    .create();


Thanks and Regards,
Shuvro Das


Re: Enabling SSL in Gemfire client/server configuration

Posted by Nikhil Chandrappa <nc...@pivotal.io>.
Darrel,

Thank you for responding to my questions.

As you suggested I made "cluster-ssl-require-authentication=false" in my
locator and server properties which prevents the need of authenticating the
client by the locators.

Actually, I was not aware that you could use the same ssl properties at
client side also. Right now, I am creating ClientCache using

ClientCache cache = new ClientCacheFactory()
    .set("name", "GemClient")
    .set("log-level", "info")
    .set("cluster-ssl-enabled", "true")
    .set("cache-xml-file", "gemfire/config/clientCache.xml")
    .create();

SSL connection is getting created and client is not getting authenticated
which was the behavior I was looking for.
Thanks,
Nikhil


Re: Enabling SSL in Gemfire client/server configuration

Posted by Darrel Schneider <ds...@pivotal.io>.
The Java client uses the same gemfire properties you are using on the
server side. So point your client on the keystores with the
*gfsecurity.properties* file.
I would not use "ssl-*" properties. They are all deprecated in favor of
"cluster-ssl-*".
Having this in your locator properties seems wrong:
*server-ssl-require-authentication=false*
Since your locator is not a cache server the "server-ssl-*" properties
would never be used in it.
Perhaps you wanted it to also be "cluster-ssl-require-authentication=false"
so that your locator would not require authentication of clients connecting
to it.

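Added example, not part of the original thread and not GemFire code: a small Python check that runs the property files from the first post through the two points Darrel raises (deprecated "ssl-*" keys, "server-ssl-*" set on a locator) and through a few checks of its own (authentication switched off, plaintext passwords, no truststore named, keystore reused as truststore). The role labels and finding codes are names made up for this example.

```python
# Added example: lint GemFire property files for the SSL issues in this thread.
# Finding codes and role labels are invented here; samples are copied from the first post.

LOCATOR = """
mcast-port=0
log-level=config
locators=localhost[10334]
*cluster-ssl-enabled=true*
*server-ssl-require-authentication=false*
"""
GFSECURITY = """
cluster-ssl-keystore=/Users/nchandrappa/Documents/gemfire/security/gemfire8.keystore
cluster-ssl-keystore-password=password
cluster-ssl-truststore=/Users/nchandrappa/Documents/gemfire/security/gemfire8.keystore
cluster-ssl-truststore-password=password
"""
CLIENT = """
mcast-port=0
log-level=config
log-file=gemClient.log
*ssl-enabled=true*
"""


def parse_properties(text):
    """Parse key=value lines, tolerating the *bold* markers from the e-mail."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip().strip("*").strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def audit(role, *files):
    """Merge one member's property files and return sorted (code, key) findings."""
    props = {}
    for text in files:
        props.update(parse_properties(text))
    findings = set()
    for key, value in props.items():
        if key.startswith("ssl-"):
            # Thread: "ssl-*" is deprecated in favor of "cluster-ssl-*".
            findings.add(("deprecated-ssl-property", key))
        if role == "locator" and key.startswith("server-ssl-"):
            # Thread: a locator is not a cache server, so this is never used.
            findings.add(("server-ssl-unused-on-locator", key))
            continue
        if key.endswith("ssl-require-authentication") and value.lower() == "false":
            # Thread: the member will not require authentication of clients.
            findings.add(("client-authentication-disabled", key))
        if key.endswith("-password") and value:
            findings.add(("plaintext-password", key))
    ssl_on = any(k.endswith("ssl-enabled") and v.lower() == "true"
                 for k, v in props.items())
    stores = {k.rsplit("-", 1)[-1]: v for k, v in props.items()
              if k.endswith(("ssl-keystore", "ssl-truststore"))}
    if ssl_on and "truststore" not in stores:
        # SSL is on but none of the merged files names a truststore.
        findings.add(("no-truststore-configured", role))
    if stores.get("keystore") and stores.get("keystore") == stores.get("truststore"):
        # Assumption of this example: a truststore should hold certificates only,
        # so reusing the keystore copies the private key wherever it is deployed.
        findings.add(("keystore-reused-as-truststore", "cluster-ssl-truststore"))
    return sorted(findings)


if __name__ == "__main__":
    for role, files in (("locator", (LOCATOR, GFSECURITY)), ("client", (CLIENT,))):
        for code, key in audit(role, *files):
            print(f"{role}: {code}: {key}")
```
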