Posted to commits@sling.apache.org by ie...@apache.org on 2013/10/11 09:59:16 UTC

svn commit: r1531216 - /sling/site/trunk/content/documentation/bundles/discovery-api-and-impl.mdtext

Author: ieb
Date: Fri Oct 11 07:59:16 2013
New Revision: 1531216

URL: http://svn.apache.org/r1531216
Log:
CMS commit to sling by ieb

Modified:
    sling/site/trunk/content/documentation/bundles/discovery-api-and-impl.mdtext

Modified: sling/site/trunk/content/documentation/bundles/discovery-api-and-impl.mdtext
URL: http://svn.apache.org/viewvc/sling/site/trunk/content/documentation/bundles/discovery-api-and-impl.mdtext?rev=1531216&r1=1531215&r2=1531216&view=diff
==============================================================================
--- sling/site/trunk/content/documentation/bundles/discovery-api-and-impl.mdtext (original)
+++ sling/site/trunk/content/documentation/bundles/discovery-api-and-impl.mdtext Fri Oct 11 07:59:16 2013
@@ -131,27 +131,44 @@ A Felix WebConsole plugin at [/system/co
 
 The following properties can be configured (at [/system/console/configMgr/org.apache.sling.discovery.impl.Config][1]):
 
- * heartbeatInterval: the time in seconds between two heartbeats (both cluster-internal and for HTTP-connectors). Default
+  * heartbeatInterval: the time in seconds between two heartbeats (both cluster-internal and for HTTP-connectors). Default
    value is 15 seconds.
    
- * heartbeatTimeout: the time in seconds after which an instance is considered dead if no heartbeat was sent since. Default
+  * heartbeatTimeout: the time in seconds after which an instance is considered dead if no heartbeat was sent since. Default
    value is 20 seconds.
    
- * topologyConnectorUrls: a list of connector URLs to which this instance should connect to. The list can contain multiple
+  * topologyConnectorUrls: a list of connector URLs to which this instance should connect to. The list can contain multiple
    instances of the same cluster (for fallback configurations). If the list is empty, no connector will be created.
    The default relative URL is /libs/sling/topology/connector. Note that this URL is accessible without authentication -
    to avoid having to configure administrative username/passwords in all instances. Instead, a whitelist approach is used
    (see next item).
    
- * topologyConnectorWhitelist: As mentioned above, the path /libs/sling/topology/connector does not require authentication.
+  * topologyConnectorWhitelist: As mentioned above, the path /libs/sling/topology/connector does not require authentication.
    To assure that only trusted instances can connect to the topology, its hostname or IP address must be in a whitelist.
    By default this whitelist only contains localhost and 127.0.0.1.
    
- * minEventDelay: To reduce the number of events sent during changes, there is a delay (in seconds) before the event is sent.
+  * minEventDelay: To reduce the number of events sent during changes, there is a delay (in seconds) before the event is sent.
    If additional changes happen during this delay, the change will be combined in one event.
    
- * leaderElectionRepositoryDescriptor: this is an advanced parameter. It denotes a repository descriptor that is evaluated
+  * leaderElectionRepositoryDescriptor: this is an advanced parameter. It denotes a repository descriptor that is evaluated
    and taken into account for leader Election: the corresponding value of the descriptor is sorted by first.
 
+  * hmacEnabled: If this is true, and sharedKey is set to a value on all Sling instances within the same topology, then messages are
+  validates using a signature of the content of the message based on the shared key. The signature and the digest of the content 
+  appear as http headers. When hmac message validation is enabled, whitelisting is disabled. This use useful where the topology
+  messages are transported through multiple reverse proxy layers or the topology is dynamic. The Hmac algorithm in use is HmacSHA256.
+  The JVM is expected to have a provider implementing this algorithm (The Standard JDKs do).
+
+  * sharedKey: If hmacEnabled is true, this must be set to a secret value, shared amongst all Sling instances that are members of the
+   same topology.
+
+  * enableEncryption: If hmacEnabled is true, and sharedKey is set, setting this to true will encrypt the body of the message using 128 Bit
+    AES encryption. The encryption key is derived from the sharedKey using a 9 byte random salt, giving 2^^72 potential salt values.
+
+  * hmacSharedKeyTTL: The key used for the signatures is derived from the shared key. Each derived key has a lifetime before the next key 
+    is generated. This parameter sets the lifetime of each key in ms. The default is 4h. Messages sent using old keys will remain valid for 
+    2x the TTL, after which time the message will be ignored.
+
+
   [1]: http://localhost:8888/system/console/configMgr/org.apache.sling.discovery.impl.Config
   [2]: http://localhost:8888/system/console/topology
\ No newline at end of file
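Review bot: the new hmacEnabled entry states "When hmac message validation is enabled, whitelisting is disabled." but does not say what happens when hmacEnabled is true and sharedKey is left unset; please document whether connector messages are then rejected, because as written an operator could read this as a way to switch off the whitelist without any key in place. While editing that paragraph, fix the typos "then messages are validates using a signature" (validated) and "This use useful where the topology" (This is useful), and in the enableEncryption item write "2^^72" as "2^72" so it renders as intended. The hmacSharedKeyTTL item gives the parameter unit as ms but the default as "4h"; stating the default in the same unit (and noting that a message signed with an old key is accepted for 2x the TTL, so readers can relate the TTL to the acceptance window) would make the entry unambiguous.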