Posted to commits@geode.apache.org by db...@apache.org on 2018/11/08 22:11:06 UTC

[geode-native] branch develop updated: GEODE-4728 Geode NC doc: Add a Security topic

This is an automated email from the ASF dual-hosted git repository.

dbarnes pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/geode-native.git


The following commit(s) were added to refs/heads/develop by this push:
     new 07328a2  GEODE-4728 Geode NC doc: Add a Security topic
07328a2 is described below

commit 07328a26774fcc96dfb883058c2944442fecc9e8
Author: Dave Barnes <db...@pivotal.io>
AuthorDate: Thu Nov 8 14:10:57 2018 -0800

    GEODE-4728 Geode NC doc: Add a Security topic
---
 .../source/subnavs/geode-nc-nav.erb                |  3 ++
 .../security/overviewauthentication.html.md.erb    |  9 +----
 .../security/security-systemprops.html.md.erb      |  4 +--
 .../security/security.html.md.erb                  | 40 ++++++++++++++++++++++
 .../security/sslclientserver.html.md.erb           | 12 +++----
 5 files changed, 52 insertions(+), 16 deletions(-)

diff --git a/docs/geode-native-book/master_middleman/source/subnavs/geode-nc-nav.erb b/docs/geode-native-book/master_middleman/source/subnavs/geode-nc-nav.erb
index 9089fc9..815b2f8 100644
--- a/docs/geode-native-book/master_middleman/source/subnavs/geode-nc-nav.erb
+++ b/docs/geode-native-book/master_middleman/source/subnavs/geode-nc-nav.erb
@@ -74,6 +74,9 @@ limitations under the License.
     </li>
 
     <li>
+      <a href="/docs/geode-native/<%=vars.product_version_nodot%>/security/security.html">Security</a>
+    </li>
+    <li>
       <a href="/docs/geode-native/<%=vars.product_version_nodot%>/transactions/transactions.html">Transactions</a>
     </li>
   </ul>
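Review bot: The new Security entry closes with `</li>` and is followed directly by the Transactions `<li>`, while the entry before it is separated from the next one by a blank line. Add a blank line after the new `</li>` so the list keeps one spacing convention.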
diff --git a/docs/geode-native-docs/security/overviewauthentication.html.md.erb b/docs/geode-native-docs/security/overviewauthentication.html.md.erb
index 082d579..70ee2af 100644
--- a/docs/geode-native-docs/security/overviewauthentication.html.md.erb
+++ b/docs/geode-native-docs/security/overviewauthentication.html.md.erb
@@ -21,11 +21,7 @@ limitations under the License.
 
 A client is authenticated when it connects, with valid credentials, to a <%=vars.product_name%> cache server that is configured with the client `Authenticator` callback.
 
-Once the client is authenticated, the server assigns the client a unique ID and principal, used to authorize operations. The client must trust all cache servers in the server system as it may connect to any one of them. For information on configuring client/server , see [Client/Server Configuration](geodeman/topologies_and_comm/cs_configuration/chapter_overview.html).
-
--   **[Process and Multiuser Authentication](authentication-levels.html)**
-
-    Client connections can be authenticated at two levels, process and multiuser.
+Once the client is authenticated, the server assigns the client a unique ID and principal, used to authorize operations. The client must trust all cache servers in the server system as it may connect to any one of them.
 
 -   **[Configuring Credentials for Authentication](systempropsforauth.html)**
 
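Review bot: Removing the "Process and Multiuser Authentication" entry leaves the later list item about creating an authenticated `RegionService` for each user with no introduction to the two authentication levels it relies on. Keep a sentence in this overview that names the process and multiuser levels. Also note the removals in the commit message, whose subject only mentions adding a topic.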
@@ -41,6 +37,3 @@ Once the client is authenticated, the server assigns the client a unique ID and
 
     To create multiple, secure connections to your servers from a single client, so the client can service different user types, you create an authenticated `RegionService` for each user.
 
--   **[Using an LDAP Server for Client Authentication](LDAPserverauth.html)**
-
-    An LDAP server can be used by a <%=vars.product_name%> cache server using the sample LDAP implementation provided with the <%=vars.product_name%> server.
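Review bot: The LDAP entry is dropped from this list, but LDAPserverauth.html is not among the five files in the diffstat, so the page stays in the tree with no link from this overview. The same applies to authentication-levels.html in the previous hunk. If these pages are being retired, delete them in this commit; if not, keep the links.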
diff --git a/docs/geode-native-docs/security/security-systemprops.html.md.erb b/docs/geode-native-docs/security/security-systemprops.html.md.erb
index 562dccc..3197a76 100644
--- a/docs/geode-native-docs/security/security-systemprops.html.md.erb
+++ b/docs/geode-native-docs/security/security-systemprops.html.md.erb
@@ -1,5 +1,5 @@
 ---
-title:  Security-Related System Properties (gemfire.properties)
+title:  Security-Related System Properties
 ---
 
 <!--
@@ -19,7 +19,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 -->
 
-The table describes the security-related system properties in the `gemfire.properties` file for native client authentication and authorization.
+The table describes the security-related system properties in the `geode.properties` file for native client authentication and authorization.
 
 <a id="security__section_6DC4C72A2EEB432AA40DE97D438FD1E7"></a><a id="security__table_92A6A66523764199A19BCD66BA189921"></a>
 
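Review bot: The rename from `gemfire.properties` to `geode.properties` touches only this introductory sentence, and the table it introduces lies outside the hunk. Check that the table rows and any other references in this file use the new file name as well. "The following table describes" would also read better than "The table describes".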
diff --git a/docs/geode-native-docs/security/security.html.md.erb b/docs/geode-native-docs/security/security.html.md.erb
new file mode 100644
index 0000000..e63e280
--- /dev/null
+++ b/docs/geode-native-docs/security/security.html.md.erb
@@ -0,0 +1,40 @@
+---
+title:  Security
+---
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+The security framework authenticates clients as they connect to a <%=vars.product_name%> cache server and authorizes client cache operations. You can also configure it for client authentication of servers, and you can plug in your own implementations for authentication and authorization.
+
+For an explanation of the server-side implementation of security, see [Security](geodeman/managing/security/chapter_overview.html) in the *<%=vars.product_name%> User Guide*.
+
+The following sections describe some client-specific security considerations:
+
+-   **Authentication**
+
+    Geode Native requires providing an authentication implementation.  Examples of these implementations can be found in /templates/security.  Build and link the implementation and set the implementation’s properties on the cache.
+
+-   **[Security-Related System Properties](security-systemprops.html)**
+
+    The table describes the security-related system properties in the `geode.properties` file for native client authentication and authorization.
+
+-   **[SSL Client/Server Communication](sslclientserver.html)**
+
+    This section describes how to configure OpenSSL, implement SSL-based communication between your clients and servers, and run clients and servers with SSL enabled.
+
+
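Review bot: The **Authentication** item is the only one of the three entries that is not a link, although overviewauthentication.html is edited in this same commit and the nav change points only at security.html. Link the heading to overviewauthentication.html so that page remains reachable. In the same item, "Geode Native" is hard-coded where the rest of the file uses `<%=vars.product_name%>`, `/templates/security` should be in code formatting with an indication of what it is relative to, and "implementation’s" uses a typographic apostrophe. The description under Security-Related System Properties says "The table describes", but this page has no table; reword it for an index entry. The file also ends with two blank lines.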
diff --git a/docs/geode-native-docs/security/sslclientserver.html.md.erb b/docs/geode-native-docs/security/sslclientserver.html.md.erb
index bce46bc..d97cc76 100644
--- a/docs/geode-native-docs/security/sslclientserver.html.md.erb
+++ b/docs/geode-native-docs/security/sslclientserver.html.md.erb
@@ -25,7 +25,7 @@ This section describes how to configure OpenSSL, implement SSL-based communicati
 
 The open-source OpenSSL toolkit provides a full-strength general purpose cryptography library to operate along with the PKCS sample implementation for encrypted authentication of native client credentials.
 
-Download and install OpenSSL 1.0.2 for your specific operating system.
+Download and install OpenSSL 1.1.1 for your specific operating system.
 For Windows platforms, you can use either the regular or the "Light" version.
 
 **Note for Windows users:** If you use Cygwin, do not use the OpenSSL library that comes with
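Review bot: "Download and install OpenSSL 1.1.1" gives a single release with no statement of whether it is a minimum or the only supported version. Say which it is, and whether a client previously set up against 1.0.2 must be rebuilt, and confirm that the Windows "Light" and Cygwin guidance in the surrounding lines still applies to the new version.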
@@ -46,7 +46,7 @@ For example, for Bourne and Korn shells (sh, ksh, bash), environment setup would
 <code>
 % LD\_LIBRARY\_PATH=$LD\_LIBRARY\_PATH:_client-install-dir_/lib:_client-install-dir_/ssl\_libs:_openssl-install-dir_/lib<br />
 % export LD\_LIBRARY\_PATH<br />
-% CLASSPATH=_server-install-dir_/lib/securityImpl.jar:$CLASSPATH
+% CLASSPATH=_server-install-dir_/lib/libcryptoImpl.jar:$CLASSPATH
 </code>
 
 where:
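Review bot: The CLASSPATH line now names `_server-install-dir_/lib/libcryptoImpl.jar`, but the paragraph added later in this patch describes libcryptoImpl as a native client binary in /lib that is linked at compile time. A native library would not be a jar on the server's Java CLASSPATH, so this looks like an unintended search-and-replace of `securityImpl.jar`. Confirm that a jar with this name exists under the server install; if it does not, restore the original jar name or drop the CLASSPATH line.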
@@ -60,7 +60,7 @@ where:
 For Windows, environment setup might resemble this:
 <code>
 \> set PATH=_jdk-or-jre-path_\bin;_client-install-dir_\bin;_client-install-dir_\ssl\_libs;_openssl-install-dir_\bin;%PATH%<br />
-\> set CLASSPATH=_server-installdir_\lib\securityImpl.jar;%CLASSPATH%
+\> set CLASSPATH=_server-installdir_\lib\libcryptoImpl.jar;%CLASSPATH%
 </code>
 
 where _jdk-or-jre-path_ is the directory in which Java is installed.
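Review bot: The placeholder on the changed line is spelled `_server-installdir_`, while the shell example above uses `_server-install-dir_`; since the line is being edited anyway, make the two match. The question about `libcryptoImpl.jar` on the CLASSPATH raised for the shell example applies to this Windows line too.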
@@ -68,9 +68,7 @@ where _jdk-or-jre-path_ is the directory in which Java is installed.
 ## Step 3. Enable SSL on the server and on the client
 
 1.  On the server, enable SSL for the `locator` and `server` components, as the SSL-enabled client
-must be able to communicate with both locator and server components. For details on the SSL
-properties available on the server, see "Managing > Security > SSL > Configuring SSL" in the
-[_<%=vars.product_name%> User's Guide_](/serverman/about_<%=vars.product_name.downcase%>.html).
+must be able to communicate with both locator and server components.
 
 1.  On the client, set `ssl-enabled` to `true`. 
 
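Review bot: Step 1 still tells the reader to enable SSL for the `locator` and `server` components, but with the pointer to the server SSL properties deleted it no longer says where to find out how. Replace the old `/serverman/...` link with a `geodeman/...` link in the style used elsewhere on this page rather than removing the reference.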
@@ -90,6 +88,8 @@ Specifically, ensure that:
 
 For details on stopping and starting locators and cache servers with SSL, see [Starting Up and Shutting Down Your System](geodeman/configuring/running/starting_up_shutting_down.html).
 
+The <%=vars.product_name%> Native’s libcryptoImpl found in /lib must be linked at compile time.  This binary is used to interact with OpenSSL.  Link libcryptoImpl, native client, and your application code.  We highly recommend using cmake.
+
 **Example locator start command**
 
 Ensure that all required SSL properties are configured in your server's `geode.properties` file. Then start your locator as follows:
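Review bot: The added libcryptoImpl paragraph is a build-time instruction, but it sits between the pointer on stopping and starting locators and the "Example locator start command" heading, in the part of the page about running with SSL. Move it to the environment setup step or give it its own step. Within the paragraph, "The <%=vars.product_name%> Native’s libcryptoImpl found in /lib" needs rewording: put `libcryptoImpl` and the path in code formatting, say which install directory `/lib` belongs to, and use a plain apostrophe. "We highly recommend using cmake" should either show the link step or point to where it is documented.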