Using SSL and Self-Signed Certificates

Overview

This topic describes a scenario where a GigaSpaces product is running locally, with a client on a remote server that needs to connect to the GigaSpaces host machine and write an object to the Space. In order to protect the communication with SSL, we enable the SSLFilterFactory and supply the keystore. We then deploy a Space and run a client.

GigaSpaces (local) host machine details:

  • Operating system: Windows
  • Machine name: my-pc.gspaces.com
  • IP address: 10.10.10.131

Client (remote) machine details:

  • Operating system: Linux
  • Machine name: blob.gspaces.com
  • IP address: 10.10.10.21

Securing the Connection

In order to secure the transport layer between the local and remote servers, you must generate a private key and certificate for each server.

To secure the connection (transport layer):

  1. On the local server (my-pc), open a command window from the GigaSpaces bin directory and generate the private key and certificates, as shown using the following code.

    cd <XAP_HOME>\bin
    
    # generate the private key
    keytool -genkeypair -alias server -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks 
    
    # export the certificate
    keytool -exportcert -alias server -storepass changeit -file server.cer -keystore keystore.jks 
    
  2. On the remote server (blob), open a command window from the GigaSpaces bin directory and generate the private key and certificates, as shown using the following code.

    cd <XAP_HOME>/bin
    
    # generate the private key
    keytool -genkeypair -alias client -keyalg RSA -keypass changeit -storepass changeit -keystore client_keystore.jks 
    
    # export the certificate
    keytool -exportcert -alias client -storepass changeit -file client.cer -keystore client_keystore.jks 
    
  3. To upload and exchange the certificates, do the following:

    • Place the server.cer file in blob:<XAP_HOME>/bin
    • Place the client.cer file in my-pc:<XAP_HOME>/bin
  4. To import the certificates to the key store, do the following:

    • From my-pc:<XAP_HOME>/bin, run the following command:

      keytool -importcert -v -trustcacerts -alias client -file client.cer -keystore keystore.jks -keypass changeit -storepass changeit 
      

      For many websites, the recommendation is to put the certificate in the trust store. However, in this scenario we import the certificate directly to the key store.

    • From blob:<XAP_HOME>/bin, run the following command:

      keytool -importcert -v -trustcacerts -alias server -file server.cer -keystore client_keystore.jks -keypass changeit -storepass changeit 
      

Local Server Setup

The local server should have the XAP_LOOKUP_LOCATORS, XAP-NIC_ADDRESS, and XAP_OPTIONS_EXT environment variables set as demonstrated in the following setenv-overrides.bat example. This provides the necessary configuration for the scenario.

set XAP_LOOKUP_LOCATORS=my-pc.gspaces.com:4174
set XAP_NIC_ADDRESS=10.10.10.131

set XAP_OPTIONS_EXT=-Dcom.gs.lrmi.filter.factory=com.gigaspaces.lrmi.nio.filters.SSLFilterFactory -Dcom.gs.lrmi.filter.security.keystore=C:/Users/Dixson/work/xap/gigaspaces-xap-premium-12.0.0-ga-b16000/bin/keystore.jks -Dcom.gs.lrmi.filter.security.password=changeit -Djava.net.preferIPv4Stack=true -Djavax.net.debug=ssl

After you configure the environment variables, you can deploy your data grid by running the following CLI command from my-pc:<XAP_home>/bin:

<XAP-HOME>\bin\gs space deploy --partitions=2 --ha SSLSpace

Client Server Setup

To create a client server that will send an object to the local data grid, compile the sample SSLClient.java program provided in the Default SSLFilterFactory section of the Securing the Transport Layer page. If necessary, change the Groups and Locators values as needed.

Use the following bash script to run the client:

#!/bin/bash

export JAVA_HOME=/opt/jdk/jdk8u66

export XAP_LOOKUP_LOCATORS=my-pc.gspaces.com:4174
export XAP_LOOKUP_GROUPS=dixson_1
export XAP_NIC_ADDRESS=10.10.10.21

CLASSPATH=/home/user/sslclient
CLASSPATH=/opt/gspaces/gigaspaces-xap-premium-12.0.0-ga-b16000/bin:${CLASSPATH}
CLASSPATH=/opt/gspaces/gigaspaces-xap-premium-12.0.0-ga-b16000/lib/required/*:${CLASSPATH}


echo $CLASSPATH
${JAVA_HOME}/bin/java -cp ${CLASSPATH} \
-Dcom.gs.jini_lus.locators=${XAP_LOOKUP_LOCATORS} \
-Dcom.gs.jini_lus.groups=${XAP_LOOKUP_GROUPS} \
-Dcom.gs.lrmi.filter.factory=com.gigaspaces.lrmi.nio.filters.SSLFilterFactory \
-Dcom.gs.lrmi.filter.security.keystore=/opt/gspaces/gigaspaces-xap-premium-12.0.0-ga-b16000/bin/client_keystore.jks \
-Dcom.gs.lrmi.filter.security.password=changeit \
-Djava.net.preferIPv4Stack=true \
-Djavax.net.debug=ssl \
SSLClient

Verifying the Security Configuration

The local SSLSpace data grid will contain one object. Set -Djavax.net.debug=ssl to see the SSL handshake methods. If this is not enabled, you may get the following error, although it will be missing details: General SSLEngine problem

After enabling the debug option, you should see the following output in the logs:

2016-12-15 14:19:35,661  INFO [com.gigaspaces.lrmi.filters] - Created LRMI filter factory: com.gigaspaces.lrmi.nio.filters.SSLFilterFactory
adding as trusted cert:
adding as trusted cert:
 Subject: CN=blob.gspaces.com, OU=Unknown, O=Gigaspaces, L=New York, ST=New York, C=US
 Subject: CN=blob.gspaces.com, OU=Unknown, O=Gigaspaces, L=New York, ST=New York, C=US
 Issuer:  CN=blob.gspaces.com, OU=Unknown, O=Gigaspaces, L=New York, ST=New York, C=US
 Issuer:  CN=blob.gspaces.com, OU=Unknown, O=Gigaspaces, L=New York, ST=New York, C=US
 Algorithm: RSA; Serial number: 0x6aebeb13
 Algorithm: RSA; Serial number: 0x6aebeb13
 Valid from Thu Dec 15 10:35:01 EST 2016 until Wed Mar 15 11:35:01 EDT 2017
 Valid from Thu Dec 15 10:35:01 EST 2016 until Wed Mar 15 11:35:01 EDT 2017

adding as trusted cert:

adding as trusted cert:
 Subject: CN=my-pc.gspaces.com, OU=Unknown, O=Gigaspaces, L=New York, ST=New York, C=US
 Subject: CN=my-pc.gspaces.com, OU=Unknown, O=Gigaspaces, L=New York, ST=New York, C=US
 Issuer:  CN=my-pc.gspaces.com, OU=Unknown, O=Gigaspaces, L=New York, ST=New York, C=US
 Issuer:  CN=my-pc.gspaces.com, OU=Unknown, O=Gigaspaces, L=New York, ST=New York, C=US
 Algorithm: RSA; Serial number: 0x2f54a1d6
 Algorithm: RSA; Serial number: 0x2f54a1d6
 Valid from Wed Dec 14 16:57:53 EST 2016 until Tue Mar 14 17:57:53 EDT 2017

 Valid from Wed Dec 14 16:57:53 EST 2016 until Tue Mar 14 17:57:53 EDT 2017

If the certificate of the other server is not listed, you will get the following error:

***
main, fatal error: 46: General SSLEngine problem
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target