SSL and Self Signed Certificates


Author XAP Version Last Updated Reference Download
Dixson Huie 12.0 December 2016

This page describes the steps needed to secure the transport layer using SSL and self signed certificates.

Scenario

On my local computer, I am running XAP. On a remote computer, I have a client that will connect to the XAP server and writes an object to the space. In order to protect the communication with SSL, we will enable the SSLFilterFactory and supply the keystore. We will then deploy a space and run a client. This example builds upon the documentation

XAP Server (local computer, running Windows)
Name: my-pc.gspaces.com
IP address: 10.10.10.131
Client (remote linux host)
Name: blob.gspaces.com
IP address: 10.10.10.21

Private key and certificate

Generate the private key and certificates on my-pc:

cd <XAP_root>\bin

# generate the private key
keytool -genkeypair -alias server -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks 

# export the certificate
keytool -exportcert -alias server -storepass changeit -file server.cer -keystore keystore.jks 

Generate the private key and certificates on blob:

cd <XAP_root>/bin

# generate the private key
keytool -genkeypair -alias client -keyalg RSA -keypass changeit -storepass changeit -keystore client_keystore.jks 

# export the certificate
keytool -exportcert -alias client -storepass changeit -file client.cer -keystore client_keystore.jks 

Upload and exchange the certs.

Place the server.cer in blob:<XAP_root>/bin

Place the client.cer in my-pc:<XAP_root>/bin

Import the cert into the keystore.

On many web sites, the recommendation is to put the certificate in the truststore. But here we import directly into the keystore.

On my-pc:<XAP_root>/bin, run

keytool -importcert -v -trustcacerts -alias client -file client.cer -keystore keystore.jks -keypass changeit -storepass changeit 

On blob:<XAP_root>/bin, run

keytool -importcert -v -trustcacerts -alias server -file server.cer -keystore client_keystore.jks -keypass changeit -storepass changeit 

XAP server setup

Below are the contents of the setenv-overrides.bat

set XAP_LOOKUP_LOCATORS=my-pc.gspaces.com:4174
set XAP_NIC_ADDRESS=10.10.10.131

set EXT_JAVA_OPTIONS=-Dcom.gs.lrmi.filter.factory=com.gigaspaces.lrmi.nio.filters.SSLFilterFactory -Dcom.gs.lrmi.filter.security.keystore=C:/Users/Dixson/work/xap/gigaspaces-xap-premium-12.0.0-ga-b16000/bin/keystore.jks -Dcom.gs.lrmi.filter.security.password=changeit -Djava.net.preferIPv4Stack=true -Djavax.net.debug=ssl

Start XAP by running gs-agent

Create a partitioned 2,1 space named SSLSpace. You may use the gs-ui or web-ui to do this. See (/xap/14.0/started/xap-basics.html/java-tutorial-part2.html) for more information.

Client setup

Compile the example SSLClient.java program provided in the documentation. You may need to change the Groups and Locators values as needed.

Below is the bash script I used to run the client:

#!/bin/bash

export JAVA_HOME=/opt/jdk/jdk8u66

export XAP_LOOKUP_LOCATORS=my-pc.gspaces.com:4174
export XAP_LOOKUP_GROUPS=dixson_1
export XAP_NIC_ADDRESS=10.10.10.21

CLASSPATH=/home/user/sslclient
CLASSPATH=/opt/gspaces/gigaspaces-xap-premium-12.0.0-ga-b16000/bin:${CLASSPATH}
CLASSPATH=/opt/gspaces/gigaspaces-xap-premium-12.0.0-ga-b16000/lib/required/*:${CLASSPATH}


echo $CLASSPATH
${JAVA_HOME}/bin/java -cp ${CLASSPATH} \
-Dcom.gs.jini_lus.locators=${XAP_LOOKUP_LOCATORS} \
-Dcom.gs.jini_lus.groups=${XAP_LOOKUP_GROUPS} \
-Dcom.gs.lrmi.filter.factory=com.gigaspaces.lrmi.nio.filters.SSLFilterFactory \
-Dcom.gs.lrmi.filter.security.keystore=/opt/gspaces/gigaspaces-xap-premium-12.0.0-ga-b16000/bin/client_keystore.jks \
-Dcom.gs.lrmi.filter.security.password=changeit \
-Djava.net.preferIPv4Stack=true \
-Djavax.net.debug=ssl \
SSLClient

Verification

The SSLSpace will have one object. By setting -Djavax.net.debug=ssl you will see the ssl handshake methods. If this is not enabled, you may get an error: General SSLEngine problem, but it will be missing details.

After enabling the debug option, you should see the following output in the logs:

2016-12-15 14:19:35,661  INFO [com.gigaspaces.lrmi.filters] - Created LRMI filter factory: com.gigaspaces.lrmi.nio.filters.SSLFilterFactory
adding as trusted cert:
adding as trusted cert:
 Subject: CN=blob.gspaces.com, OU=Unknown, O=Gigaspaces, L=New York, ST=New York, C=US
 Subject: CN=blob.gspaces.com, OU=Unknown, O=Gigaspaces, L=New York, ST=New York, C=US
 Issuer:  CN=blob.gspaces.com, OU=Unknown, O=Gigaspaces, L=New York, ST=New York, C=US
 Issuer:  CN=blob.gspaces.com, OU=Unknown, O=Gigaspaces, L=New York, ST=New York, C=US
 Algorithm: RSA; Serial number: 0x6aebeb13
 Algorithm: RSA; Serial number: 0x6aebeb13
 Valid from Thu Dec 15 10:35:01 EST 2016 until Wed Mar 15 11:35:01 EDT 2017
 Valid from Thu Dec 15 10:35:01 EST 2016 until Wed Mar 15 11:35:01 EDT 2017

adding as trusted cert:

adding as trusted cert:
 Subject: CN=my-pc.gspaces.com, OU=Unknown, O=Gigaspaces, L=New York, ST=New York, C=US
 Subject: CN=my-pc.gspaces.com, OU=Unknown, O=Gigaspaces, L=New York, ST=New York, C=US
 Issuer:  CN=my-pc.gspaces.com, OU=Unknown, O=Gigaspaces, L=New York, ST=New York, C=US
 Issuer:  CN=my-pc.gspaces.com, OU=Unknown, O=Gigaspaces, L=New York, ST=New York, C=US
 Algorithm: RSA; Serial number: 0x2f54a1d6
 Algorithm: RSA; Serial number: 0x2f54a1d6
 Valid from Wed Dec 14 16:57:53 EST 2016 until Tue Mar 14 17:57:53 EDT 2017

 Valid from Wed Dec 14 16:57:53 EST 2016 until Tue Mar 14 17:57:53 EDT 2017

If the certificate of the other computer is not listed, you will get an error:

***
main, fatal error: 46: General SSLEngine problem
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target