
# How do Certificates and CA work in XAP? How to proceed with it?

Hey there!

About TLS, an area in which I'm starting right now in XAP ...

What if I want to generate my own certificate using keytool, to release as part of the application we develop? From my understanding, I'd have to set the password, the path to the keystore file, as well as the SSL filter as system properties, through EXT_JAVA_OPTIONS, in setenv.sh.

What I don't understand is what happens backstage and how I specify and play with Certificate Authorities to validate the certificate. Actually, I'd like to understand the specifics about certificates, certificate authorities and keystores in the XAP universe, and how they relate to each other. My first question in this regard would be: creating a keystore file from scratch, what concerns and general points do I have to keep in mind in order to get a certificate from it and, later, a CA validating the certificate? What sort of procedure may I follow in order to make the configuration work? I'm very new to this area in XAP, just read the documentation at http://docs.gigaspaces.com/xap120sec/... and all it talks about gives just a basic idea of what we need to do. I'm wondering if there is a bunch of things backstage that I should care about.

Thanks in advance, guys! Have a nice week!

Cheers, Pedro


## 5 Answers


Well, filtering the SSL debug messages doesn't help me. Not sure why. But one thing I discovered is that, by not pointing to a keystore (delegating the key generation and exchange completely to XAP), I can make it work. So, the problem is either in the keystore or in the certificates. But, since I'm using keytool to generate the private key entries (one per server in the cluster), exporting them to client certificates (.cer) and importing these .cer files into the keystores of all the other servers (each server has the others' certificates imported into its keystore), what else should I be doing?

Whenever I try to use authentication with the certificates I created, I see those messages already posted in another message:

2016-12-22 12:58:00,082 GSM WARNING [net.jini.discovery.LookupLocatorDiscovery] - Exception in InternalDiscoveryListener.discovered() going to discard the discoveryEvent: net.jini.discovery.DiscoveryEvent[source=net.jini.discovery.LookupLocatorDiscovery@32fcd3ee]; Caused by: java.rmi.ConnectException: Connect Failed to [NIO://10.130.92.202:44745/pid[24473]/627631519796649_2_-847292144520088972_details[class com.sun.jini.reggie.GigaRegistrar]]; nested exception is: java.rmi.ConnectException: Failed to perform communication filter handshake using com.gigaspaces.lrmi.nio.filters.SSLFilterFactory filter; nested exception is: com.gigaspaces.lrmi.nio.filters.IOFilterException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

Thoughts? Has anyone experienced this problem before?


Hi Pedro,

Please set -Djavax.net.debug=ssl in order to see detailed error messages. Also, we are looking to update our documentation with a complete example on how to do this.

Thanks,

Dixson


Hey guys,

Well, some progress on it, but not yet working. But let me share some things I learned during my hands-on.

1. in the property com.gs.lrmi.filter.security.keystore, I had to set the full path to my keystore.jks
2. both client and server certificates/keys must be saved into the same keystore.jks. I don't like it, personally.

What I have is, so far:

• each VM in the cluster has its own private key entry
• each VM in the cluster imports the self-signed (DEV) or CA-signed (DEV) certificate of all the other nodes

Following the 2 steps just above, I'm willing to establish the following scenario: I, server 1, know everybody who talks to me, and everybody knows me as well. TLS mutual authentication, this is what I want to achieve with this.

The properties added to EXT_JAVA_OPTIONS (in setenv.sh) and also as properties of my Java standalone clients that consume spaces/processing units of the solution are:

• -Dcom.gs.lrmi.filter.factory=com.gigaspaces.lrmi.nio.filters.SSLFilterFactory
• -Dcom.gs.lrmi.filter.security.protocol=TLSv1.2
• -Dcom.gs.lrmi.filter.security.keystore=/opt/myapp/keystore.jks
• -Dcom.gs.lrmi.filter.security.password=cant_tell_you

Right now, when I launch the solution, I'm getting some handshaking exceptions:

2016-12-21 11:44:01,723 GSM WARNING [net.jini.discovery.LookupLocatorDiscovery] - Exception in InternalDiscoveryListener.discovered() going to discard the discoveryEvent: net.jini.discovery.DiscoveryEvent[source=net.jini.discovery.LookupLocatorDiscovery@284cf033]; Caused by: java.rmi.ConnectException: Connect Failed to [NIO://10.130.92.202:45049/pid[11000]/536766251481395_2_-892083509427360108_details[class com.sun.jini.reggie.GigaRegistrar]]; nested exception is: java.rmi.ConnectException: Failed to perform communication filter handshake using com.gigaspaces.lrmi.nio.filters.SSLFilterFactory filter; nested exception is: com.gigaspaces.lrmi.nio.filters.IOFilterException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

Basically, the handshaking is failing when server 1 tries to communicate with the other servers. The only properties I found in the documentation are the ones that I used. So, the question at this point would be: with all that I've described above, what am I missing? Any ideas? Has somebody else faced similar issues when playing with this TLS thingy?

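The per-node keystore layout Pedro describes above (own private key entry plus every other node's certificate, then the four filter properties), written out as an added example that is not from the post or from GigaSpaces. It assumes keytool is on PATH; the node names, directory and password are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the post or GigaSpaces): one JKS per cluster node
# holding the node's own key pair plus every peer's exported certificate,
# then the XAP filter properties to pass via EXT_JAVA_OPTIONS.
set -eu
NODES="node1 node2 node3"             # constructed cluster member names
WORKDIR="${WORKDIR:-/tmp/xap-tls}"    # keystores and .cer files land here
STOREPASS="${STOREPASS:-changeit}"    # placeholder; use a real secret

# Step 1: a self-signed (DEV) key pair per node, exported as a .cer file.
# For CA-signed certificates you would import the CA certificate instead.
gen_node_key() {
  keytool -genkeypair -alias "$1" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$1, OU=DEV" -keystore "$WORKDIR/$1.jks" -storetype JKS \
    -storepass "$STOREPASS" -keypass "$STOREPASS" >/dev/null 2>&1
  keytool -exportcert -alias "$1" -keystore "$WORKDIR/$1.jks" \
    -storepass "$STOREPASS" -rfc -file "$WORKDIR/$1.cer" >/dev/null 2>&1
}

# Step 2: import every other node's certificate as a trusted entry, so each
# keystore knows all of its peers (the mutual-trust layout from the post).
import_peers() {
  for peer in $NODES; do
    [ "$peer" = "$1" ] && continue
    keytool -importcert -noprompt -alias "$peer" -file "$WORKDIR/$peer.cer" \
      -keystore "$WORKDIR/$1.jks" -storepass "$STOREPASS" >/dev/null 2>&1
  done
}

# Number of entries in a node's keystore: expect 1 private key + (N-1) certs.
entry_count() {
  keytool -list -keystore "$WORKDIR/$1.jks" -storepass "$STOREPASS" \
    | grep -c 'Entry,'
}

# The system properties the post lists, filled in for one node.
print_xap_props() {
  printf '%s\n' \
    "-Dcom.gs.lrmi.filter.factory=com.gigaspaces.lrmi.nio.filters.SSLFilterFactory" \
    "-Dcom.gs.lrmi.filter.security.protocol=TLSv1.2" \
    "-Dcom.gs.lrmi.filter.security.keystore=$WORKDIR/$1.jks" \
    "-Dcom.gs.lrmi.filter.security.password=$STOREPASS"
}

build_all() {
  mkdir -p "$WORKDIR"
  for n in $NODES; do gen_node_key "$n"; done
  for n in $NODES; do import_peers "$n"; done
}
if [ "${1:-}" = build ]; then build_all; print_xap_props node1; fi
```

Run it as `sh build-keystores.sh build`; each node then gets only its own `.jks` and the printed properties, so a keystore never has to carry another node's private key.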

Hi Pedro,

JB is right that this is beyond the scope of just XAP. It sounds like what you're trying to do here is to formulate a transport-layer security policy for the part of your organization that deals with XAP and the services-tier components around it. This is a noble and necessary effort, and to get started, I'd ask yourself a few questions:

• Do you just want to ensure that point-to-point communications are encrypted or does your organization have a policy that all communications need to be encrypted using a particular corporate certificate that is validated by an issuing authority (and also usually refreshed regularly)?
• What protocol do you want to use? Since there are known vulnerabilities in SSL3, the best-practice choice now is TLS 1.2.
• What JVM version are you using? For example, JVM 1.6 alone doesn't support TLS 1.2 but can be made to with BouncyCastle.

Regarding the first point, if all you want to do is secure the transport layer, then you don't need a keystore at all. XAP supports server-generated, self-signed certificates. Just configure transport security on both the XAP server and client sides by following the instructions in the documentation at the link you referenced in your post. You can then use the tlsprobe utility to verify what cipher is in use.

If, however, your corporate policy is to use a particular certificate, then you will need a keystore. Regarding the keystore password, there are a number of ways to secure it. Keep in mind though that even if you secure it on-disk in an encrypted store and read it out at runtime into an environment variable or command-line argument, it can still be read on modern Linux systems by examining the process attributes in the /proc/pid/environ filesystem. So there's really nothing to be gained by not keeping it in a file on disk. So I'd keep it in a file on disk, ensure that machine access is as locked down as possible, and that you're using full-disk encryption.

Hope that helps.

Cheers,

Lucas


## Comments

Hi Lucas, thank you for your reply!

Actually, I'd say I need a secure transport, first of anything else. However, I'm allowing customers to come with their own certificates, CA-signed, and applying them to the solution.

Regarding the configuration without particular certificates, I have a question ... what if I have a standalone client, consuming some of the spaces in the solution ... this client could be anywhere in the network, on any other server. Without keypairs/certificates/CAs configured on both ends, how would the client be able to consume data from this space on top of TLS? I'm asking because when I set only the SSL filter in my solution, without specifying the keystore, the clients started to fail already during launch. They were not even launched and I got some messages indicating the spaces couldn't be reached. Removing that property (the SSL filter), they were successfully launched again.

I'm gonna play with TLS1.2, we are on Java 7.

Well, thanks again for your attention. Hope my points above are clear enough, and we can keep talking.

Cheers, Pedro

(2016-12-15 06:10:23 -0600)

Pedro

Your questions are beyond the scope of XAP, as they involve other applications, some of which are not written in Java. I'm certain that you can find tutorials and examples for their use. However there are situations where you might encounter difficulty; one such is using JVMs from vendors other than Oracle. In such a case please do the following:

In case a JVM other than Sun's is used, it is possible to use BouncyCastle by adding these 2 jars to the classpath:

Use BouncyCastle to generate the certificate.

• bcpkix-jdk15on-1.50.jar
• bcprov-jdk15on-1.50.jar

Or add this mvn dependency (element names are case-sensitive in a POM, so it must be groupId/artifactId):

```xml
<dependency>
  <groupId>org.bouncycastle</groupId>
  <artifactId>bcpkix-jdk15on</artifactId>
  <version>1.50</version>
</dependency>
```


## Comments

Hi, jb. Thanks for the reply.

Yes, this is not exactly something specific to XAP. I was just trying to understand whether there's a best practice that you guys usually follow when securing the transport layer of a solution that runs on top of XAP. We, for example, have a bunch of processing units and spaces deployed on 4 nodes, and applications consuming data that can be installed around these nodes. In this kind of scenario, I was thinking that the solution would be generating one certificate per server, installing all these certificates on all nodes (including the ones that have no XAP instance running, only clients) and the keystores of all these nodes mapped in the environment, through the arguments the documentation exposes. Sounds to me like the way to go. In clusters, is this the way you'd suggest I proceed?

Also, the password to the keystore is exposed as plain text, per what the documentation suggests. Is there any alternative, so that it is obfuscated and becomes protected?

Thanks again for the attention. I really appreciate it. :)

(2016-12-12 08:44:54 -0600)


## Stats

Asked: 2016-12-05 07:10:34 -0600

Seen: 197 times

Last updated: Dec 22 '16