SSL Encryption Support

Summary: GigaSpaces provides a generic network filter, which also provides SSL support through an SSL communication filter.

Overview

Secure Sockets Layer (SSL) is a cryptographic protocol that provides security for communications over networks such as the Internet. SSL encrypts the segments of network connections at the Transport Layer, end-to-end.

GigaSpaces provides two types of SSL communication filter:

  • Stream-based filter - for a protocol like ZIP. This type of filter does not support a handshake phase.
  • Block-based filter - for encryption network filters. These filters support a handshake phase.

GigaSpaces supports only one communication filter per JVM, and this filter is applied to all the connections within the JVM.

Usage

To enable the SSL communication filter, set the system property com.gs.lrmi.filter.factory. The value should be the communication filter factory class name.

For example, to use an SSL communication filter, run GigaSpaces Container with:

export EXT_JAVA_OPTIONS=-Dcom.gs.lrmi.filter.factory=com.gigaspaces.lrmi.nio.filters.SSLFilterFactory

Default SSLFilterFactory Implementation

Since some types of communication filters are not symmetric regarding the client and server, the class SSLFilterFactory has 2 methods: one to create the communication filter for the client side, and the other for the server side.

If the communication filter needs its own parameters, it can acquire them by directly reading system properties. For example, the supplied SSLFilter needs to get the keystore file, and the password to this file.

It uses the following system properties to get them:

-Dcom.gs.lrmi.filter.security.keystore=keystore.ks
-Dcom.gs.lrmi.filter.security.password=password

The keystore file is loaded from somewhere in the classpath.

The provided SSLFilter uses keystore type JKS, with key management method SunX509.
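
A preflight check for the settings above, as an added example that is not part of the GigaSpaces documentation or product code: it reads the same two system properties, loads the keystore from the classpath as JKS, and confirms that a SunX509 key manager can use it. The class name KeystorePreflight and the assumption that the key password equals the keystore password are not from this page.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;

// Added example (hypothetical class name): validates the keystore settings before a space is started.
public class KeystorePreflight {
	public static void main(String[] args) throws Exception {
		// The same system properties the page lists for the supplied SSLFilter.
		String name = System.getProperty("com.gs.lrmi.filter.security.keystore");
		String pass = System.getProperty("com.gs.lrmi.filter.security.password");
		if (name == null || pass == null)
			throw new IllegalStateException("keystore and password properties must both be set");
		char[] password = pass.toCharArray();

		// The keystore has to be resolvable from the classpath, as the page states.
		KeyStore ks = KeyStore.getInstance("JKS");
		try (InputStream in = Thread.currentThread().getContextClassLoader().getResourceAsStream(name)) {
			if (in == null)
				throw new IllegalStateException(name + " not found on the classpath");
			ks.load(in, password); // throws IOException on a wrong password or a corrupt file
		}

		// Report every entry and count the private key entries.
		int keyEntries = 0;
		for (String alias : Collections.list(ks.aliases())) {
			boolean isKey = ks.isKeyEntry(alias);
			if (isKey) keyEntries++;
			Certificate cert = ks.getCertificate(alias);
			if (cert instanceof X509Certificate) {
				X509Certificate x509 = (X509Certificate) cert;
				x509.checkValidity(); // throws if the certificate is expired or not yet valid
				System.out.println(alias + (isKey ? " [key] " : " [trusted cert] ")
						+ x509.getSubjectX500Principal() + " expires " + x509.getNotAfter());
			}
		}
		if (keyEntries == 0)
			throw new IllegalStateException("no private key entry in " + name);

		// SunX509 key management over the JKS store, as the page describes.
		KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
		kmf.init(ks, password); // assumption: key password equals the keystore password
		System.out.println("OK: " + keyEntries + " usable key entry(ies) in " + name);
	}
}
```

Run it with the same -D options and classpath as the space itself. A password passed with -D appears in the JVM's command line, which other local users can typically read from the process list.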

Please refer to the JavaDocs for more details about the reference classes:

Code snippet of the space server.

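import com.j_spaces.core.client.SpaceFinder;

public class SSLServer {
	public static void main(String [] args) throws Exception{
		// Starts an embedded space; SSL is switched on by system properties, not by code.
		SpaceFinder.find("/./SSLSpace?schema=cache&groups=ssl_example_group"); 
	}
}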

Code snippet of the space client.

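import com.j_spaces.core.IJSpace;
import com.j_spaces.core.client.SpaceFinder;
import net.jini.core.entry.Entry;
import net.jini.core.lease.Lease;

public class SSLClient {
	public static void main(String [] args) throws Exception{
		// Look up the remote space started by SSLServer.
		IJSpace space = (IJSpace) SpaceFinder.find("jini://localhost/*/SSLSpace?groups=ssl_example_group");
		AnEntry entry = new AnEntry();
		entry.key = "first";
		entry.payload = "first value";
		// Write the entry, then read it back using an empty template.
		space.write(entry, null, Lease.FOREVER);
		AnEntry value = (AnEntry)space.read(new AnEntry(), null, 0);
		System.out.println(value.payload);
	}
	
	// Entry class with public fields and a public no-argument constructor.
	public static class AnEntry implements Entry{
		private static final long serialVersionUID = 1L;
		
		public AnEntry() {
		}
		public String key;
		public String payload;
	}
}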

As you can see, so far there is nothing special in the code – it is the same code that would be used without SSL.
However, to run this code with SSL encryption, you should run it with the following system properties (both server and client), and have the keystore anywhere in the classpath (both server and client).

-Dcom.gs.lrmi.filter.factory=com.gigaspaces.lrmi.nio.filters.SSLFilterFactory
-Dcom.gs.lrmi.filter.security.keystore=keystore.ks
-Dcom.gs.lrmi.filter.security.password=password

The indication that SSL is used is the message:

Communication Filters Information:
		 CommunicationFilterFactory: com.gigaspaces.lrmi.nio.filters.SSLFilterFactory

IMPORTANT: This is an old version of GigaSpaces XAP.
