/hazelcast-documentation/src/main/docbook/manual/content/network/Encryption.xml
https://bitbucket.org/gabral6_gmailcom/hazelcast · XML · 136 lines · 87 code · 10 blank · 39 comment · 0 complexity · ebbfe7878611df3fc8a7caacca67fbaa MD5 · raw file
- <?xml version='1.0' encoding='UTF-8'?>
- <!--
- ~ Copyright (c) 2008-2013, Hazelcast, Inc. All Rights Reserved.
- ~
- ~ Licensed under the Apache License, Version 2.0 (the "License");
- ~ you may not use this file except in compliance with the License.
- ~ You may obtain a copy of the License at
- ~
- ~ http://www.apache.org/licenses/LICENSE-2.0
- ~
- ~ Unless required by applicable law or agreed to in writing, software
- ~ distributed under the License is distributed on an "AS IS" BASIS,
- ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- ~ See the License for the specific language governing permissions and
- ~ limitations under the License.
- -->
- <sect2 xml:id="Encryption" version='5.0' xmlns='http://docbook.org/ns/docbook'
- xmlns:xi="http://www.w3.org/2001/XInclude"
- xmlns:xlink="http://www.w3.org/1999/xlink"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://docbook.org/ns/docbook http://www.docbook.org/xml/5.0/xsd/docbook.xsd
- http://www.w3.org/1999/xlink http://www.w3.org/1999/xlink.xsd">
- <title>Encryption</title>
- <para>
- Hazelcast allows you to encrypt entire socket level communication among all Hazelcast
- members. Encryption is based on
- <link xlink:href="http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html">Java
- Cryptography Architecture
- </link>
- and both symmetric and asymmetric encryption are supported.
- In symmetric encryption, each node uses the same key, so the key is shared.
- Here is a sample configuration for symmetric encryption:
- <programlisting language="xml"><![CDATA[<hazelcast>
- ...
- <network>
- ...
- <!--
- Make sure to set enabled=true
- Make sure this configuration is exactly the same on
- all members
- -->
- <symmetric-encryption enabled="true">
- <!--
- encryption algorithm such as
- DES/ECB/PKCS5Padding,
- PBEWithMD5AndDES,
- Blowfish,
- DESede
- -->
- <algorithm>PBEWithMD5AndDES</algorithm>
- <!-- salt value to use when generating the secret key -->
- <salt>thesalt</salt>
- <!-- pass phrase to use when generating the secret key -->
- <password>thepass</password>
- <!-- iteration count to use when generating the secret key -->
- <iteration-count>19</iteration-count>
- </symmetric-encryption>
- </network>
- ...
- </hazelcast>
- ]]></programlisting>
- In asymmetric encryption, public and private key pair is used. Data is encrypted with
- one of these keys and decrypted with the other.
- The idea is that each node has to have its own private key and other trusted members'
- public key. So that means, for each member, we should do the followings:
- <itemizedlist>
- <listitem>
- <para>Pick a unique name for the member. We will use the name as the key alias. Let's name them as member1,
- member2...memberN.
- </para>
- </listitem>
- <listitem>
- <para>Generate the keystore and the private key for the member1.
- <literal>keytool -genkey -alias member1 -keyalg RSA -keypass thekeypass -keystore keystore -storetype
- JKS
- </literal>
- Remember all the parameters you used here because you will need this information when
- you configure asymmetric-encryption in your hazelcast.xml file.
- </para>
- </listitem>
- <listitem>
- <para>Create a public certificate file so that we can add it to the other members' keystore
- <literal>keytool -export -alias member1 -keypass thekeypass -storepass thestorepass -keystore keystore
- -rfc -file member1.cer
- </literal>
- </para>
- </listitem>
- <listitem>
- <para>Now take all the other members' public certificates, and add (import) them into member1's keystore
- <programlisting language="java"><![CDATA[ keytool -import -alias member2 -file member2.cer -keystore keystore -storepass thestorepass
- keytool -import -alias member3 -file member3.cer -keystore keystore -storepass thestorepass
- ...
- keytool -import -alias memberN -file memberN.cer -keystore keystore -storepass thestorepass
- ]]></programlisting>
- </para>
- </listitem>
- </itemizedlist>
- You should repeat these steps for each trusted member in your cluster.
- Here is a sample configuration for asymmetric encryption:
- <programlisting language="xml"><![CDATA[<hazelcast>
- ...
- <network>
- ...
- <!--
- Make sure to set enabled=true
- -->
- <asymmetric-encryption enabled="true">
- <!-- encryption algorithm -->
- <algorithm>RSA/NONE/PKCS1PADDING</algorithm>
- <!-- private key password -->
- <keyPassword>thekeypass</keyPassword>
- <!-- private key alias -->
- <keyAlias>member1</keyAlias>
- <!-- key store type -->
- <storeType>JKS</storeType>
- <!-- key store password -->
- <storePassword>thestorepass</storePassword>
- <!-- path to the key store -->
- <storePath>keystore</storePath>
- </asymmetric-encryption>
- </network>
- ...
- </hazelcast>
- ]]></programlisting>
- </para>
- </sect2>