
/hazelcast-documentation/src/main/docbook/manual/content/network/Encryption.xml

https://bitbucket.org/gabral6_gmailcom/hazelcast
<?xml version='1.0' encoding='UTF-8'?>

<!--
  ~ Copyright (c) 2008-2013, Hazelcast, Inc. All Rights Reserved.
  ~
  ~ Licensed under the Apache License, Version 2.0 (the "License");
  ~ you may not use this file except in compliance with the License.
  ~ You may obtain a copy of the License at
  ~
  ~ http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing, software
  ~ distributed under the License is distributed on an "AS IS" BASIS,
  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  ~ See the License for the specific language governing permissions and
  ~ limitations under the License.
  -->

<sect2 xml:id="Encryption" version='5.0' xmlns='http://docbook.org/ns/docbook'
       xmlns:xi="http://www.w3.org/2001/XInclude"
       xmlns:xlink="http://www.w3.org/1999/xlink"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://docbook.org/ns/docbook http://www.docbook.org/xml/5.0/xsd/docbook.xsd
       http://www.w3.org/1999/xlink http://www.w3.org/1999/xlink.xsd">
    <title>Encryption</title>
    <para>
    Hazelcast allows you to encrypt the entire socket-level communication among all Hazelcast
    members. Encryption is based on the
    <link xlink:href="http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html">Java
        Cryptography Architecture
    </link>
    and both symmetric and asymmetric encryption are supported.
    In symmetric encryption, every node uses the same key, so the key is shared.
    Here is a sample configuration for symmetric encryption:
    <programlisting language="xml"><![CDATA[<hazelcast>
    ...
    <network>
        ...
        <!--
            Make sure to set enabled=true
            Make sure this configuration is exactly the same on
            all members
        -->
        <symmetric-encryption enabled="true">
            <!--
               encryption algorithm such as
               DES/ECB/PKCS5Padding,
               PBEWithMD5AndDES,
               Blowfish,
               DESede
            -->
            <algorithm>PBEWithMD5AndDES</algorithm>

            <!-- salt value to use when generating the secret key -->
            <salt>thesalt</salt>

            <!-- pass phrase to use when generating the secret key -->
            <password>thepass</password>

            <!-- iteration count to use when generating the secret key -->
            <iteration-count>19</iteration-count>
        </symmetric-encryption>
    </network>
    ...
</hazelcast>
]]></programlisting>
    In asymmetric encryption, a public and private key pair is used. Data is encrypted with
    one of these keys and decrypted with the other.
    The idea is that each node has to have its own private key and the other trusted members'
    public keys. So, for each member, do the following:
    <itemizedlist>
        <listitem>
            <para>Pick a unique name for the member. We will use the name as the key alias. Let's name them member1,
                member2...memberN.
            </para>
        </listitem>
        <listitem>
            <para>Generate the keystore and the private key for member1.
                <literal>keytool -genkey -alias member1 -keyalg RSA -keypass thekeypass -keystore keystore -storetype
                    JKS
                </literal>
                Remember all the parameters you used here, because you will need this information when
                you configure asymmetric-encryption in your hazelcast.xml file.
            </para>
        </listitem>
        <listitem>
            <para>Create a public certificate file so that it can be added to the other members' keystores.
                <literal>keytool -export -alias member1 -keypass thekeypass -storepass thestorepass -keystore keystore
                    -rfc -file member1.cer
                </literal>
            </para>
        </listitem>
        <listitem>
            <para>Now take all the other members' public certificates and add (import) them into member1's keystore.
                <programlisting language="shell"><![CDATA[ keytool -import -alias member2 -file member2.cer -keystore keystore -storepass thestorepass

 keytool -import -alias member3 -file member3.cer -keystore keystore -storepass thestorepass

 ...

 keytool -import -alias memberN -file memberN.cer -keystore keystore -storepass thestorepass

]]></programlisting>
            </para>
        </listitem>
    </itemizedlist>
    Repeat these steps for each trusted member in your cluster.
    Here is a sample configuration for asymmetric encryption:
    <programlisting language="xml"><![CDATA[<hazelcast>
    ...
    <network>
        ...
        <!--
            Make sure to set enabled=true
        -->
        <asymmetric-encryption enabled="true">
            <!-- encryption algorithm -->
            <algorithm>RSA/NONE/PKCS1PADDING</algorithm>
            <!-- private key password -->
            <keyPassword>thekeypass</keyPassword>
            <!-- private key alias -->
            <keyAlias>member1</keyAlias>
            <!-- key store type -->
            <storeType>JKS</storeType>
            <!-- key store password -->
            <storePassword>thestorepass</storePassword>
            <!-- path to the key store -->
            <storePath>keystore</storePath>
        </asymmetric-encryption>
    </network>
    ...
</hazelcast>
]]></programlisting>

</para>
</sect2>
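The symmetric configuration above works because every member derives the same DES key from the configured pass phrase, salt and iteration count through the JCA. The following example (added here, not Hazelcast's own code) runs that derivation with `javax.crypto` and shows that a member whose `iteration-count` or `password` differs by even one character cannot read what member1 sent; the 8-byte salt is a constructed value, since `PBEWithMD5AndDES` requires exactly 8 salt bytes and the page does not show how Hazelcast maps the `<salt>` string to bytes.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;

public class SymmetricEncryptionDemo {
    // Algorithm, pass phrase and iteration count as in the sample hazelcast.xml.
    // SALT is a constructed 8-byte value (assumption): SunJCE's PBEWithMD5AndDES
    // requires exactly 8 salt bytes, and Hazelcast's salt-to-bytes mapping is not shown.
    static final String ALGORITHM = "PBEWithMD5AndDES";
    static final byte[] SALT = "thesalt!".getBytes(StandardCharsets.US_ASCII);

    // One member's view: derive the shared key from the configured values via the JCA.
    static Cipher cipherFor(int mode, String password, byte[] salt, int iterations)
            throws GeneralSecurityException {
        SecretKey key = SecretKeyFactory.getInstance(ALGORITHM)
                .generateSecret(new PBEKeySpec(password.toCharArray()));
        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(mode, key, new PBEParameterSpec(salt, iterations));
        return cipher;
    }

    // True when a peer with the given config recovers exactly what member1 encrypted.
    static boolean peerCanDecrypt(byte[] wire, byte[] plain,
                                  String password, byte[] salt, int iterations) {
        try {
            byte[] out = cipherFor(Cipher.DECRYPT_MODE, password, salt, iterations).doFinal(wire);
            return Arrays.equals(out, plain);
        } catch (GeneralSecurityException e) {
            // A mismatched key normally surfaces as BadPaddingException; if the padding
            // happens to look valid, the plaintext comparison above still fails.
            return false;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] plain = "member1 -> cluster".getBytes(StandardCharsets.UTF_8);
        byte[] wire = cipherFor(Cipher.ENCRYPT_MODE, "thepass", SALT, 19).doFinal(plain);

        System.out.println("identical config:   " + peerCanDecrypt(wire, plain, "thepass", SALT, 19)); // true
        System.out.println("iteration-count 20: " + peerCanDecrypt(wire, plain, "thepass", SALT, 20)); // false
        System.out.println("password Thepass:   " + peerCanDecrypt(wire, plain, "Thepass", SALT, 19)); // false
    }
}
```

Note that this scheme derives a 56-bit DES key with a handful of MD5 rounds, so of the algorithms listed in the configuration comment it offers the least resistance to an attacker who captures cluster traffic.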
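Before starting a member with the asymmetric configuration above, it is worth checking that the keystore produced by the `keytool` steps actually matches `storePath`, `storeType`, `storePassword`, `keyAlias` and `keyPassword`, and that the other members' certificates were imported. This check (added here, not part of Hazelcast) opens the keystore with the standard `java.security.KeyStore` API the same way a member would; the constants are the sample values from the configuration, and the file is assumed to exist in the working directory.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class KeystoreCheck {
    // Values taken from the sample <asymmetric-encryption> configuration.
    static final String STORE_PATH = "keystore";
    static final String STORE_TYPE = "JKS";
    static final char[] STORE_PASSWORD = "thestorepass".toCharArray();
    static final String KEY_ALIAS = "member1";
    static final char[] KEY_PASSWORD = "thekeypass".toCharArray();

    // Loads the keystore, proves the member's own private key is readable with
    // keyPassword, and returns the aliases of the trusted certificates that were
    // imported with 'keytool -import' (the other members' public keys).
    static List<String> verify(String path, String type, char[] storePass,
                               String keyAlias, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);                 // a wrong storePassword fails here
        }
        if (!ks.isKeyEntry(keyAlias)) {
            throw new IllegalStateException("no private key entry for alias " + keyAlias);
        }
        Key key = ks.getKey(keyAlias, keyPass);     // a wrong keyPassword fails here
        if (!(key instanceof PrivateKey)) {
            throw new IllegalStateException(keyAlias + " is not a private key entry");
        }
        List<String> trusted = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {      // imported peer certificates only
                Certificate cert = ks.getCertificate(alias);
                trusted.add(alias + " (" + cert.getPublicKey().getAlgorithm() + ")");
            }
        }
        return trusted;
    }

    public static void main(String[] args) throws Exception {
        List<String> peers = verify(STORE_PATH, STORE_TYPE, STORE_PASSWORD, KEY_ALIAS, KEY_PASSWORD);
        System.out.println(KEY_ALIAS + " private key OK; trusted members: " + peers);
        if (peers.isEmpty()) {
            System.out.println("warning: no member certificates imported, so no peer can be trusted");
        }
    }
}
```

Run it on every member's keystore: each one should report its own alias as the private key and list all N-1 other member aliases as trusted certificates.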