Configure SSL properties and JMX ports to secure sensitive
information that flows between WebSphere® eXtreme Scale and the Liberty profile.
About this task
When a data grid is deployed, the sensitive information it
contains flows over the network. Also, the credentials that data
grid clients use to authenticate to the data grid flow over the network.
To protect data and credentials as they flow, use transport-level
encryption using SSL to secure deployments.
The security of SSL
depends on protecting the keystores and the truststores, so that only
authorized users have access to the keystores and truststores. After
you enable SSL encryption, you must specify a JMXConnectorPort and
a JMXServicePort value in the server properties file to have SSL protection
for JMX traffic.
The transport between the JMX client and server
can be secured with transport layer security (TLS) or SSL. If the
transportType of the catalog server or container server is set to SSL-Required
or SSL-Supported, then you must use SSL to connect to the JMX server.
- Specify SSL in the server properties file. Set the transportType property to SSL-Required;
for example:
transportType=SSL-Required
- Specify SSL properties in the server properties file.
alias=serverprivate
contextProvider=IBMJSSE2
protocol=SSL
keyStoreType=JKS
keyStore=etc/test/security/key.jks
keyStorePassword=serverpw
trustStoreType=JKS
trustStore=etc/test/security/trust.jks
trustStorePassword=public
clientAuthentication=false
Configure the truststore, truststore
type, and truststore password. It is not necessary to specify a keystore,
keystore type, and keystore password for the client. The alias, keystore,
keystore password, and keystore type are not needed on the client
unless the server SSL properties include clientAuthentication=true. This value is rarely used.
The client truststore must trust the
server certificate. When the server certificate is self-signed, as
in the tutorial, that certificate must be imported into the client
truststore. When the server certificate is issued by a local certificate
authority, the signer certificate for that certificate authority must
be imported into the client truststore. For more information about
creating keystore and truststore files, see Java SE security tutorial - Step 6.
- Specify SSL in the client properties file when SSL is required. Set the transportType property to SSL-Required or SSL-Supported; for example:
transportType=SSL-Required
- Specify SSL properties in the client properties file. For example, you can specify the following properties:
alias=clientprivate
contextProvider=IBMJSSE2
protocol=SSL
keyStoreType=JKS
keyStore=etc/test/security/client.private
keyStorePassword={xor}PDM2OjErLyg\=
trustStoreType=JKS
trustStore=etc/test/security/server.public
trustStorePassword={xor}Lyo9MzY8
Specify the client properties file in the jvm.options file; for example:
-Dobjectgrid.client.props="D:\IDEs\wxsEnvi\wlp\usr\servers\sessionAppServer\objectGridClient.properties"
Remove the double quotation marks if you are using Linux operating
systems.
- Set the JMX service port in the server properties file.
The default value for the JMX service port on catalog servers
is 1099. You must use a different port number
for each JVM in your configuration. If you want to use JMX/RMI, explicitly
specify the server JMXServicePort option and port
number, even if you want to use the default port value.
- Set the JMX connector port in the server properties file.
Setting the JMX service port is required when you want to
display container server information from the catalog server. For
example, the port is required when you are using the xscmd
-c showMapSizes command. Set the JMX connector port to
avoid ephemeral port creation.
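
The following Python script is an added example, not part of the original topic or of IBM's tooling. It checks server properties files for the settings this task requires: transportType=SSL-Required, the keystore and truststore properties, both JMX ports, and no JMX port reused across JVMs. The function names, the sample file contents, and port 1198 are assumptions made for illustration; the script also assumes that all JVMs run on one host, so any reused port counts as a conflict.

```python
SSL_KEYS = ("keyStore", "keyStoreType", "keyStorePassword",
            "trustStore", "trustStoreType", "trustStorePassword")
JMX_KEYS = ("JMXServicePort", "JMXConnectorPort")

def parse_props(text):
    """Parse key=value lines, skipping blanks and '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(servers):
    """servers maps a JVM name to its properties text; returns findings."""
    findings, ports_seen = [], {}
    for name, text in servers.items():
        props = parse_props(text)
        if props.get("transportType") != "SSL-Required":
            findings.append(f"{name}: transportType is {props.get('transportType')!r}, not SSL-Required")
        # Without both JMX ports, JMX traffic is not covered by the SSL settings.
        for key in SSL_KEYS + JMX_KEYS:
            if not props.get(key):
                findings.append(f"{name}: {key} is not set")
        # Each JVM needs its own port numbers (assumption: all JVMs share a host).
        for key in JMX_KEYS:
            port = props.get(key)
            if port and port in ports_seen:
                findings.append(f"{name}: {key}={port} already used by {ports_seen[port]}")
            elif port:
                ports_seen[port] = name
    return findings

# Constructed sample input; port 1198 is an arbitrary illustrative value.
CATALOG = """\
transportType=SSL-Required
keyStoreType=JKS
keyStore=etc/test/security/key.jks
keyStorePassword=serverpw
trustStoreType=JKS
trustStore=etc/test/security/trust.jks
trustStorePassword=public
JMXServicePort=1099
JMXConnectorPort=1198
"""
# Second JVM: weaker transport, reused service port, no connector port.
CONTAINER = CATALOG.replace("SSL-Required", "SSL-Supported").replace("JMXConnectorPort=1198\n", "")
if __name__ == "__main__":
    for finding in audit({"catalog": CATALOG, "container": CONTAINER}):
        print(finding)
```

Run against the constructed files, the catalog server passes and the container server is reported for its transport type, its missing connector port, and its reuse of port 1099.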