Galder Zamarreño updated ISPN-907:
Assignee: Tristan Tarrant (was: Galder Zamarreño)
Fix Version/s: 5.2.0.FINAL
SSL access to Hot Rod
Issue Type: Feature Request
Components: Cache Server
Reporter: Galder Zamarreño
Assignee: Tristan Tarrant
Labels: hotrod, ssl
Fix For: 5.2.0.FINAL
Attachments: ssl.patch, SSLEngineFactory.scala, SSLTest.java
Investigate and integrate Adrian's patch for Hot Rod server so that it can accessed
Email from Adrian:
"While I remember heres a patch to add ssl for infinispan clients.
I did it a couple of weeks ago, but I dont know when Ill have time
to finish it off/polish it. It was based on head a few weeks ago,
but I dont remember which version. :-(
The horrible part is the way I had to modify all the parameter lists.
It could really do with passing some config object instead.
I dont know how to make "git diff" include new uncommitted files so Ive
See the test for how to use it, but it is basically set the config properties
(with the relevant infinispan package prefixes)
key_store_file_name=jks file containing our key
trust_store_file_name=jks file containing public keys we trust for authentication
Optionally you can get the server to authenticate the client as well
which means the server will need a trust store.
I've also left it so if you dont set the properties it will use the default
But this doesnt work out of the box unless you enable the "anon" alogorithms
the server, they aren't enabled by default. Those dont authenticate, they just
encrypt the traffic.
The main thing left to do would be change the test to get maven to generate the
key/trust store in a well defined place in "target".
* The code on the serrver will also work for other protocols as well, e.g. memcached
if the client supports ssl
* The ssl context construction is pretty similar in the client/server
and could probably be shared if I knew where to put shared stuff in the codebase. :-)
* There is some commented out bits where I think the client/server should really
be adding socket timeouts. Otherwise network drops/splits could cause the connection
to hang forever. There should at least be a connection timeout on the socket
if you dont want to implement a full blown ping to continually test the connection rather
than just ping on start - which doesnt run until after the connection timeout is needed.
* I had to modify the system property handling so you can have a default of
I only did this for Strings, might not be relevant for others?
* Why doesnt the client side do system property replacement like the server?
* Theres a lot of places in the code doing
InputStream is = openStream();
but never close the stream. While this is probably ok in infinispans use cases
it is not good practice to leave files open for the gc to close - that could take a
to happen and you are hogging system resources.
Either useIt() should close the stream or the code should be
InputStream is = openStream();
Feel free to post whatever parts of this message you like in the infinispan forum.
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: