This sections covers Security configuration for Apache Geode/Pivotal GemFire, which encompasses Authentication/Authorization (collectively, Auth) as well as Transport Layer Security (TLS) using SSL.
Apache Geode and Pivotal GemFire employ Username/Password-based Authentication along with Role-based Authorization to secure your client to server data exchanges and operations.
Spring Data for Apache Geode/Pivotal GemFire (SDG) provides first-class support for Apache Geode/Pivotal GemFire’s Security framework, which is rooted in the SecurityManager interface. Additionally, Apache Geode’s Security framework is integrated with Apache Shiro, making securing servers an even easier, more familiar task.
And, when you apply Spring Boot for Apache Geode/Pivotal GemFire, which builds on the bits provided in SDG, it makes short work of enabling auth in both your clients and servers.
The easiest and most standard way to enable auth on your servers is to simply define 1 or more Apache Shiro
Realms as beans in the Spring ApplicationContext.
For example:
Declaring an Apache Shiro Realm.
@Configuration class ApacheGeodeSecurityConfiguration { @Bean DefaultLdapRealm ldapRealm(..) { return new DefaultLdapRealm(); } ... }
When an Apache Shiro Realm (e.g. DefaultLdapRealm) is declared and registered in the Spring ApplicationContext,
then Spring Boot automatically detects this Realm bean (or Realm beans if more than 1) and the Apache Geode/Pivotal GemFire
servers in the cluster will automatically be configured with Authentication/Authorization enabled.
Alternatively, you can provide an custom, application-specific implementation of Apache Geode/Pivotal GemFire’s
SecurityManager interface,
declared and registered as a bean in the Spring ApplicationContext:
Declaring a custom Apache Geode/Pivotal GemFire SecurityManager.
@Configuration class ApacheGeodeSecurityConfiguration { @Bean CustomSecurityManager customSecurityManager(..) { return new CustomSecurityManager(); } ... }
Spring Boot will auto-detect your custom, application-specific SecurityManager implementation and also configure
the Apache Geode/Pivotal GemFire servers in the cluster with Authentication/Authorization enabled.
![[Tip]](images/tip.png) | Tip |
|---|---|
|
The Spring team recommends that you use Apache Shiro to manage the Authentication & Authorization
for your Apache Geode/Pivotal GemFire servers over implementing Apache Geode/Pivotal GemFire’s
|
When Apache Geode/Pivotal GemFire servers have been configured with Authentication/Authorization enabled, then clients must authenticate when connecting.
Spring Boot for Apache Geode/Pivotal GemFire makes this easy, regardless of whether you are running your Spring Boot,
ClientCache applications in a local, non-managed environment or when running in a managed environment,
like Pivotal CloudFoundry (PCF).
To enable auth for clients connecting to a secure Apache Geode/Pivotal GemFire cluster, you simply need to set
a username and password in your Spring Boot application.properties file:
# Spring Boot client application.properties spring.data.gemfire.security.username = jdoe spring.data.gemfire.security.password = p@55w0rd!
Spring Boot for Apache Geode/Pivotal GemFire will handle the rest.
To enable auth for clients connecting to a Pivotal Cloud Cache (PCC) service instance in Pivotal CloudFoundry (PCF) is even easier.
You do not need to do anything!
When your Spring Boot application using PCC is pushed (i.e. deployed) to PCF, Spring Boot for Apache Geode/Pivotal GemFire is smart enough to extract the necessary auth credentials from the environment you setup when you provisioned a PCC service instance in your PCF organization/space. PCC automatically assigns 2 users with roles "cluster_operator" and "developer", respectively, to any Spring Boot application bound to the PCC service instance.
See the PCC documentation for more details.
Securing data in motion is also essential to the integrity of your application.
For instance, it would not do much good to send usernames and passwords over plain text Socket connections between your clients and servers, nor send sensitive data over those same connections.
Therefore, Apache Geode and Pivotal GemFire support SSL between clients & servers, JMX clients (e.g. Gfsh, JConsole) and the Manager, HTTP clients when using the Developer REST API or Pulse, between peers in the cluster, and when using WAN Gateway components.
Spring Data for Apache Geode/Pivotal GemFire provides first-class support for enabling and configuring SSL as well. However, Spring Boot strives to make it even easier to configure and enable SSL, especially during development.
Apache Geode/Pivotal GemFire require certain properties to be configured, which translate to the appropriate
javax.net.ssl.* properties required by the JRE, to create Secure Socket Connections using
JSSE.
But, ensuring that you have set all the properties correctly is an error-prone and tedious task. So, Spring Boot for Apache Geode & Pivotal GemFire applies some basic conventions for you, out-of-the-box.
Simply create a trusted.keystore, JKS-based KeyStore file and place it in 1 of 3 well-known locations:
- In your Spring Boot application’s working directory.
-
In your user home directory (as defined by the
user.homeJava System property). - In your application JAR file at the root of the classpath.
When this file is named trusted.keystore and is placed in 1 of these 3 well-known locations, then Spring Boot
for Apache Geode/Pivotal GemFire can automatically configure your client to use SSL Socket connections.
If you are using Spring Boot to configure and bootstrap an Apache Geode or Pivotal GemFire server:
Spring Boot configured/bootstrapped Apache Geode/Pivotal GemFire server.
@SpringBootApplication @CacheServerApplication class SpringBootApacheGeodeCacheServerApplication { ... }
Then, Spring Boot applies the same procedure to SSL enable the servers as well.
During development it is convenient not to set a trusted.keystore password when accessing the keys in the file.
However, it is highly recommended that you do secure the trusted.keystore file when deploying your application
to a production environment. Therefore, when your your trusted.keystore file is secured by a password,
you will additionally need to specify the following property:
Accessing a secure trusted.keystore.
# Spring Boot application.properties spring.data.gemfire.security.ssl.keystore.password = p@55w0rd!
You can also configure the location of the keystore, and additionally truststore files, if they are separate and have not been placed in 1 of the default, well-known locations searched by Spring Boot:
Accessing a secure trusted.keystore.
# Spring Boot application.properties spring.data.gemfire.security.ssl.keystore = /absolute/file/system/path/to/keystore.jks spring.data.gemfire.security.ssl.keystore.password = keystorePassword spring.data.gemfire.security.ssl.truststore = /absolute/file/system/path/to/truststore.jks spring.data.gemfire.security.ssl.truststore.password = truststorePassword
See the SDG EnableSsl annotation for all the configuration options and their corresponding properties.
Currently, neither Apache Geode/Pivotal GemFire nor Spring Boot/Spring Data for Apache Geode/Pivotal GemFire offer any support for securing your data while at rest (e.g. when your data has been overflowed or persisted to disk).
To secure data at rest when using Apache Geode or Pivotal GemFire, with or without Spring, you must employ 3rd party solutions like disk encryption, which is usually highly contextual.
For instance, securing data at rest using Amazon EC2 Instance Store Encryption.