use of com.hazelcast.config.EncryptionAtRestConfig in project hazelcast by hazelcast.
the class TestPersistenceEncryptionKeyStoreApplicationContext method testPersistence.
@Test
public void testPersistence() {
File dir = new File("/mnt/persistence/");
File hotBackupDir = new File("/mnt/persistence-backup/");
PersistenceConfig persistenceConfig = config.getPersistenceConfig();
assertFalse(persistenceConfig.isEnabled());
assertEquals(dir.getAbsolutePath(), persistenceConfig.getBaseDir().getAbsolutePath());
assertEquals(hotBackupDir.getAbsolutePath(), persistenceConfig.getBackupDir().getAbsolutePath());
assertEquals(1111, persistenceConfig.getValidationTimeoutSeconds());
assertEquals(2222, persistenceConfig.getDataLoadTimeoutSeconds());
assertEquals(PARTIAL_RECOVERY_MOST_COMPLETE, persistenceConfig.getClusterDataRecoveryPolicy());
assertFalse(persistenceConfig.isAutoRemoveStaleData());
EncryptionAtRestConfig encryptionAtRestConfig = persistenceConfig.getEncryptionAtRestConfig();
assertNotNull(encryptionAtRestConfig);
assertTrue(encryptionAtRestConfig.isEnabled());
assertEquals("AES/CBC/PKCS5Padding", encryptionAtRestConfig.getAlgorithm());
assertEquals("sugar", encryptionAtRestConfig.getSalt());
assertEquals(16, encryptionAtRestConfig.getKeySize());
assertTrue(encryptionAtRestConfig.getSecureStoreConfig() instanceof JavaKeyStoreSecureStoreConfig);
JavaKeyStoreSecureStoreConfig keyStoreConfig = (JavaKeyStoreSecureStoreConfig) encryptionAtRestConfig.getSecureStoreConfig();
assertEquals(new File("/mnt/hot-restart/keystore.p12").getAbsolutePath(), keyStoreConfig.getPath().getAbsolutePath());
assertEquals("PKCS12", keyStoreConfig.getType());
assertEquals("password", keyStoreConfig.getPassword());
assertEquals(60, keyStoreConfig.getPollingInterval());
}
use of com.hazelcast.config.EncryptionAtRestConfig in project hazelcast by hazelcast.
the class NodeSecurityBanner method printSecurityFeaturesInfo.
@SuppressWarnings({ "checkstyle:CyclomaticComplexity", "checkstyle:MethodLength" })
private void printSecurityFeaturesInfo(Config config, Level logLevel) {
StringBuilder sb = new StringBuilder("\n").append(getLockEmo()).append("Security recommendations and their status:");
addSecurityFeatureCheck(sb, "Use a custom cluster name", !Config.DEFAULT_CLUSTER_NAME.equals(config.getClusterName()));
addSecurityFeatureCheck(sb, "Disable member multicast discovery/join method", !multicastUsed);
AdvancedNetworkConfig advancedNetworkConfig = config.getAdvancedNetworkConfig();
addSecurityFeatureCheck(sb, "Use advanced networking, separate client and member sockets", advancedNetworkConfig.isEnabled());
boolean bindAny = properties.getBoolean(SOCKET_SERVER_BIND_ANY);
addSecurityFeatureCheck(sb, "Bind Server sockets to a single network interface (disable " + SOCKET_SERVER_BIND_ANY.getName() + ")", !bindAny);
StringBuilder tlsSb = new StringBuilder();
boolean tlsUsed = true;
if (advancedNetworkConfig.isEnabled()) {
for (Map.Entry<EndpointQualifier, EndpointConfig> e : advancedNetworkConfig.getEndpointConfigs().entrySet()) {
tlsUsed = addAdvNetworkTlsInfo(tlsSb, e.getKey(), e.getValue().getSSLConfig()) && tlsUsed;
}
} else {
SSLConfig sslConfig = config.getNetworkConfig().getSSLConfig();
tlsUsed = addSecurityFeatureCheck(tlsSb, "Use TLS communication protection (Enterprise)", sslConfig != null && sslConfig.isEnabled());
}
boolean jetEnabled = config.getJetConfig().isEnabled();
if (jetEnabled) {
boolean trustedEnv = tlsUsed || !bindAny;
addSecurityFeatureCheck(sb, "Use Jet in trusted environments only (single network interface and/or TLS enabled)", trustedEnv);
if (config.getJetConfig().isResourceUploadEnabled()) {
addSecurityFeatureInfo(sb, "Jet resource upload is enabled. Any uploaded code can be executed within " + "Hazelcast. Use this in trusted environments only.");
}
}
if (config.getUserCodeDeploymentConfig().isEnabled()) {
addSecurityFeatureInfo(sb, "User code deployment is enabled. Any uploaded code can be executed within " + "Hazelcast. Use this in trusted environments only.");
}
addSecurityFeatureCheck(sb, "Disable scripting in the Management Center", !config.getManagementCenterConfig().isScriptingEnabled());
addSecurityFeatureCheck(sb, "Disable console in the Management Center", !config.getManagementCenterConfig().isConsoleEnabled());
SecurityConfig securityConfig = config.getSecurityConfig();
boolean securityEnabled = securityConfig != null && securityConfig.isEnabled();
addSecurityFeatureCheck(sb, "Enable Security (Enterprise)", securityEnabled);
if (securityEnabled) {
checkAuthnConfigured(sb, securityConfig, "member-authentication", securityConfig.getMemberRealm());
checkAuthnConfigured(sb, securityConfig, "client-authentication", securityConfig.getClientRealm());
}
// TLS here
sb.append(tlsSb.toString());
PersistenceConfig persistenceConfig = config.getPersistenceConfig();
if (persistenceConfig != null && persistenceConfig.isEnabled()) {
EncryptionAtRestConfig encryptionAtRestConfig = persistenceConfig.getEncryptionAtRestConfig();
addSecurityFeatureCheck(sb, "Enable encryption-at-rest in the Persistence config (Enterprise)", encryptionAtRestConfig != null && encryptionAtRestConfig.isEnabled());
}
AuditlogConfig auditlogConfig = config.getAuditlogConfig();
addSecurityFeatureCheck(sb, "Enable auditlog (Enterprise)", auditlogConfig != null && auditlogConfig.isEnabled());
sb.append("\nCheck the hazelcast-security-hardened.xml/yaml example config file to find why and how to configure" + " these security related settings.\n");
securityLogger.log(logLevel, sb.toString());
}
use of com.hazelcast.config.EncryptionAtRestConfig in project hazelcast by hazelcast.
the class TestFullApplicationContext method testPersistence.
@Test
public void testPersistence() {
File dir = new File("/mnt/persistence/");
File backupDir = new File("/mnt/persistence-backup/");
PersistenceConfig persistenceConfig = config.getPersistenceConfig();
assertFalse(persistenceConfig.isEnabled());
assertEquals(dir.getAbsolutePath(), persistenceConfig.getBaseDir().getAbsolutePath());
assertEquals(backupDir.getAbsolutePath(), persistenceConfig.getBackupDir().getAbsolutePath());
assertEquals(1111, persistenceConfig.getValidationTimeoutSeconds());
assertEquals(2222, persistenceConfig.getDataLoadTimeoutSeconds());
assertEquals(PARTIAL_RECOVERY_MOST_COMPLETE, persistenceConfig.getClusterDataRecoveryPolicy());
assertFalse(persistenceConfig.isAutoRemoveStaleData());
EncryptionAtRestConfig encryptionAtRestConfig = persistenceConfig.getEncryptionAtRestConfig();
assertNotNull(encryptionAtRestConfig);
assertTrue(encryptionAtRestConfig.isEnabled());
assertEquals("AES/CBC/PKCS5Padding", encryptionAtRestConfig.getAlgorithm());
assertEquals("sugar", encryptionAtRestConfig.getSalt());
assertEquals(16, encryptionAtRestConfig.getKeySize());
assertTrue(encryptionAtRestConfig.getSecureStoreConfig() instanceof VaultSecureStoreConfig);
VaultSecureStoreConfig vaultConfig = (VaultSecureStoreConfig) encryptionAtRestConfig.getSecureStoreConfig();
assertEquals("http://localhost:1234", vaultConfig.getAddress());
assertEquals("secret/path", vaultConfig.getSecretPath());
assertEquals("token", vaultConfig.getToken());
SSLConfig sslConfig = vaultConfig.getSSLConfig();
assertNotNull(sslConfig);
assertTrue(sslConfig.isEnabled());
assertEquals(sslContextFactory, sslConfig.getFactoryImplementation());
assertEquals(60, vaultConfig.getPollingInterval());
assertEquals(240, persistenceConfig.getRebalanceDelaySeconds());
}
use of com.hazelcast.config.EncryptionAtRestConfig in project hazelcast by hazelcast.
the class TestPersistenceEncryptionVaultApplicationContext method testPersistence.
@Test
public void testPersistence() {
File dir = new File("/mnt/persistence/");
File hotBackupDir = new File("/mnt/persistence-backup/");
PersistenceConfig persistenceConfig = config.getPersistenceConfig();
assertFalse(persistenceConfig.isEnabled());
assertEquals(dir.getAbsolutePath(), persistenceConfig.getBaseDir().getAbsolutePath());
assertEquals(hotBackupDir.getAbsolutePath(), persistenceConfig.getBackupDir().getAbsolutePath());
assertEquals(1111, persistenceConfig.getValidationTimeoutSeconds());
assertEquals(2222, persistenceConfig.getDataLoadTimeoutSeconds());
assertEquals(PARTIAL_RECOVERY_MOST_COMPLETE, persistenceConfig.getClusterDataRecoveryPolicy());
assertFalse(persistenceConfig.isAutoRemoveStaleData());
EncryptionAtRestConfig encryptionAtRestConfig = persistenceConfig.getEncryptionAtRestConfig();
assertNotNull(encryptionAtRestConfig);
assertTrue(encryptionAtRestConfig.isEnabled());
assertEquals("AES/CBC/PKCS5Padding", encryptionAtRestConfig.getAlgorithm());
assertEquals("sugar", encryptionAtRestConfig.getSalt());
assertEquals(16, encryptionAtRestConfig.getKeySize());
assertTrue(encryptionAtRestConfig.getSecureStoreConfig() instanceof VaultSecureStoreConfig);
VaultSecureStoreConfig vaultConfig = (VaultSecureStoreConfig) encryptionAtRestConfig.getSecureStoreConfig();
assertEquals("http://localhost:1234", vaultConfig.getAddress());
assertEquals("secret/path", vaultConfig.getSecretPath());
assertEquals("token", vaultConfig.getToken());
SSLConfig sslConfig = vaultConfig.getSSLConfig();
assertNotNull(sslConfig);
assertTrue(sslConfig.isEnabled());
assertEquals(sslContextFactory, sslConfig.getFactoryImplementation());
assertEquals(60, vaultConfig.getPollingInterval());
}
use of com.hazelcast.config.EncryptionAtRestConfig in project hazelcast by hazelcast.
the class MemberDomConfigProcessor method handleEncryptionAtRest.
private void handleEncryptionAtRest(Node encryptionAtRestRoot, PersistenceConfig prConfig) throws Exception {
EncryptionAtRestConfig encryptionAtRestConfig = new EncryptionAtRestConfig();
handleViaReflection(encryptionAtRestRoot, prConfig, encryptionAtRestConfig, "secure-store");
for (Node secureStore : childElementsWithName(encryptionAtRestRoot, "secure-store", strict)) {
handleSecureStore(secureStore, encryptionAtRestConfig);
}
prConfig.setEncryptionAtRestConfig(encryptionAtRestConfig);
}
Aggregations