
Example 1 with DFLT_KEY_ALGORITHM

use of org.apache.ignite.ssl.SslContextFactory.DFLT_KEY_ALGORITHM in project ignite by apache.

From the class SecurityTest, method testEncryption.

/**
 * Test SSL/TLS encryption.
 * <p>
 * The server is started with SSL enabled and client authentication switched on. A client that
 * does not configure SSL must be rejected; a client configured through explicit key and trust
 * stores, and a client configured through a user-supplied {@link SslContextFactory}, must both
 * connect and perform a cache write.
 */
@Test
public void testEncryption() throws Exception {
    // Server side: SSL on the client connector, client certificates required.
    IgniteConfiguration serverCfg = Config.getServerConfiguration();
    SslContextFactory serverSsl = new SslContextFactory();

    // Resolves a test resource under modules/core/src/test/resources, relative to IGNITE_HOME
    // (or the working directory when IGNITE_HOME is not set).
    Function<String, String> testResource = name -> Paths.get(
        IGNITE_HOME == null ? "." : IGNITE_HOME,
        "modules", "core", "src", "test", "resources", name).toString();

    serverSsl.setKeyStoreFilePath(testResource.apply("/server.jks"));
    serverSsl.setKeyStorePassword("123456".toCharArray());
    serverSsl.setTrustStoreFilePath(testResource.apply("/trust.jks"));
    serverSsl.setTrustStorePassword("123456".toCharArray());

    ClientConnectorConfiguration connectorCfg = new ClientConnectorConfiguration()
        .setSslEnabled(true)
        .setSslClientAuth(true);

    serverCfg.setClientConnectorConfiguration(connectorCfg);
    serverCfg.setSslContextFactory(serverSsl);

    // Client side: the same clientCfg instance is reconfigured for each SSL variant below.
    ClientConfiguration clientCfg = new ClientConfiguration().setAddresses(Config.SERVER);

    try (Ignite ignored = Ignition.start(serverCfg)) {
        // 1. Plain (non-SSL) client against an SSL-only connector: any failure counts as rejection.
        boolean connected = true;

        try (IgniteClient client = Ignition.startClient(clientCfg)) {
            client.<Integer, String>cache(Config.DEFAULT_CACHE_NAME).put(1, "1");
        }
        catch (Exception ex) {
            connected = false;
        }

        assertTrue("Client connection without SSL must fail", !connected);

        // 2. Explicit key store / trust store configuration, no user-supplied SSL context factory.
        ClientConfiguration storeBasedCfg = clientCfg
            .setSslMode(SslMode.REQUIRED)
            .setSslClientCertificateKeyStorePath(testResource.apply("/client.jks"))
            .setSslClientCertificateKeyStoreType(DFLT_STORE_TYPE)
            .setSslClientCertificateKeyStorePassword("123456")
            .setSslTrustCertificateKeyStorePath(testResource.apply("/trust.jks"))
            .setSslTrustCertificateKeyStoreType(DFLT_STORE_TYPE)
            .setSslTrustCertificateKeyStorePassword("123456")
            .setSslKeyAlgorithm(DFLT_KEY_ALGORITHM)
            .setSslTrustAll(false)
            .setSslProtocol(SslProtocol.TLS);

        try (IgniteClient client = Ignition.startClient(storeBasedCfg)) {
            client.<Integer, String>cache(Config.DEFAULT_CACHE_NAME).put(1, "1");
        }

        // 3. User-supplied SSL context factory (the server-side factory is reused for the client).
        ClientConfiguration factoryBasedCfg = clientCfg
            .setSslMode(SslMode.REQUIRED)
            .setSslContextFactory(serverSsl);

        try (IgniteClient client = Ignition.startClient(factoryBasedCfg)) {
            client.<Integer, String>cache(Config.DEFAULT_CACHE_NAME).put(1, "1");
        }
    }
}

Example 2 with DFLT_KEY_ALGORITHM

use of org.apache.ignite.ssl.SslContextFactory.DFLT_KEY_ALGORITHM in project ignite by apache.

From the class ClientSslUtils, method getSslContext.

/**
 * Gets SSL context for the given client configuration.
 * <p>
 * Resolution order:
 * <ol>
 *   <li>SSL mode {@code DISABLED}: no context.</li>
 *   <li>A user-supplied {@link Factory} on the configuration: its product is used as-is.</li>
 *   <li>Key/trust store settings taken from the configuration, falling back to the
 *       {@code javax.net.ssl.*} system properties; the store types additionally fall back to
 *       {@code DFLT_STORE_TYPE} and the key algorithm to {@code DFLT_KEY_ALGORITHM}.
 *       When all six store settings are unset, the JVM default context is returned; otherwise a
 *       context is built from the resolved key and trust managers.</li>
 * </ol>
 * When {@link ClientConfiguration#isSslTrustAll()} is set, {@code ignoreErrorsTrustMgr} replaces
 * the trust-store-backed managers, so trust decisions for the server certificate are delegated
 * entirely to that manager.
 *
 * @param cfg Configuration.
 * @return {@link SSLContext} when SSL is enabled in the configuration; null otherwise.
 * @throws ClientError If the user-supplied factory fails, the SSL protocol or algorithm is not
 *         available, or the context cannot be initialised.
 */
public static SSLContext getSslContext(ClientConfiguration cfg) {
    if (cfg.getSslMode() == SslMode.DISABLED)
        return null;

    Factory<SSLContext> userFactory = cfg.getSslContextFactory();

    if (userFactory != null) {
        try {
            return userFactory.create();
        }
        catch (Exception e) {
            throw new ClientError("SSL Context Factory failed", e);
        }
    }

    // Explicit value wins; a null or blank value falls back to the supplied default.
    BiFunction<String, String, String> pick = (val, fallback) ->
        (val == null || val.isEmpty()) ? fallback : val;

    String keyStorePath = pick.apply(cfg.getSslClientCertificateKeyStorePath(),
        System.getProperty("javax.net.ssl.keyStore"));

    String keyStoreType = pick.apply(cfg.getSslClientCertificateKeyStoreType(),
        pick.apply(System.getProperty("javax.net.ssl.keyStoreType"), DFLT_STORE_TYPE));

    String keyStorePwd = pick.apply(cfg.getSslClientCertificateKeyStorePassword(),
        System.getProperty("javax.net.ssl.keyStorePassword"));

    String trustStorePath = pick.apply(cfg.getSslTrustCertificateKeyStorePath(),
        System.getProperty("javax.net.ssl.trustStore"));

    String trustStoreType = pick.apply(cfg.getSslTrustCertificateKeyStoreType(),
        pick.apply(System.getProperty("javax.net.ssl.trustStoreType"), DFLT_STORE_TYPE));

    String trustStorePwd = pick.apply(cfg.getSslTrustCertificateKeyStorePassword(),
        System.getProperty("javax.net.ssl.trustStorePassword"));

    String keyAlgorithm = pick.apply(cfg.getSslKeyAlgorithm(), DFLT_KEY_ALGORITHM);

    String protocol = toString(cfg.getSslProtocol());

    // NOTE(review): keyStoreType and trustStoreType have already been defaulted to
    // DFLT_STORE_TYPE above, so this branch is reachable only if DFLT_STORE_TYPE is itself empty;
    // confirm whether the intent was to test the user-supplied values instead.
    boolean nothingConfigured = true;

    for (String setting : new String[] {
        keyStorePath, keyStorePwd, keyStoreType, trustStorePath, trustStorePwd, trustStoreType}) {
        if (setting != null && !setting.isEmpty()) {
            nothingConfigured = false;

            break;
        }
    }

    if (nothingConfigured) {
        try {
            return SSLContext.getDefault();
        }
        catch (NoSuchAlgorithmException e) {
            throw new ClientError("Default SSL context cryptographic algorithm is not available", e);
        }
    }

    KeyManager[] keyManagers = getKeyManagers(keyAlgorithm, keyStorePath, keyStoreType, keyStorePwd);

    TrustManager[] trustManagers;

    if (cfg.isSslTrustAll())
        trustManagers = new TrustManager[] { ignoreErrorsTrustMgr };
    else
        trustManagers = getTrustManagers(keyAlgorithm, trustStorePath, trustStoreType, trustStorePwd);

    try {
        SSLContext ctx = SSLContext.getInstance(protocol);

        // No explicit SecureRandom: the provider's default source is used.
        ctx.init(keyManagers, trustManagers, null);

        return ctx;
    }
    catch (NoSuchAlgorithmException e) {
        throw new ClientError("SSL context cryptographic algorithm is not available", e);
    }
    catch (KeyManagementException e) {
        throw new ClientError("Failed to create SSL Context", e);
    }
}
