Cross-Language Connector SSL Security

Note: For a brief overview of Terracotta security with links to individual topics, see Security Overview.

SSL security for BigMemory Cross-Language Clients requires setup for two main connections:

  • Between the Terracotta Server Array (TSA) and the Cross-Language (CL) Connector
  • Between the CL Connector and the BigMemory .NET or C++ client

Because the CL Connector is a client of the TSA, security setup for this connection is the same as the setup between an application server (a client of the Terracotta server) and its Terracotta server. (The app server or CL Connector is referred to as the L1, and the Terracotta server is referred to as the L2.) For information about the security between the TSA and the CL Connector, go to the Securing Terracotta Clusters page.

Security between the CL Connector and the BigMemory Client

For setting up SSL security between the CL Connector and the BigMemory Client, ensure that the following configurations are in place:

  1. The CL Connector's tc-config.xml must contain the necessary security references:

    • An L2 keystore with the certificate
    • An L2 keychain to open the keystore
    • An authentication file, with the user for the CL Connector

    For an example tc-config.xml, refer to this configuration example.

  2. The TSA security files must be in the correct location.

    If your tc-config.xml file references relative paths, the security files must be located correctly. For example, if your path is file:keys/keyChain-relative.key, the files must be in the keys subdirectory under the Terracotta server installation.

  3. The CL Connector username and password must be the same as those stored in the TSA's auth file.

    The username is stored in the CL Connector's ehcache.xml file, for example:

    <!-- non-secured: -->
    <terracottaConfig url="localhost:9510"/>

    <!-- secured: -->
    <terracottaConfig url="admin@localhost:9510"/>
    

    The password is stored in the CL Connector's keychain, and the keychain location can be given through a system property. For example:

    -Dcom.tc.security.keychain.url=file:/path/to/CrossLanguage/keys/l1keychain.key
    
  4. The cross-lang-config.xml file must indicate the truststore and keystore of the CL Connector:

      <?xml version="1.0"?>
      <xplatform xmlns="http://www.ehcache.org/xplatform"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://www.ehcache.org/xplatform ../../main/xsd/xplatform.xsd">
    
        <bind ip="*" port="8199" type="nirvana"/>
    
        <secureinterface>
          <keystore location="/path/to/CL-keystore.jks"/>
          <truststore location="/path/to/CL-truststore.jks" password="123"/>
        </secureinterface>
    
      </xplatform>
    

    The keystore contains the certificate for the security between the BigMemory Client and the CL Connector. The truststore contains the certificate of the TSA, that is, it holds the list of trusted parties you intend to communicate with.

  5. Depending upon your security setup, you may need to start the CL Connector with some of the following system properties (the last two disable certificate validation and hostname verification, respectively):

    -Dcom.tc.security.keychain.url=file:/path/to/CrossLanguage/keys/l1keychain.key
    -DSecretProvider.secret=secret
    -Djavax.net.ssl.trustStore=keys/CL-truststore.jks
    -Djavax.net.ssl.trustStorePassword=password
    -Dtc.ssl.trustAllCerts=true
    -Dtc.ssl.disableHostnameVerifier=true  
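
As an added check that is not part of Terracotta or its documentation, the following Python script parses the <secureinterface> block of a cross-lang-config.xml and the connector's JVM flags, and reports the settings that weaken the SSL setup: a store file that is not where the configuration points, a store password kept in clear text, and the validation-disabling properties from step 5. The xplatform namespace, element names and property names are those shown on this page; the sample configuration, command line and file list are constructed.

```python
import shlex
import xml.etree.ElementTree as ET
NS = {"x": "http://www.ehcache.org/xplatform"}  # namespace used by cross-lang-config.xml
# Step 5 properties that switch off certificate checks on the connector side.
VALIDATION_DISABLERS = {"tc.ssl.trustAllCerts": "certificate chain validation disabled",
                        "tc.ssl.disableHostnameVerifier": "hostname verification disabled"}

# Constructed sample input modelled on the steps above; only the keystore "exists" on disk.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<xplatform xmlns="http://www.ehcache.org/xplatform">
  <secureinterface>
    <keystore location="/path/to/CL-keystore.jks"/>
    <truststore location="/path/to/CL-truststore.jks" password="123"/>
  </secureinterface>
</xplatform>"""
SAMPLE_CMDLINE = ("java -Dcom.tc.security.keychain.url=file:/path/to/l1keychain.key "
                  "-Djavax.net.ssl.trustStorePassword=password -Dtc.ssl.trustAllCerts=true "
                  "-Dtc.ssl.disableHostnameVerifier=true -jar connector.jar")
SAMPLE_FILES = frozenset({"/path/to/CL-keystore.jks"})

def parse_system_properties(cmdline):
    """Return {name: value} for every -Dname=value token on a JVM command line."""
    return dict(tok[2:].split("=", 1) for tok in shlex.split(cmdline)
                if tok.startswith("-D") and "=" in tok)

def audit_secure_interface(xml_text, existing_files):
    """Check that both stores are declared, present on disk and free of clear-text secrets."""
    si = ET.fromstring(xml_text).find("x:secureinterface", NS)
    if si is None:
        return ["no <secureinterface>: the client connection is not SSL-protected"]
    findings = []
    for store in ("keystore", "truststore"):
        el = si.find(f"x:{store}", NS)
        if el is None:
            findings.append(f"{store}: element missing")
            continue
        if el.get("location") not in existing_files:
            findings.append(f"{store}: file not found at {el.get('location')}")
        if el.get("password") is not None:
            findings.append(f"{store}: password stored in clear text in cross-lang-config.xml")
    return findings

def audit_system_properties(props):
    """Flag properties that disable validation or expose a store password on the command line."""
    findings = [f"{k}=true: {msg}" for k, msg in VALIDATION_DISABLERS.items()
                if props.get(k, "").lower() == "true"]
    if "javax.net.ssl.trustStorePassword" in props:
        findings.append("javax.net.ssl.trustStorePassword: readable from the process list")
    return findings
```

Run against the sample, the truststore path and its password attribute plus all three command-line flags are reported; an empty list from both functions means the checks here found nothing.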
    

Security for the BigMemory Client

  1. Provide the client keychain with an entry for the keystore location, for example:

    ..\..\tools\security\bin\keychain.bat keys/l1keychain.key keys/CL-keystore.jks
    
  2. Add self-signed certificates to the truststore.

    a. Add the client certificate.

    b. Add the truststore.

    To add the client certificate for Windows:

    1. Open the Start menu, click Run, and enter "certmgr.msc".
    2. In the new window, expand the "Personal" folder and right-click the "Certificates" folder.
    3. Select "All Tasks->Import...".
    4. Follow the instructions and import the client certificate, SelfSignedCert.crt.

    To add the truststore for Windows:

    1. Open the Start menu, click Run, and enter "certmgr.msc".
    2. In the new window, expand the "Trusted Root Certification Authorities" folder and right-click the "Certificates" folder.
    3. Select "All Tasks->Import...".
    4. Follow the instructions and import the truststore, SelfSignedCert.crt.

For more information about adding self-signed certificates to the client CA file, see: