Though I've set up SSL between all Ignite nodes and the whole Ignite cluster is secured, I'm able to access the data through the JDBC thin client without passing any SSL configs. Does it mean that, though the cluster is secured, we can connect without passing any SSL config/cert?
I want no one to be able to connect to the Ignite cluster unless the required SSL certs are provided. Is that possible to achieve?
You need to explicitly enable SSL for thin protocols:
https://www.gridgain.com/docs/latest/developers-guide/thin-clients/getting-started-with-thin-clients#enabling-ssltls-for-thin-clients
<property name="clientConnectorConfiguration">
    <bean class="org.apache.ignite.configuration.ClientConnectorConfiguration">
        <property name="sslEnabled" value="true"/>
    </bean>
</property>
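Enabling SSL on the thin-client connector encrypts the connection, but rejecting clients that present no certificate also needs client authentication switched on. The configuration below is an added example, not part of the original answer: it sets `sslClientAuth` on the same `ClientConnectorConfiguration` bean and gives the connector its own `SslContextFactory`; the key store and trust store paths and the passwords are placeholders.

```xml
<bean id="ignite.cfg" class="org.apache.ignite.configuration.IgniteConfiguration">
    <!-- Thin-client listener (JDBC, ODBC, thin clients; default port 10800). -->
    <property name="clientConnectorConfiguration">
        <bean class="org.apache.ignite.configuration.ClientConnectorConfiguration">
            <!-- Encrypt thin-client traffic. This is off by default,
                 independently of the node-to-node SSL settings. -->
            <property name="sslEnabled" value="true"/>
            <!-- Require a client certificate that validates against the
                 trust store below; connections without one are refused. -->
            <property name="sslClientAuth" value="true"/>
            <!-- Use the factory defined here rather than the node-level
                 IgniteConfiguration.sslContextFactory. -->
            <property name="useIgniteSslContextFactory" value="false"/>
            <property name="sslContextFactory">
                <bean class="org.apache.ignite.ssl.SslContextFactory">
                    <!-- Placeholder paths and passwords: substitute your own. -->
                    <property name="keyStoreFilePath" value="/path/to/server.jks"/>
                    <property name="keyStorePassword" value="CHANGE_ME"/>
                    <property name="trustStoreFilePath" value="/path/to/trust.jks"/>
                    <property name="trustStorePassword" value="CHANGE_ME"/>
                </bean>
            </property>
        </bean>
    </property>
</bean>
```

With this in place a JDBC thin connection has to supply its own key store and trust store, for example through the driver's `sslMode=require`, `sslClientCertificateKeyStoreUrl` and `sslTrustCertificateKeyStoreUrl` connection parameters together with the matching password parameters.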
Related
I am trying to use Zookeeper for node discovery with Apache Ignite. I have configured Zookeeper to only accept SSL/TLS connections. How do I provide Zookeeper keystore detail to Apache Ignite ZookeeperDiscoverySpi? I have checked the documentation and source code of ignite-zookeeper.jar and I do not see any options to supply these details? Should I be providing these details elsewhere in the ignite config?
Solution:
Replace the ignite-zookeeper.jar dependency zookeeper-3.4.6.jar with the latest zookeeper-3.5.x.jar for proper SSL/Netty support.
Supply the SSL config details as JVM arguments (there are no options for this in the Ignite SPI API).
I am using service fabric sdk 2.5 with VS 2015. I have seen the article How to configure and enable Azure Service Fabric Reverse Proxy for an existing on-premises cluster? and tried to access my service via reverse proxy. But I am getting a message "Unable to connect". I have the below settings in FabricHostSettings.xml
<Parameter Name="HttpApplicationGatewayListenAddress" Value="19081" />
<Parameter Name="HttpApplicationGatewayProtocol" Value="http" />
Can anyone help to test the reverse proxy setup in a local dev cluster?
Reverse proxy appears enabled by default now for local dev cluster. Check clusterManifest.xml and FabricHostSettings.xml in C:\SfDevCluster\Data for configured ports. Default is 19081.
I need to secure my ZooKeeper with SSL and then configure the Kafka broker to access ZooKeeper with SSL.
Is it possible?
And if yes, how?
Thanks
Alain
I've configured a node locally and can access it via http://localhost:47100/ignite; however, when I execute a command like getting the node version to try to read and write to a cache, I get the following response: ÿ|h2—Ÿ™Lá·šŠHpT«Ã
My setup is very basic - I have a single Ignite node running on a Windows machine. The node is using one of the sample cache examples when starting the node.
Should I be using a separate port, or do I need to enable the REST API?
Enter into your IGNITE_HOME folder
Copy folder IGNITE_HOME/lib/optional/ignite-rest-http into IGNITE_HOME/lib
Start-up one node
bin/ignite.sh -i
or
bin/ignite.bat -i
Check with netstat -tna ... listening port on 8080
Check on your browser http://localhost:8080/ignite?cmd=version
Ports 47100 and 47500 are used by Ignite for internal communication and discovery. By default REST API (when enabled) binds to port 8080.
If you need to change the port used for HTTP REST, you can do it by either setting IGNITE_JETTY_PORT system property or by providing a path to the Jetty configuration file in ConnectorConfiguration object which is set to IgniteConfiguration:
<bean id="ignite.cfg" class="org.apache.ignite.configuration.IgniteConfiguration">
    <property name="connectorConfiguration">
        <bean class="org.apache.ignite.configuration.ConnectorConfiguration">
            <property name="jettyPath" value="/path/to/jetty/configuration.xml"/>
        </bean>
    </property>
    ...
Note that the system property overrides the port value set in Jetty XML configuration.
Our architecture is:
external users<---https--->web server(Apache HTTP server)<----->webapp server (tomcat)
We fail to pass IBM AppScan, which is used to detect any security defects in the webapp server, because it finds that the secure="yes" attribute has not been added to our port in our Tomcat server.xml file.
However, the secure="yes" attribute should not be added to the Tomcat server.xml file because we do not need a secure connection between the web server and the webapp server.
How can we fix the issue?
Is there any secure="yes" attribute that can be added to the configuration file of the web server (Apache HTTP Server)?
Thanks & Regards,
Gordon
If your users are accessing Tomcat (indirectly) through Apache httpd using TLS (https:// URL) then it is entirely appropriate to set secure="true" in your <Connector>. This tells your web application that the request being received is secure even when it is not (e.g. you are using plain-HTTP between httpd and Tomcat).
So, if you have set scheme="https" on your <Connector> then you probably want to also set secure="true".
This is not a configuration change that you can make on the Apache httpd side... it must be done in Tomcat.