This site hosts historical documentation. Visit www.terracotta.org for recent product information.
Note: For a brief overview of Terracotta security with links to individual topics, see Security Overview.
SSL security for BigMemory Cross-Language Clients requires setup for two main connections:
- between the TSA and the CL Connector, and
- between the CL Connector and the BigMemory Client.
Because the CL Connector is a client of the TSA, security setup for the first connection is the same as the setup between an application server (a client of the Terracotta server) and its Terracotta server. (The app server or CL Connector is referred to as the L1, and the Terracotta server is referred to as the L2.) For information about the security between the TSA and the CL Connector, go to the Securing Terracotta Clusters page.
For setting up SSL security between the CL Connector and the BigMemory Client, ensure that the following configurations are in place:
The CL Connector's tc-config.xml must contain the necessary security references. For an example tc-config.xml, refer to this configuration example.
The TSA security files must be in the correct location. If your tc-config.xml file references relative paths, the security files must be located correctly. For example, if your path is file:keys/keyChain-relative.key, the files must be in the keys subdirectory under the Terracotta server installation.
The CL Connector username and password must be the same as those stored in the TSA's auth file. The username is stored in the CL Connector's ehcache.xml file, for example:
//non-secured:
<terracottaConfig url="localhost:9510"/>
//secured:
<terracottaConfig url="admin@localhost:9510"/>
The password is stored in the CL Connector's keychain, and the keychain location can be given through a system property. For example:
-Dcom.tc.security.keychain.url=file:/path/to/CrossLanguage/keys/l1keychain.key
The cross-lang-config.xml file must indicate the truststore and keystore of the CL Connector:
<?xml version="1.0"?>
<xplatform xmlns="http://www.ehcache.org/xplatform"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.ehcache.org/xplatform ../../main/xsd/xplatform.xsd">
    <bind ip="*" port="8199" type="nirvana"/>
    <secureinterface>
        <keystore location="/path/to/CL-keystore.jks"/>
        <truststore location="/path/to/CL-truststore.jks" password="123"/>
    </secureinterface>
</xplatform>
The keystore contains the certificate for the security between the BigMemory Client and the CL Connector. The truststore contains the certificate of the TSA, that is, it holds the list of trusted parties you intend to communicate with.
Depending upon your security setup, you may need to start the CL Connector with some of the following system properties:
-Dcom.tc.security.keychain.url=file:/path/to/CrossLanguage/keys/l1keychain.key
-DSecretProvider.secret=secret
-Djavax.net.ssl.trustStore=keys/CL-truststore.jks
-Djavax.net.ssl.trustStorePassword=password
-Dtc.ssl.trustAllCerts=true
-Dtc.ssl.disableHostnameVerifier=true
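A pre-start check for the CL Connector's SSL configuration, added here as an example; it is not part of the Terracotta documentation or product. It parses the <secureinterface> section of cross-lang-config.xml (the xplatform namespace from the snippet above) and scans the JVM arguments for the properties listed above; the sample config is constructed, and the descriptions of what trustAllCerts and disableHostnameVerifier weaken are my reading of the property names.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Namespace used by cross-lang-config.xml (taken from the snippet above)
NS = {"x": "http://www.ehcache.org/xplatform"}

# Constructed sample, modelled on the page's cross-lang-config.xml
SAMPLE_CONFIG = """<?xml version="1.0"?>
<xplatform xmlns="http://www.ehcache.org/xplatform">
  <bind ip="*" port="8199" type="nirvana"/>
  <secureinterface>
    <keystore location="/path/to/CL-keystore.jks"/>
    <truststore location="/path/to/CL-truststore.jks" password="123"/>
  </secureinterface>
</xplatform>
"""

# JVM arguments that weaken TSA authentication; my reading of the property names
WEAKENING_ARGS = {
    "-Dtc.ssl.trustAllCerts=true":
        "trustAllCerts=true: the TSA certificate is not validated against the truststore",
    "-Dtc.ssl.disableHostnameVerifier=true":
        "disableHostnameVerifier=true: the TSA hostname is not checked against its certificate",
}


def audit_secure_interface(xml_text, jvm_args=(), check_files=False):
    """Return findings for a CL Connector <secureinterface> and its JVM args (empty = nothing weak)."""
    findings = []
    root = ET.fromstring(xml_text)
    sec = root.find("x:secureinterface", NS)
    if sec is None:
        return ["no <secureinterface>: no SSL configured for BigMemory Client connections"]
    for store in ("keystore", "truststore"):
        el = sec.find(f"x:{store}", NS)
        if el is None:
            findings.append(f"missing <{store}> element")
            continue
        loc = el.get("location")
        if not loc:
            findings.append(f"<{store}> has no location attribute")
        elif check_files and not Path(loc).is_file():  # only meaningful on the CL Connector host
            findings.append(f"{store} file not found: {loc}")
        if el.get("password") is not None:
            findings.append(f"<{store}> password is stored in clear text in cross-lang-config.xml")
    for arg in jvm_args:
        if arg in WEAKENING_ARGS:
            findings.append(WEAKENING_ARGS[arg])
        elif arg.startswith("-Djavax.net.ssl.trustStorePassword="):
            findings.append("truststore password is passed on the command line and visible in process listings")
    return findings
```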
Provide the client keychain with an entry for the keystore location, for example:
..\..\tools\security\bin\keychain.bat keys/l1keychain.key keys/CL-keystore.jks
Add self-signed certificates to the truststore.
a. Add the client certificate.
b. Add the truststore.
To add the client certificate for Windows:
SelfSignedCert.crt
To add the truststore for Windows:
SelfSignedCert.crt
For more information about adding self-signed certificates to the client CA file, see: