Implement Security

GemFire can authenticate peer system members, clients, and remote gateways. GemFire can also authorize cache operations on a server from clients. A distributed system using authentication bars malicious peers or clients, and deters inadvertent access to its cache. Client operations on a cache server can be restricted or completely blocked based on the roles and permissions assigned to the credentials submitted by the client.

You can use GemFire security for secure communication, to authorize system membership, and to authorize specific activities in the cache:
  1. Use locators for peer discovery within the distributed system and for client discovery of servers. See Configuring Peer-to-Peer Discovery and Configuring a Client/Server System.
  2. Use consistent security settings between similar processes in a single distributed system. For example, configure all servers in a system with the same client authentication settings.
  3. Implement membership authentication. Depending on your installation and security requirements, you may use a combination of peer-to-peer, client/server, and multi-site settings.
  4. If you have a client/server system, implement any authorized access control your servers will use for clients attempting to access or modify the cache.
  5. If you want to use the Secure Sockets Layer (SSL) protocol for your peer-to-peer and client/server connections, configure it.

Where to Place Security Configuration Settings

Any security-related configuration properties (those that begin with security-*) that are normally configured in gemfire.properties can be moved to a separate gfsecurity.properties file. Placing these settings in a separate file allows you to restrict access to security configuration data while still allowing read or write access to your gemfire.properties file.

Upon startup, GemFire processes will look for the gfsecurity.properties file in the following locations in order:
  • current working directory
  • user's home directory
  • classpath

If any password-related security properties are listed in the file but have a blank value, the process will prompt the user to enter a password upon startup.
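
The following shell script is an added example, not part of the GemFire documentation or product. It moves the security-* lines out of gemfire.properties into an owner-only gfsecurity.properties and lists the password properties left blank, which are the ones a process would prompt for at startup. It assumes plain key=value lines and that "password-related" means the key contains "password"; the sample property values are constructed.

```shell
#!/bin/sh
# Move every security-* line from $1 (gemfire.properties) into $2
# (gfsecurity.properties) and make $2 readable by its owner only.
split_security_props() (
    src=$1 dst=$2
    umask 077                    # files created below are owner-only
    tmp=$(mktemp "${src}.XXXXXX") || exit 1
    # grep exits 1 when nothing matches; only a real error (2) is fatal.
    grep -E  '^[[:space:]]*security-' "$src" >> "$dst" || [ $? -eq 1 ] || exit 2
    grep -Ev '^[[:space:]]*security-' "$src" >  "$tmp" || [ $? -eq 1 ] || exit 2
    chmod 600 "$dst"             # also tightens a pre-existing file
    cat "$tmp" > "$src"          # rewrite in place, keeping the mode of $src
    rm -f "$tmp"
)

# Print the password-related properties in $1 that have a blank value.
# Assumption: a key is "password-related" when it starts with security-
# and contains "password"; lines are in key=value form.
blank_password_props() {
    awk -F= '{
        key = $1; val = $2
        gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
        if (key ~ /^security-.*password/ && val == "") print key
    }' "$1"
}

# Demo on constructed sample data (class name and values are made up).
demo=$(mktemp -d)
cat > "$demo/gemfire.properties" <<'EOF'
log-level=config
security-client-authenticator=com.example.SampleAuthenticator.create
security-password=
EOF
split_security_props "$demo/gemfire.properties" "$demo/gfsecurity.properties"
blank_password_props "$demo/gfsecurity.properties"
ls -l "$demo/gfsecurity.properties"
rm -rf "$demo"
```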

Related Topics
com.gemstone.gemfire.security