Coherence password-provider interface example anyone?

4299113 Member Posts: 3
edited Sep 1, 2020 9:27AM in Coherence Support

Hi All,

   I've attempted to follow the documentation for implementing a custom password-provider to securely supply the passwords for the keystore and key for an SSL-secured extend-proxy. The docs I've attempted to follow are:

  If I try to cut and paste from the example I get XML processing errors and class cast exceptions. Without going into details, I wonder if anyone has actually used this successfully and could give an example config? Certainly I've not been able to use the ones in the docs.

Your help will be greatly appreciated.

thanks + kind regards,

Kaveh.

Best Answer

  • 4299113
    4299113 Member Posts: 3
    edited Sep 1, 2020 9:27AM Accepted Answer

    So in case it's of use to anyone else, my mistake was to try to put the configuration in the cache config XML. What I needed to do was to put the socket-provider configuration in the tangosol-coherence-override.xml and then reference the socket provider by name in the cache config XML file.

    so  tangosol-coherence-override.xml


        <cluster-config>
          <socket-providers>
            <socket-provider id="OneWaySSL">
              <ssl>
                <protocol>TLS</protocol>
                <!-- identity manager results in Cluster Side SSL -->
                <identity-manager>
                  <algorithm>SunX509</algorithm>
                  <!-- keystore where the cluster side SSL Certificate is Stored -->
                  <key-store>
                    <url>file:server.jks</url>
                    <password-provider>
                      <name>ssl_key_store_pass</name>
                    </password-provider>
                    <type>JKS</type>
                  </key-store>
                  <!-- cluster side SSL Private Key Password -->
                  <password-provider>
                    <name>ssl_key_pass</name>
                  </password-provider>
                </identity-manager>
                <socket-provider>tcp</socket-provider>
              </ssl>
            </socket-provider>
          </socket-providers>
          <password-providers>
            <password-provider id="ssl_key_store_pass">
              <class-name>com.company.security.coherence.PasswordProvider</class-name>
              <init-params>
                <init-param>
                  <param-type>String</param-type>
                  <param-value>changeit</param-value>
                </init-param>
              </init-params>
            </password-provider>
            <password-provider id="ssl_key_pass">
              <class-name>com.company.security.coherence.PasswordProvider</class-name>
              <init-params>
                <init-param>
                  <param-type>String</param-type>
                  <param-value>PrivateKeySecret</param-value>
                </init-param>
              </init-params>
            </password-provider>
          </password-providers>
        </cluster-config>

    and then in your cache config


        <proxy-scheme>
          <!-- name of the extend proxy service - this must match client side -->
          <service-name>ExtendTcpCacheService</service-name>
          <acceptor-config>
            <tcp-acceptor>
              <socket-provider>OneWaySSL</socket-provider>
              ...
            </tcp-acceptor>
          </acceptor-config>
        </proxy-scheme>
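Added example, not part of the original post and not Oracle's code: one possible class to put behind the `<class-name>` of a `<password-provider>` entry, implementing Coherence's `com.tangosol.net.PasswordProvider` interface. It assumes the single String `<init-param>` holds the path to a file containing the password, rather than the password itself (`changeit`, `PrivateKeySecret`) as in the post, so the secret stays out of the override file. The package, the class name `FilePasswordProvider` and the one-secret-per-file layout are hypothetical.

```java
package com.example.security; // hypothetical package name

import com.tangosol.net.PasswordProvider;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Arrays;
import java.util.Set;

/** Hypothetical provider: the String init-param is a file path, not the secret. */
public class FilePasswordProvider implements PasswordProvider {
    private final Path secretFile;

    // Coherence passes the <init-param> value to this constructor.
    public FilePasswordProvider(String path) {
        this.secretFile = Paths.get(path);
    }

    @Override
    public char[] get() {
        try {
            // Refuse a secret file that group or others can read (POSIX file systems
            // only; on others this call throws UnsupportedOperationException).
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(secretFile);
            if (perms.contains(PosixFilePermission.GROUP_READ)
                    || perms.contains(PosixFilePermission.OTHERS_READ)) {
                throw new IllegalStateException(secretFile + " must be readable by its owner only");
            }
            byte[] raw = Files.readAllBytes(secretFile);
            CharBuffer chars = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(raw));
            Arrays.fill(raw, (byte) 0);               // wipe the byte copy
            int len = chars.remaining();
            while (len > 0 && (chars.get(len - 1) == '\n' || chars.get(len - 1) == '\r')) {
                len--;                                // drop a trailing newline
            }
            char[] password = new char[len];
            chars.get(password, 0, len);
            if (chars.hasArray()) Arrays.fill(chars.array(), '\0'); // wipe the decoded copy
            return password;
        } catch (IOException e) {
            throw new UncheckedIOException("cannot read " + secretFile, e);
        }
    }
}
```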
