LATEST VERSION: 8.2.7 - CHANGELOG
Pivotal GemFire® v8.2

Using PKCS for Encrypted Authentication

Using PKCS for Encrypted Authentication

This section discusses the concepts and configurations for the sample UserPassword and PKCS implementations. Descriptions of their interfaces, classes, and methods are available in the online API.

Note: Native client samples are provided in source form only in the "templates" directory within the product directory.
Disclaimer: These security samples serve only as example implementations. The implementation and its source code is provided on an "as-is" basis, without warranties or conditions of any kind, either express or implied. You can modify these samples to suit your specific requirements and security providers. GemStone Systems, Inc. takes no responsibility and accepts no liability for any damage to computer equipment, companies or personnel that might arise from the use of these samples.

With PKCS, clients send encrypted authentication credentials in the form of standard PKCS signatures to a GemFire cache server when they connect to the server. The credentials consist of the alias name and digital signature created using the private key that is retrieved from the provided keystore. The server uses a corresponding public key to decrypt the credentials. If decryption is successful then the client is authenticated and it connects to the cache server. For unsuccessful decryption, the server sends an AuthenticationFailedException to the client, and the client connection to the cache server is closed.

When clients require authentication to connect to a cache server, they use the PKCSAuthInit class implementing the AuthInitialize interface to obtain their credentials. For the PKCS sample provided by GemFire, the credentials consist of an alias and an encrypted byte array. The private key is obtained from the PKCS#12 keystore file. To accomplish this, PKCSAuthInit gets the alias retrieved from the security-alias property, and the keystore path from the security-keystorepath property. PKCSAuthInit also gets the password for the password-protected keystore file from the security-keystorepass property so the keystore can be opened.

Building the securityImpl Library

To use the PKCS sample implementation, you need to build OpenSSL and then build the securityImpl library. In the gfcpp.properties file for the client, specify the PKCSAuthInit callback, the keystore path, the security alias, and the keystore password, like this:
security-client-auth-library=securityImpl
security-client-auth-factory=createPKCSAuthInitInstance
security-keystorepath=<PKCS#12 keystore path>
security-alias=<alias>
security-keystorepass=<keystore password>

For server side settings, see the description of PKCS sample in the Security chapter in the GemFire User's Guide.