How to connect TMC locally to an SSL-secured TSA

Abstract #

This article describes a local setup that enables SSL on a Terracotta Server Array (TSA) and connects a local Terracotta Management Console (TMC) to it. Everything is based on Terracotta 4.3.1.x.

Setting up SSL for TSA #

A detailed description of how to set up a Terracotta Server Array (TSA) is in the documentation:

Terracotta Big Memory Max Security Set Up.

To enable the Terracotta Management Console to connect to a secured cluster, see: Terracotta Management Console Security

Set Up Keystore #

For self-generated certificates (development or test only) use keytool from the JDK. A JKS keystore and a truststore are the same file format (a keystore holds private keys with their certificates, a truststore holds the certificates you trust), so one file can serve both purposes; that is done in this example. One keystore is used for all server instances and one for the client (the Terracotta Management Console, TMC). Pass -keyalg RSA explicitly: older keytool versions default to a 1024-bit DSA key when no algorithm is given.

keytool -genkeypair -keyalg RSA -keysize 2048 -keystore server/keystore.jks -dname "CN=localhost, OU=Terracotta, O=SAG, L=Hamburg, S=Hamburg, C=US" -alias serveralias -storepass 'store1Pass!' -keypass 'store1Pass!'
keytool -genkeypair -keyalg RSA -keysize 2048 -keystore client/keystore.jks -dname "CN=localhost, OU=Terracotta, O=SAG, L=Hamburg, S=Hamburg, C=US" -alias clientalias -storepass 'store1Pass!' -keypass 'store1Pass!'

Export a Public Certificate #

Export from each keystore:

keytool -exportcert -alias serveralias -keystore server/keystore.jks -storepass 'store1Pass!' -file server/serverSignedCert.cert
keytool -exportcert -alias clientalias -keystore client/keystore.jks -storepass 'store1Pass!' -file client/clientSignedCert.cert

Import Public Certificate #

Import each certificate into the other party's keystore (which doubles as its truststore): the server certificate into the client keystore and the client certificate into the server keystore. keytool shows the certificate fingerprint and asks for confirmation before adding it as a trusted entry:

keytool -importcert -alias serveralias -file server/serverSignedCert.cert -keystore client/keystore.jks -storepass 'store1Pass!'

keytool -importcert -alias clientalias -file client/clientSignedCert.cert -keystore server/keystore.jks -storepass 'store1Pass!'
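The three steps above (generate, export, cross-import) as one script, added here as an example; it is not part of the Terracotta distribution or of the original article. It keeps the page's aliases and password, takes the target directory as a parameter (an assumption, the page uses server/ and client/ relative to the current directory), and ends with a check a practitioner wants before touching the keychain: each store must hold its own private key plus a trusted copy of the peer certificate that is byte for byte the certificate the peer actually uses. keytool must be on the PATH.

```shell
# Added example (not Terracotta code): build and cross-trust the two JKS files.
DNAME='CN=localhost, OU=Terracotta, O=SAG, L=Hamburg, ST=Hamburg, C=US'

# make_keystore <dir> <alias> <password>
# One JKS file that is both keystore and truststore (development/test only).
# -keyalg RSA is explicit because older keytool defaults to 1024-bit DSA.
make_keystore() {
  dir=$1; name=$2; pw=$3
  mkdir -p "$dir"
  keytool -genkeypair -storetype JKS -keystore "$dir/keystore.jks" \
    -alias "$name" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "$DNAME" -storepass "$pw" -keypass "$pw"
  # Export the public certificate as PEM for the peer to import.
  keytool -exportcert -rfc -keystore "$dir/keystore.jks" -alias "$name" \
    -storepass "$pw" -file "$dir/${name}.cert"
}

# trust_peer <dir> <peer-cert-file> <peer-alias> <password>
# -noprompt: the fingerprint check is done programmatically in verify_trust.
trust_peer() {
  keytool -importcert -noprompt -keystore "$1/keystore.jks" -alias "$3" \
    -file "$2" -storepass "$4"
}

# cert_pem <keystore> <alias> <password>: the entry's certificate as PEM.
cert_pem() {
  keytool -list -rfc -keystore "$1" -alias "$2" -storepass "$3" \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# verify_trust <dir> <own-alias> <peer-dir> <peer-alias> <password>
# Succeeds only if <dir>/keystore.jks contains its own PrivateKeyEntry and a
# trustedCertEntry for the peer whose PEM equals the peer's own certificate.
verify_trust() {
  dir=$1; own=$2; peer=$3; peer_alias=$4; pw=$5
  keytool -list -keystore "$dir/keystore.jks" -storepass "$pw" \
    | grep -q "^$own,.*PrivateKeyEntry" || return 1
  keytool -list -keystore "$dir/keystore.jks" -storepass "$pw" \
    | grep -q "^$peer_alias,.*trustedCertEntry" || return 1
  [ "$(cert_pem "$dir/keystore.jks" "$peer_alias" "$pw")" = \
    "$(cert_pem "$peer/keystore.jks" "$peer_alias" "$pw")" ]
}

# setup_dev_pki <root> <password>: the complete procedure from this page.
# Creates <root>/server/keystore.jks and <root>/client/keystore.jks.
setup_dev_pki() {
  root=$1; pw=$2
  make_keystore "$root/server" serveralias "$pw"
  make_keystore "$root/client" clientalias "$pw"
  trust_peer "$root/client" "$root/server/serveralias.cert" serveralias "$pw"
  trust_peer "$root/server" "$root/client/clientalias.cert" clientalias "$pw"
  verify_trust "$root/server" serveralias "$root/client" clientalias "$pw" &&
    verify_trust "$root/client" clientalias "$root/server" serveralias "$pw"
}

# Usage: setup_dev_pki ./tc-ssl 'store1Pass!' && echo "keystores cross-trusted"
```

Run it once per environment; if verify_trust fails, the usual cause is a stale keystore from an earlier run with a different key under the same alias, so delete both files and start again rather than importing on top.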

Set Up TSA Authentication #

A secured TSA cluster uses an internal authentication mechanism. LDAP is also possible (refer to the documentation); this example uses the file-based user management. To set up users and roles use:

<TCInstallDir>/tools/security/bin/usermanagement.sh (or bat).

Create User #

This user is used throughout to connect to TMC and TSA (user name: user).

tools/security/bin/usermanagement.sh -c /Terracotta/install/bigmemory-max-4.3.0.1.17/server/terracotta.ini user terracotta admin operator

If the .ini file already exists, omit the -c option (-c creates the file).

The Keychain File #

The keychain stores all passwords (including those for the key/truststore), each keyed by the access URL it belongs to. Please refer to Security Related Files.

Create the Keychain File #

To create the file use <installDir>/tools/security/bin/keychain.sh (or .bat).

In this setup one keychain file is shared by the client (TMC) and the servers (TSA). Be sure to use the same password as for the keystore.

Use -c to create the file; after creation omit -c. -O selects an obfuscated keychain without a master password, which is acceptable for a local test but not for production.

tools/security/bin/keychain.sh -O -c /Terracotta/install/bigmemory-max-4.3.0.1.17/keychain/keychain jks:serveralias@/Terracotta/install/bigmemory-max-4.3.0.1.17/server/keystore.jks

tools/security/bin/keychain.sh -O /Terracotta/install/bigmemory-max-4.3.0.1.17/keychain/keychain https://localhost:9770/tc-management-api

Add the access URLs of all parties: the client and every server in the cluster (refer to the documentation). After setting up the keychain, check its contents:

tools/security/bin/keychain.sh -O /Terracotta/install/bigmemory-max-4.3.0.1.17/keychain/keychain -@

When the servers start, their console output reports any keychain entries that are missing. When TMC starts, its logs likewise report the URLs that are missing. Example listing for the stripes and TMC:

jmx://admin@localhost:9443 : store1Pass!//
jks:clientalias@/Users/rai/.tc/mgmt/client/keystore.jks : store1Pass!
tc://user@localhost:9570 : store1Pass!//
tc://user@localhost:9530 : store1Pass!//
tc://user@localhost:9541 : store1Pass!//
tc://user@localhost:9540 : store1Pass!//
tc://admin@localhost:9510 : store1Pass!//
jmx://user@localhost:9443 : store1Pass!//
user : store1Pass!
jks:serveralias@/Users/rai/.tc/mgmt/server/keystore.jks : store1Pass!
tc://user@localhost:9510 : store1Pass!//
tc://user@localhost:9740 : store1Pass!//
https://localhost:9541/tc-management-api : store1Pass!
https://localhost:9540/tc-management-api : store1Pass!
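Rather than waiting for the servers and TMC to complain about missing entries, the keychain can be checked against tc-config.xml up front. The script below is an added example, not Terracotta code: it derives the entries a server expects from its tc-config.xml and diffs them against the output of `keychain.sh -O <file> -@`, and it flags entries whose secret differs from the keystore password the page says every entry must share. The rule it applies (tc://<user>@<host>:<tsa-port>, tc://<user>@<host>:<tsa-group-port>, https://<host>:<tsa-port + 30>/tc-management-api and the jks: certificate URL) is inferred from the listing above and the port numbers on this page, not taken from the product documentation; the jmx:// and bare user entries TMC itself asks for are not derived.

```shell
# Added example (not Terracotta code): keychain completeness check.

# required_keychain_keys <tc-config.xml>
# One line per expected key, derived per <server> element (see assumptions
# in the text: management API port assumed to be tsa-port + 30).
required_keychain_keys() {
  awk '
    /<server[ \t]/     { host=$0; sub(/.*host="/, "", host); sub(/".*/, "", host) }
    /<tsa-port>/       { tsa=$0;  sub(/.*<tsa-port>/, "", tsa);  sub(/<.*/, "", tsa) }
    /<tsa-group-port>/ { grp=$0;  sub(/.*<tsa-group-port>/, "", grp); sub(/<.*/, "", grp) }
    /<certificate>/    { cert=$0; sub(/.*<certificate>/, "", cert); sub(/<.*/, "", cert) }
    /<user>/           { user=$0; sub(/.*<user>/, "", user); sub(/<.*/, "", user) }
    /<\/server>/ {
      print "tc://" user "@" host ":" tsa
      if (grp != "") print "tc://" user "@" host ":" grp
      print "https://" host ":" (tsa + 30) "/tc-management-api"
      if (cert != "") print cert
      host = tsa = grp = cert = user = ""
    }' "$1" | LC_ALL=C sort -u
}

# keychain_keys <listing-file>: the key part of each "key : secret" line
# as printed by keychain.sh -O <keychain> -@ (saved to a file).
keychain_keys() {
  sed -n 's/^\(.*\) : .*$/\1/p' "$1" | LC_ALL=C sort -u
}

# missing_keychain_entries <tc-config.xml> <listing-file>
# Prints every required key the keychain does not contain (empty = complete).
missing_keychain_entries() {
  have=$(mktemp)
  keychain_keys "$2" > "$have"
  required_keychain_keys "$1" | LC_ALL=C comm -23 - "$have"
  rm -f "$have"
}

# keychain_secret_mismatches <listing-file> <keystore-password>
# Prints keys whose stored secret is not the shared keystore password.
# The trailing "//" the listing shows on tc:// and jmx:// entries is ignored.
keychain_secret_mismatches() {
  sed -n 's/^\(.*\) : \(.*\)$/\1|\2/p' "$1" | awk -F'|' -v pw="$2" '
    { s=$2; sub(/\/\/$/, "", s); if (s != pw) print $1 }'
}

# Usage:
#   keychain.sh -O /path/to/keychain -@ > keychain.txt
#   missing_keychain_entries /path/to/tc-config.xml keychain.txt
#   keychain_secret_mismatches keychain.txt 'store1Pass!'
```

Keys are compared as exact strings, so the jks: URL in the keychain must use the same absolute path as the <certificate> element; the listing above and the appendix config differ in exactly that way (/Users/rai/.tc/... versus /.tc/...), which is one of the things this check catches.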

Enable Self Signed Certificates and SSL #

To enable the TSA to use SSL with self-signed certificates, edit <installDir>/server/bin/start-tc-server.sh.

Add this line:

java_opts="$JAVA_OPTS -Dtc.ssl.trustAllCerts=true -Dtc.ssl.disableHostnameVerifier=true -Ddeployment.security.TLSv1.1=true -Ddeployment.security.TLSv1.2=true"

tc.ssl.trustAllCerts=true and tc.ssl.disableHostnameVerifier=true switch off certificate validation and hostname checking entirely; that is what lets the self-signed setup work without a matching truststore, and it is only acceptable for a local test. The deployment.security.TLSv1.x properties belong to the Java Plug-in/Web Start deployment configuration and have no effect on a standalone server JVM, so they can be left out.

and change the launch command to:

${JAVA_COMMAND} -Xms2g -Xmx2g -XX:+HeapDumpOnOutOfMemoryError \
    -Dcom.sun.management.jmxremote \
    -Dtc.install-root="${TC_INSTALL_DIR}" \
    -Dsun.rmi.dgc.server.gcInterval=31536000000 \
    ${java_opts} \
    -Djavax.net.debug=ssl \
    ${JAVA_OPTS} \

-Djavax.net.debug=ssl turns on verbose TLS tracing of every handshake in the server log; keep it only while diagnosing handshake problems.

Set UP TMC #

For details refer to Terracotta Management Console Security.

Configure Jetty #

By default the Terracotta Management Console runs stand-alone in an embedded Jetty web server. If you deploy it to a different server (e.g. Tomcat), refer to that server's documentation to configure SSL.

Edit: <installDir>/tools/management-console/etc/jetty.xml

<New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
  <!-- <Set name="KeyStore"><Property name="root.dir" default="." />/etc/dev-keystore.jks</Set> -->
  <Set name="KeyStore">client\keystore.jks</Set>
  <Set name="KeyStorePassword">store1Pass!</Set>
  <Set name="KeyManagerPassword">store1Pass!</Set>
  <Set name="ExcludeProtocols">
    <Array type="java.lang.String">
      <Item>SSLv3</Item>
    </Array>
  </Set>
</New>

The fragment above excludes only SSLv3; for anything beyond a local test, add TLSv1 and TLSv1.1 as further items of the same array.

If you want to store the password in Jetty's obfuscated (OBF:) form instead of clear text, generate it with:

java -cp lib/jetty-util-8.1.15.v20140411.jar org.eclipse.jetty.util.security.Password 'store1Pass!'

OBF: is reversible obfuscation, not encryption; it only keeps the clear-text password out of casual view of anyone reading jetty.xml, so file permissions on jetty.xml still matter.

Change TMC Start Script #

Extend the java_opts line in /Terracotta/tools/management-console/bin/start-tmc.sh so that it reads:

java_opts="$JAVA_OPTS -Xmx256m -XX:MaxPermSize=128m ${edg_opt} ${tmpdir_opt} ${license_opt} -DSTOP.PORT=$stop_port -DSTOP.KEY=secret -Dtc.ssl.trustAllCerts=true -Dtc.ssl.disableHostnameVerifier=true -Djavax.net.ssl.keyStore=/.tc/mgmt/client/keystore.jks -Djavax.net.ssl.keyStorePassword=store1Pass! -Djavax.net.ssl.trustStore=/.tc/mgmt/client/keystore.jks -Djavax.net.ssl.trustStorePassword=store1Pass! -Dsun.security.ssl.allowUnsafeRenegotiation=true"

There must be no space after -Djavax.net.ssl.keyStore= and -Djavax.net.ssl.trustStore=, otherwise the property is set to an empty value and the path becomes a stray argument. -Dsun.security.ssl.allowUnsafeRenegotiation=true re-enables the insecure TLS renegotiation the JDK disabled after CVE-2009-3555; it is not needed for this setup and is best left out.

Bring all Together #

Clear the data and logs folders of all servers.

Start Everything #

Start all servers:

start-tc-server.sh -f tc-config -n serverName -k

To stop a server, pass the user name and password with -u and -w. Example:

./stop-tc-server.sh -f Terracotta/config/tc-config.xml -k -u user -w 'store1Pass!'

Start the TMC: tools/management-console/bin/start-tmc.sh

After the first start, enable security.

Use the same password as for the keystore/truststore.

Make sure the keychain file created earlier is in the folder /Users/user/.tmc/mgmt. After this you can create a new connection to the cluster and access the secured cluster.

Then verify the user that connects to the servers:

Give the cluster a name:

After this the secured cluster should be visible:

Appendix #

Example tc-config.xml #

<?xml version="1.0" encoding="UTF-8"?>
<tc:tc-config xmlns:tc="http://www.terracotta.org/config">
  <servers secure="true">
    <mirror-group group-name="StripeOne">
      <server host="localhost" name="big1">
        <data>/Terracotta/install/bigmemory-max-4.3.0.1.17/dataBig/server-data</data>
        <logs>/Terracotta/install/bigmemory-max-4.3.0.1.17/dataBig/server-log</logs>
        <data-backup>/Terracotta/install/bigmemory-max-4.3.0.1.17/dataBig/server-data-backup</data-backup>
        <tsa-port>9510</tsa-port>
        <jmx-port>9520</jmx-port>
        <tsa-group-port>9530</tsa-group-port>
        <dataStorage size="1g">
          <offheap size="1g"/>
        </dataStorage>
        <security>
          <ssl>
            <certificate>jks:serveralias@/.tc/mgmt/server/keystore.jks</certificate>
          </ssl>
          <keychain>
            <class>com.terracotta.management.keychain.FileStoreKeyChain</class>
            <url>file:////.tc/mgmt/keychain</url>
          </keychain>
          <auth>
            <realm>com.tc.net.core.security.ShiroIniRealm</realm>
            <url>file:////.tc/mgmt/terracotta.ini</url>
            <user>user</user>
          </auth>
          <management>
            <ia>https://localhost:9443/tmc/api/assertIdentity</ia>
            <timeout>10000</timeout>
            <hostname>localhost</hostname>
          </management>
        </security>
      </server>
    </mirror-group>
    <mirror-group group-name="StripeTwo">
      <server host="localhost" name="big2">
        <data>/Terracotta/install/bigmemory-max-4.3.0.1.17/dataBig2/server-data</data>
        <logs>/Terracotta/install/bigmemory-max-4.3.0.1.17/dataBig2/server-log</logs>
        <tsa-port>9740</tsa-port>
        <jmx-port>9750</jmx-port>
        <tsa-group-port>9760</tsa-group-port>
        <dataStorage size="1g">
          <offheap size="1g"/>
        </dataStorage>
        <security>
          <ssl>
            <certificate>jks:serveralias@/.tc/mgmt/server/keystore.jks</certificate>
          </ssl>
          <keychain>
            <class>com.terracotta.management.keychain.FileStoreKeyChain</class>
            <url>file:////.tc/mgmt/keychain</url>
          </keychain>
          <auth>
            <realm>com.tc.net.core.security.ShiroIniRealm</realm>
            <url>file:////.tc/mgmt/terracotta.ini</url>
            <user>user</user>
          </auth>
          <management>
            <ia>https://localhost:9443/tmc/api/assertIdentity</ia>
            <timeout>10000</timeout>
            <hostname>localhost</hostname>
          </management>
        </security>
      </server>
    </mirror-group>
    <restartable enabled="true"/>
  </servers>
</tc:tc-config>