TLS/SSL Client-Server Communication Encryption

This section describes how to implement TLS-based communication between your clients and servers using the OpenSSL encryption utility. When configuring TLS/SSL security for your client, you may find it helpful to refer to The SSL section of the GemFire User Guide.

Set Up OpenSSL

The open-source OpenSSL toolkit provides a full-strength general purpose cryptography library for encrypting client-server communications.

Download and install OpenSSL 1.1.1 for your specific operating system.

Notes for Windows users:

  • For Windows platforms, you can use either the regular or the “Light” version of SSL.

  • Use a 64-bit implementation of OpenSSL.

  • If you use Cygwin, do not use the OpenSSL library that comes with Cygwin, which is built with cygwin.dll as a dependency. Instead, download a fresh copy from OpenSSL.

  • For many Windows applications, the most convenient way to install OpenSSL is to use choco (see to install the “Light” version of OpenSSL.

Step 1. Create keystores

The GemFire server requires keys and keystores in the Java Key Store (JKS) format while the native client requires them in the clear PEM format. Thus you need to be able to generate private/public keypairs in either format and convert between the two using the keytool utility and the openssl command.

Step 2. Enable SSL on the server and on the client

  1. On the server, enable SSL for the locator and server components, as the SSL-enabled client must be able to communicate with both locator and server components.

  2. On the client, set ssl-enabled to true.

  3. On the client, set ssl-keystore and ssl-truststore to point to your keystore files. Paths to the keystore and truststore are local to the client. See Security Properties for a description of these properties.

Starting and stopping the client and server with SSL in place

Before you start and stop the client and server, make sure you configure the native client with the SSL properties as described and with the servers or locators specified as usual.

Specifically, ensure that:

  • The OpenSSL and GemFire DLLs are in the right environment variables for your system: PATH for Windows, and LD_LIBRARY_PATH for Unix.
  • You have generated the keys and keystores.
  • You have set the system properties.

For details on stopping and starting locators and cache servers with SSL, see Starting Up and Shutting Down Your System.

The GemFire Native’s libcryptoImpl found in /lib must be linked at compile time. This binary is used to interact with OpenSSL. Link libcryptoImpl, native client, and your application code. We highly recommend using cmake.

Example locator start command

Ensure that all required SSL properties are configured in your server’s file. Then start your locator as follows:

gfsh>start locator --name=my_locator --port=12345 --dir=. \

Example locator stop command

gfsh>stop locator --port=12345 \

Example server start command

Again, ensure that all required SSL properties are configured in Then start the server with:

gfsh>start server --name=my_server --locators=hostname[12345] \
--cache-xml-file=server.xml --log-level=fine \

Example server stop command

gfsh>stop server --name=my_server