1

I am trying to prepare a secure Infinispan cluster using SimpleToken, as described here: JGroups. Although I provided the required configuration, new nodes are able to join the cluster even if they have a different 'auth_value' value.

Here is my configuration for the first node:

<config xmlns="urn:org:jgroups"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:org:jgroups http://www.jgroups.org/schema/JGroups-3.6.xsd">

    ....
    ....

    <AUTH auth_class="org.jgroups.auth.SimpleToken" auth_value="cluster1"/>
</config>

For the second node, I am using the same configuration with a different auth_value:

<AUTH auth_class="org.jgroups.auth.SimpleToken" auth_value="cluster2"/>
Radwan Nizam

2 Answers

1

It turned out that the order of configuration nodes in the JGroups XML file is important. Based on the Red Hat support team here:

For Asymmetric encryption (A shared keystore is not required): 1) Configure the jgroups subsystem:

  1. ASYM_ENCRYPT should be configured immediately before NAKACK, and AUTH should be immediately before GMS.
  2. Note that the other protocols shown here for context will differ slightly depending on the JGroups version.

Which means my JGroups file should look like the following:

<AUTH auth_class="org.jgroups.auth.SimpleToken" auth_value="cluster1"/>
<pbcast.GMS print_local_addr="false" join_timeout="15000"/>

Now, when I start the second node, which has auth_value="cluster2", I receive the following warnings and errors:

node 1:

[WARN] AUTH: failed to validate AuthHeader token from xxxx, token: auth_value=cluster1

node 2:

Caused by: java.lang.SecurityException: authentication failed at org.jgroups.protocols.pbcast.ClientGmsImpl.isJoinResponseValid(ClientGmsImpl.java:188) at

Radwan Nizam
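The ordering rule quoted in the answer above can be checked mechanically before a node is started. The following is an added example, not part of the original answer or of JGroups; the function names and the abbreviated sample stacks are constructed, and matching the successor by the name prefixes NAKACK and GMS is an assumption.

```python
import xml.etree.ElementTree as ET

# Ordering rules as quoted in the answer: (protocol, name prefix of the
# protocol that must come immediately after it in the stack).
RULES = [("ASYM_ENCRYPT", "NAKACK"), ("AUTH", "GMS")]


def protocol_names(xml_text):
    """Protocol element names in document order, without the XML
    namespace and without the 'pbcast.' package prefix."""
    names = []
    for child in ET.fromstring(xml_text):
        local = child.tag.rsplit("}", 1)[-1]
        names.append(local[7:] if local.startswith("pbcast.") else local)
    return names


def check_order(xml_text):
    """Return a list of findings; an empty list means the rules hold."""
    names = protocol_names(xml_text)
    findings = []
    for proto, successor in RULES:
        if proto not in names:
            continue  # a rule only applies when the protocol is configured
        i = names.index(proto)
        nxt = names[i + 1] if i + 1 < len(names) else None
        if nxt is None or not nxt.startswith(successor):
            findings.append(f"{proto} must be immediately before {successor}, "
                            f"found {nxt or 'end of stack'}")
    return findings


# Constructed sample stacks (abbreviated; a real stack has more protocols).
BAD = """<config xmlns="urn:org:jgroups">
    <UDP/> <PING/> <pbcast.NAKACK2/>
    <pbcast.GMS print_local_addr="false" join_timeout="15000"/>
    <AUTH auth_class="org.jgroups.auth.SimpleToken" auth_value="cluster1"/>
</config>"""

GOOD = """<config xmlns="urn:org:jgroups">
    <UDP/> <PING/> <pbcast.NAKACK2/>
    <AUTH auth_class="org.jgroups.auth.SimpleToken" auth_value="cluster1"/>
    <pbcast.GMS print_local_addr="false" join_timeout="15000"/>
</config>"""

if __name__ == "__main__":
    for label, cfg in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, check_order(cfg) or "ok")
```
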
0

Note that the latest version of ASYM_ENCRYPT does not require AUTH anymore if you use a certificate-based key exchange such as SSL_KEY_EXCHANGE. Details can be found at [1].

The previous answer is correct: the order of protocols matters a lot.

[1] http://www.jgroups.org/manual4/index.html#Security

Bela Ban