Security Related Files
Each Terracotta server uses the following types of files to implement security:
Java keystore - Contains the server's
private key and public-key certificate. The keystore is protected by a keystore/certificate-entry password.
Truststore - A keystore file containing
only the public keys of the certificates. This file is needed only if you are using self-signed certificates rather than a Certificate Authority (CA).
Keychain - Stores passwords, including the passwords to the server's keystore and to entries in other files. The tools for creating and managing the Terracotta keychain file are provided with the Terracotta kit.
Authorization - A
.ini file with password-protected user accounts and their roles for servers and clients that connect to the server.
Note that Microsoft Active Directory and standard LDAP authentication/authorization are available options; see
Using LDAP or Active Directory for Authentication for related information.
Tip:
The standard Java cacerts file, located in ${JAVA_HOME}java.home/lib/security by default, is a system-wide repository for CA root certificates included with the JDK. These certificates can play a part in certificate chains.
Java documentation recommends that the cacerts file be protected by changing its default password and file permissions.
Each Terracotta client also has a keychain file that stores the password it uses to authenticate with the server.
All files are read on startup. Changes made to the files after startup cannot be read unless the cluster is restarted.