BigMemory 4.4.0 | Product Documentation | BigMemory Max Security Guide | Setting Up Server Security | Configuring Server Security
 
Configuring Server Security
Set up the security for the Terracotta Server Array in the Terracotta configuration file, which is named tc-config.xml by default. For example:
<tc:tc-config xmlns:tc="http://www.terracotta.org/config">
  ...
  <servers secure="true">
    <server host="172.16.254.1" name="server1">
      ...
      <security>
        <ssl>
          <certificate>jks:server1alias@/the/path/keystore-file.jks</certificate>
        </ssl>
        <keychain>
          <url>file:///%(user.dir)/server1keychain.tkc</url>
        </keychain>
        <auth>
          <realm>com.tc.net.core.security.ShiroIniRealm</realm>
          <url>file:///%(user.dir)/my_auth.ini</url>
          <user>server1username</user>
        </auth>
      </security>
      ...
    </server>
    ...
  </servers>
  ...
</tc:tc-config>
Every server participating in an SSL-based secured cluster must have a <security> block in which the security-related information is encapsulated and defined. The keystore, keychain, and .ini files named in the configuration must be available to every server in the cluster. LDAP or Microsoft Active Directory can be configured in place of file-based authentication and authorization.
The following table defines some of the security-related elements and attributes shown in the configuration example.

Name: secure
  Definition: Attribute in the <servers> element. Enables SSL security for the cluster. DEFAULT: false.
  Notes: Enables/disables SSL-based security globally.

Name: certificate
  Definition: Element specifying the location of the server's authentication certificate and its containing keystore file. The format for the certificate-keystore location is jks:alias@/path/to/keystore. "alias" must match the value used to key the certificate in the keystore file.
  Notes: Only the JKS type of keystore is supported.

Name: url
  Definition: The URI for the keychain file (when under <keychain>) or for the authentication/authorization mechanism (when under <auth>). These URIs are passed to the keychain or realm class to specify the keychain file or authentication/authorization source, respectively.
  Notes: These files are created and managed with the and scripts. If using Microsoft Active Directory or LDAP, an LDAP or LDAPS connection is specified. The configured URL for locating the keychain file can be overridden with the property com.tc.security.keychain.url.

Name: realm
  Definition: The Shiro security realm that determines the type of authentication/authorization scheme being used: file-based (.ini), Microsoft Active Directory, or standard LDAP.
  Notes: This element's value is specified in the section covering the setup for the chosen authentication/authorization scheme.

Name: user
  Definition: The username that represents this server and is authenticated by other servers. This name is part of the server's credentials. Default username is "terracotta".
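A small configuration check that applies the rules above to a tc-config.xml before a cluster is started: secure="true" on <servers>, a <security> block on every server, a jks:alias@/path certificate locator, a file: keychain URL, and realm, url and user under <auth>. This is an added example written for this page, not a Terracotta tool; the sample config is constructed from the one above, and the second server (placeholder host 172.16.254.2) is intentionally left without a <security> block so the check reports it.

```python
import re
import xml.etree.ElementTree as ET

# Certificate locator format from the guide: jks:alias@/path/to/keystore (JKS only)
CERT_RE = re.compile(r"^jks:(?P<alias>[^@]+)@(?P<path>/.+)$")

# Constructed sample: server1 as in the guide, server2 (placeholder host) lacks <security>
SAMPLE_TC_CONFIG = """<tc:tc-config xmlns:tc="http://www.terracotta.org/config">
  <servers secure="true">
    <server host="172.16.254.1" name="server1">
      <security>
        <ssl><certificate>jks:server1alias@/the/path/keystore-file.jks</certificate></ssl>
        <keychain><url>file:///%(user.dir)/server1keychain.tkc</url></keychain>
        <auth>
          <realm>com.tc.net.core.security.ShiroIniRealm</realm>
          <url>file:///%(user.dir)/my_auth.ini</url>
          <user>server1username</user>
        </auth>
      </security>
    </server>
    <server host="172.16.254.2" name="server2"/>
  </servers>
</tc:tc-config>"""


def check_security(tc_config_xml):
    """Return a list of findings; an empty list means every rule from the guide holds."""
    findings = []
    # {*} matches any namespace, so both prefixed and default-namespace configs work
    servers = ET.fromstring(tc_config_xml).find("{*}servers")
    if servers is None:
        return ["no <servers> element"]
    if servers.get("secure", "false").lower() != "true":
        findings.append('servers: secure is not "true" (SSL security off, default false)')
    for server in servers.findall("{*}server"):
        name = server.get("name", "?")
        sec = server.find("{*}security")
        if sec is None:
            findings.append(f"{name}: missing <security> block")
            continue
        cert = sec.findtext("{*}ssl/{*}certificate", "")
        if not CERT_RE.match(cert):
            findings.append(f"{name}: certificate must be jks:alias@/path/to/keystore, got {cert!r}")
        if not sec.findtext("{*}keychain/{*}url", "").startswith("file:"):
            findings.append(f"{name}: keychain url is not a file: URI")
        for field in ("realm", "url", "user"):
            if not sec.findtext(f"{{*}}auth/{{*}}{field}", "").strip():
                findings.append(f"{name}: <auth> is missing <{field}>")
    return findings
```

Run check_security on the real tc-config.xml contents of each server before deployment; any finding means that server would not participate in the secured cluster as intended.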