Configuring SSL/TLS for Ignite
You can configure SSL or TLS for Ignite when using ThingWorx HA Clustering.
Configuring Ignite
To run Ignite with SSL, perform the following steps:
1. Create the Ignite keystore.
2. Instantiate SslContextFactory in the Ignite configuration file, specifying the keystore path and password. In the following example, the keystore path is /ThingworxPlatform/ignite-keystore/ignite.pfx:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
       http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans.xsd">
  <!-- Define Ignite configuration bean -->
  <bean id="grid.cfg" class="org.apache.ignite.configuration.IgniteConfiguration">
    <property name="peerClassLoadingEnabled" value="false"/>
    <!-- SSL Context Factory -->
    <property name="sslContextFactory">
      <bean class="org.apache.ignite.ssl.SslContextFactory">
        <property name="keyStoreFilePath" value="/ThingworxPlatform/ignite-keystore/ignite.pfx"/>
        <property name="keyStorePassword" value="ptcptc"/>
        <property name="keyStoreType" value="PKCS12"/>
        <property name="trustStoreFilePath" value="/ThingworxPlatform/ignite-keystore/truststore.pfx"/>
        <property name="trustStorePassword" value="ptcptc"/>
        <property name="trustStoreType" value="PKCS12"/>
        <property name="protocol" value="TLS"/>
      </bean>
    </property>
    <!-- Other Ignite properties can go here -->
  </bean>
</beans>
3. Run Ignite:
./ignite.sh -v -J"${JVM_XOPTS}" config/default-config.xml
The following text should appear in the console when Ignite starts: Security status [authentication=off, tls/ssl=on].
Configuring ThingWorx
Now you can configure Ignite in ThingWorx. Ignite can be run as client or embedded; this configuration works for either option.
1. Copy the Ignite certificates to your instance or make sure they are available on the machine where ThingWorx is running.
* Tomcat users must have access to the certificates or copy them into the ThingworxPlatform directory.
2. Modify the platform-settings.json file to activate SSL. Also modify igniteKeyStoreFilePath and igniteKeyStorePassword.
"cache": {
  "init-timeout": "30 seconds",
  "provider-type": "com.thingworx.cache.ignite.IgniteCacheProvider",
  "cache-mappings": {},
  "ignite": {
    "instance-name": "twx-core-server",
    "client-mode": false,
    "address-resolver": {
      "type": "zookeeper",
      "connection": "localhost:2181"
    },
    "ssl-active": true,
    "igniteKeyStoreFilePath": "/ThingworxPlatform/ignite-keystore/ignite.pfx",
    "igniteKeyStorePassword": "ptcptc"
  }
}
See the Cache Settings and Example section in Platform Settings for ThingWorx HA.
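The following check is an added example, not part of the ThingWorx tooling. It audits the ignite block of a platform-settings.json file for the settings above and flags a literal igniteKeyStorePassword, which the next section replaces with the name encrypt.ignite.keystore.password. The function names and the top-level wrapper around the "cache" fragment in the constructed sample are assumptions.

```python
import json

# Name the page stores the password under in twx-keystore.
KEYSTORE_REF = "encrypt.ignite.keystore.password"

def find_ignite_blocks(node, path=""):
    """Yield (path, dict) for every "ignite" object, wherever it is nested."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if key == "ignite" and isinstance(value, dict):
                yield here, value
            yield from find_ignite_blocks(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_ignite_blocks(item, f"{path}[{i}]")

def audit_settings(text):
    """Return a list of findings; an empty list means the block passes."""
    blocks = list(find_ignite_blocks(json.loads(text)))
    if not blocks:
        return ["no ignite section found"]
    findings = []
    for where, ignite in blocks:
        if ignite.get("ssl-active") is not True:
            findings.append(f"{where}: ssl-active is not true")
        if not ignite.get("igniteKeyStoreFilePath"):
            findings.append(f"{where}: igniteKeyStoreFilePath is missing")
        password = ignite.get("igniteKeyStorePassword")
        if not password:
            findings.append(f"{where}: igniteKeyStorePassword is missing")
        elif password != KEYSTORE_REF:
            # Never echo the value itself into the report.
            findings.append(f"{where}: igniteKeyStorePassword holds a literal value")
    return findings

def sample(password, ssl=True):
    """Constructed sample: the page's cache fragment inside an assumed top-level object."""
    return json.dumps({"cache": {"ignite": {
        "ssl-active": ssl,
        "igniteKeyStoreFilePath": "/ThingworxPlatform/ignite-keystore/ignite.pfx",
        "igniteKeyStorePassword": password}}})

if __name__ == "__main__":
    for label, text in [("literal", sample("ptcptc")), ("reference", sample(KEYSTORE_REF))]:
        print(label, audit_settings(text) or "OK")
```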
Encrypting Passwords Using the ThingWorx Security Management Tool
To avoid storing the plaintext password in the platform-settings.json file, you can encrypt the password inside twx-keystore using the security tool. You must store it under the key name encrypt.ignite.keystore.password:
./security-common-cli keystore.conf set encrypt.ignite.keystore.password "ptcptc"
Then change the platform-settings.json file to have ThingWorx pick the password from the key store:
"ssl-active": true,
"igniteKeyStoreFilePath": "/ThingworxPlatform/ignite-keystore/ignite.pfx",
"igniteKeyStorePassword": "encrypt.ignite.keystore.password"
Configuring SSL/TLS for ZooKeeper
To configure SSL/TLS for ZooKeeper, see Configuring SSL/TLS for ZooKeeper.