Configuring SSL/TLS for Ignite
You can configure SSL or TLS for Ignite when using ThingWorx HA Clustering:
Configuring Ignite
To run Ignite with SSL, instantiate SslContextFactory in the Ignite configuration file and set the key store path and password. In the following example, the key store path is /ThingworxPlatform/ignite-keystore/ignite.pfx:
<bean id="grid.cfg" class="org.apache.ignite.configuration.IgniteConfiguration">
    <property name="sslContextFactory">
        <bean class="org.apache.ignite.ssl.SslContextFactory">
            <!-- Key store path and password used by this Ignite node -->
            <property name="keyStoreFilePath" value="/ThingworxPlatform/ignite-keystore/ignite.pfx"/>
            <property name="keyStorePassword" value="ptcptc"/>
            <!-- getDisabledTrustManager accepts any peer certificate without validating it -->
            <property name="trustManagers">
                <bean class="org.apache.ignite.ssl.SslContextFactory" factory-method="getDisabledTrustManager"/>
            </property>
        </bean>
    </property>
</bean>
Run Ignite:
./ignite.sh config/default-config.xml
The following text should appear in the console when Ignite starts: Security status [authentication=off, tls/ssl=on].
Configuring ThingWorx
Now you can configure Ignite in ThingWorx. Ignite can be run as client or embedded; this configuration works for either option.
1. Copy the Ignite certificates to your instance or make sure they are available on the machine where ThingWorx is running.
2. Modify the platform-settings.json file to activate SSL. Also modify igniteKeyStoreFilePath and igniteKeyStorePassword.
"cache": {
    "init-timeout": "30 seconds",
    "provider-type": "com.thingworx.cache.ignite.IgniteCacheProvider",
    "cache-mappings": {},
    "ignite": {
        "instance-name": "twx-core-server",
        "client-mode": false,
        "address-resolver": {
            "type": "zookeeper",
            "connection": "localhost:2181"
        },
        "ssl-active": true,
        "igniteKeyStoreFilePath": "/ThingworxPlatform/ignite-keystore/ignite.pfx",
        "igniteKeyStorePassword": "ptcptc"
    }
}
Encrypting Passwords Using the ThingWorx Security Management Tool
If you want to avoid putting the plain-text password in the platform-settings.json file, you can encrypt the password inside twx-keystore using the security tool. You must encrypt the password using the name encrypt.ignite.keystore.password:
./security-common-cli keystore.conf set encrypt.ignite.keystore.password "ptcptc"
Then change the platform-settings.json file to have ThingWorx pick the password from the key store:
"ssl-active": true,
"igniteKeyStoreFilePath": "/ThingworxPlatform/ignite-keystore/ignite.pfx",
"igniteKeyStorePassword": "encrypt.ignite.keystore.password"
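The following check is an added example, not part of the product documentation: a small Python audit of the two files configured above that reports the disabled trust manager, a clear-text keyStorePassword in the Ignite XML, and a platform-settings.json that does not use the key store reference. The sample inputs are constructed from this page's snippets; the function names, finding labels, and the assumption that "cache" sits at the top level of platform-settings.json belong to this example.

```python
import json
import xml.etree.ElementTree as ET

# Name the page uses for the password stored with the security tool.
KEYSTORE_REF = "encrypt.ignite.keystore.password"

# Constructed samples that mirror the snippets on this page.
SAMPLE_XML = """<beans><bean class="org.apache.ignite.ssl.SslContextFactory">
  <property name="keyStoreFilePath" value="/ThingworxPlatform/ignite-keystore/ignite.pfx"/>
  <property name="keyStorePassword" value="ptcptc"/>
  <property name="trustManagers">
    <bean class="org.apache.ignite.ssl.SslContextFactory"
          factory-method="getDisabledTrustManager"/>
  </property>
</bean></beans>"""
SAMPLE_JSON = """{"cache": {"ignite": {"ssl-active": true,
  "igniteKeyStoreFilePath": "/ThingworxPlatform/ignite-keystore/ignite.pfx",
  "igniteKeyStorePassword": "ptcptc"}}}"""


def audit_ignite_xml(text):
    """Flag disabled certificate validation and clear-text passwords."""
    findings = []
    for el in ET.fromstring(text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # ignore any Spring XML namespace
        if tag == "bean" and el.get("factory-method") == "getDisabledTrustManager":
            findings.append("disabled-trust-manager")
        value = el.get("value", "")
        if (tag == "property" and el.get("name") == "keyStorePassword"
                and value and not value.startswith("${")):  # skip placeholders
            findings.append("xml-cleartext-password")
    return findings


def audit_platform_settings(text):
    """Check ssl-active and that the password is the key store reference."""
    # Assumption: "cache" is a top-level key, as in the fragment on this page.
    ignite = (json.loads(text).get("cache") or {}).get("ignite") or {}
    findings = []
    if ignite.get("ssl-active") is not True:
        findings.append("ssl-not-active")
    if ignite.get("igniteKeyStorePassword") != KEYSTORE_REF:
        findings.append("json-password-not-keystore-reference")
    return findings


if __name__ == "__main__":
    print(audit_ignite_xml(SAMPLE_XML), audit_platform_settings(SAMPLE_JSON))
```
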