Securing data

Application security has become a necessity for protecting sensitive data from malicious activity. Ignite provides the following mechanisms to protect our sensitive data:

  1. Inter-node communication: Ignite doesn't have a master node through which the other nodes communicate. When a node is added to or removed from the network, the cluster rebalances data transparently. Therefore, we need to secure the inter-node communication channel so that a newly added node doesn't receive our application data automatically. Ignite allows you to use SSL socket communication to provide a secure connection among all Ignite nodes. We can configure the SSL context factory to use trusted certificates and passwords.
  2. Authentication: Ignite allows you to secure the cluster by configuring authentication, but authentication is only supported when persistence is enabled.
  3. Trusting serialized data: Serialized data can be compromised. If a malicious code snippet is injected into a node, then during deserialization it can cause undesired effects, security breaches, or damage to the system. Ignite nodes can be configured to handle this deserialization risk by setting the following two system properties:
     - IGNITE_MARSHALLER_WHITELIST: Create a whitelist file with a list of objects that are safe to deserialize, such as com.packt.Player and com.packt.Club, and set the path to the file in this system property. You can pass it as a VM argument or set the value programmatically. If an object is not listed in the whitelist file, then Ignite throws an exception during deserialization.
     - IGNITE_MARSHALLER_BLACKLIST: Create a blacklist file with a list of unsafe/compromised objects, such as com.packt.Admin and com.packt.Account, and set the path to the file in this system property. You can pass it as a VM argument or set the value programmatically. If an object is listed in the blacklist file, then Ignite throws an exception during deserialization.
  4. Protecting the third-party data store: Your persistent data store can be compromised and data can be damaged. You can secure the third-party data store by enforcing IP security groups. AWS and other cloud providers offer IP security groups.
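The following node startup class is an added example that ties the first three mechanisms together; it is not code from the book or from the Ignite project. It uses Ignite's public `SslContextFactory`, `IgniteConfiguration` and `IgniteSystemProperties` APIs; the class name `SecureNodeStartup`, the keystore/truststore paths, the passwords and the whitelist path are placeholders chosen for this example.

```java
import org.apache.ignite.Ignite;
import org.apache.ignite.IgniteSystemProperties;
import org.apache.ignite.Ignition;
import org.apache.ignite.configuration.DataStorageConfiguration;
import org.apache.ignite.configuration.IgniteConfiguration;
import org.apache.ignite.ssl.SslContextFactory;

/** Example (not from the book): start an Ignite node with TLS, authentication and a marshaller whitelist. */
public class SecureNodeStartup {

    /** Builds a node configuration with SSL inter-node communication and authentication enabled. */
    public static IgniteConfiguration secureConfig() {
        IgniteConfiguration cfg = new IgniteConfiguration();

        // 1. Inter-node communication over TLS: each node presents the certificate from its
        //    keystore and only accepts peers whose certificates chain to the truststore.
        //    A node without a trusted certificate cannot join and therefore never receives
        //    rebalanced data. Paths and passwords below are placeholders.
        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStoreFilePath("/etc/ignite/ssl/node.jks");
        ssl.setKeyStorePassword("changeit".toCharArray());
        ssl.setTrustStoreFilePath("/etc/ignite/ssl/trust.jks");
        ssl.setTrustStorePassword("changeit".toCharArray());
        ssl.setProtocol("TLSv1.2");
        cfg.setSslContextFactory(ssl);

        // 2. Authentication is only supported with native persistence enabled, because
        //    user accounts are kept in the persistent store.
        DataStorageConfiguration storage = new DataStorageConfiguration();
        storage.getDefaultDataRegionConfiguration().setPersistenceEnabled(true);
        cfg.setDataStorageConfiguration(storage);
        cfg.setAuthenticationEnabled(true);

        return cfg;
    }

    public static void main(String[] args) {
        // 3. Deserialization whitelist: only classes listed in the file may be deserialized.
        //    The property must be set before the node starts; the equivalent VM argument is
        //    -DIGNITE_MARSHALLER_WHITELIST=/etc/ignite/whitelist.txt (placeholder path).
        System.setProperty(IgniteSystemProperties.IGNITE_MARSHALLER_WHITELIST,
                           "/etc/ignite/whitelist.txt");

        try (Ignite ignite = Ignition.start(secureConfig())) {
            // A persistence-enabled cluster starts inactive; activate it once the baseline is formed.
            ignite.cluster().active(true);
            System.out.println("Secure node started: " + ignite.cluster().localNode().id());
        }
    }
}
```

The whitelist file referenced above would contain one fully qualified class name per line (for the book's example, `com.packt.Player` and `com.packt.Club`); any class absent from it is rejected by the marshaller with an exception, which is the behaviour to verify in a test environment before relying on it. When authentication is first enabled, Ignite creates a default superuser named `ignite` with the password `ignite`; change that password before the cluster is reachable from anything but the deployment host.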

Now we know the importance of securing an Ignite cluster, how to monitor Ignite components, and how to configure memory and the cache to obtain metrics. Next, we'll look at performance improvement.
