@KowalczykBartek
Last active May 27, 2019 06:39
Dynomite NGINX SSL/TLS Termination
what ?
- As we know, Dynomite doesn't support any kind of authentication, so, to make security teams happy, we need to work around this somehow.
One possibility is SSL/TLS termination: our Redis client (Jedis for Java) will not talk to Dynomite directly but will connect to NGINX;
NGINX will check the client's certificate and, if the cert is valid, forward the connection to Dynomite.
technically how ?
- In a normal setup each instance requires Dynomite and Redis; in the secure setup you will additionally need NGINX,
and NGINX's port will be the only open one.
With this sample configuration, both client and server need to trust each other (mutual TLS).
1. Generate keys and certs
- generate all keys (CA, server and client) according to this tutorial:
-- http://nategood.com/client-side-certificate-authentication-in-ngi
2. Setup NGINX
- install NGINX
-- you need stream SSL/TLS support in NGINX (the stream module built with SSL)
-- on OSX this should work : brew install nginx-full --with-stream
- start Redis
- configure your NGINX as follows :
- don't forget to include error_log - YOU WILL LOVE THAT ! (a rejected client certificate shows up there at debug level)
------------------------------------------- config.file
error_log /XXXXX/logs.log debug;

stream {
    upstream redis {
        server localhost:6379;
    }

    server {
        listen 8080 ssl;
        proxy_pass redis;

        ssl_certificate        /XXXXX/server.crt;
        ssl_certificate_key    /XXXXX/server.key;
        ssl_client_certificate /XXXXX/ca.crt;
        ssl_verify_client      on;
    }
}
-------------------------------------------
3. Client (Java here) side
For the Java client we need:
- a PKCS12 file with both the client's private key and the client cert included (if only the client certificate is imported, with no key,
the client will log "Warning: no suitable certificate found - continuing without client authentication", will not be able to authenticate to NGINX,
and because of that NGINX will reject us),
- the server cert also imported into the JKS store (we need to trust NGINX).
How to configure the Dyno client: please refer to the test cases from https://github.com/Netflix/dyno/pull/184
openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt -certfile ca.crt
keytool -importkeystore -srckeystore client.p12 -srcstoretype pkcs12 -destkeystore client.jks -deststoretype JKS
keytool -importcert -file server.crt -keystore client.jks -alias "somealiast"
now, using client.jks as both keystore and truststore, you can request NGINX from Java.
how to import it in Java, look at my sample project https://github.com/KowalczykBartek/netty-securechat
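The client side of the setup above, as an added example (not code from this gist, the Dyno project or the netty-securechat project): it loads client.jks as both keystore (client key + cert) and truststore (server cert), opens a TLS socket to NGINX on port 8080 and sends a raw RESP PING, which NGINX forwards to Redis/Dynomite. It then repeats the connection without a key manager to show the failure mode described above: the handshake has no client certificate to offer, so NGINX with ssl_verify_client on rejects it. The keystore password "changeit", host "localhost" and port 8080 are assumptions; replace them with the values you used in steps 2 and 3.

```java
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;

public class MutualTlsRedisCheck {
    // Assumed values: keystore created by the keytool commands in step 3, NGINX from step 2.
    static final String KEYSTORE = "client.jks";
    static final char[] PASSWORD = "changeit".toCharArray();
    static final String HOST = "localhost";
    static final int PORT = 8080;

    /**
     * Build an SSLContext from client.jks.
     * withClientKey=false leaves out the KeyManager, which reproduces the
     * "no suitable certificate found" case: the client can still verify NGINX
     * but cannot present its own certificate.
     */
    static SSLContext buildContext(boolean withClientKey) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(KEYSTORE)) {
            ks.load(in, PASSWORD);
        }
        // Truststore side: server.crt was imported with keytool -importcert.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        // Keystore side: the client key + cert that came from client.p12.
        KeyManager[] keyManagers = null;
        if (withClientKey) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, PASSWORD);
            keyManagers = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Send a RESP PING through NGINX and return the reply line ("+PONG" from Redis). */
    static String ping(SSLContext ctx) throws IOException {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(HOST, PORT)) {
            // Also check that server.crt was issued for HOST, not just that it is trusted.
            SSLParameters params = s.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(params);
            s.startHandshake();

            OutputStream out = s.getOutputStream();
            out.write("*1\r\n$4\r\nPING\r\n".getBytes(StandardCharsets.US_ASCII));
            out.flush();

            BufferedReader reader = new BufferedReader(
                    new InputStreamReader(s.getInputStream(), StandardCharsets.US_ASCII));
            String reply = reader.readLine();
            if (reply == null) {
                // With TLS 1.3 the rejection can arrive after the client-side handshake finished.
                throw new IOException("connection closed by NGINX before any reply");
            }
            return reply;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("with client cert:    " + ping(buildContext(true)));
        try {
            String reply = ping(buildContext(false));
            System.out.println("WITHOUT client cert: unexpectedly accepted (" + reply
                    + ") - check ssl_verify_client in the NGINX config");
        } catch (IOException e) {
            System.out.println("without client cert: rejected as expected (" + e.getMessage() + ")");
        }
    }
}
```

Run it with `javac MutualTlsRedisCheck.java && java MutualTlsRedisCheck` next to client.jks while NGINX and Redis are up. The first line should print `+PONG`; the second should report a rejection, and the NGINX error_log from step 2 will show the failed client verification. If the second connection is accepted, the stream server is not verifying client certificates and the port is effectively open to anyone who can reach it.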
4. links
https://pubs.vmware.com/view-51/index.jsp?topic=%2Fcom.vmware.view.certificates.doc%2FGUID-17AD1631-E6D6-4853-8D9B-8E481BE2CC68.html
http://www.webfarmr.eu/2010/04/import-pkcs12-private-keys-into-jks-keystores-using-java-keytool/
http://nategood.com/client-side-certificate-authentication-in-ngi