diff --git a/akka-docs/rst/java/remoting.rst b/akka-docs/rst/java/remoting.rst
index fa994a359d..90dbf1c9ef 100644
--- a/akka-docs/rst/java/remoting.rst
+++ b/akka-docs/rst/java/remoting.rst
@@ -318,7 +318,7 @@ An example of setting up the default Netty based SSL driver as default::
remote {
enabled-transports = [akka.remote.netty.ssl]
- netty.ssl {
+ netty.ssl.security {
key-store = "mykeystore"
trust-store = "mytruststore"
key-store-password = "changeme"
@@ -326,7 +326,6 @@ An example of setting up the default Netty based SSL driver as default::
protocol = "TLSv1"
random-number-generator = "AES128CounterSecureRNG"
enabled-algorithms = [TLS_RSA_WITH_AES_128_CBC_SHA]
- sha1prng-random-source = "/dev/./urandom"
}
}
}
diff --git a/akka-docs/rst/scala/remoting.rst b/akka-docs/rst/scala/remoting.rst
index 6c16711d8c..42100e814c 100644
--- a/akka-docs/rst/scala/remoting.rst
+++ b/akka-docs/rst/scala/remoting.rst
@@ -320,7 +320,7 @@ An example of setting up the default Netty based SSL driver as default::
remote {
enabled-transports = [akka.remote.netty.ssl]
- netty.ssl {
+ netty.ssl.security {
key-store = "mykeystore"
trust-store = "mytruststore"
key-store-password = "changeme"
@@ -328,7 +328,6 @@ An example of setting up the default Netty based SSL driver as default::
protocol = "TLSv1"
random-number-generator = "AES128CounterSecureRNG"
enabled-algorithms = [TLS_RSA_WITH_AES_128_CBC_SHA]
- sha1prng-random-source = "/dev/./urandom"
}
}
}
diff --git a/akka-remote/src/main/resources/reference.conf b/akka-remote/src/main/resources/reference.conf
index 00050a3967..1835d02173 100644
--- a/akka-remote/src/main/resources/reference.conf
+++ b/akka-remote/src/main/resources/reference.conf
@@ -301,6 +301,8 @@ akka {
# Max number of threads to cap factor-based number to
pool-size-max = 8
}
+
+ }
netty.udp = ${akka.remote.netty.tcp}
@@ -310,7 +312,52 @@ akka {
netty.ssl = ${akka.remote.netty.tcp}
netty.ssl = {
+ # Enable SSL/TLS encryption.
+ # This must be enabled on both the client and server to work.
enable-ssl = true
+
+ security {
+ # This is the Java Key Store used by the server connection
+ key-store = "keystore"
+
+ # This password is used for decrypting the key store
+ key-store-password = "changeme"
+
+ # This is the Java Key Store used by the client connection
+ trust-store = "truststore"
+
+ # This password is used for decrypting the trust store
+ trust-store-password = "changeme"
+
+ # Protocol to use for SSL encryption, choose from:
+ # Java 6 & 7:
+ # 'SSLv3', 'TLSv1'
+ # Java 7:
+ # 'TLSv1.1', 'TLSv1.2'
+ protocol = "TLSv1"
+
+ # Example: ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"]
+ # You need to install the JCE Unlimited Strength Jurisdiction Policy
+ # Files to use AES 256.
+ # More info here:
+ # http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJCEProvider
+ enabled-algorithms = ["TLS_RSA_WITH_AES_128_CBC_SHA"]
+
+ # There are three options, in increasing order of security:
+ # "" or SecureRandom => (default)
+ # "SHA1PRNG" => Can be slow because of blocking issues on Linux
+ # "AES128CounterSecureRNG" => fastest startup and based on AES encryption
+ # algorithm
+ # "AES256CounterSecureRNG"
+ # The following use one of 3 possible seed sources, depending on
+ # availability: /dev/random, random.org and SecureRandom (provided by Java)
+ # "AES128CounterInetRNG"
+ # "AES256CounterInetRNG" (Install JCE Unlimited Strength Jurisdiction
+ # Policy Files first)
+ # Setting a value here may require you to supply the appropriate cipher
+ # suite (see enabled-algorithms section above)
+ random-number-generator = ""
+ }
}
}
diff --git a/akka-remote/src/main/scala/akka/remote/transport/netty/NettySSLSupport.scala b/akka-remote/src/main/scala/akka/remote/transport/netty/NettySSLSupport.scala
index f8645b8f8e..65e4fd702a 100644
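Review bot: The new `security` block ships non-empty placeholder defaults for `key-store`, `key-store-password`, `trust-store` and `trust-store-password`, which means a user who enables the ssl transport without configuring any store no longer hits SSLSettings' fail-fast checks (no key/trust store, store without password) but silently runs with a "keystore" file and the password "changeme". Defaulting those four keys to `""` keeps the validation reachable, using the same empty-string-means-unset convention this commit applies to `random-number-generator` (RemoteConfigSpec asserts that maps to None) — provided SSLSettings applies that rule to the store keys too, which is not visible here. The `protocol` comment lists 'SSLv3' alongside the TLS versions without any ordering hint; since the same comment says Java 7 offers 'TLSv1.2', a sentence such as `# Prefer the newest TLS version your JVM supports` would steer readers away from the weakest option.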
--- a/akka-remote/src/main/scala/akka/remote/transport/netty/NettySSLSupport.scala
+++ b/akka-remote/src/main/scala/akka/remote/transport/netty/NettySSLSupport.scala
@@ -36,13 +36,13 @@ private[akka] class SSLSettings(config: Config) {
// FIXME: Change messages to reflect new configuration
if (SSLProtocol.isEmpty) throw new ConfigurationException(
- "Configuration option 'akka.remote.netty.ssl.enable is turned on but no protocol is defined in 'akka.remote.netty.ssl.protocol'.")
+ "Configuration option 'akka.remote.netty.ssl.enable-ssl is turned on but no protocol is defined in 'akka.remote.netty.ssl.security.protocol'.")
if (SSLKeyStore.isEmpty && SSLTrustStore.isEmpty) throw new ConfigurationException(
- "Configuration option 'akka.remote.netty.ssl.enable is turned on but no key/trust store is defined in 'akka.remote.netty.ssl.key-store' / 'akka.remote.netty.ssl.trust-store'.")
+ "Configuration option 'akka.remote.netty.ssl.enable-ssl is turned on but no key/trust store is defined in 'akka.remote.netty.ssl.security.key-store' / 'akka.remote.netty.ssl.security.trust-store'.")
if (SSLKeyStore.isDefined && SSLKeyStorePassword.isEmpty) throw new ConfigurationException(
- "Configuration option 'akka.remote.netty.ssl.key-store' is defined but no key-store password is defined in 'akka.remote.netty.ssl.key-store-password'.")
+ "Configuration option 'akka.remote.netty.ssl.security.key-store' is defined but no key-store password is defined in 'akka.remote.netty.ssl.security.key-store-password'.")
if (SSLTrustStore.isDefined && SSLTrustStorePassword.isEmpty) throw new ConfigurationException(
- "Configuration option 'akka.remote.netty.ssl.trust-store' is defined but no trust-store password is defined in 'akka.remote.netty.ssl.trust-store-password'.")
+ "Configuration option 'akka.remote.netty.ssl.security.trust-store' is defined but no trust-store password is defined in 'akka.remote.netty.ssl.security.trust-store-password'.")
}
/**
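Review bot: The `// FIXME: Change messages to reflect new configuration` context line at the top of the hunk is now stale — this hunk is exactly that change — and should go in the same commit. The first two rewritten messages still quote the enable flag with an unbalanced opening quote, `'akka.remote.netty.ssl.enable-ssl is turned on`, while every other option name in these messages is quoted on both sides; `'akka.remote.netty.ssl.enable-ssl' is turned on` would match. The constructor body of SSLSettings begins before and ends after the hunk.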
diff --git a/akka-remote/src/main/scala/akka/remote/transport/netty/NettyTransport.scala b/akka-remote/src/main/scala/akka/remote/transport/netty/NettyTransport.scala
index b85cf8a0a7..d1ce2a265d 100644
--- a/akka-remote/src/main/scala/akka/remote/transport/netty/NettyTransport.scala
+++ b/akka-remote/src/main/scala/akka/remote/transport/netty/NettyTransport.scala
@@ -110,7 +110,7 @@ class NettyTransportSettings(config: Config) {
@deprecated("WARNING: This should only be used by professionals.", "2.0")
val PortSelector: Int = getInt("port")
- val SslSettings: Option[SSLSettings] = if (EnableSsl) Some(new SSLSettings(config.getConfig("ssl"))) else None
+ val SslSettings: Option[SSLSettings] = if (EnableSsl) Some(new SSLSettings(config.getConfig("security"))) else None
val ServerSocketWorkerPoolSize: Int = computeWPS(config.getConfig("server-socket-worker-pool"))
diff --git a/akka-remote/src/test/scala/akka/remote/RemoteConfigSpec.scala b/akka-remote/src/test/scala/akka/remote/RemoteConfigSpec.scala
index 5525af3200..afdaa0ce2e 100644
--- a/akka-remote/src/test/scala/akka/remote/RemoteConfigSpec.scala
+++ b/akka-remote/src/test/scala/akka/remote/RemoteConfigSpec.scala
@@ -4,12 +4,12 @@
package akka.remote
import language.postfixOps
-
import akka.testkit.AkkaSpec
import akka.actor.ExtendedActorSystem
import scala.concurrent.duration._
import akka.remote.transport.AkkaProtocolSettings
import akka.util.{ Timeout, Helpers }
+import akka.remote.transport.netty.SSLSettings
@org.junit.runner.RunWith(classOf[org.scalatest.junit.JUnitRunner])
class RemoteConfigSpec extends AkkaSpec(
@@ -59,13 +59,41 @@ class RemoteConfigSpec extends AkkaSpec(
}
- "contain correct configuration values in reference.conf" ignore {
+ "contain correct configuration values in reference.conf" in {
+ val remoteSettings = RARP(system).provider.remoteSettings
+ import remoteSettings._
+
+ LogReceive must be(false)
+ LogSend must be(false)
+ UntrustedMode must be(false)
+ LogRemoteLifecycleEvents must be(false)
+ ShutdownTimeout.duration must be(10 seconds)
+ FlushWait must be(2 seconds)
+ StartupTimeout.duration must be(10 seconds)
+ RetryGateClosedFor must be(Duration.Zero)
+ UnknownAddressGateClosedFor must be(1 minute)
+ UsePassiveConnections must be(true)
+ MaximumRetriesInWindow must be(5)
+ RetryWindow must be(3 seconds)
+ BackoffPeriod must be(10 millis)
+ CommandAckTimeout.duration must be(30 seconds)
+ Transports.size must be(1)
+ Transports.head._1 must be(classOf[akka.remote.transport.netty.NettyTransport].getName)
+ Transports.head._2 must be(Nil)
+ Adapters must be(Map(
+ "gremlin" -> classOf[akka.remote.transport.FailureInjectorProvider].getName,
+ "trttl" -> classOf[akka.remote.transport.ThrottlerProvider].getName))
+
+ }
+
+ "contain correct socket worker pool configuration values in reference.conf" in {
val c = RARP(system).provider.remoteSettings.config.getConfig("akka.remote.netty.tcp")
// server-socket-worker-pool
{
val pool = c.getConfig("server-socket-worker-pool")
pool.getInt("pool-size-min") must equal(2)
+ pool.getDouble("pool-size-factor") must equal(1.0)
pool.getInt("pool-size-max") must equal(8)
}
@@ -78,9 +106,17 @@ class RemoteConfigSpec extends AkkaSpec(
pool.getInt("pool-size-max") must equal(8)
}
- {
- c.getString("reuse-address") must be("off-for-windows")
- }
+ }
+
+ "contain correct ssl configuration values in reference.conf" in {
+ val sslSettings = new SSLSettings(system.settings.config.getConfig("akka.remote.netty.ssl.security"))
+ sslSettings.SSLKeyStore must be(Some("keystore"))
+ sslSettings.SSLKeyStorePassword must be(Some("changeme"))
+ sslSettings.SSLTrustStore must be(Some("truststore"))
+ sslSettings.SSLTrustStorePassword must be(Some("changeme"))
+ sslSettings.SSLProtocol must be(Some("TLSv1"))
+ sslSettings.SSLEnabledAlgorithms must be(Set("TLS_RSA_WITH_AES_128_CBC_SHA"))
+ sslSettings.SSLRandomNumberGenerator must be(None)
}
}
}
diff --git a/akka-remote/src/test/scala/akka/remote/RemotingSpec.scala b/akka-remote/src/test/scala/akka/remote/RemotingSpec.scala
index 7ea21adc52..6284eb0780 100644
--- a/akka-remote/src/test/scala/akka/remote/RemotingSpec.scala
+++ b/akka-remote/src/test/scala/akka/remote/RemotingSpec.scala
@@ -70,7 +70,7 @@ object RemotingSpec {
remote.netty.udp.hostname = "localhost"
remote.netty.ssl.port = 0
remote.netty.ssl.hostname = "localhost"
- remote.netty.ssl.ssl = ${common-ssl-settings}
+ remote.netty.ssl.security = ${common-ssl-settings}
remote.test {
transport-class = "akka.remote.transport.TestTransport"
diff --git a/akka-remote/src/test/scala/akka/remote/Ticket1978CommunicationSpec.scala b/akka-remote/src/test/scala/akka/remote/Ticket1978CommunicationSpec.scala
index 4af6c53f6e..173301879c 100644
--- a/akka-remote/src/test/scala/akka/remote/Ticket1978CommunicationSpec.scala
+++ b/akka-remote/src/test/scala/akka/remote/Ticket1978CommunicationSpec.scala
@@ -39,7 +39,7 @@ object Configuration {
remote.netty.ssl {
hostname = localhost
port = %d
- ssl {
+ security {
enable = on
trust-store = "%s"
key-store = "%s"
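Review bot: The `c.getString("reuse-address") must be("off-for-windows")` assertion is deleted in this hunk and does not reappear in either new test in this diff, so the reference.conf reuse-address default loses its only coverage unless it was moved somewhere outside the diff; keeping that one line inside the socket worker pool test costs nothing. The new ssl test also pins `Some("changeme")` for both store passwords, which turns the placeholder password into an asserted reference.conf contract rather than an unset value — worth confirming that is intended before the test locks it in. The enclosing class starts before the hunk.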
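Review bot: `enable = on` is left inside the renamed `security { ... }` block, but the flag the transport reads appears to be `enable-ssl` at the `netty.ssl` level — that is the name used in NettySSLSupport's error messages and where reference.conf defines it — so this line now looks like a leftover that no longer affects the spec. Either drop it or move it up one level as `enable-ssl = on` so the test states the intent it relies on. The configuration string continues past the end of the hunk.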
@@ -61,7 +61,7 @@ object Configuration {
//if (true) throw new IllegalArgumentException("Ticket1978*Spec isn't enabled")
val config = ConfigFactory.parseString(conf.format(localPort, trustStore, keyStore, cipher, enabled.mkString(", ")))
- val fullConfig = config.withFallback(AkkaSpec.testConf).withFallback(ConfigFactory.load).getConfig("akka.remote.netty.ssl.ssl")
+ val fullConfig = config.withFallback(AkkaSpec.testConf).withFallback(ConfigFactory.load).getConfig("akka.remote.netty.ssl.security")
val settings = new SSLSettings(fullConfig)
val rng = NettySSLSupport.initializeCustomSecureRandom(settings.SSLRandomNumberGenerator, NoLogging)
diff --git a/akka-remote/src/test/scala/akka/remote/Ticket1978ConfigSpec.scala b/akka-remote/src/test/scala/akka/remote/Ticket1978ConfigSpec.scala
index 1e530556b6..be4cf6fce5 100644
--- a/akka-remote/src/test/scala/akka/remote/Ticket1978ConfigSpec.scala
+++ b/akka-remote/src/test/scala/akka/remote/Ticket1978ConfigSpec.scala
@@ -8,22 +8,15 @@
import java.util.ArrayList
import akka.remote.transport.netty.SSLSettings
@org.junit.runner.RunWith(classOf[org.scalatest.junit.JUnitRunner])
-class Ticket1978ConfigSpec extends AkkaSpec with ImplicitSender with DefaultTimeout {
-
- val cfg = ConfigFactory.parseString("""
- ssl-settings {
- key-store = "keystore"
- trust-store = "truststore"
- key-store-password = "changeme"
- trust-store-password = "changeme"
- protocol = "TLSv1"
+class Ticket1978ConfigSpec extends AkkaSpec("""
+ akka.remote.netty.ssl.security {
random-number-generator = "AES128CounterSecureRNG"
- enabled-algorithms = [TLS_RSA_WITH_AES_128_CBC_SHA]
- }""")
+ }
+ """) with ImplicitSender with DefaultTimeout {
"SSL Remoting" must {
"be able to parse these extra Netty config elements" in {
- val settings = new SSLSettings(cfg.getConfig("ssl-settings"))
+ val settings = new SSLSettings(system.settings.config.getConfig("akka.remote.netty.ssl.security"))
settings.SSLKeyStore must be(Some("keystore"))
settings.SSLKeyStorePassword must be(Some("changeme"))
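Review bot: After this change the spec overrides only `random-number-generator`, so the `settings.SSLKeyStore must be(Some("keystore"))` and password assertions now verify reference.conf's defaults rather than "extra Netty config elements" supplied by this spec, duplicating the ssl test this commit adds to RemoteConfigSpec. Either keep the full override block (stores, passwords, protocol, algorithms) so the test remains self-contained, or narrow it to the RNG value and rename the test to say so. The test body continues past the end of the hunk.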