The security measures implemented for a VMware Tanzu Application Service for VMs (TAS for VMs) foundation and for VMware Tanzu GemFire for VMs service instances within that foundation attempt to reduce harm from agents with foundation access. See Cloud Foundry Security for a general presentation on TAS for VMs security. Transport-Layer Security (TLS) encryption prevents easy access to communication between components, and role-based authentication and authorization limits access to data.
TLS Encryption for the Tanzu GemFire Service Instance
Without TLS encryption with and within the Tanzu GemFire service instance, the diagram below identifies via green dotted-and-dashed lines the unencrypted, plaintext communication that a bad agent with TAS for VMs foundation access could listen to without TLS encryption.
Each of these unencrypted communication paths may be TLS-encrypted. To encrypt these communications, follow the directions in Migrating to a TLS-Enabled Cluster and ensure that apps also use TLS as described in Developing an App Under TLS. Enabling TLS encryption implements a one-way authentication of apps, verifying the identity of cluster members.
You must also secure gfsh communication. Follow directions in Connect with gfsh over HTTPS.
To allow app access to the PCC network, create application security groups. Allow access on the following ports:
For more information, see TAS for VMs documentation on Restricting App Access to Internal PAS Components.
Tanzu GemFire works with the IPsec Add-on for TAS for VMs (see Securing Data in Transit with the IPsec Add-on).
Security within the Cluster
The cluster within a Tanzu GemFire service instance implements role-based authentication and authorizes cluster operations based upon the roles.
There are two sets of roles:
One set has four roles for users that integrate an external authentication such as LDAP via User Account and Authentication (UAA). See Configuring UAA Roles for a description of the roles and the configuration that completes the integration.
The other set of roles defaults when there is no external authentication integrated during the Tanzu GemFire tile installation. The identifiers assigned for these roles are detailed in Create Service Keys. Tanzu GemFire service instances are created with three default user roles for interacting with clusters:
- Cluster operator: manages the Apache Geode cluster and can access
region data. Has the permissions
- Developer: can access region data. Has the permissions
- Gateway sender: propagates region data to another Tanzu GemFire service instance. Has the permission
- Cluster operator: manages the Apache Geode cluster and can access region data. Has the permissions
Which set is used for a Tanzu GemFire service instance depends on the options chosen during Tanzu GemFire tile installation.
All gfsh and JMX clients must authenticate as one of these user roles to access the cluster. To authorize operations, each user role is given predefined permissions for cluster operations. To accomplish a cluster operation, the user authenticates using one of the roles. Prior to initiating the requested operation, there is a verification that the authenticated user role has permission to do the operation. Read more about these permissions in Implementing Authorization.