Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 7. Securing Data Grid Connections

Secure client connections with authentication and encryption to prevent network intrusion and protect your data.

7.1. Configuring Authentication
Link kopieren

Application users need credentials to access Data Grid clusters. You can use default, generated credentials or add your own.

7.1.1. Default Credentials
Link kopieren

Data Grid Operator generates base64-encoded default credentials stored in an authentication secret named example-infinispan-generated-secret

Expand
UsernameDescription

developer

Default application user.

operator

Internal user that interacts with Data Grid clusters.

7.1.2. Retrieving Credentials
Link kopieren

Get credentials from authentication secrets to access Data Grid clusters.

Procedure

  • Retrieve credentials from authentication secrets, as in the following example: 

    $ oc get secret example-infinispan-generated-secret
    Copy to Clipboard Toggle word wrap

    Base64-decode credentials. 

    $ oc get secret example-infinispan-generated-secret \
-o jsonpath="{.data.identities\.yaml}" | base64 --decode

credentials:
- username: developer
  password: dIRs5cAAsHIeeRIL
- username: operator
  password: uMBo9CmEdEduYk24
    Copy to Clipboard Toggle word wrap

7.1.3. Adding Custom Credentials
Link kopieren

Configure access to Data Grid cluster endpoints with custom credentials.

Procedure

  1. Create an identities.yaml file with the credentials that you want to add. 

    credentials:
- username: testuser
  password: testpassword
- username: operator
  password: supersecretoperatorpassword
    Copy to Clipboard Toggle word wrap
    Important

    identities.yaml must include the operator user.

  2. Create an authentication secret from identities.yaml. 

    $ oc create secret generic --from-file=identities.yaml connect-secret
    Copy to Clipboard Toggle word wrap

  3. Specify the authentication secret with spec.security.endpointSecretName in your Infinispan CR and then apply the changes. 

    spec:
  ...
  security:
    endpointSecretName: connect-secret
    1
    Copy to Clipboard Toggle word wrap
    1
    Specifies the name of the authentication secret that contains your credentials.

Modifying spec.security.endpointSecretName triggers a cluster restart. You can watch the Data Grid cluster as Data Grid Operator applies changes: 

$ oc get pods -w
Copy to Clipboard Toggle word wrap

7.2. Configuring Encryption
Link kopieren

Encrypt connections between clients and Data Grid nodes with Red Hat OpenShift service certificates or custom TLS certificates.

7.2.1. Encryption with Red Hat OpenShift Service Certificates
Link kopieren

Data Grid Operator automatically generates TLS certificates that are signed by the Red Hat OpenShift service CA. Data Grid Operator then stores the certificates and keys in a secret so you can retrieve them and use with remote clients.

If the Red Hat OpenShift service CA is available, Data Grid Operator adds the following spec.security.endpointEncryption configuration to the Infinispan CR: 

spec:
  ...
  security:
    endpointEncryption:
      type: Service
      certServiceName: service.beta.openshift.io
1 

      certSecretName: example-infinispan-cert-secret
2
Copy to Clipboard Toggle word wrap
1
Specifies the Red Hat OpenShift Service.
2
Names the secret that contains a service certificate, tls.crt, and key, tls.key, in PEM format. If you do not specify a name, Data Grid Operator uses <cluster_name>-cert-secret.
Note

Service certificates use the internal DNS name of the Data Grid cluster as the common name (CN), for example:

Subject: CN = example-infinispan.mynamespace.svc

For this reason, service certificates can be fully trusted only inside OpenShift. If you want to encrypt connections with clients running outside OpenShift, you should use custom TLS certificates.

Service certificates are valid for one year and are automatically replaced before they expire.

7.2.2. Retrieving TLS Certificates
Link kopieren

Get TLS certificates from encryption secrets to create client trust stores.

  • Retrieve tls.crt from encryption secrets as follows: 
$ oc get secret example-infinispan-cert-secret \
-o jsonpath='{.data.tls\.crt}' | base64 --decode > tls.crt
Copy to Clipboard Toggle word wrap

7.2.3. Disabling Encryption
Link kopieren

You can disable encryption so clients do not need TLS certificates to establish connections with Data Grid.

Important

Data Grid does not recommend disabling encryption in production environments where endpoints are exposed outside the OpenShift cluster via spec.expose.type.

Procedure

  • Set None as the value for the spec.security.endpointEncryption.type field in your Infinispan CR and then apply the changes. 

    spec:
  ...
  security:
    endpointEncryption:
            type: None
    1
    Copy to Clipboard Toggle word wrap
    1
    Disables encryption for Data Grid endpoints.

7.2.4. Using Custom TLS Certificates
Link kopieren

Use custom PKCS12 keystore or TLS certificate/key pairs to encrypt connections between clients and Data Grid clusters.

Prerequisites

Procedure

  1. Add the encryption secret to your OpenShift namespace, for example: 

    $ oc apply -f tls_secret.yaml
    Copy to Clipboard Toggle word wrap

  2. Specify the encryption secret with spec.security.endpointEncryption in your Infinispan CR and then apply the changes. 

    spec:
  ...
  security:
    endpointEncryption:
    1 
    
            type: Secret
    2 
    
            certSecretName: tls-secret
    3
    Copy to Clipboard Toggle word wrap
    1
    Encrypts traffic to and from Data Grid endpoints.
    2
    Configures Data Grid to use secrets that contain encryption certificates.
    3
    Names the encryption secret.

7.2.4.1. Certificate Secrets
Link kopieren

apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
type: Opaque
data:
    tls.key:  "LS0tLS1CRUdJTiBQUk ..."
1 

    tls.crt: "LS0tLS1CRUdJTiBDRVl ..."
2
Copy to Clipboard Toggle word wrap
1
Adds a base64-encoded TLS key.
2
Adds a base64-encoded TLS certificate.

7.2.4.2. Keystore Secrets
Link kopieren

apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
type: Opaque
stringData:
    alias: server
1 

    password: password
2 

data:
    keystore.p12:  "MIIKDgIBAzCCCdQGCSqGSIb3DQEHA..."
3
Copy to Clipboard Toggle word wrap
1
Specifies an alias for the keystore.
2
Specifies a password for the keystore.
3
Adds a base64-encoded keystore.
Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat