Chapter 5. Securing Network Traffic
Encrypt client to server and server to server traffic to secure network communication.
5.1. Encrypting Client to Server Communication
JBoss Data Grid for OpenShift uses JKS keystores that contain credentials and certificates to secure client-to-server traffic.
To encrypt client to server communication, do the following:
1. Create a JKS keystore (.jks) to encrypt traffic.
   You can use OpenSSL and the Java keytool to generate a JKS keystore. When you generate a TLS certificate for the keystore, specify the domain name for the deployment.
   Important: Production environments should always use TLS certificates signed by a verified certificate authority (CA).
2. Deploy the JKS keystore to OpenShift as a secret.
   - Log in as the developer user.
     $ oc login -u developer
   - Create a secret for the JKS keystore. For example, to create a secret named jdg-https-secret from a keystore named jdg-https.jks, do the following:
     $ oc create secret generic jdg-https-secret --from-file=jdg-https.jks
   - Link the secret to the service account for your deployment. For example, to link a secret named jdg-https-secret to the default service account, do the following:
     $ oc secrets link default jdg-https-secret
3. Configure your deployment to use the JKS keystore with these environment variables:
   HOSTNAME_HTTP - Specifies the HTTP service route for the deployment. Required only if you are using a JBoss Data Grid for OpenShift template.
   HOSTNAME_HTTPS - Sets the HTTPS service route for the deployment. Required only if you are using a JBoss Data Grid for OpenShift template.
   HTTPS_SECRET - Matches the OpenShift secret for the keystore. Required only if you are using a JBoss Data Grid for OpenShift template.
   HTTPS_KEYSTORE - Specifies the JKS keystore for encrypting server to client traffic.
   HTTPS_NAME - Matches the username for the keystore.
   HTTPS_PASSWORD - Matches the keystore password.
   HTTPS_KEYSTORE_DIR - Specifies the directory that contains the JKS keystore. You do not need to set this environment variable if you are using a JBoss Data Grid for OpenShift template. The templates set this environment variable by default.
Tip: Use the HOTROD_ENCRYPTION environment variable to configure the Hot Rod connector to use encryption. See Endpoint Configuration.
5.2. Encrypting Traffic Between Clustered Servers
JBoss Data Grid for OpenShift uses JGroups technology to secure traffic between clustered servers with the following options:
- Authentication
  Uses the JGroups AUTH protocol, which requires nodes to authenticate with a password when joining the cluster. You configure authentication with the JGROUPS_CLUSTER_PASSWORD environment variable. This environment variable sets a password for nodes to use when joining the cluster. The password must be the same across the cluster.
- Symmetric encryption
  Uses the JGroups SYM_ENCRYPT protocol to secure traffic with a JGroups keystore (.jceks). This is the default encryption protocol. The JGroups AUTH protocol is optional with symmetric encryption. The JGroups keystore contains credentials that each node in the cluster uses to secure communication.
- Asymmetric encryption
  Uses the JGroups ASYM_ENCRYPT protocol to secure traffic with public/private key encryption. The JGroups AUTH protocol is required with asymmetric encryption. The coordinator node generates a secret key. When a node joins the cluster, it requests the secret key from the coordinator and provides its public key. The coordinator encrypts the secret key with the public key and returns it to the node. The node then decrypts and installs the secret so that it can securely communicate with other nodes in the cluster.
5.2.1. Setting Up Symmetric Encryption
To use symmetric encryption, do the following:
1. Create a JGroups keystore (.jceks) that contains credentials to encrypt traffic.
   You can use the Java keytool to generate a JGroups keystore.
2. Deploy the JGroups keystore to OpenShift as a secret.
   - Log in as the developer user.
     $ oc login -u developer
   - Create a secret for the JGroups keystore. For example, to create a secret named jgroups-secret from a keystore named jgroups.jceks, do the following:
     $ oc create secret generic jgroups-secret --from-file=jgroups.jceks
   - Link the secret to the default service account.
     $ oc secrets link default jgroups-secret
3. Configure your deployment to use the JGroups keystore with these environment variables:
   JGROUPS_ENCRYPT_KEYSTORE - Specifies the JGroups keystore for encrypting cluster traffic.
   JGROUPS_ENCRYPT_SECRET - Matches the OpenShift secret for the keystore.
   JGROUPS_ENCRYPT_NAME - Matches the username for the keystore.
   JGROUPS_ENCRYPT_PASSWORD - Matches the keystore password.
   JGROUPS_ENCRYPT_KEYSTORE_DIR - Specifies the directory where the JGroups keystore resides. You do not need to set this environment variable if you are using a JBoss Data Grid for OpenShift template. The templates set this environment variable by default.
4. If required, set a password for nodes to use when joining the cluster with the JGROUPS_CLUSTER_PASSWORD environment variable.
5.2.2. Setting Up Asymmetric Encryption
To use asymmetric encryption, do the following:
1. Configure authentication with the JGROUPS_CLUSTER_PASSWORD environment variable.
2. Set the value of the JGROUPS_ENCRYPT_PROTOCOL environment variable to ASYM_ENCRYPT.
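A preflight check for the environment variable wiring in 5.1, 5.2.1 and 5.2.2, as an added example in Go (not part of JBoss Data Grid for OpenShift). It verifies that each *_SECRET names a secret linked to the service account, that *_KEYSTORE matches a data key of that secret (oc create secret generic --from-file uses the file name as the key), that *_KEYSTORE_DIR is set when no template sets it, and that ASYM_ENCRYPT is paired with JGROUPS_CLUSTER_PASSWORD. The function names and the secrets map passed in are assumptions.

```go
package main

import "fmt"

// CheckKeystoreEnv validates the keystore wiring for one variable prefix ("HTTPS_"
// for the client-to-server keystore, "JGROUPS_ENCRYPT_" for the JGroups keystore).
// secrets maps each linked secret's name to its data keys. usesTemplate reflects the
// page's note that the templates set the *_KEYSTORE_DIR variable themselves.
func CheckKeystoreEnv(env map[string]string, prefix string, secrets map[string][]string, usesTemplate bool) []string {
	var problems []string
	for _, v := range []string{"KEYSTORE", "SECRET", "NAME", "PASSWORD"} {
		if env[prefix+v] == "" {
			problems = append(problems, prefix+v+" is not set")
		}
	}
	if !usesTemplate && env[prefix+"KEYSTORE_DIR"] == "" {
		problems = append(problems, prefix+"KEYSTORE_DIR is not set and no template sets it")
	}
	keys, linked := secrets[env[prefix+"SECRET"]]
	if !linked {
		return append(problems, fmt.Sprintf("%sSECRET=%q is not linked to the service account", prefix, env[prefix+"SECRET"]))
	}
	// The keystore file name must match a data key of the linked secret; an empty
	// value was already reported above, so it is not reported twice.
	ks := env[prefix+"KEYSTORE"]
	matched := ks == ""
	for _, k := range keys {
		matched = matched || k == ks
	}
	if !matched {
		problems = append(problems, fmt.Sprintf("%sKEYSTORE=%q is not a data key of secret %q", prefix, ks, env[prefix+"SECRET"]))
	}
	return problems
}

// CheckJGroups applies the chapter's protocol rules: ASYM_ENCRYPT requires AUTH
// (JGROUPS_CLUSTER_PASSWORD); SYM_ENCRYPT, the default, requires the keystore wiring.
func CheckJGroups(env map[string]string, secrets map[string][]string, usesTemplate bool) []string {
	if env["JGROUPS_ENCRYPT_PROTOCOL"] == "ASYM_ENCRYPT" {
		if env["JGROUPS_CLUSTER_PASSWORD"] == "" {
			return []string{"ASYM_ENCRYPT requires JGROUPS_CLUSTER_PASSWORD (AUTH)"}
		}
		return nil
	}
	return CheckKeystoreEnv(env, "JGROUPS_ENCRYPT_", secrets, usesTemplate)
}
```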