Chapter 3. Configuring Authentication and Encryption
You need to configure authentication and encryption only if you are using a custom template or want to use your own keystores with the Data Grid deployment configuration templates.
3.1. Adding Keystores to Secrets
To configure authentication and encryption:
1. Create a keystore (.jks) with a trusted certificate. Both the HTTPS and Hot Rod services can use the same keystore, or you can create separate keystores.
2. Add the keystore to OpenShift as a secret.
   a. Create the secret. For example, to create a secret named rhdg-https-secret from a keystore file named rhdg-https.jks:
      $ oc create secret generic rhdg-https-secret \
          --from-file=rhdg-https.jks
      The file name becomes the key in the secret, and the pod mounts the keystore under that name, so pass the same name later as the HTTPS_KEYSTORE parameter.
   b. Link the secret to the default service account so that pods can mount it:
      $ oc secrets link default rhdg-https-secret
3.2. Configuring Deployments
Instantiate one of the secure templates with the following parameters:
- Set the HTTP and HTTPS hostnames:
  HOSTNAME_HTTP=my.example.hostname
  HOSTNAME_HTTPS=secure-my.example.hostname
- Specify the name of the keystore file, exactly as it is stored in the secret:
  HTTPS_KEYSTORE=rhdg-https.jks
- Specify the directory where the secret is mounted in the pod:
  HTTPS_KEYSTORE_DIR=/etc/datagrid-secret-volume
- Specify the name of the secret:
  HTTPS_SECRET=rhdg-https-secret
- Specify the credentials for the keystore:
  HTTPS_NAME=${USERNAME}
  HTTPS_PASSWORD=${PASSWORD}
- Set the HTTP security domain for the user:
  REST_SECURITY_DOMAIN=SecurityRealm
- Enforce client certificate authentication:
  ENCRYPTION_REQUIRE_SSL_CLIENT_AUTH=true
- Enable authentication and encryption for the Hot Rod protocol:
  HOTROD_AUTHENTICATION=true

Note: The template automatically sets HOTROD_ENCRYPTION=true if you set a value for HOSTNAME_HTTPS.

Template parameters are written into the deployment configuration as environment variables, so anyone who can read the deployment configuration can read HTTPS_PASSWORD. Restrict read access to the project with RBAC accordingly.
3.3. Setting Unique Keystores for the Hot Rod Protocol
To use a separate keystore for the Hot Rod protocol:
- Specify the path to the keystore:
  SSL_KEYSTORE_PATH=hr_keystore.jks
- Specify the keystore password:
  SSL_KEYSTORE_PASSWORD=${PASSWORD}

If necessary, also do the following:
- Set the path that the keystore path is relative to:
  SSL_KEYSTORE_RELATIVE_TO=path/to/keystore/
- Specify the private key password, if it differs from the keystore password:
  SSL_KEY_PASSWORD=${PASSWORD}
- Set the alias to use if the keystore contains multiple entries:
  SSL_KEYSTORE_ALIAS=cert_alias
- Specify authorization credentials if you have not already done so:
  USERNAME=${USERNAME}
  PASSWORD=${PASSWORD}

Note: The Hot Rod endpoint always uses the ApplicationRealm to authorize users. If you want to use separate keystores for the Hot Rod and REST endpoints, you must set credentials with the USERNAME and PASSWORD parameters. The templates then configure the REST endpoint to use the jdg-openshift security realm, and in this case the REST_SECURITY_DOMAIN environment variable does not take effect.
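The following script is an added example and is not code from the Data Grid documentation or its templates. It ties sections 3.1 to 3.3 together in the shell the procedure is typed into: it derives the key that `oc create secret generic --from-file` will store the keystore under, refuses to continue if the HTTPS_KEYSTORE parameter does not match that key or the keystore password is empty, builds the `oc new-app` parameter list (with the optional separate Hot Rod keystore from 3.3), and only then creates the secret, links it to the default service account and instantiates the template. The template name `datagrid-https`, the variables TEMPLATE, KEYSTORE_DIR, DATAGRID_DEPLOY, DG_NAME and DG_PASSWORD, and the helper functions secret_key_for, check_keystore_param, check_password, template_params and deploy are all assumptions of this example, not names from the page.

```shell
#!/bin/sh
# Added example for this chapter; not code from the Data Grid documentation
# or its templates. Drives the keystore -> secret -> template procedure from
# 3.1 to 3.3 and checks the parameters against the secret before calling oc.
# Assumptions not stated on the page: the template name (TEMPLATE), oc and
# keytool on PATH when deploying, and the secret mounted at HTTPS_KEYSTORE_DIR.

TEMPLATE=${TEMPLATE:-datagrid-https}               # assumed template name
KEYSTORE_DIR=${KEYSTORE_DIR:-/etc/datagrid-secret-volume}

# Key under which `oc create secret generic --from-file=<arg>` stores a file:
# "<key>=<path>" uses <key>, a bare path uses its basename.
secret_key_for() {
    case "$1" in
        *=*) printf '%s\n' "${1%%=*}" ;;
        *)   basename "$1" ;;
    esac
}

# HTTPS_KEYSTORE must equal that key: the secret volume names the file by its
# key and the server opens HTTPS_KEYSTORE_DIR/HTTPS_KEYSTORE.
check_keystore_param() {
    key=$(secret_key_for "$1")
    [ "$key" = "$2" ] && return 0
    echo "HTTPS_KEYSTORE=$2 does not match secret key $key" >&2
    return 1
}

# The template passes the password through unchanged, so refuse an empty one.
check_password() {
    [ -n "$1" ] && return 0
    echo "keystore password is empty" >&2
    return 1
}

# Print the -p arguments for `oc new-app`:
#   template_params SECRET KEYSTORE HOST NAME PASSWORD [HR_KEYSTORE HR_PASSWORD]
# HOTROD_ENCRYPTION is left out because the template sets it from
# HOSTNAME_HTTPS. Values must not contain whitespace (they are word-split).
template_params() {
    printf '%s ' "-p HOSTNAME_HTTP=$3" "-p HOSTNAME_HTTPS=secure-$3"
    printf '%s ' "-p HTTPS_SECRET=$1" "-p HTTPS_KEYSTORE_DIR=$KEYSTORE_DIR"
    printf '%s ' "-p HTTPS_KEYSTORE=$2" "-p HTTPS_NAME=$4" "-p HTTPS_PASSWORD=$5"
    printf '%s ' "-p REST_SECURITY_DOMAIN=SecurityRealm"
    printf '%s ' "-p ENCRYPTION_REQUIRE_SSL_CLIENT_AUTH=true"
    printf '%s ' "-p HOTROD_AUTHENTICATION=true"
    if [ -n "${6:-}" ]; then
        # Separate Hot Rod keystore (3.3): REST then uses the jdg-openshift
        # realm, so USERNAME/PASSWORD are mandatory. The page reuses the same
        # values for both, so this example does too.
        printf '%s ' "-p SSL_KEYSTORE_PATH=$6" "-p SSL_KEYSTORE_PASSWORD=$7"
        printf '%s ' "-p USERNAME=$4" "-p PASSWORD=$5"
    fi
    echo
}

# Whole procedure: deploy SECRET FROM_FILE HTTPS_KEYSTORE HOST NAME PASSWORD
deploy() {
    check_keystore_param "$2" "$3" || return 1
    check_password "$6" || return 1
    file=${2#*=}
    if [ ! -f "$file" ]; then
        # Lab-only self-signed keystore; use a CA-issued certificate in production.
        keytool -genkeypair -keystore "$file" -storetype JKS -alias "$5" \
            -storepass "$6" -keypass "$6" -dname "CN=$4" \
            -keyalg RSA -keysize 2048 -validity 365 || return 1
    fi
    oc create secret generic "$1" --from-file="$2" || return 1
    oc secrets link default "$1" || return 1
    # word-splitting of the parameter list is intentional here
    oc new-app "$TEMPLATE" $(template_params "$1" "$3" "$4" "$5" "$6")
}

# Runs only when explicitly requested, so sourcing the file is side-effect free.
if [ "${DATAGRID_DEPLOY:-0}" = 1 ]; then
    deploy rhdg-https-secret rhdg-https.jks rhdg-https.jks my.example.hostname \
        "${DG_NAME:?set DG_NAME}" "${DG_PASSWORD:?set DG_PASSWORD}"
fi
```

Run it against a project you are logged into with `DATAGRID_DEPLOY=1 DG_NAME=... DG_PASSWORD=... sh deploy.sh`; without DATAGRID_DEPLOY=1 it only defines the functions, so you can source it and call check_keystore_param against an existing secret before touching the cluster. The mismatch it catches is the one between a secret created from rhdg-https.jks and a template instantiated with HTTPS_KEYSTORE=keystore.jks, which leaves the server unable to open its keystore at start-up.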