Red Hat SummitChapter 7. Securing Data Grid Connections
Secure client connections with authentication and encryption to prevent network intrusion and protect your data.
7.1. Configuring Authentication
Application users need credentials to access Data Grid clusters. You can use default, generated credentials or add your own.
7.1.1. Default Credentials
Data Grid Operator generates base64-encoded default credentials stored in an authentication secret named example-infinispan-generated-secret
| Username | Description |
|---|---|
|
| Default application user. |
|
| Internal user that interacts with Data Grid clusters. |
7.1.2. Retrieving Credentials
Get credentials from authentication secrets to access Data Grid clusters.
Procedure
Retrieve credentials from authentication secrets, as in the following example:
$ oc get secret example-infinispan-generated-secretBase64-decode credentials.
$ oc get secret example-infinispan-generated-secret \ -o jsonpath="{.data.identities\.yaml}" | base64 --decode credentials: - username: developer password: dIRs5cAAsHIeeRIL - username: operator password: uMBo9CmEdEduYk24
7.1.3. Adding Custom Credentials
Configure access to Data Grid cluster endpoints with custom credentials.
Procedure
Create an
identities.yamlfile with the credentials that you want to add.credentials: - username: testuser password: testpassword - username: operator password: supersecretoperatorpasswordImportantidentities.yamlmust include the operator user.Create an authentication secret from
identities.yaml.$ oc create secret generic --from-file=identities.yaml connect-secretSpecify the authentication secret with
spec.security.endpointSecretNamein yourInfinispanCR and then apply the changes.spec: ... security: endpointSecretName: connect-secret1 - 1
- Specifies the name of the authentication secret that contains your credentials.
Modifying spec.security.endpointSecretName triggers a cluster restart. You can watch the Data Grid cluster as Data Grid Operator applies changes:
$ oc get pods -w7.2. Configuring Encryption
Encrypt connections between clients and Data Grid nodes with Red Hat OpenShift service certificates or custom TLS certificates.
7.2.1. Encryption with Red Hat OpenShift Service Certificates
Data Grid Operator automatically generates TLS certificates that are signed by the Red Hat OpenShift service CA. Data Grid Operator then stores the certificates and keys in a secret so you can retrieve them and use with remote clients.
If the Red Hat OpenShift service CA is available, Data Grid Operator adds the following spec.security.endpointEncryption configuration to the Infinispan CR:
spec:
...
security:
endpointEncryption:
type: Service
certServiceName: service.beta.openshift.io
certSecretName: example-infinispan-cert-secret Service certificates use the internal DNS name of the Data Grid cluster as the common name (CN), for example:
Subject: CN = example-infinispan.mynamespace.svc
For this reason, service certificates can be fully trusted only inside OpenShift. If you want to encrypt connections with clients running outside OpenShift, you should use custom TLS certificates.
Service certificates are valid for one year and are automatically replaced before they expire.
7.2.2. Retrieving TLS Certificates
Get TLS certificates from encryption secrets to create client trust stores.
-
Retrieve
tls.crtfrom encryption secrets as follows:
$ oc get secret example-infinispan-cert-secret \
-o jsonpath='{.data.tls\.crt}' | base64 --decode > tls.crt7.2.3. Disabling Encryption
You can disable encryption so clients do not need TLS certificates to establish connections with Data Grid.
Data Grid does not recommend disabling encryption in production environments where endpoints are exposed outside the OpenShift cluster via spec.expose.type.
Procedure
Set
Noneas the value for thespec.security.endpointEncryption.typefield in yourInfinispanCR and then apply the changes.spec: ... security: endpointEncryption: type: None1 - 1
- Disables encryption for Data Grid endpoints.
7.2.4. Using Custom TLS Certificates
Use custom PKCS12 keystore or TLS certificate/key pairs to encrypt connections between clients and Data Grid clusters.
Prerequisites
- Create either a keystore or certificate secret. See:
- Certificate Secrets
- Keystore Secrets
Procedure
Add the encryption secret to your OpenShift namespace, for example:
$ oc apply -f tls_secret.yamlSpecify the encryption secret with
spec.security.endpointEncryptionin yourInfinispanCR and then apply the changes.spec: ... security: endpointEncryption:1 type: Secret2 certSecretName: tls-secret3
7.2.4.1. Certificate Secrets
apiVersion: v1
kind: Secret
metadata:
name: tls-secret
type: Opaque
data:
tls.key: "LS0tLS1CRUdJTiBQUk ..."
tls.crt: "LS0tLS1CRUdJTiBDRVl ..." 7.2.4.2. Keystore Secrets
apiVersion: v1
kind: Secret
metadata:
name: tls-secret
type: Opaque
stringData:
alias: server
password: password
data:
keystore.p12: "MIIKDgIBAzCCCdQGCSqGSIb3DQEHA..." 
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}