Chapter 5. Configuring client certificate authentication
Add client trust stores to your project and configure Data Grid to allow connections only from clients that present valid certificates. This increases security of your deployment by ensuring that clients are trusted by a public certificate authority (CA).
5.1. Client certificate authentication
Client certificate authentication restricts in-bound connections based on the certificates that clients present.
You can configure Data Grid to use trust stores with either of the following strategies:
Validate
To validate client certificates, Data Grid requires a trust store that contains any part of the certificate chain for the signing authority, typically the root CA certificate. Any client that presents a certificate signed by the CA can connect to Data Grid.
If you use the Validate
strategy for verifying client certificates, you must also configure clients to provide valid Data Grid credentials if you enable authentication.
Authenticate
Requires a trust store that contains all public client certificates in addition to the root CA certificate. Only clients that present a signed certificate can connect to Data Grid.
If you use the Authenticate
strategy for verifying client certificates, you must ensure that certificates contain valid Data Grid credentials as part of the distinguished name (DN).
5.2. Enabling client certificate authentication
To enable client certificate authentication, you configure Data Grid to use trust stores with either the Validate
or Authenticate
strategy.
Procedure
Set either
Validate
orAuthenticate
as the value for thespec.security.endpointEncryption.clientCert
field in yourInfinispan
CR.NoteThe default value is
None
.Specify the secret that contains the client trust store with the
spec.security.endpointEncryption.clientCertSecretName
field.By default Data Grid Operator expects a trust store secret named
<cluster-name>-client-cert-secret
.NoteThe secret must be unique to each
Infinispan
CR instance in the OpenShift cluster. When you delete theInfinispan
CR, OpenShift also automatically deletes the associated secret.spec: security: endpointEncryption: type: Service certSecretName: tls-secret clientCert: Validate clientCertSecretName: example-infinispan-client-cert-secret
- Apply the changes.
Next steps
Provide Data Grid Operator with a trust store that contains all client certificates. Alternatively you can provide certificates in PEM format and let Data Grid generate a client trust store.
5.3. Providing client truststores
If you have a trust store that contains the required certificates you can make it available to Data Grid Operator.
Data Grid supports trust stores in PKCS12
format only.
Procedure
Specify the name of the secret that contains the client trust store as the value of the
metadata.name
field.NoteThe name must match the value of the
spec.security.endpointEncryption.clientCertSecretName
field.-
Provide the password for the trust store with the
stringData.truststore-password
field. Specify the trust store with the
data.truststore.p12
field.apiVersion: v1 kind: Secret metadata: name: example-infinispan-client-cert-secret type: Opaque stringData: truststore-password: changme data: truststore.p12: "<base64_encoded_PKCS12_trust_store>"
- Apply the changes.
5.4. Providing client certificates
Data Grid Operator can generate a trust store from certificates in PEM format.
Procedure
Specify the name of the secret that contains the client trust store as the value of the
metadata.name
field.NoteThe name must match the value of the
spec.security.endpointEncryption.clientCertSecretName
field.-
Specify the signing certificate, or CA certificate bundle, as the value of the
data.trust.ca
field. If you use the
Authenticate
strategy to verify client identities, add the certificate for each client that can connect to Data Grid endpoints with thedata.trust.cert.<name>
field.NoteData Grid Operator uses the
<name>
value as the alias for the certificate when it generates the trust store.Optionally provide a password for the trust store with the
stringData.truststore-password
field.If you do not provide one, Data Grid Operator sets "password" as the trust store password.
apiVersion: v1 kind: Secret metadata: name: example-infinispan-client-cert-secret type: Opaque stringData: truststore-password: changme data: trust.ca: "<base64_encoded_CA_certificate>" trust.cert.client1: "<base64_encoded_client_certificate>" trust.cert.client2: "<base64_encoded_client_certificate>"
- Apply the changes.