Chapter 5. Securing Network Traffic
Encrypt client to server and server to server traffic to secure network communication.
5.1. Encrypting Client to Server Communication
JBoss Data Grid for OpenShift uses JKS keystores that contain credentials and certificates to secure client-to-server traffic.
To encrypt client-to-server communication, do the following:
Create a JKS keystore (.jks) to encrypt traffic.
You can use OpenSSL and the Java keytool to generate a JKS keystore. When you generate a TLS certificate for the keystore, specify the domain name for the deployment, that is, the hostname of the HTTPS route that clients connect to, so that clients that verify hostnames accept the certificate.
Important: Production environments should always use TLS certificates signed by a verified certificate authority (CA).
Deploy the JKS keystore to OpenShift as a secret.
Log in as the developer user.
$ oc login -u developer
Create a secret for the JKS keystore. For example, to create a secret named jdg-https-secret from a keystore named jdg-https.jks, do the following:
$ oc create secret generic jdg-https-secret --from-file=jdg-https.jks
Link the secret to the service account for your deployment. For example, to link a secret named jdg-https-secret to the default service account, do the following:
$ oc secrets link default jdg-https-secret
Configure your deployment to use the JKS keystore with these environment variables:
HOSTNAME_HTTP - Specifies the HTTP service route for the deployment. Required only if you are using a JBoss Data Grid for OpenShift template.
HOSTNAME_HTTPS - Specifies the HTTPS service route for the deployment. Required only if you are using a JBoss Data Grid for OpenShift template.
HTTPS_SECRET - Matches the OpenShift secret for the keystore. Required only if you are using a JBoss Data Grid for OpenShift template.
HTTPS_KEYSTORE - Specifies the JKS keystore file for encrypting server-to-client traffic.
HTTPS_NAME - Matches the name (alias) of the server certificate entry in the keystore.
HTTPS_PASSWORD - Matches the keystore password.
HTTPS_KEYSTORE_DIR - Specifies the directory that contains the JKS keystore. You do not need to set this environment variable if you are using a JBoss Data Grid for OpenShift template. The templates set this environment variable by default.
Tip: Use the HOTROD_ENCRYPTION environment variable to configure the Hot Rod connector to use encryption. See Endpoint Configuration.
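The whole client-to-server procedure as one script, added here as an example and not taken from the Red Hat documentation or the JBoss Data Grid images. The route hostname, DeploymentConfig name, key alias and password are assumed values; the keytool and oc invocations use the real CLI syntax. The keystore it generates is self-signed and therefore development-only; for production, import a CA-signed certificate under the same alias instead of calling generate_keystore.

```shell
#!/bin/sh
# Added example (not from the Red Hat page): build a JKS keystore for the HTTPS
# route, upload it as an OpenShift secret, link it to the service account and
# set the template environment variables on the DeploymentConfig.
set -eu

ROUTE_HOST="${ROUTE_HOST:-datagrid-app-https-myproject.example.com}"  # assumed route hostname
KEYSTORE_FILE="${KEYSTORE_FILE:-jdg-https.jks}"
SECRET_NAME="jdg-https-secret"
KEY_ALIAS="jboss"                             # becomes HTTPS_NAME
KEYSTORE_PASS="${KEYSTORE_PASS:-changeit}"    # assumed; use a random value in real deployments
SERVICE_ACCOUNT="default"
DC_NAME="datagrid-app"                        # assumed DeploymentConfig name

# Development only: self-signed key pair whose Subject Alternative Name is the
# route hostname, so Hot Rod and REST clients that verify hostnames accept it.
# The key password equals the store password because HTTPS_PASSWORD is one value.
generate_keystore() {
  keytool -genkeypair -alias "$KEY_ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -storetype JKS -keystore "$KEYSTORE_FILE" \
    -storepass "$KEYSTORE_PASS" -keypass "$KEYSTORE_PASS" \
    -dname "CN=$ROUTE_HOST" -ext "SAN=dns:$ROUTE_HOST"
}

# Check before uploading: the alias must hold a private-key entry and the
# certificate's SAN must cover the route host. Returns 1 otherwise.
verify_keystore() {
  listing=$(keytool -list -v -storetype JKS -keystore "$KEYSTORE_FILE" \
            -storepass "$KEYSTORE_PASS" -alias "$KEY_ALIAS") || return 1
  printf '%s\n' "$listing" | grep -q 'Entry type: PrivateKeyEntry' || return 1
  printf '%s\n' "$listing" | grep -q "DNSName: $ROUTE_HOST"
}

# Variables the template reads, one per line so they can feed `oc set env`.
# HTTPS_KEYSTORE_DIR is left to the template default.
https_env_vars() {
  printf '%s\n' \
    "HOSTNAME_HTTPS=$ROUTE_HOST" \
    "HTTPS_SECRET=$SECRET_NAME" \
    "HTTPS_KEYSTORE=$KEYSTORE_FILE" \
    "HTTPS_NAME=$KEY_ALIAS" \
    "HTTPS_PASSWORD=$KEYSTORE_PASS"
}

# Upload the keystore as a generic secret, make it mountable by the service
# account, and set the variables on the deployment (a redeploy follows).
deploy_keystore() {
  oc create secret generic "$SECRET_NAME" --from-file="$KEYSTORE_FILE"
  oc secrets link "$SERVICE_ACCOUNT" "$SECRET_NAME"
  # shellcheck disable=SC2046  (one variable per word is intended)
  oc set env dc/"$DC_NAME" $(https_env_vars)
}

# Usage: ROUTE_HOST=<route host> KEYSTORE_PASS=<password> sh https-keystore.sh deploy
if [ "${1:-}" = "deploy" ]; then
  generate_keystore
  verify_keystore
  deploy_keystore
fi
```

verify_keystore is the step worth keeping even when the keystore comes from a CA: a keystore whose certificate does not name the route host passes the OpenShift steps without error and only fails later, when clients reject the handshake.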
5.2. Encrypting Traffic Between Clustered Servers
JBoss Data Grid for OpenShift uses JGroups to secure traffic between clustered servers with the following options:
- Authentication
Uses the JGroups AUTH protocol, which requires nodes to authenticate with a password when joining the cluster.
You configure authentication with the JGROUPS_CLUSTER_PASSWORD environment variable. This environment variable sets the password that nodes present when joining the cluster. The password must be the same across the cluster.
- Symmetric encryption
Uses the JGroups SYM_ENCRYPT protocol to secure traffic with a JGroups keystore (.jceks). This is the default encryption protocol.
The JGroups AUTH protocol is optional with symmetric encryption.
The JGroups keystore contains the shared secret key that every node in the cluster uses to encrypt and decrypt communication.
- Asymmetric encryption
Uses the JGroups ASYM_ENCRYPT protocol to secure traffic with public/private key encryption.
The JGroups AUTH protocol is required with asymmetric encryption. The coordinator node generates a secret key. When a node joins the cluster, it requests the secret key from the coordinator and provides its public key. The coordinator encrypts the secret key with the node's public key and returns it. The node then decrypts and installs the secret key so that it can communicate securely with the other nodes in the cluster. Without AUTH, any process that can reach the cluster could join and obtain the secret key in the same way.
5.2.1. Setting Up Symmetric Encryption
To use symmetric encryption, do the following:
Create a JGroups keystore (.jceks) that contains the credentials, that is, the shared secret key, used to encrypt traffic.
You can use the Java keytool to generate a JGroups keystore.
Deploy the JGroups keystore to OpenShift as a secret.
Log in as the developer user.
$ oc login -u developer
Create a secret for the JGroups keystore. For example, to create a secret named jgroups-secret from a keystore named jgroups.jceks, do the following:
$ oc create secret generic jgroups-secret --from-file=jgroups.jceks
Link the secret to the default service account.
$ oc secrets link default jgroups-secret
Configure your deployment to use the JGroups keystore with these environment variables:
JGROUPS_ENCRYPT_KEYSTORE - Specifies the JGroups keystore file for encrypting cluster traffic.
JGROUPS_ENCRYPT_SECRET - Matches the OpenShift secret for the keystore.
JGROUPS_ENCRYPT_NAME - Matches the name (alias) of the secret key entry in the keystore.
JGROUPS_ENCRYPT_PASSWORD - Matches the keystore password.
JGROUPS_ENCRYPT_KEYSTORE_DIR - Specifies the directory where the JGroups keystore resides. You do not need to set this environment variable if you are using a JBoss Data Grid for OpenShift template. The templates set this environment variable by default.
If required, set a password for nodes to use when joining the cluster with the JGROUPS_CLUSTER_PASSWORD environment variable.
5.2.2. Setting Up Asymmetric Encryption
To use asymmetric encryption, do the following:
- Configure authentication with the JGROUPS_CLUSTER_PASSWORD environment variable. Asymmetric encryption requires it.
- Set the value of the JGROUPS_ENCRYPT_PROTOCOL environment variable to ASYM_ENCRYPT.
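Both cluster-encryption procedures (5.2.1 and 5.2.2) as one script, added here as an example and not taken from the Red Hat documentation or the JBoss Data Grid images. The secret name, alias, passwords and DeploymentConfig name are assumed values, and setting JGROUPS_ENCRYPT_PROTOCOL=SYM_ENCRYPT explicitly is an assumption (the page states it is the default); the keytool and oc invocations use the real CLI syntax.

```shell
#!/bin/sh
# Added example (not from the Red Hat page): create the JGroups JCEKS keystore
# for SYM_ENCRYPT, upload it as a secret, and set the cluster-encryption
# variables for either symmetric or asymmetric mode.
set -eu

JG_KEYSTORE="${JG_KEYSTORE:-jgroups.jceks}"
JG_SECRET="jgroups-secret"
JG_ALIAS="jgroups"                                    # becomes JGROUPS_ENCRYPT_NAME
JG_PASS="${JG_PASS:-changeit}"                        # assumed; use a random value in real deployments
CLUSTER_PASS="${CLUSTER_PASS:-cluster-join-secret}"   # assumed JGROUPS_CLUSTER_PASSWORD value
DC_NAME="datagrid-app"                                # assumed DeploymentConfig name

# SYM_ENCRYPT needs a shared AES secret key, which only a JCEKS store can hold
# (a JKS store holds certificates and private keys, not SecretKey entries).
generate_jgroups_keystore() {
  keytool -genseckey -alias "$JG_ALIAS" -keyalg AES -keysize 128 \
    -storetype JCEKS -keystore "$JG_KEYSTORE" \
    -storepass "$JG_PASS" -keypass "$JG_PASS"
}

# Returns 1 unless the store has a SecretKeyEntry under the expected alias;
# a PrivateKeyEntry under that alias would make SYM_ENCRYPT fail at startup.
verify_jgroups_keystore() {
  keytool -list -storetype JCEKS -keystore "$JG_KEYSTORE" \
    -storepass "$JG_PASS" -alias "$JG_ALIAS" | grep -q 'SecretKeyEntry'
}

# Symmetric mode: every node reads the same key from the mounted secret.
# AUTH is optional here but set anyway, so a node cannot join without the
# password even if it somehow obtains a copy of the keystore.
sym_encrypt_env_vars() {
  printf '%s\n' \
    "JGROUPS_ENCRYPT_PROTOCOL=SYM_ENCRYPT" \
    "JGROUPS_ENCRYPT_SECRET=$JG_SECRET" \
    "JGROUPS_ENCRYPT_KEYSTORE=$JG_KEYSTORE" \
    "JGROUPS_ENCRYPT_NAME=$JG_ALIAS" \
    "JGROUPS_ENCRYPT_PASSWORD=$JG_PASS" \
    "JGROUPS_CLUSTER_PASSWORD=$CLUSTER_PASS"
}

# Asymmetric mode: no keystore. The coordinator hands the secret key to each
# joiner encrypted under the joiner's public key, so AUTH is mandatory; without
# it a rogue node could join and simply ask for the key.
asym_encrypt_env_vars() {
  printf '%s\n' \
    "JGROUPS_ENCRYPT_PROTOCOL=ASYM_ENCRYPT" \
    "JGROUPS_CLUSTER_PASSWORD=$CLUSTER_PASS"
}

deploy_sym() {
  oc create secret generic "$JG_SECRET" --from-file="$JG_KEYSTORE"
  oc secrets link default "$JG_SECRET"
  # shellcheck disable=SC2046  (one variable per word is intended)
  oc set env dc/"$DC_NAME" $(sym_encrypt_env_vars)
}

deploy_asym() {
  # shellcheck disable=SC2046
  oc set env dc/"$DC_NAME" $(asym_encrypt_env_vars)
}

# Usage: sh jgroups-encrypt.sh sym   |   sh jgroups-encrypt.sh asym
case "${1:-}" in
  sym)  generate_jgroups_keystore; verify_jgroups_keystore; deploy_sym ;;
  asym) deploy_asym ;;
esac
```

Use the sym path when you want the key material to stay under your control (rotate it by replacing the secret and redeploying); use asym when you would rather not distribute a keystore at all, accepting that cluster membership is then guarded only by JGROUPS_CLUSTER_PASSWORD.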