
Chapter 5. Encrypting Data Grid Server Connections


You can secure Data Grid Server connections using SSL/TLS encryption by configuring a keystore that contains public and private keys for Data Grid. You can also configure client certificate authentication if you require mutual TLS.

5.1. Configuring Data Grid Server Keystores

Add keystores to Data Grid Server and configure it to present SSL/TLS certificates that verify its identity to clients. If a security realm contains TLS/SSL identities, it encrypts any connections to Data Grid Server endpoints that use that security realm.

Prerequisites

  • Create a keystore that contains certificates, or certificate chains, for Data Grid Server.

Data Grid Server supports the following keystore formats: JKS, JCEKS, PKCS12, BKS, BCFKS, and UBER.

Important

In production environments, server certificates should be signed by a trusted Certificate Authority, either a root or an intermediate CA. If an intermediate CA signs the certificate, include the full chain in the keystore so that clients can build a path to the root they trust.

Procedure

  1. Add the keystore that contains SSL/TLS identities for Data Grid Server to the $RHDG_HOME/server/conf directory.
  2. Add a server-identities definition to the Data Grid Server security realm.
  3. Specify the keystore file name with the path attribute.
  4. Provide the keystore password and certificate alias with the keystore-password and alias attributes.

Data Grid Server keystore configuration

<security xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="urn:infinispan:server:12.1 https://infinispan.org/schemas/infinispan-server-12.1.xsd"
          xmlns="urn:infinispan:server:12.1">
   <security-realms>
      <security-realm name="default">
         <server-identities>
            <ssl>
               <!-- Adds a keystore that contains server certificates
                    that provide SSL/TLS identities to clients. -->
               <keystore path="server.pfx"
                         relative-to="infinispan.server.config.path"
                         keystore-password="secret"
                         alias="rhdg-server"/>
            </ssl>
         </server-identities>
      </security-realm>
   </security-realms>
</security>

Next steps

Configure clients with a trust store so they can verify SSL/TLS identities for Data Grid Server.

5.1.1. Automatically Generating Keystores

Configure Data Grid Server to generate a keystore with a self-signed certificate automatically when one is needed, instead of supplying one yourself.

Important

Automatically generated keystores:

  • Should not be used in production environments.
  • Are generated when first needed, for example when the server receives its first client connection.
  • Contain a self-signed certificate that Hot Rod clients can trust directly, for example during local development.

Procedure

  1. Add the generate-self-signed-certificate-host attribute to the keystore element in the server configuration.
  2. Set its value to the hostname to embed in the self-signed certificate, which should be the name clients use to connect.

SSL server identity with a generated keystore

<security xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="urn:infinispan:server:12.1 https://infinispan.org/schemas/infinispan-server-12.1.xsd"
          xmlns="urn:infinispan:server:12.1">
   <security-realms>
      <security-realm name="default">
         <server-identities>
            <ssl>
               <!-- Generates a keystore that includes a self-signed certificate with the specified hostname. -->
               <keystore path="server.p12"
                         relative-to="infinispan.server.config.path"
                         keystore-password="secret"
                         alias="server"
                         generate-self-signed-certificate-host="localhost"/>
            </ssl>
         </server-identities>
      </security-realm>
   </security-realms>
</security>

5.1.2. Configuring TLS versions and cipher suites

When using SSL/TLS encryption to secure your deployment, you can configure Data Grid Server to use specific versions of the TLS protocol as well as specific cipher suites within the protocol.

Procedure

  1. Add the engine element to the SSL configuration for Data Grid Server.
  2. Configure Data Grid to use one or more TLS versions with the enabled-protocols attribute.

    Data Grid Server enables TLS versions 1.2 and 1.3 by default. If all of your clients support it, you can restrict client connections to TLSv1.3 only. Enabling TLSv1.1 is not recommended: it is an older protocol with limited support and weak security. Never enable any version older than TLSv1.1.

    Warning

    If you modify the SSL engine configuration for Data Grid Server you must explicitly configure TLS versions with the enabled-protocols attribute. Omitting the enabled-protocols attribute allows any TLS version.

    <engine enabled-protocols="TLSv1.3 TLSv1.2" />
  3. Configure Data Grid to use one or more cipher suites with the enabled-ciphersuites attribute.

    Make sure that the cipher suites you enable support any protocol features you plan to use. For example, HTTP/2, which is negotiated through ALPN, rejects a number of TLS 1.2 cipher suites, so enabling only those suites breaks HTTP/2 connections.

SSL engine configuration

<security xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="urn:infinispan:server:12.1 https://infinispan.org/schemas/infinispan-server-12.1.xsd"
          xmlns="urn:infinispan:server:12.1">
   <security-realms>
      <security-realm name="default">
         <server-identities>
            <ssl>
               <keystore path="server.p12"
                         relative-to="infinispan.server.config.path"
                         keystore-password="secret" alias="server"/>
               <!-- Configures Data Grid Server to use specific TLS versions and cipher suites. -->
               <engine enabled-protocols="TLSv1.3"
                       enabled-ciphersuites="TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_8_SHA256"/>
            </ssl>
         </server-identities>
      </security-realm>
   </security-realms>
</security>
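The engine configuration above can be checked from the client side. The following script is an added example for this section and is not part of the Data Grid documentation or product: it attempts a handshake with each TLS version against a host and port given on the command line (an optional third argument is a PEM CA file for verifying the server certificate, which also exercises the keystore identity from Section 5.1) and reports what was negotiated. A modern OpenSSL may itself refuse to offer TLS 1.0 or 1.1, so a failed probe for those versions shows only that they cannot be negotiated from this client, not necessarily that the server rejects them.

```python
"""Confirm from the client side which TLS versions a Data Grid Server endpoint
negotiates once <engine enabled-protocols=.../> is set.

Added example, not part of the Data Grid documentation or product. Uses only
the standard library ssl module (Python 3.7+). Host, port and an optional PEM
CA file are taken from the command line when run directly."""
import socket
import ssl
import sys

VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]


def build_context(version, cafile=None):
    """Client context pinned to exactly one protocol version.

    With cafile the server chain is verified against that trust store, as a
    real client does. Without it verification is off, which is acceptable for
    a version probe on a test network and never for a production client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe(host, port, version, cafile=None, timeout=5.0):
    """Attempt one handshake; return (negotiated protocol, cipher name), or
    None when the local OpenSSL cannot offer the version (ValueError), the
    connection fails, or the server rejects the handshake (OSError covers
    both ssl.SSLError and socket errors)."""
    try:
        ctx = build_context(version, cafile)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ValueError, OSError):
        return None


def accepted_versions(host, port, cafile=None, timeout=5.0):
    """Names of the versions the server completes a handshake with."""
    return [name for name, v in VERSIONS if probe(host, port, v, cafile, timeout)]


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    for name, version in VERSIONS:
        result = probe(host, port, version, cafile)
        print("%-8s %s" % (name, "accepted, %s with %s" % result if result else "rejected"))
```

Run it as `python tls_probe.py grid.example.com 11222 ca.pem` (hostname, port and file name are placeholders). Pinning both minimum_version and maximum_version makes each attempt a clean test of a single version, so with the TLSv1.3-only engine above only the last line should report accepted.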

5.2. Configuring Client Certificate Authentication

Configure Data Grid Server to use mutual TLS to secure client connections.

You can configure Data Grid to verify client identities from certificates in a trust store in two ways:

  • Require a trust store that contains only the signing certificate, which is typically a Certificate Authority (CA). Any client that presents a certificate signed by the CA can connect to Data Grid.
  • Require a trust store that contains all client certificates in addition to the signing certificate. Only clients that present a signed certificate that is present in the trust store can connect to Data Grid.

Tip

Instead of providing a trust store, you can use the shared system certificates.

Prerequisites

  • Create a trust store that contains either the CA certificate or the public certificates of all clients.
  • Create a keystore for Data Grid Server and configure an SSL/TLS identity.

Procedure

  1. Add the require-ssl-client-auth="true" attribute to your endpoints configuration.
  2. Add the client trust store to the $RHDG_HOME/server/conf directory.
  3. Specify the path and password attributes for the truststore element in the Data Grid Server security realm configuration.
  4. Add the <truststore-realm/> element to the security realm if you want Data Grid Server to authenticate each client certificate.

Data Grid Server trust store realm configuration

<security xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="urn:infinispan:server:12.1 https://infinispan.org/schemas/infinispan-server-12.1.xsd"
          xmlns="urn:infinispan:server:12.1">
   <security-realms>
      <security-realm name="default">
         <server-identities>
            <ssl>
               <!-- Provides an SSL/TLS identity with a keystore that
                    contains server certificates. -->
               <keystore path="server.p12"
                         relative-to="infinispan.server.config.path"
                         keystore-password="secret"
                         alias="server"/>
               <!-- Configures a trust store that contains client certificates
                    or part of a certificate chain. -->
               <truststore path="trust.p12"
                           relative-to="infinispan.server.config.path"
                           password="secret"/>
            </ssl>
         </server-identities>
         <!-- Authenticates client certificates against the trust store.
              If you configure this, the trust store must contain
              the public certificates for all clients. -->
         <truststore-realm/>
      </security-realm>
   </security-realms>
</security>
<!-- Configures Data Grid Server to require client certificates
     with the "require-ssl-client-auth" attribute. -->
<endpoints xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="urn:infinispan:server:12.1 https://infinispan.org/schemas/infinispan-server-12.1.xsd"
           xmlns="urn:infinispan:server:12.1"
           socket-binding="default"
           security-realm="default"
           require-ssl-client-auth="true">
   <hotrod-connector>
     <!-- Configures the Hot Rod endpoint for client certificate authentication. -->
     <authentication>
       <sasl mechanisms="EXTERNAL"
             server-name="infinispan"
             qop="auth"/>
     </authentication>
   </hotrod-connector>
   <rest-connector>
      <!-- Configures the REST endpoint for client certificate authentication. -->
      <authentication mechanisms="CLIENT_CERT"/>
   </rest-connector>
</endpoints>
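A single omission, such as a missing trust store, an engine element without enabled-protocols, or a generate-self-signed-certificate-host attribute left over from testing, silently weakens this configuration, so it is worth checking the server XML before deployment. The script below is an added example covering Sections 5.1, 5.1.1, 5.1.2 and 5.2 and is not Data Grid tooling: it parses a <server> document with the standard library and reports findings. The two sample configurations embedded in it are constructed for illustration and are not taken from a real deployment.

```python
"""Static audit of a Data Grid Server 12.1 configuration for the settings in
Sections 5.1, 5.1.1, 5.1.2 and 5.2. Added example, not Data Grid tooling: it
reads <security> and <endpoints> with the standard library and reports the
issues a reviewer would raise before a production rollout. The two sample
configurations at the bottom are constructed for illustration."""
import xml.etree.ElementTree as ET

NS = "urn:infinispan:server:12.1"
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
# The cipher suites defined for TLS 1.3; TLS 1.2 suite names never apply to it.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
                "TLS_AES_128_CCM_8_SHA256"}


def q(*tags):
    """Build an ElementTree path of namespace-qualified tags."""
    return "/".join("{%s}%s" % (NS, t) for t in tags)


def audit_realm(realm):
    """Findings (severity, message) for one <security-realm>."""
    name, out = realm.get("name"), []
    ssl = realm.find(q("server-identities", "ssl"))
    if ssl is None:
        return [("info", "realm %s: no SSL identity, endpoints using it are not encrypted" % name)]
    keystore = ssl.find(q("keystore"))
    if keystore is None:
        out.append(("high", "realm %s: <ssl> has no <keystore>, the server has no TLS identity" % name))
    elif keystore.get("generate-self-signed-certificate-host"):
        out.append(("high", "realm %s: self-signed keystore generation is enabled, not for production" % name))
    engine = ssl.find(q("engine"))
    if engine is None:
        return out  # no <engine>: the server defaults (TLSv1.2 and TLSv1.3) apply
    protocols = set((engine.get("enabled-protocols") or "").split())
    if not protocols:
        out.append(("medium", "realm %s: <engine> without enabled-protocols allows any TLS version" % name))
    weak = sorted(protocols & WEAK_PROTOCOLS)
    if weak:
        out.append(("high", "realm %s: weak protocols enabled: %s" % (name, " ".join(weak))))
    suites = set((engine.get("enabled-ciphersuites") or "").split())
    if protocols == {"TLSv1.3"} and suites - TLS13_SUITES:
        out.append(("medium", "realm %s: TLSv1.3 only, but these are not TLS 1.3 suites: %s"
                    % (name, " ".join(sorted(suites - TLS13_SUITES)))))
    return out


def audit_endpoints(endpoints, realms):
    """Findings for one <endpoints> element against the realm it references."""
    out, realm_name = [], endpoints.get("security-realm")
    realm = realms.get(realm_name)
    if realm is None:
        return [("high", "endpoints: security-realm %r is not defined" % realm_name)]
    truststore = realm.find(q("server-identities", "ssl", "truststore"))
    if endpoints.get("require-ssl-client-auth") == "true" and truststore is None:
        out.append(("high", "endpoints: require-ssl-client-auth is true but realm %s has no <truststore>" % realm_name))
    if truststore is not None and realm.find(q("truststore-realm")) is None:
        # The trust store alone validates the chain, so any certificate issued by a trusted
        # CA is accepted; <truststore-realm/> requires each client certificate to be present.
        out.append(("info", "realm %s: no <truststore-realm/>, any certificate issued by a trusted CA is accepted" % realm_name))
    return out


def audit_config(xml_text):
    """Parse a <server> document and return all findings in document order."""
    root = ET.fromstring(xml_text)
    realms = {r.get("name"): r for r in root.iter(q("security-realm"))}
    findings = [f for realm in realms.values() for f in audit_realm(realm)]
    for endpoints in root.iter(q("endpoints")):
        findings.extend(audit_endpoints(endpoints, realms))
    return findings


# Constructed sample: self-signed generation, TLSv1.1 enabled, client auth without a trust store.
WEAK_CONFIG = """<server xmlns="urn:infinispan:server:12.1">
  <security><security-realms><security-realm name="default">
    <server-identities><ssl>
      <keystore path="server.p12" relative-to="infinispan.server.config.path"
                keystore-password="secret" alias="server" generate-self-signed-certificate-host="localhost"/>
      <engine enabled-protocols="TLSv1.1 TLSv1.2"/>
    </ssl></server-identities>
  </security-realm></security-realms></security>
  <endpoints socket-binding="default" security-realm="default" require-ssl-client-auth="true">
    <hotrod-connector/><rest-connector/>
  </endpoints>
</server>"""

# Constructed sample: CA-signed keystore, TLSv1.3 only, trust store plus <truststore-realm/>.
HARDENED_CONFIG = """<server xmlns="urn:infinispan:server:12.1">
  <security><security-realms><security-realm name="default">
    <server-identities><ssl>
      <keystore path="server.p12" relative-to="infinispan.server.config.path" keystore-password="secret" alias="server"/>
      <truststore path="trust.p12" relative-to="infinispan.server.config.path" password="secret"/>
      <engine enabled-protocols="TLSv1.3" enabled-ciphersuites="TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256"/>
    </ssl></server-identities>
    <truststore-realm/>
  </security-realm></security-realms></security>
  <endpoints socket-binding="default" security-realm="default" require-ssl-client-auth="true">
    <hotrod-connector/><rest-connector/>
  </endpoints>
</server>"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg) or "no findings")
```

The "info" finding about a missing truststore-realm is deliberate: a trust store that holds only the CA certificate is the first of the two modes described above and is often what you want, but the audit makes the choice visible rather than assuming it.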

Next steps

  • Set up authorization with client certificates in the Data Grid Server configuration if you control access with security roles and permissions.
  • Configure clients to negotiate SSL/TLS connections with Data Grid Server.

5.3. Configuring Authorization with Client Certificates

With client certificate authentication, clients do not present Data Grid user credentials, so roles cannot be mapped to user names. Instead, you associate roles with the Common Name (CN) field of the client certificates.

Prerequisites

  • Provide each client with a Java keystore that contains its certificate and private key, signed by a CA whose certificate, or the relevant part of the chain, is in the server trust store.
  • Configure Data Grid Server to perform client certificate authentication.

Procedure

  1. Enable the common-name-role-mapper in the security authorization configuration.
  2. Declare a role whose name matches the Common Name (CN) in the client certificate and give it the appropriate permissions.

    <cache-container name="certificate-authentication" statistics="true">
       <security>
         <authorization>
           <!-- Declare a role mapper that associates the common name (CN) field
                in client certificates with authorization roles. -->
           <common-name-role-mapper/>
           <!-- In this example, if a client certificate contains `CN=Client1` then
                clients with matching certificates get ALL permissions. -->
           <role name="Client1" permissions="ALL"/>
         </authorization>
       </security>
    </cache-container>
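The mapper looks at one field only: the CN of the certificate subject becomes the role name, and the rest of the subject is ignored. The following script is an added example, not Infinispan code, that makes this concrete: a small RFC 4514 subject DN parser (handling escaped commas and legacy quoted values), the CN-to-role lookup, and a permission check against roles declared as in the authorization block above. The role names, subject DNs and the READ and WRITE permissions it uses are constructed for illustration.

```python
"""How common-name-role-mapper grants roles: the CN attribute of the client
certificate subject is taken as the role name, and every other part of the
subject is ignored.

Added example, not Infinispan code: a small RFC 4514 subject DN parser, the
CN-to-role lookup, and a permission check. Roles, DNs and the READ/WRITE
permissions below are constructed for illustration."""


def parse_dn(dn):
    """Split 'CN=Client1,OU=dev,O=Example' into [('CN', 'Client1'), ...].
    Handles backslash escapes and legacy quoted values; multi-valued RDNs
    joined with '+' are left as a single value."""
    rdns, buf, quoted, escaped = [], [], False, False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        key, sep, value = rdn.partition("=")
        if sep:
            pairs.append((key.strip().upper(), value.strip()))
    return pairs


def common_name(subject):
    """Return the first CN attribute of the subject, or None if absent."""
    for key, value in parse_dn(subject):
        if key == "CN":
            return value
    return None


# Roles as declared with <role name=... permissions=.../>; ALL is a wildcard.
ROLES = {"Client1": {"ALL"}, "reporting": {"READ"}}


def roles_for(subject, roles=ROLES):
    """Roles the mapper grants to a certificate subject: the CN is the role
    name, and a CN that matches no declared role grants nothing."""
    cn = common_name(subject)
    return {cn} if cn in roles else set()


def permitted(subject, permission, roles=ROLES):
    """True if any granted role carries the permission (or ALL)."""
    return any("ALL" in roles[r] or permission in roles[r] for r in roles_for(subject, roles))


if __name__ == "__main__":
    # Only the CN counts: a certificate from another organization with the same
    # CN gets the same role, so which certificates reach the mapper at all is
    # decided entirely by the trust store configured in Section 5.2.
    for subject in ("CN=Client1,OU=dev,O=Example",
                    "CN=Client1,O=Some Other Org",
                    r"CN=Smith\, John,OU=ops,O=Example",
                    "CN=reporting,O=Example"):
        print(subject, "->", sorted(roles_for(subject)),
              "WRITE" if permitted(subject, "WRITE") else "no WRITE")
```

The second subject in the demonstration is the point to remember: because the organization and unit play no part in the mapping, a trust store that contains only a CA you control (or an explicit list of client certificates with truststore-realm) is what keeps a same-CN certificate from another issuer out.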

© 2025 Red Hat