
Chapter 9. Configuring client certificate authentication

Add client trust stores to your project and configure Data Grid to allow connections only from clients that present valid certificates. This increases the security of your deployment by ensuring that clients are trusted by a public certificate authority (CA).

9.1. Client certificate authentication

Client certificate authentication restricts in-bound connections based on the certificates that clients present.

You can configure Data Grid to use trust stores with either of the following strategies:

Validate

To validate client certificates, Data Grid requires a trust store that contains any part of the certificate chain for the signing authority, typically the root CA certificate. Any client that presents a certificate signed by the CA can connect to Data Grid.

If you use the Validate strategy for verifying client certificates, you must also configure clients to provide valid Data Grid credentials if you enable authentication.

Authenticate

To authenticate client certificates, Data Grid requires a trust store that contains all public client certificates in addition to the root CA certificate. Only clients that present a signed certificate can connect to Data Grid.

If you use the Authenticate strategy for verifying client certificates, you must ensure that certificates contain valid Data Grid credentials as part of the distinguished name (DN).

9.2. Enabling client certificate authentication

To enable client certificate authentication, you configure Data Grid to use trust stores with either the Validate or Authenticate strategy.

Procedure

  1. Set either Validate or Authenticate as the value for the spec.security.endpointEncryption.clientCert field in your Infinispan CR.

    Note

    The default value is None.

  2. Specify the secret that contains the client trust store with the spec.security.endpointEncryption.clientCertSecretName field.

    By default, Data Grid Operator expects a trust store secret named <cluster-name>-client-cert-secret.

    Note

    The secret must be unique to each Infinispan CR instance in the OpenShift cluster. When you delete the Infinispan CR, OpenShift also automatically deletes the associated secret.

    spec:
      security:
        endpointEncryption:
          type: Secret
          certSecretName: tls-secret
          clientCert: Validate
          clientCertSecretName: infinispan-client-cert-secret
  3. Apply the changes.

Next steps

Provide Data Grid Operator with a trust store that contains all client certificates. Alternatively, you can provide certificates in PEM format and let Data Grid Operator generate a client trust store.

9.3. Providing client truststores

If you have a trust store that contains the required certificates, you can make it available to Data Grid Operator.

Data Grid supports trust stores in PKCS12 format only.

Procedure

  1. Specify the name of the secret that contains the client trust store as the value of the metadata.name field.

    Note

    The name must match the value of the spec.security.endpointEncryption.clientCertSecretName field.

  2. Provide the password for the trust store with the stringData.truststore-password field.
  3. Specify the trust store with the data.truststore.p12 field.

    apiVersion: v1
    kind: Secret
    metadata:
      name: infinispan-client-cert-secret
    type: Opaque
    stringData:
      truststore-password: changeme
    data:
      truststore.p12: "<base64_encoded_PKCS12_trust_store>"
  4. Apply the changes.

9.4. Providing client certificates

Data Grid Operator can generate a trust store from certificates in PEM format.

Procedure

  1. Specify the name of the secret that contains the client trust store as the value of the metadata.name field.

    Note

    The name must match the value of the spec.security.endpointEncryption.clientCertSecretName field.

  2. Specify the signing certificate, or CA certificate bundle, as the value of the data.trust.ca field.
  3. If you use the Authenticate strategy to verify client identities, add the certificate for each client that can connect to Data Grid endpoints with the data.trust.cert.<name> field.

    Note

    Data Grid Operator uses the <name> value as the alias for the certificate when it generates the trust store.

  4. Optionally, provide a password for the trust store with the stringData.truststore-password field.

    If you do not provide one, Data Grid Operator sets "password" as the trust store password.

    apiVersion: v1
    kind: Secret
    metadata:
      name: infinispan-client-cert-secret
    type: Opaque
    stringData:
      truststore-password: changeme
    data:
      trust.ca: "<base64_encoded_CA_certificate>"
      trust.cert.client1: "<base64_encoded_client_certificate>"
      trust.cert.client2: "<base64_encoded_client_certificate>"
  5. Apply the changes.
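The following added example builds the client trust-store Secret for either section 9.3 (a ready-made PKCS12 store) or section 9.4 (PEM certificates that Data Grid Operator turns into a store), using only the field names this chapter documents and checking the points a reviewer would want checked before applying: the Authenticate strategy gets at least one trust.cert.<name> entry, aliases are valid Secret data keys, and no private key is ever placed in the trust-store secret. It is not Data Grid Operator code; the function names are hypothetical, the checks are this example's own, and the resulting dict is applied as JSON (for example with oc apply -f -).

```python
import base64
import re

# Secret keys Data Grid Operator reads (9.3: ready-made PKCS12, 9.4: PEM input).
CA_KEY, CLIENT_PREFIX = "trust.ca", "trust.cert."
STORE_KEY, PASSWORD_KEY = "truststore.p12", "truststore-password"
_KEY_RE = re.compile(r"^[A-Za-z0-9._-]+$")  # characters allowed in Secret data keys

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

def _require_public_cert(pem: bytes, key: str) -> None:
    """Trust stores hold public certificates only: refuse private keys or non-PEM input."""
    text = pem.decode("ascii", errors="replace")
    if "PRIVATE KEY-----" in text:
        raise ValueError(f"{key}: contains a private key")
    if "-----BEGIN CERTIFICATE-----" not in text:
        raise ValueError(f"{key}: no PEM certificate found")

def _secret(name: str, data: dict, password) -> dict:
    secret = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
              "metadata": {"name": name}, "data": data}
    if password:  # when omitted, the Operator falls back to "password" (9.4 only)
        secret["stringData"] = {PASSWORD_KEY: password}
    return secret

def pem_trust_secret(name, strategy, ca_pem, client_pems=None, password=None):
    """Section 9.4: the Operator generates the trust store from PEM certificates."""
    client_pems = client_pems or {}
    if strategy not in ("Validate", "Authenticate"):
        raise ValueError("clientCert must be Validate or Authenticate")
    if strategy == "Authenticate" and not client_pems:
        raise ValueError("Authenticate needs at least one trust.cert.<name> entry")
    _require_public_cert(ca_pem, CA_KEY)
    data = {CA_KEY: _b64(ca_pem)}
    for alias, pem in client_pems.items():  # <name> becomes the store alias
        key = CLIENT_PREFIX + alias
        if not _KEY_RE.match(key):
            raise ValueError(f"alias {alias!r} is not a valid Secret data key")
        _require_public_cert(pem, key)
        data[key] = _b64(pem)
    return _secret(name, data, password)

def pkcs12_trust_secret(name, store: bytes, password: str) -> dict:
    """Section 9.3: an existing PKCS12 trust store; the password is mandatory here."""
    if not store.startswith(b"\x30"):  # a DER-encoded PKCS12 file opens with SEQUENCE
        raise ValueError("truststore.p12 is not a DER-encoded PKCS12 file")
    if not password:
        raise ValueError("truststore-password is required")
    return _secret(name, {STORE_KEY: _b64(store)}, password)
```

The metadata.name you pass must equal the CR's spec.security.endpointEncryption.clientCertSecretName, exactly as the notes in 9.3 and 9.4 require.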