11.13.2. SSL/TLS Authentication for Hot Rod

Procedure 11.2. Secure Hot Rod Using SSL/TLS

1. Generate a Keystore

   Create a Java Keystore using the keytool application distributed with the JDK and add your certificate to it. The certificate can be either self signed, or obtained from a trusted CA depending on your security policy.

2. Place the Keystore in the Configuration Directory

   Put the keystore in the ~/JDG_HOME/standalone/configuration directory with the standalone-hotrod-ssl.xml file from the ~/JDG_HOME/docs/examples/configs directory.

3. Declare an SSL Server Identity

   Declare an SSL server identity within a security realm in the management section of the configuration file. The SSL server identity must specify the path to a keystore and its secret key.

   <server-identities>
     <ssl protocol="...">
       <keystore path="..." relative-to="..." keystore-password="..." alias="..." key-password="..." />
     </ssl>
     <secret value="..." />
   </server-identities>
   

   Copy to Clipboard Toggle word wrap

4. Add the Security Element

   Add the security element to the Hot Rod connector as follows:

   <hotrod-connector socket-binding="hotrod" cache-container="local">
       <security ssl="true" security-realm="ApplicationRealm" require-ssl-client-auth="false" />
   </hotrod-connector>
   

   Copy to Clipboard Toggle word wrap

   1. Server Authentication of Certificate

      If you require the server to perform authentication of the client certificate, create a truststore that contains the valid client certificates and set the require-ssl-client-auth attribute to true.

5. Start the Server

   Start the server using the following:

   bin/standalone.sh -c standalone-hotrod-ssl.xml

   Copy to Clipboard Toggle word wrap

   This will start a server with a Hot Rod endpoint on port 11222. This endpoint will only accept SSL connections.