需要仅包含签名证书的信任存储,通常是证书颁发机构(CA)。任何提供 CA 签名的证书的客户端都可以连接到 Data Grid。
除了签名证书外,还需要包含所有客户端证书的信任存储。只有提供信任存储中存在的签名证书的客户端才能连接到 Data Grid。
提示
另外,您还可以提供信任存储,您可以使用共享系统证书。
前提条件
创建包含 CA 证书或所有公共证书的客户端信任存储。
为 Data Grid 服务器创建密钥存储并配置 SSL/TLS 身份。
流程
在您的 端点 配置中添加 require-ssl-client-auth="true" 参数。
将客户端信任存储添加到 $RHDG_HOME/server/conf 目录中。
在 Data Grid Server 安全域配置中指定 truststore 元素 的路径和密码 属性。
如果您希望 Data Grid 服务器验证每个客户端证书,请将 < truststore-realm /> 元素添加到安全域中。
Data Grid Server 信任存储域配置
<security xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:infinispan:server:12.1 https://infinispan.org/schemas/infinispan-server-12.1.xsd"
xmlns="urn:infinispan:server:12.1">
<security-realms>
<security-realm name="default">
<server-identities>
<ssl>
<!-- Provides an SSL/TLS identity with a keystore that
contains server certificates. -->
<keystore path="server.p12"
relative-to="infinispan.server.config.path"
keystore-password="secret"
alias="server"/>
<!-- Configures a trust store that contains client certificates
or part of a certificate chain. -->
<truststore path="trust.p12"
relative-to="infinispan.server.config.path"
password="secret"/>
</ssl>
</server-identities>
<!-- Authenticates client certificates against the trust store.
If you configure this, the trust store must contain
the public certificates for all clients. -->
<truststore-realm/>
</security-realm>
</security-realms>
</security>
<!-- Configures Data Grid Server to require client certificates
with the "require-ssl-client-auth" attribute. -->
<endpoints xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:infinispan:server:12.1 https://infinispan.org/schemas/infinispan-server-12.1.xsd"
xmlns="urn:infinispan:server:12.1"
socket-binding="default"
security-realm="default"
require-ssl-client-auth="true">
<hotrod-connector>
<!-- Configures the Hot Rod endpoint for client certificate authentication. -->
<authentication>
<sasl mechanisms="EXTERNAL"
server-name="infinispan"
qop="auth"/>
</authentication>
</hotrod-connector>
<rest-connector>
<!-- Configures the REST endpoint for client certificate authentication. -->
<authentication mechanisms="CLIENT_CERT"/>
</rest-connector>
</endpoints>
<security xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:infinispan:server:12.1 https://infinispan.org/schemas/infinispan-server-12.1.xsd"
xmlns="urn:infinispan:server:12.1">
<security-realms>
<security-realm name="default">
<server-identities>
<ssl>
<!-- Provides an SSL/TLS identity with a keystore that
contains server certificates. -->
<keystore path="server.p12"
relative-to="infinispan.server.config.path"
keystore-password="secret"
alias="server"/>
<!-- Configures a trust store that contains client certificates
or part of a certificate chain. -->
<truststore path="trust.p12"
relative-to="infinispan.server.config.path"
password="secret"/>
</ssl>
</server-identities>
<!-- Authenticates client certificates against the trust store.
If you configure this, the trust store must contain
the public certificates for all clients. -->
<truststore-realm/>
</security-realm>
</security-realms>
</security>
<!-- Configures Data Grid Server to require client certificates
with the "require-ssl-client-auth" attribute. -->
<endpoints xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:infinispan:server:12.1 https://infinispan.org/schemas/infinispan-server-12.1.xsd"
xmlns="urn:infinispan:server:12.1"
socket-binding="default"
security-realm="default"
require-ssl-client-auth="true">
<hotrod-connector>
<!-- Configures the Hot Rod endpoint for client certificate authentication. -->
<authentication>
<sasl mechanisms="EXTERNAL"
server-name="infinispan"
qop="auth"/>
</authentication>
</hotrod-connector>
<rest-connector>
<!-- Configures the REST endpoint for client certificate authentication. -->
<authentication mechanisms="CLIENT_CERT"/>
</rest-connector>
</endpoints>
Copy to ClipboardCopied!Toggle word wrapToggle overflow
后续步骤
如果使用安全角色和权限控制访问权限,请在 Data Grid Server configuration 中使用客户端证书设置授权。