4.3. 配置客户端证书身份验证
配置 Data Grid 服务器以使用 mutual TLS 来保护客户端连接。
您可以通过两种方式配置 Data Grid,以两种方式验证来自证书的客户端身份:
- 需要仅包含签名证书的信任存储,通常是证书颁发机构(CA)。显示 CA 签名的证书的任何客户端都可以连接到 Data Grid。
- 需要包含签名证书外的所有客户端证书的信任存储。只有存在信任存储中签名的证书的客户端才能连接到 Data Grid。
提示
另外,要提供信任存储,您可以使用共享系统证书。
先决条件
- 创建包含 CA 证书或所有公共证书的客户端信任存储。
- 为 Data Grid Server 创建密钥存储并配置 SSL/TLS 身份。
注意
PEM 文件可用作其包含一个或多个证书的信任存储。这些信任存储应配置为使用空密码: password=""。
流程
- 打开 Data Grid Server 配置进行编辑。
-
将
require-ssl-client-auth="true"参数添加到您的端点配置中。 -
将客户端信任存储添加到
$RHDG_HOME/server/conf目录中。 -
在 Data Grid Server security realm 配置中指定
truststore元素的路径和密码属性。 -
如果您希望 Data Grid Server 验证每个
客户端证书,请将 <truststore-realm/> 元素添加到安全域中。 - 保存对您的配置的更改。
后续步骤
- 如果您使用安全角色和权限控制访问,请在 Data Grid Server 配置中使用客户端证书设置授权。
- 将客户端配置为与 Data Grid Server 协商 SSL/TLS 连接。
客户端证书验证配置
XML
<server xmlns="urn:infinispan:server:13.0">
<security>
<security-realms>
<security-realm name="TrustStoreRealm">
<server-identities>
<ssl>
<!-- Provides an SSL/TLS identity with a keystore that
contains server certificates. -->
<keystore path="server.p12"
relative-to="infinispan.server.config.path"
keystore-password="secret"
alias="server"/>
<!-- Configures a trust store that contains client certificates
or part of a certificate chain. -->
<truststore path="trust.p12"
relative-to="infinispan.server.config.path"
password="secret"/>
</ssl>
</server-identities>
<!-- Authenticates client certificates against the trust store. If you configure this, the trust store must contain the public certificates for all clients. -->
<truststore-realm/>
</security-realm>
</security-realms>
</security>
<endpoints>
<endpoint socket-binding="default"
security-realm="trust-store-realm"
require-ssl-client-auth="true">
<hotrod-connector>
<authentication>
<sasl mechanisms="EXTERNAL"
server-name="infinispan"
qop="auth"/>
</authentication>
</hotrod-connector>
<rest-connector>
<authentication mechanisms="CLIENT_CERT"/>
</rest-connector>
</endpoint>
</endpoints>
</server>
JSON
{
"server": {
"security": {
"security-realms": [{
"name": "TrustStoreRealm",
"server-identities": {
"ssl": {
"keystore": {
"path": "server.p12",
"relative-to": "infinispan.server.config.path",
"keystore-password": "secret",
"alias": "server"
},
"truststore": {
"path": "trust.p12",
"relative-to": "infinispan.server.config.path",
"password": "secret"
}
}
},
"truststore-realm": {}
}]
},
"endpoints": [{
"socket-binding": "default",
"security-realm": "TrustStoreRealm",
"require-ssl-client-auth": "true",
"connectors": {
"hotrod": {
"hotrod-connector": {
"authentication": {
"sasl": {
"mechanisms": "EXTERNAL",
"server-name": "infinispan",
"qop": "auth"
}
}
},
"rest": {
"rest-connector": {
"authentication": {
"mechanisms": "CLIENT_CERT"
}
}
}
}
}
}]
}
}
YAML
server:
security:
securityRealms:
- name: "TrustStoreRealm"
serverIdentities:
ssl:
keystore:
path: "server.p12"
relative-to: "infinispan.server.config.path"
keystore-password: "secret"
alias: "server"
truststore:
path: "trust.p12"
relative-to: "infinispan.server.config.path"
password: "secret"
truststoreRealm: ~
endpoints:
socketBinding: "default"
securityRealm: "trust-store-realm"
requireSslClientAuth: "true"
connectors:
- hotrod:
hotrodConnector:
authentication:
sasl:
mechanisms: "EXTERNAL"
serverName: "infinispan"
qop: "auth"
- rest:
restConnector:
authentication:
mechanisms: "CLIENT_CERT"
其他资源
- 配置 Hot Rod 客户端加密
- 使用共享系统证书 (Red Hat Enterprise Linux 7 安全指南)
