<infinispan>
  <jgroups>
    <!-- Creates a secure JGroups stack named "encrypt-tcp" that extends the default TCP stack. -->
    <stack name="encrypt-tcp" extends="tcp">
      <!-- Adds a keystore that nodes use to perform certificate authentication. -->
      <!-- Uses the stack.combine and stack.position attributes to insert SSL_KEY_EXCHANGE into the default TCP stack after VERIFY_SUSPECT. -->
      <SSL_KEY_EXCHANGE keystore_name="mykeystore.jks"
                        keystore_password="changeit"
                        stack.combine="INSERT_AFTER"
                        stack.position="VERIFY_SUSPECT"/>
      <!-- Configures ASYM_ENCRYPT -->
      <!-- Uses the stack.combine and stack.position attributes to insert ASYM_ENCRYPT into the default TCP stack before pbcast.NAKACK2. -->
      <!-- The use_external_key_exchange="true" attribute configures nodes to use the SSL_KEY_EXCHANGE protocol for certificate authentication. -->
      <ASYM_ENCRYPT asym_keylength="2048"
                    asym_algorithm="RSA"
                    change_key_on_coord_leave="false"
                    change_key_on_leave="false"
                    use_external_key_exchange="true"
                    stack.combine="INSERT_BEFORE"
                    stack.position="pbcast.NAKACK2"/>
    </stack>
  </jgroups>
  <cache-container name="default" statistics="true">
    <!-- Configures the cluster to use the JGroups stack. -->
    <transport cluster="${infinispan.cluster.name}"
               stack="encrypt-tcp"
               node-name="${infinispan.node.name:}"/>
  </cache-container>
</infinispan>
Verification
When you start the Data Grid cluster, the following log message indicates that the cluster is using the secure JGroups stack:
[org.infinispan.CLUSTER] ISPN000078: Starting JGroups channel cluster with stack <encrypted_stack_name>
Only nodes that use ASYM_ENCRYPT and can obtain the secret key from the coordinator node can join the cluster. Otherwise, the following message is written to the Data Grid log:
[org.jgroups.protocols.ASYM_ENCRYPT] <hostname>: received message without encrypt header from <hostname>; dropping it
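As an added example (not part of the Data Grid documentation or product), the following Python check scans a Data Grid log for the two messages above: it confirms that every JGroups channel started with the expected encrypted stack and counts, per sender, the messages that ASYM_ENCRYPT dropped for lacking an encrypt header. The sample log and node names are constructed for this example.

```python
import re

# Constructed sample log, modelled on the two message formats shown above.
# Node names (node-a, node-c, node-d) are assumptions for this example.
SAMPLE_LOG = """\
[org.infinispan.CLUSTER] ISPN000078: Starting JGroups channel cluster with stack encrypt-tcp
[org.jgroups.protocols.ASYM_ENCRYPT] node-a: received message without encrypt header from node-c; dropping it
[org.jgroups.protocols.ASYM_ENCRYPT] node-a: received message without encrypt header from node-c; dropping it
[org.jgroups.protocols.ASYM_ENCRYPT] node-a: received message without encrypt header from node-d; dropping it
"""

# ISPN000078 reports which stack each channel was started with.
START_RE = re.compile(
    r"ISPN000078: Starting JGroups channel (\S+) with stack (\S+)")
# ASYM_ENCRYPT logs every unencrypted message it drops, naming receiver and sender.
DROP_RE = re.compile(
    r"\[org\.jgroups\.protocols\.ASYM_ENCRYPT\] (\S+): received message "
    r"without encrypt header from (\S+); dropping it")


def check_encrypted_stack(log_text, expected_stack):
    """Return (stack_ok, stacks_seen, drops_by_sender).

    stack_ok is True only if at least one channel started and every channel
    used expected_stack; stacks_seen maps channel name -> stack name;
    drops_by_sender counts messages ASYM_ENCRYPT dropped per sending node,
    which points at nodes that are not running the encrypted stack.
    """
    stacks_seen = {}
    drops_by_sender = {}
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:
            channel, stack = m.group(1), m.group(2)
            stacks_seen[channel] = stack
            continue
        m = DROP_RE.search(line)
        if m:
            sender = m.group(2)
            drops_by_sender[sender] = drops_by_sender.get(sender, 0) + 1
    stack_ok = bool(stacks_seen) and all(
        stack == expected_stack for stack in stacks_seen.values())
    return stack_ok, stacks_seen, drops_by_sender


if __name__ == "__main__":
    ok, stacks, drops = check_encrypted_stack(SAMPLE_LOG, "encrypt-tcp")
    print("encrypted stack in use:", ok, stacks)
    for sender, count in sorted(drops.items()):
        print(f"{count} unencrypted message(s) dropped from {sender}")
```

A channel reported with the plain "tcp" stack, or a sender that keeps appearing in the drop counts, is the node whose configuration still needs the encrypt-tcp stack.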