5.6. Trust store realms
Trust store realms use certificates, or chains of certificates, to verify the identities of Data Grid Server and of its clients.
- Keystore
  Contains the server certificates that present the Data Grid Server identity to clients. If you configure a keystore with server certificates, Data Grid Server encrypts traffic with the industry-standard SSL/TLS protocols.
- Trust store
  Contains the client certificates, or certificate chains, that clients present to Data Grid Server. The client trust store is optional; it allows Data Grid Server to perform client certificate authentication.
Client certificate authentication
If you want Data Grid Server to validate or authenticate client certificates, you must add the require-ssl-client-auth="true"
attribute to the endpoint configuration.
Trust store realm configuration
XML
<server xmlns="urn:infinispan:server:14.0">
  <security>
    <security-realms>
      <security-realm name="trust-store-realm">
        <server-identities>
          <ssl>
            <!-- Provides an SSL/TLS identity with a keystore that contains server certificates. -->
            <keystore path="server.p12"
                      relative-to="infinispan.server.config.path"
                      keystore-password="secret"
                      alias="server"/>
            <!-- Configures a trust store that contains client certificates or part of a certificate chain. -->
            <truststore path="trust.p12"
                        relative-to="infinispan.server.config.path"
                        password="secret"/>
          </ssl>
        </server-identities>
        <!-- Authenticates client certificates against the trust store.
             If you configure this, the trust store must contain the public certificates for all clients. -->
        <truststore-realm/>
      </security-realm>
    </security-realms>
  </security>
</server>
JSON
{
  "server": {
    "security": {
      "security-realms": [{
        "name": "trust-store-realm",
        "server-identities": {
          "ssl": {
            "keystore": {
              "path": "server.p12",
              "relative-to": "infinispan.server.config.path",
              "keystore-password": "secret",
              "alias": "server"
            },
            "truststore": {
              "path": "trust.p12",
              "relative-to": "infinispan.server.config.path",
              "password": "secret"
            }
          }
        },
        "truststore-realm": {}
      }]
    }
  }
}
YAML
server:
  security:
    securityRealms:
      - name: "trust-store-realm"
        serverIdentities:
          ssl:
            keystore:
              path: "server.p12"
              relative-to: "infinispan.server.config.path"
              keystore-password: "secret"
              alias: "server"
            truststore:
              path: "trust.p12"
              relative-to: "infinispan.server.config.path"
              password: "secret"
        truststoreRealm: ~
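The following Go program is an added illustration of what the realm above does at the TLS level; it is not part of the Data Grid documentation or code base. Using only the Go standard library, it builds a constructed test PKI in memory (a CA named "Constructed Test CA", a server leaf "datagrid-server" and a client leaf "client-1", all names made up for the example), then expresses the realm as a tls.Config: the keystore becomes the server identity, the trust store becomes the set of certificates a client may authenticate with, and require-ssl-client-auth="true" becomes mandatory client certificate verification. It then runs TLS handshakes over loopback and reports, per scenario, whether the server accepted the client. The mapping onto Go's tls.Config is the example's own analogy, not how Data Grid Server is implemented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

type certAndKey struct { // one keystore alias: a certificate together with its private key
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mint generates a P-256 key and a certificate for it: a self-signed CA when parent is nil, otherwise a leaf
// signed by parent with the given extended key usage. It panics on crypto/rand or template errors, which this
// constructed PKI cannot recover from.
func mint(name string, parent *certAndKey, usage x509.ExtKeyUsage) *certAndKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		signerCert, signerKey = parent.cert, parent.key
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{usage}
		tmpl.DNSNames = []string{"localhost"} // the SAN a client's ServerName is checked against
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced on the line above; cannot fail
	return &certAndKey{cert, key}
}

// serverConfig is the realm from the text as a tls.Config: <keystore> -> Certificates (the server identity),
// <truststore> with <truststore-realm> -> ClientCAs, require-ssl-client-auth="true" -> RequireAndVerifyClientCert.
func serverConfig(identity *certAndKey, trustStore *x509.CertPool, requireClientAuth bool) *tls.Config {
	cfg := &tls.Config{ClientCAs: trustStore, Certificates: []tls.Certificate{{Certificate: [][]byte{identity.cert.Raw}, PrivateKey: identity.key}}}
	if requireClientAuth {
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
	}
	return cfg
}

// handshake connects a client that trusts ca (and, if identity is given, presents it the way a keystore-backed
// client does) to a loopback server using srv, and returns the server's verdict on the connection.
func handshake(srv *tls.Config, ca, identity *certAndKey) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	cli := &tls.Config{RootCAs: roots, ServerName: "localhost"}
	if identity != nil {
		cert := tls.Certificate{Certificate: [][]byte{identity.cert.Raw}, PrivateKey: identity.key}
		cli.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &cert, nil }
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1) // the server is the side that validates the client certificate
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			err = conn.(*tls.Conn).Handshake()
			conn.Close()
		}
		verdict <- err
	}()
	if conn, err := tls.Dial("tcp", ln.Addr().String(), cli); err == nil {
		conn.Read(make([]byte, 1)) // TLS 1.3: a rejected client cert only reaches the client on its first read
		conn.Close()
	}
	return <-verdict
}

// runScenarios maps each scenario to the server's verdict: nil when it accepted the client, its error otherwise.
func runScenarios() map[string]error {
	ca := mint("Constructed Test CA", nil, x509.ExtKeyUsageAny)
	server := mint("datagrid-server", ca, x509.ExtKeyUsageServerAuth)
	client := mint("client-1", ca, x509.ExtKeyUsageClientAuth)
	caTrust, leafTrust := x509.NewCertPool(), x509.NewCertPool()
	caTrust.AddCert(ca.cert)       // trust store holding part of the clients' certificate chain
	leafTrust.AddCert(client.cert) // trust store holding the client's own public certificate
	return map[string]error{
		"required; client cert chains to a CA in the trust store":   handshake(serverConfig(server, caTrust, true), ca, client),
		"required; trust store holds the client certificate itself": handshake(serverConfig(server, leafTrust, true), ca, client),
		"required; client presents no certificate":                  handshake(serverConfig(server, caTrust, true), ca, nil),
		"not required; client presents no certificate":              handshake(serverConfig(server, caTrust, false), ca, nil),
	}
}
```

The two accepted scenarios with client authentication required correspond to the two ways the text allows the trust store to be populated: with part of a certificate chain (the CA) or with the clients' own public certificates. The rejected scenario shows what require-ssl-client-auth="true" adds: a client without a certificate the trust store can validate is refused by the server during the handshake, whereas without that attribute the same client is accepted and only the server side is authenticated.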