5.6. 信任存储域
信任存储域使用证书或证书链,验证数据网格服务器和客户端身份。
- 密钥存储
- 包含向客户端提供 Data Grid Server 身份的服务器证书。如果您使用服务器证书配置密钥存储,Data Grid 服务器使用行业标准 SSL/TLS 协议对流量进行加密。
- 信任存储
- 包含客户端提供给 Data Grid Server 的客户端证书或证书链。客户端信任存储是可选的,并允许数据网格服务器执行客户端证书身份验证。
客户端证书验证
如果您希望 Data Grid Server 来验证或验证客户端证书,您必须将 require-ssl-client-auth="true" 属性添加到端点配置。
信任存储域配置
XML
<server xmlns="urn:infinispan:server:14.0">
<security>
<security-realms>
<security-realm name="trust-store-realm">
<server-identities>
<ssl>
<!-- Provides an SSL/TLS identity with a keystore that contains server certificates. -->
<keystore path="server.p12"
relative-to="infinispan.server.config.path"
keystore-password="secret"
alias="server"/>
<!-- Configures a trust store that contains client certificates or part of a certificate chain. -->
<truststore path="trust.p12"
relative-to="infinispan.server.config.path"
password="secret"/>
</ssl>
</server-identities>
<!-- Authenticates client certificates against the trust store. If you configure this, the trust store must contain the public certificates for all clients. -->
<truststore-realm/>
</security-realm>
</security-realms>
</security>
</server>
JSON
{
"server": {
"security": {
"security-realms": [{
"name": "trust-store-realm",
"server-identities": {
"ssl": {
"keystore": {
"path": "server.p12",
"relative-to": "infinispan.server.config.path",
"keystore-password": "secret",
"alias": "server"
},
"truststore": {
"path": "trust.p12",
"relative-to": "infinispan.server.config.path",
"password": "secret"
}
}
},
"truststore-realm": {}
}]
}
}
}
YAML
server:
security:
securityRealms:
- name: "trust-store-realm"
serverIdentities:
ssl:
keystore:
path: "server.p12"
relative-to: "infinispan.server.config.path"
keystore-password: "secret"
alias: "server"
truststore:
path: "trust.p12"
relative-to: "infinispan.server.config.path"
password: "secret"
truststoreRealm: ~
