Chapter 8. Securing Data Grid Connections

Encrypt connections between clients and Data Grid nodes with Red Hat OpenShift service certificates or custom TLS certificates.

8.1. Using Red Hat OpenShift Service Certificates

Data Grid Operator automatically generates TLS certificates signed by the Red Hat OpenShift service CA. You can use these certificates to encrypt remote client connections.

Procedure

  • Set the following spec.security.endpointEncryption configuration in your Infinispan CR and then apply the changes. 

    spec:
  ...
  security:
    endpointEncryption:
      type: service
      certServiceName: service.beta.openshift.io 1
      certSecretName: example-rhdatagrid-cert-secret 2
1
Specifies the Red Hat OpenShift Service.
2
Specifies the name of the secret where Data Grid Operator stores service certificates and keys.

Data Grid Operator stores in a secret named -cert-secret that is prefixed with the Data Grid cluster name, for example: 

metadata:
  name: example-rhdatagrid

The preceding cluster name results in a secret named example-rhdatagrid-cert-secret.

8.1.1. Red Hat OpenShift Service Certificates

If the Red Hat OpenShift service CA is available, Data Grid Operator automatically generates a certificate, tls.crt, and key, tls.key, in PEM format.

Note

Service certificates use the internal DNS name of the Data Grid cluster as the common name (CN), for example:

Subject: CN = example-infinispan.mynamespace.svc

For this reason, service certificates can be fully trusted only inside OpenShift. If you want to encrypt connections with clients running outside OpenShift, you should use custom TLS certificates.

Certificates are valid for one year and are automatically replaced before they expire.

8.1.2. Retrieving TLS Certificates

Get TLS certificates from encryption secrets to create client trust stores.

  • Retrieve tls.crt from encryption secrets as follows: 
$ oc get secret example-rhdatagrid-cert-secret \
-o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt

8.2. Using Custom TLS Certificates

Use custom PKCS12 keystore or TLS certificate/key pairs to encrypt connections between clients and Data Grid clusters.

Prerequisites

Create either a keystore or certificate secret. See:

Procedure

  1. Add the encryption secret to your OpenShift namespace, for example: 

    $ oc apply -f tls_secret.yaml

  2. Specify the encryption secret with spec.security.endpointEncryption in your Infinispan CR and then apply the changes. 

    spec:
  ...
  security:
    endpointEncryption: 1
            type: secret 2
            certSecretName: tls-secret 3
    1
    encrypts traffic to and from Data Grid endpoints.
    2
    configures Data Grid to use secrets that contain encryption certificates.
    3
    names the encryption secret.

8.2.1. Certificate Secrets

apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
type: Opaque
data:
    tls.key:  "LS0tLS1CRUdJTiBQUk ..." 1
    tls.crt: "LS0tLS1CRUdJTiBDRVl ..." 2
1
Adds a base64 encoded TLS key.
2
Adds a base64 encoded TLS certificate.

8.2.2. Keystore Secrets

apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
type: Opaque
stringData:
    alias: server 1
    password: password 2
data:
    keystore.p12:  "MIIKDgIBAzCCCdQGCSqGSIb3DQEHA..." 3
1
Specifies an alias for the keystore.
2
Specifies a password for the keystore.
3
Adds a base64 encoded keystore.