Chapter 5. Securing Network Traffic

Encrypt client to server and server to server traffic to secure network communication.

5.1. Encrypting Client to Server Communication

JBoss Data Grid for OpenShift uses JKS keystores that contain credentials and certificates to secure client-to-server traffic.

To encrypt client to server communication, do the following:

  1. Create a JKS keystore (.jks) to encrypt traffic.

    You can use OpenSSL and the Java keytool to generate a JKS keystore. When you generate a TLS certificate for the keystore, specify the domain name for the deployment.

    Important

    Production environments should always use TLS certificates signed by a verified certificate authority (CA).

  2. Deploy the JKS keystore to OpenShift as a secret.

    1. Log in as the developer user.

      $ oc login -u developer
    2. Create a secret for the JKS keystore. For example, to create a secret named jdg-https-secret from a keystore named jdg-https.jks, do the following:

      $ oc create secret generic jdg-https-secret --from-file=jdg-https.jks
    3. Link the secret to the service account for your deployment. For example, to link a secret named jdg-https-secret to the default service account, do the following:

      $ oc secrets link default jdg-https-secret
  3. Configure your deployment to use the JKS keystore with these environment variables:

    HOSTNAME_HTTP
    Specifies the HTTP service route for the deployment. Required only if you are using a JBoss Data Grid for OpenShift template.
    HOSTNAME_HTTPS
    Sets the HTTPS service route for the deployment. Required only if you are using a JBoss Data Grid for OpenShift template.
    HTTPS_SECRET
    Matches the OpenShift secret for the keystore. Required only if you are using a JBoss Data Grid for OpenShift template.
    HTTPS_KEYSTORE
    Specifies the JKS keystore for encrypting server to client traffic.
    HTTPS_NAME
    Matches the username for the keystore.
    HTTPS_PASSWORD
    Matches the keystore password.
    HTTPS_KEYSTORE_DIR
    Specifies the directory that contains the JKS keystore. You do not need to set this environment variable if you are using a JBoss Data Grid for OpenShift template. The templates set this environment variable by default.

    Tip

    Use the HOTROD_ENCRYPTION environment variable to configure the Hot Rod connector to use encryption. See Endpoint Configuration.

5.2. Encrypting Traffic Between Clustered Servers

JBoss Data Grid for OpenShift uses JGroups technology to secure traffic between clustered servers with the following options:

Authentication

Uses the JGroups AUTH protocol that requires nodes to authenticate with a password when joining the cluster.

You configure authentication with the JGROUPS_CLUSTER_PASSWORD environment variable. This environment variable sets a password for nodes to use when joining the cluster. The password must be the same across the cluster.

Symmetric encryption

Uses the JGroups SYM_ENCRYPT protocol to secure traffic with a JGroups keystore (.jceks). This is the default encryption protocol.

The JGroups AUTH protocol is optional with symmetric encryption.

The JGroups keystore contains credentials that each node in the cluster uses to secure communication.

Asymmetric encryption

Uses the JGroups ASYM_ENCRYPT protocol to secure traffic with public/private key encryption.

The JGroups AUTH protocol is required with asymmetric encryption.

The coordinator node generates a secret key. When a node joins the cluster, it requests the secret key from the coordinator and provides its public key. The coordinator encrypts the secret key with the public key and returns it to the node. The node then decrypts and installs the secret so that it can securely communicate with other nodes in the cluster.

5.2.1. Setting Up Symmetric Encryption

To use symmetric encryption, do the following:

  1. Create a JGroups keystore (.jceks) that contains credentials to encrypt traffic.

    You can use the Java keytool to generate a JGroups keystore.

  2. Deploy the JGroups keystore to OpenShift as a secret.

    1. Log in as the developer user.

      $ oc login -u developer
    2. Create a secret for the JGroups keystore. For example, to create a secret named jgroups-secret from a keystore named jgroups.jceks, do the following:

      $ oc create secret generic jgroups-secret --from-file=jgroups.jceks
    3. Link the secret to the default service account.

      $ oc secrets link default jgroups-secret
  3. Configure your deployment to use the JGroups keystore with these environment variables:

    JGROUPS_ENCRYPT_KEYSTORE
    Specifies the JGroups keystore for encrypting cluster traffic.
    JGROUPS_ENCRYPT_SECRET
    Matches the OpenShift secret for the keystore.
    JGROUPS_ENCRYPT_NAME
    Matches the username for the keystore.
    JGROUPS_ENCRYPT_PASSWORD
    Matches the keystore password.
    JGROUPS_ENCRYPT_KEYSTORE_DIR
    Specifies the directory where the JGroups keystore resides. You do not need to set this environment variable if you are using a JBoss Data Grid for OpenShift template. The templates set this environment variable by default.
  4. If required, set a password for nodes to use when joining the cluster with the JGROUPS_CLUSTER_PASSWORD environment variable.
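
The three steps that sections 5.1 and 5.2.1 share (generate a keystore, publish it as an OpenShift secret, configure the deployment) as one added shell helper; this is example code, not part of the JBoss Data Grid for OpenShift documentation or product. The deployment config name datagrid-app, the example.com route hostnames, the secret and alias names, the AES key size and the use of oc set env against a DeploymentConfig are assumptions.

```sh
#!/bin/sh
# Added example (not from the JBoss Data Grid for OpenShift docs or product):
# one helper that walks a keystore through the three steps shared by sections
# 5.1 (JKS, client traffic) and 5.2.1 (JCEKS, cluster traffic). Hypothetical
# values: deployment config "datagrid-app", example.com routes, secret names.
set -eu
DC=${DC:-datagrid-app}
# Step 1: generate the keystore. The TLS certificate carries the HTTPS route
# hostname as a SAN so verifying clients accept it (self-signed is dev/test
# only; production needs a CA-signed certificate). SYM_ENCRYPT uses an AES key.
gen_https_keystore() { # args: file alias https-hostname password
  keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -validity 365 \
    -storetype JKS -keystore "$1" -dname "CN=$3" -ext "SAN=dns:$3" \
    -storepass "$4" -keypass "$4"
}
gen_jgroups_keystore() { # args: file alias password
  keytool -genseckey -alias "$2" -keyalg AES -keysize 128 \
    -storetype JCEKS -keystore "$1" -storepass "$3" -keypass "$3"
}

# Step 2: publish the keystore as a secret and link it to the service account.
# The secret stores the file under its basename; that is what *_KEYSTORE names.
deploy_secret() { # args: secret-name keystore-file
  oc create secret generic "$1" --from-file="$2"
  oc secrets link default "$1"
}

# Step 3: render the environment assignments, one per line. They are passed
# unquoted to `oc set env`, so values must not contain whitespace.
https_env() { # args: secret keystore alias password http-host https-host
  printf '%s\n' "HOSTNAME_HTTP=$5" "HOSTNAME_HTTPS=$6" "HTTPS_SECRET=$1" \
    "HTTPS_KEYSTORE=$(basename "$2")" "HTTPS_NAME=$3" "HTTPS_PASSWORD=$4"
}
jgroups_env() { # args: secret keystore alias password [cluster-password]
  printf '%s\n' "JGROUPS_ENCRYPT_SECRET=$1" "JGROUPS_ENCRYPT_NAME=$3" \
    "JGROUPS_ENCRYPT_KEYSTORE=$(basename "$2")" "JGROUPS_ENCRYPT_PASSWORD=$4"
  if [ $# -ge 5 ]; then printf 'JGROUPS_CLUSTER_PASSWORD=%s\n' "$5"; fi
}

main() { # full run; export KEYSTORE_PASSWORD and JGROUPS_CLUSTER_PASSWORD first
  gen_https_keystore jdg-https.jks jdg-https datagrid-https.example.com "$KEYSTORE_PASSWORD"
  deploy_secret jdg-https-secret jdg-https.jks
  oc set env "dc/$DC" $(https_env jdg-https-secret jdg-https.jks jdg-https \
    "$KEYSTORE_PASSWORD" datagrid.example.com datagrid-https.example.com)
  gen_jgroups_keystore jgroups.jceks jgroups "$KEYSTORE_PASSWORD"
  deploy_secret jgroups-secret jgroups.jceks
  oc set env "dc/$DC" $(jgroups_env jgroups-secret jgroups.jceks jgroups \
    "$KEYSTORE_PASSWORD" "$JGROUPS_CLUSTER_PASSWORD")
}
if [ "${1:-}" = run ]; then main; fi
```

Run it as `KEYSTORE_PASSWORD=... JGROUPS_CLUSTER_PASSWORD=... sh secure-traffic.sh run` after `oc login`; the rendered variable names match the tables in sections 5.1 and 5.2.1, so `oc set env dc/datagrid-app --list` shows what was applied.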

5.2.2. Setting Up Asymmetric Encryption

To use asymmetric encryption, do the following:

  1. Configure authentication with the JGROUPS_CLUSTER_PASSWORD environment variable.
  2. Set the value of the JGROUPS_ENCRYPT_PROTOCOL environment variable to ASYM_ENCRYPT.