Chapter 10. Configuring Authentication and Encryption

You need to configure authentication and encryption only if you are using a custom template or want to use your own keystores with the Data Grid deployment configuration templates.

10.1. Adding Keystores to Secrets

To configure authentication and encryption:

  1. Create a keystore (.jks) with a trusted certificate.

    Both HTTPS and Hot Rod services can use the same keystore or you can create separate keystores.

  2. Add the keystore as an OpenShift secret.

    1. Create a secret. For example, to create a secret named rhdg-https-secret from a keystore named rhdg-https.jks:

      $ oc create secret generic rhdg-https-secret \
    2. Link the secret to the default service account.

      $ oc secrets link default rhdg-https-secret

10.2. Configuring Deployments

Instantiate one of the secure templates with following parameters:

  1. Set up HTTP and HTTPS hostnames:



  2. Specify the name of the keystore: HTTPS_KEYSTORE=keystore.jks
  3. Specify the path to the keystore: HTTPS_KEYSTORE_DIR=/etc/datagrid-secret-volume
  4. Specify the name of the secret: HTTPS_SECRET=rhdg-https-secret
  5. Specify credentials for the keystore:



  6. Set the HTTP security domain for the user: REST_SECURITY_DOMAIN=SecurityRealm
  7. Enforce client certificate authentication: ENCRYPTION_REQUIRE_SSL_CLIENT_AUTH=true
  8. Enable authentication and encryption for the Hot Rod protocol: HOTROD_AUTHENTICATION=true


    The template automatically sets HOTROD_ENCRYPTION=true if you set a value for HOSTNAME_HTTPS.

10.3. Setting Unique Keystores for the Hot Rod Protocol

To use a unique keystore for the Hot Rod protocol:

  1. Specify the path to the keystore: SSL_KEYSTORE_PATH=hr_keystore.jks
  2. Specify the keystore password: SSL_KEYSTORE_PASSWORD=${PASSWORD}
  3. If necessary, do the following:

    1. Set a relative path to the keystore: SSL_KEYSTORE_RELATIVE_TO=path/to/keystore/
    2. Specify the private key password, if different to the keystore password: SSL_KEY_PASSWORD=${PASSWORD}
    3. Set the correct alias in the keystore if it contains multiple entries: SSL_KEYSTORE_ALIAS=cert_alias
  4. Specify authorization credentials if you have not already:




    The Hot Rod endpoint always uses the ApplicationRealm to authorize users. If you want to use separate keystores for the Hot Rod and REST endpoints, you must set credentials with the USERNAME and PASSWORD parameters. Templates then configure the REST endpoint to use the jdg-openshift security realm. In this case the REST_SECURITY_DOMAIN environment variable does not take effect.