Chapter 7. Securing Data Grid Connections

Secure client connections with authentication and encryption to prevent network intrusion and protect your data.

7.1. Configuring Authentication

Application users need credentials to access Data Grid clusters. You can use default, generated credentials or add your own.

7.1.1. Default Credentials

Data Grid Operator generates base64-encoded default credentials stored in an authentication secret named example-infinispan-generated-secret

UsernameDescription

developer

Default application user.

operator

Internal user that interacts with Data Grid clusters.

7.1.2. Retrieving Credentials

Get credentials from authentication secrets to access Data Grid clusters.

Procedure

  • Retrieve credentials from authentication secrets, as in the following example:

    $ oc get secret example-infinispan-generated-secret

    Base64-decode credentials.

    $ oc get secret example-infinispan-generated-secret \
    -o jsonpath="{.data.identities\.yaml}" | base64 --decode
    
    credentials:
    - username: developer
      password: dIRs5cAAsHIeeRIL
    - username: operator
      password: uMBo9CmEdEduYk24

7.1.3. Adding Custom Credentials

Configure access to Data Grid cluster endpoints with custom credentials.

Procedure

  1. Create an identities.yaml file with the credentials that you want to add.

    credentials:
    - username: testuser
      password: testpassword
    - username: operator
      password: supersecretoperatorpassword
    Important

    identities.yaml must include the operator user.

  2. Create an authentication secret from identities.yaml.

    $ oc create secret generic --from-file=identities.yaml connect-secret
  3. Specify the authentication secret with spec.security.endpointSecretName in your Infinispan CR and then apply the changes.

    spec:
      ...
      security:
        endpointSecretName: connect-secret 1
    1
    Specifies the name of the authentication secret that contains your credentials.

Modifying spec.security.endpointSecretName triggers a cluster restart. You can watch the Data Grid cluster as Data Grid Operator applies changes:

$ oc get pods -w

7.2. Configuring Encryption

Encrypt connections between clients and Data Grid nodes with Red Hat OpenShift service certificates or custom TLS certificates.

7.2.1. Encryption with Red Hat OpenShift Service Certificates

Data Grid Operator automatically generates TLS certificates that are signed by the Red Hat OpenShift service CA. Data Grid Operator then stores the certificates and keys in a secret so you can retrieve them and use with remote clients.

If the Red Hat OpenShift service CA is available, Data Grid Operator adds the following spec.security.endpointEncryption configuration to the Infinispan CR:

spec:
  ...
  security:
    endpointEncryption:
      type: Service
      certServiceName: service.beta.openshift.io 1
      certSecretName: example-infinispan-cert-secret 2
1
Specifies the Red Hat OpenShift Service.
2
Names the secret that contains a service certificate, tls.crt, and key, tls.key, in PEM format. If you do not specify a name, Data Grid Operator uses <cluster_name>-cert-secret.
Note

Service certificates use the internal DNS name of the Data Grid cluster as the common name (CN), for example:

Subject: CN = example-infinispan.mynamespace.svc

For this reason, service certificates can be fully trusted only inside OpenShift. If you want to encrypt connections with clients running outside OpenShift, you should use custom TLS certificates.

Service certificates are valid for one year and are automatically replaced before they expire.

7.2.2. Retrieving TLS Certificates

Get TLS certificates from encryption secrets to create client trust stores.

  • Retrieve tls.crt from encryption secrets as follows:
$ oc get secret example-infinispan-cert-secret \
-o jsonpath='{.data.tls\.crt}' | base64 --decode > tls.crt

7.2.3. Disabling Encryption

You can disable encryption so clients do not need TLS certificates to establish connections with Data Grid.

Important

Data Grid does not recommend disabling encryption in production environments where endpoints are exposed outside the OpenShift cluster via spec.expose.type.

Procedure

  • Set None as the value for the spec.security.endpointEncryption.type field in your Infinispan CR and then apply the changes.

    spec:
      ...
      security:
        endpointEncryption:
                type: None 1
    1
    Disables encryption for Data Grid endpoints.

7.2.4. Using Custom TLS Certificates

Use custom PKCS12 keystore or TLS certificate/key pairs to encrypt connections between clients and Data Grid clusters.

Prerequisites

Procedure

  1. Add the encryption secret to your OpenShift namespace, for example:

    $ oc apply -f tls_secret.yaml
  2. Specify the encryption secret with spec.security.endpointEncryption in your Infinispan CR and then apply the changes.

    spec:
      ...
      security:
        endpointEncryption: 1
                type: Secret 2
                certSecretName: tls-secret 3
    1
    Encrypts traffic to and from Data Grid endpoints.
    2
    Configures Data Grid to use secrets that contain encryption certificates.
    3
    Names the encryption secret.

7.2.4.1. Certificate Secrets

apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
type: Opaque
data:
    tls.key:  "LS0tLS1CRUdJTiBQUk ..." 1
    tls.crt: "LS0tLS1CRUdJTiBDRVl ..." 2
1
Adds a base64-encoded TLS key.
2
Adds a base64-encoded TLS certificate.

7.2.4.2. Keystore Secrets

apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
type: Opaque
stringData:
    alias: server 1
    password: password 2
data:
    keystore.p12:  "MIIKDgIBAzCCCdQGCSqGSIb3DQEHA..." 3
1
Specifies an alias for the keystore.
2
Specifies a password for the keystore.
3
Adds a base64-encoded keystore.