Chapter 7. Securing Data Grid Connections
Secure client connections with authentication and encryption to prevent network intrusion and protect your data.
7.1. Configuring Authentication
Application users need credentials to access Data Grid clusters. You can use default, generated credentials or add your own.
7.1.1. Default Credentials
Data Grid Operator generates base64-encoded default credentials stored in an authentication secret named example-infinispan-generated-secret
Username | Description |
---|---|
| Default application user. |
| Internal user that interacts with Data Grid clusters. |
7.1.2. Retrieving Credentials
Get credentials from authentication secrets to access Data Grid clusters.
Procedure
Retrieve credentials from authentication secrets, as in the following example:
$ oc get secret example-infinispan-generated-secret
Base64-decode credentials.
$ oc get secret example-infinispan-generated-secret \ -o jsonpath="{.data.identities\.yaml}" | base64 --decode credentials: - username: developer password: dIRs5cAAsHIeeRIL - username: operator password: uMBo9CmEdEduYk24
7.1.3. Adding Custom Credentials
Configure access to Data Grid cluster endpoints with custom credentials.
Procedure
Create an
identities.yaml
file with the credentials that you want to add.credentials: - username: testuser password: testpassword - username: operator password: supersecretoperatorpassword
Importantidentities.yaml
must include the operator user.Create an authentication secret from
identities.yaml
.$ oc create secret generic --from-file=identities.yaml connect-secret
Specify the authentication secret with
spec.security.endpointSecretName
in yourInfinispan
CR and then apply the changes.spec: ... security: endpointSecretName: connect-secret 1
- 1
- Specifies the name of the authentication secret that contains your credentials.
Modifying spec.security.endpointSecretName
triggers a cluster restart. You can watch the Data Grid cluster as Data Grid Operator applies changes:
$ oc get pods -w
7.2. Configuring Encryption
Encrypt connections between clients and Data Grid nodes with Red Hat OpenShift service certificates or custom TLS certificates.
7.2.1. Encryption with Red Hat OpenShift Service Certificates
Data Grid Operator automatically generates TLS certificates that are signed by the Red Hat OpenShift service CA. Data Grid Operator then stores the certificates and keys in a secret so you can retrieve them and use with remote clients.
If the Red Hat OpenShift service CA is available, Data Grid Operator adds the following spec.security.endpointEncryption
configuration to the Infinispan
CR:
spec: ... security: endpointEncryption: type: Service certServiceName: service.beta.openshift.io 1 certSecretName: example-infinispan-cert-secret 2
Service certificates use the internal DNS name of the Data Grid cluster as the common name (CN), for example:
Subject: CN = example-infinispan.mynamespace.svc
For this reason, service certificates can be fully trusted only inside OpenShift. If you want to encrypt connections with clients running outside OpenShift, you should use custom TLS certificates.
Service certificates are valid for one year and are automatically replaced before they expire.
7.2.2. Retrieving TLS Certificates
Get TLS certificates from encryption secrets to create client trust stores.
-
Retrieve
tls.crt
from encryption secrets as follows:
$ oc get secret example-infinispan-cert-secret \ -o jsonpath='{.data.tls\.crt}' | base64 --decode > tls.crt
7.2.3. Disabling Encryption
You can disable encryption so clients do not need TLS certificates to establish connections with Data Grid.
Data Grid does not recommend disabling encryption in production environments where endpoints are exposed outside the OpenShift cluster via spec.expose.type
.
Procedure
Set
None
as the value for thespec.security.endpointEncryption.type
field in yourInfinispan
CR and then apply the changes.spec: ... security: endpointEncryption: type: None 1
- 1
- Disables encryption for Data Grid endpoints.
7.2.4. Using Custom TLS Certificates
Use custom PKCS12 keystore or TLS certificate/key pairs to encrypt connections between clients and Data Grid clusters.
Prerequisites
- Create either a keystore or certificate secret. See:
- Certificate Secrets
- Keystore Secrets
Procedure
Add the encryption secret to your OpenShift namespace, for example:
$ oc apply -f tls_secret.yaml
Specify the encryption secret with
spec.security.endpointEncryption
in yourInfinispan
CR and then apply the changes.spec: ... security: endpointEncryption: 1 type: Secret 2 certSecretName: tls-secret 3
7.2.4.1. Certificate Secrets
apiVersion: v1 kind: Secret metadata: name: tls-secret type: Opaque data: tls.key: "LS0tLS1CRUdJTiBQUk ..." 1 tls.crt: "LS0tLS1CRUdJTiBDRVl ..." 2
7.2.4.2. Keystore Secrets
apiVersion: v1 kind: Secret metadata: name: tls-secret type: Opaque stringData: alias: server 1 password: password 2 data: keystore.p12: "MIIKDgIBAzCCCdQGCSqGSIb3DQEHA..." 3