Configuring client certificate authentication

Guide
  • Red Hat Data Grid 8.2
  • Updated 21 July 2021
  • Published 21 July 2021


Add client trust stores to your project and configure Data Grid to allow connections only from clients that present valid certificates. This increases security of your deployment by ensuring that clients are trusted by a public certificate authority (CA).

Client certificate authentication

Client certificate authentication restricts in-bound connections based on the certificates that clients present.

You can configure Data Grid to use trust stores with either of the following strategies:

Validate

To validate client certificates, Data Grid requires a trust store that contains any part of the certificate chain for the signing authority, typically the root CA certificate. Any client that presents a certificate signed by the CA can connect to Data Grid.

If you use the Validate strategy for verifying client certificates, you must also configure clients to provide valid Data Grid credentials if you enable authentication.

Authenticate

To authenticate client certificates, Data Grid requires a trust store that contains all public client certificates in addition to the root CA certificate. Only clients that present a signed certificate can connect to Data Grid.

If you use the Authenticate strategy for verifying client certificates, you must ensure that certificates contain valid Data Grid credentials as part of the distinguished name (DN).

Enabling client certificate authentication

To enable client certificate authentication, you configure Data Grid to use trust stores with either the Validate or Authenticate strategy.

Procedure
  1. Set either Validate or Authenticate as the value for the spec.security.endpointEncryption.clientCert field in your Infinispan CR.

    The default value is None.

  2. Specify the secret that contains the client trust store with the spec.security.endpointEncryption.clientCertSecretName field.

    By default Data Grid Operator expects a trust store secret named <cluster-name>-client-cert-secret.

    The secret must be unique to each Infinispan CR instance in the OpenShift cluster. When you delete the Infinispan CR, OpenShift also automatically deletes the associated secret.

    spec:
      security:
        endpointEncryption:
          type: Service
          certSecretName: tls-secret
          clientCert: Validate
          clientCertSecretName: example-infinispan-client-cert-secret
  3. Apply the changes.

Next steps

Provide Data Grid Operator with a trust store that contains all client certificates. Alternatively you can provide certificates in PEM format and let Data Grid generate a client trust store.

Providing client truststores

If you have a trust store that contains the required certificates you can make it available to Data Grid Operator.

Data Grid supports trust stores in PKCS12 format only.

Procedure
  1. Specify the name of the secret that contains the client trust store as the value of the metadata.name field.

    The name must match the value of the spec.security.endpointEncryption.clientCertSecretName field.

  2. Provide the password for the trust store with the stringData.truststore-password field.

  3. Specify the trust store with the data.truststore.p12 field.

    apiVersion: v1
    kind: Secret
    metadata:
      name: example-infinispan-client-cert-secret
    type: Opaque
    stringData:
      truststore-password: changeme
    data:
      truststore.p12: "<base64_encoded_PKCS12_trust_store>"
  4. Apply the changes.

Providing client certificates

Data Grid Operator can generate a trust store from certificates in PEM format.

Procedure
  1. Specify the name of the secret that contains the client trust store as the value of the metadata.name field.

    The name must match the value of the spec.security.endpointEncryption.clientCertSecretName field.

  2. Specify the signing certificate, or CA certificate bundle, as the value of the data.trust.ca field.

  3. If you use the Authenticate strategy to verify client identities, add the certificate for each client that can connect to Data Grid endpoints with the data.trust.cert.<name> field.

    Data Grid Operator uses the <name> value as the alias for the certificate when it generates the trust store.

  4. Optionally provide a password for the trust store with the stringData.truststore-password field.

    If you do not provide one, Data Grid Operator sets "password" as the trust store password.

    apiVersion: v1
    kind: Secret
    metadata:
      name: example-infinispan-client-cert-secret
    type: Opaque
    stringData:
      truststore-password: changeme
    data:
      trust.ca: "<base64_encoded_CA_certificate>"
      trust.cert.client1: "<base64_encoded_client_certificate>"
      trust.cert.client2: "<base64_encoded_client_certificate>"
  5. Apply the changes.
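The three procedures above (enabling the strategy in the Infinispan CR, providing a PKCS12 trust store, and providing PEM certificates) all have to agree with each other before `oc apply` will produce a working deployment. The following script is an added example, not Data Grid or Data Grid Operator code: it assembles the PEM-based Secret from certificate text and cross-checks an Infinispan CR against its trust-store Secret, reporting a name mismatch, a missing `trust.cert.<name>` entry under the Authenticate strategy, a JKS file supplied where PKCS12 is required, and a missing `truststore-password` (which the Operator replaces with "password"). It works on manifests as plain dicts, i.e. what `yaml.safe_load` returns, so it runs offline. The PEM bodies, the `example-infinispan` CR, the `infinispan.org/v1` API version, and the rule that one `trust.cert.<name>` entry holds exactly one certificate are all assumptions of this example, not statements from the guide.

```python
"""Assemble and pre-check the Secret that Data Grid Operator reads for client
certificate authentication. Added example, not Operator code; it works on the
manifests as plain dicts (what yaml.safe_load returns) so it runs offline."""
import base64
import re

# One or more CERTIFICATE blocks per value (a CA bundle may carry several).
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----")
_KEY_RE = re.compile(r"[-._a-zA-Z0-9]+")     # characters allowed in a Secret data key
VALID_STRATEGIES = ("None", "Validate", "Authenticate")
DEFAULT_TRUSTSTORE_PASSWORD = "password"      # used by the Operator when none is set
JKS_MAGIC = b"\xfe\xed\xfe\xed"               # JKS header; Data Grid accepts PKCS12 only


def count_pem_certs(pem_text):
    """Count well-formed CERTIFICATE blocks; raise ValueError if none or if a
    body is not valid base64, so a truncated paste never reaches the cluster."""
    bodies = _PEM_CERT.findall(pem_text)
    if not bodies:
        raise ValueError("no CERTIFICATE block found")
    for body in bodies:
        base64.b64decode("".join(body.split()), validate=True)
    return len(bodies)


def build_pem_secret(name, ca_pem, client_pems=None, password=None):
    """Secret for the 'Providing client certificates' flow: data.trust.ca is the
    CA bundle, data.trust.cert.<alias> one certificate per client (one cert per
    entry is an assumption of this example), truststore-password is optional."""
    count_pem_certs(ca_pem)
    data = {"trust.ca": base64.b64encode(ca_pem.encode()).decode()}
    for alias, pem in (client_pems or {}).items():
        if not _KEY_RE.fullmatch(alias):
            raise ValueError(f"alias {alias!r} is not a legal Secret data key")
        if count_pem_certs(pem) != 1:
            raise ValueError(f"trust.cert.{alias} must hold exactly one certificate")
        data[f"trust.cert.{alias}"] = base64.b64encode(pem.encode()).decode()
    secret = {"apiVersion": "v1", "kind": "Secret",
              "metadata": {"name": name}, "type": "Opaque", "data": data}
    if password:
        secret["stringData"] = {"truststore-password": password}
    return secret


def check_client_cert_config(infinispan_cr, secret):
    """Cross-check an Infinispan CR with its trust-store Secret before applying.
    Returns a list of findings (strings); an empty list means consistent."""
    findings = []
    enc = (infinispan_cr.get("spec", {}).get("security", {})
           .get("endpointEncryption", {}))
    strategy = enc.get("clientCert", "None")
    if strategy not in VALID_STRATEGIES:
        findings.append(f"clientCert must be one of {VALID_STRATEGIES}, got {strategy!r}")
    if strategy == "None":
        return findings                      # no client trust store is consulted
    cluster = infinispan_cr.get("metadata", {}).get("name", "")
    expected = enc.get("clientCertSecretName") or f"{cluster}-client-cert-secret"
    actual = secret.get("metadata", {}).get("name")
    if actual != expected:
        findings.append(f"Secret name {actual!r} != clientCertSecretName {expected!r}")
    data = secret.get("data") or {}
    string_data = secret.get("stringData") or {}
    has_p12, has_pem = "truststore.p12" in data, "trust.ca" in data
    if has_p12 == has_pem:
        findings.append("provide exactly one of data.truststore.p12 or data.trust.ca")
    if has_p12:
        if "truststore-password" not in string_data:
            findings.append("PKCS12 trust store requires stringData.truststore-password")
        try:
            raw = base64.b64decode(data["truststore.p12"], validate=True)
        except ValueError:                   # binascii.Error is a ValueError
            raw = b""
        if raw.startswith(JKS_MAGIC):
            findings.append("truststore.p12 is a JKS keystore; Data Grid accepts PKCS12 only")
        elif raw[:1] != b"\x30":             # PKCS12 is a DER SEQUENCE
            findings.append("truststore.p12 is not a DER-encoded PKCS12 file")
    if has_pem:
        try:
            count_pem_certs(base64.b64decode(data["trust.ca"]).decode())
        except (ValueError, UnicodeDecodeError) as exc:
            findings.append(f"trust.ca is not a PEM certificate bundle: {exc}")
        clients = [k for k in data if k.startswith("trust.cert.")]
        if strategy == "Authenticate" and not clients:
            findings.append("Authenticate strategy needs a data.trust.cert.<name> entry per client")
        if "truststore-password" not in string_data:
            findings.append("warning: no truststore-password; Operator will use "
                            f"{DEFAULT_TRUSTSTORE_PASSWORD!r}")
    return findings


# Constructed placeholder PEM bodies: syntactically valid base64, not real certs.
CA_PEM = ("-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUQw==\n"
          "-----END CERTIFICATE-----\n")
CLIENT_PEM = ("-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUQg==\n"
              "-----END CERTIFICATE-----\n")
# Constructed Infinispan CR using the Authenticate strategy (API version assumed).
EXAMPLE_CR = {"apiVersion": "infinispan.org/v1", "kind": "Infinispan",
              "metadata": {"name": "example-infinispan"},
              "spec": {"security": {"endpointEncryption": {
                  "type": "Service", "certSecretName": "tls-secret",
                  "clientCert": "Authenticate",
                  "clientCertSecretName": "example-infinispan-client-cert-secret"}}}}

if __name__ == "__main__":
    name = EXAMPLE_CR["spec"]["security"]["endpointEncryption"]["clientCertSecretName"]
    secret = build_pem_secret(name, CA_PEM, {"client1": CLIENT_PEM}, "changeme")
    for finding in check_client_cert_config(EXAMPLE_CR, secret) or ["ok"]:
        print(finding)
```

Run the checker on the parsed output of `oc get infinispan <name> -o yaml` and `oc get secret <name>-client-cert-secret -o yaml` before changing `clientCert` on a live cluster; a non-empty findings list is the cheapest warning you will get that clients are about to be locked out.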