3.4. 信任存储域

信任存储域使用证书或证书链,在数据协商连接时验证数据网格服务器和客户端身份。

keystores
包含向客户端提供 Data Grid 服务器身份的服务器证书。如果您使用服务器证书配置密钥存储,则数据网格服务器使用行业标准 SSL/TLS 协议加密流量。
信任存储
包含数据网格服务器的客户端证书或证书链。客户端信任存储是可选的,并允许 Data Grid 服务器执行客户端证书身份验证。

客户端证书身份验证

如果您希望 Data Grid Server 验证或验证客户端证书,您必须将 require-ssl-client-auth="true" 属性添加到端点配置中。

端点身份验证机制

如果您只使用密钥存储配置 Data Grid 服务器,您可以将加密与任何身份验证机制结合使用。

当您将 Data Grid Server 配置为使用客户端信任存储时,您必须配置端点以使用以下身份验证机制:

  • hot Rod (SASL): EXTERNAL
  • REST (HTTP): CLIENT_CERT

信任存储域配置

<security xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="urn:infinispan:server:12.1 https://infinispan.org/schemas/infinispan-server-12.1.xsd"
          xmlns="urn:infinispan:server:12.1">
   <security-realms>
      <security-realm name="default">
         <server-identities>
            <ssl>
               <!-- Provides an SSL/TLS identity with a keystore that
                    contains server certificates. -->
               <keystore path="server.p12"
                         relative-to="infinispan.server.config.path"
                         keystore-password="secret"
                         alias="server"/>
               <!-- Configures a trust store that contains client certificates
                    or part of a certificate chain. -->
               <truststore path="trust.p12"
                           relative-to="infinispan.server.config.path"
                           password="secret"/>
            </ssl>
         </server-identities>
         <!-- Authenticates client certificates against the trust store.
              If you configure this, the trust store must contain
              the public certificates for all clients. -->
         <truststore-realm/>
      </security-realm>
   </security-realms>
</security>
<!-- Configures Data Grid Server to require client certificates
     with the "require-ssl-client-auth" attribute. -->
<endpoints xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="urn:infinispan:server:12.1 https://infinispan.org/schemas/infinispan-server-12.1.xsd"
           xmlns="urn:infinispan:server:12.1"
           socket-binding="default"
           security-realm="default"
           require-ssl-client-auth="true">
   <hotrod-connector>
     <!-- Configures the Hot Rod endpoint for client certificate authentication. -->
     <authentication>
       <sasl mechanisms="EXTERNAL"
             server-name="infinispan"
             qop="auth"/>
     </authentication>
   </hotrod-connector>
   <rest-connector>
      <!-- Configures the REST endpoint for client certificate authentication. -->
      <authentication mechanisms="CLIENT_CERT"/>
   </rest-connector>
</endpoints>