3.4. 信任存储域
信任存储域使用证书或证书链,在数据协商连接时验证数据网格服务器和客户端身份。
- keystores
- 包含向客户端提供 Data Grid 服务器身份的服务器证书。如果您使用服务器证书配置密钥存储,则数据网格服务器使用行业标准 SSL/TLS 协议加密流量。
- 信任存储
- 包含数据网格服务器的客户端证书或证书链。客户端信任存储是可选的,并允许 Data Grid 服务器执行客户端证书身份验证。
客户端证书身份验证
如果您希望 Data Grid Server 验证或验证客户端证书,您必须将 require-ssl-client-auth="true"
属性添加到端点配置中。
端点身份验证机制
如果您只使用密钥存储配置 Data Grid 服务器,您可以将加密与任何身份验证机制结合使用。
当您将 Data Grid Server 配置为使用客户端信任存储时,您必须配置端点以使用以下身份验证机制:
-
hot Rod (SASL):
EXTERNAL
-
REST (HTTP):
CLIENT_CERT
信任存储域配置
<security xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:infinispan:server:12.1 https://infinispan.org/schemas/infinispan-server-12.1.xsd" xmlns="urn:infinispan:server:12.1"> <security-realms> <security-realm name="default"> <server-identities> <ssl> <!-- Provides an SSL/TLS identity with a keystore that contains server certificates. --> <keystore path="server.p12" relative-to="infinispan.server.config.path" keystore-password="secret" alias="server"/> <!-- Configures a trust store that contains client certificates or part of a certificate chain. --> <truststore path="trust.p12" relative-to="infinispan.server.config.path" password="secret"/> </ssl> </server-identities> <!-- Authenticates client certificates against the trust store. If you configure this, the trust store must contain the public certificates for all clients. --> <truststore-realm/> </security-realm> </security-realms> </security> <!-- Configures Data Grid Server to require client certificates with the "require-ssl-client-auth" attribute. --> <endpoints xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:infinispan:server:12.1 https://infinispan.org/schemas/infinispan-server-12.1.xsd" xmlns="urn:infinispan:server:12.1" socket-binding="default" security-realm="default" require-ssl-client-auth="true"> <hotrod-connector> <!-- Configures the Hot Rod endpoint for client certificate authentication. --> <authentication> <sasl mechanisms="EXTERNAL" server-name="infinispan" qop="auth"/> </authentication> </hotrod-connector> <rest-connector> <!-- Configures the REST endpoint for client certificate authentication. --> <authentication mechanisms="CLIENT_CERT"/> </rest-connector> </endpoints>