Chapter 4. Configuring encryption
Configure encryption for your Data Grid.
4.1. Enabling TLS encryption
Encryption can be independently enabled for endpoint and cluster transport.
Prerequisites
- A secret containing a certificate or a keystore. Endpoint and cluster should use different secrets.
- A credentials keystore containing any password needed to access the keystore. See Adding credentials keystore.
Procedure
Set the secret name in the deploy configuration.
Provide the name of the secret containing the keystore:
deploy:
  ssl:
    endpointSecretName: "tls-secret"
    transportSecretName: "tls-transport-secret"
Enable cluster transport TLS.
deploy:
  infinispan:
    cacheContainer:
      transport:
        urn:infinispan:server:15.0:securityRealm: "cluster-transport" # 1
    server:
      security:
        securityRealms:
          - name: cluster-transport
            serverIdentities:
              ssl:
                keystore: # 2
                  alias: "server"
                  path: "/etc/encrypt/transport/cert.p12"
                  credentialReference: # 3
                    store: credentials
                    alias: keystore
                truststore: # 4
                  path: "/etc/encrypt/transport/cert.p12"
                  credentialReference: # 5
                    store: credentials
                    alias: truststore
- 1: Configures the transport stack to use the specified security realm to provide cluster encryption.
- 2: Configures the keystore path in the transport realm. The secret is mounted at /etc/encrypt/transport.
- 3, 5: Alias and password must be provided if the secret contains a keystore.
- 4: Configures the truststore with the same keystore, allowing the nodes to authenticate each other.
Enable endpoint TLS.
deploy:
  infinispan:
    server:
      security:
        securityRealms:
          - name: default
            serverIdentities:
              ssl:
                keystore:
                  path: "/etc/encrypt/endpoint/keystore.p12" # 1
                  alias: "server" # 2
                  credentialReference:
                    store: credentials # 3
                    alias: keystore # 4
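The two realm definitions above are easy to wire up inconsistently (a transport realm name that matches no realm, a keystore path outside the mounted secret, a password not taken from the credentials store). The following lint is an added example, not part of the Data Grid documentation or chart; it checks a parsed deploy values mapping against the rules on this page, using a constructed sample rather than a real values file.

```python
# Added example, not from the Data Grid documentation: lint the 'deploy' values for the TLS wiring
# shown above. Load the values file with yaml.safe_load first; here the sample is an inline dict.
TRANSPORT_KEY = "urn:infinispan:server:15.0:securityRealm"
MOUNTS = {"transport": "/etc/encrypt/transport/", "endpoint": "/etc/encrypt/endpoint/"}

def _check_store(realm, store, kind, mount):
    """A keystore/truststore must live in the mounted secret and take its password from the credential store."""
    out = []
    if not store.get("path", "").startswith(mount):
        out.append(f"{realm}: {kind} path {store.get('path')!r} is not under {mount}")
    ref = store.get("credentialReference", {})
    if not (ref.get("store") and ref.get("alias")):
        out.append(f"{realm}: {kind} has no credentialReference (store + alias)")
    return out

def lint_tls(deploy):
    """Return a list of findings for the TLS wiring; an empty list means it is consistent."""
    ssl, isp = deploy.get("ssl", {}), deploy.get("infinispan", {})
    realms = {r.get("name"): r for r in isp.get("server", {}).get("security", {}).get("securityRealms", [])}
    ids = lambda name: realms.get(name, {}).get("serverIdentities", {}).get("ssl", {})
    ep, tr = ssl.get("endpointSecretName"), ssl.get("transportSecretName")
    findings = ["endpoint and transport must use different secrets"] if ep and ep == tr else []
    tr_realm = isp.get("cacheContainer", {}).get("transport", {}).get(TRANSPORT_KEY)
    if tr_realm:  # cluster transport: the named realm must exist with both keystore and truststore
        if not tr:
            findings.append("transport realm set but deploy.ssl.transportSecretName is missing")
        if tr_realm not in realms:
            findings.append(f"transport references unknown realm {tr_realm!r}")
        else:
            for kind in ("keystore", "truststore"):
                store = ids(tr_realm).get(kind)
                findings += (_check_store(tr_realm, store, kind, MOUNTS["transport"]) if store else
                             [f"{tr_realm}: cluster transport needs a {kind} for nodes to authenticate each other"])
    if ep:  # endpoint: the 'default' realm must carry a keystore from the endpoint secret
        ks = ids("default").get("keystore")
        findings += (_check_store("default", ks, "keystore", MOUNTS["endpoint"]) if ks
                     else ["default: endpointSecretName is set but the realm has no ssl keystore"])
    return findings

# Constructed sample values mirroring the two realms on this page (not a real values file).
CRED, P12 = {"store": "credentials", "alias": "keystore"}, "/etc/encrypt/transport/cert.p12"
GOOD = {"ssl": {"endpointSecretName": "tls-secret", "transportSecretName": "tls-transport-secret"},
        "infinispan": {"cacheContainer": {"transport": {TRANSPORT_KEY: "cluster-transport"}},
                       "server": {"security": {"securityRealms": [
                           {"name": "cluster-transport", "serverIdentities": {"ssl": {
                               "keystore": {"alias": "server", "path": P12, "credentialReference": CRED},
                               "truststore": {"path": P12, "credentialReference": {"store": "credentials", "alias": "truststore"}}}}},
                           {"name": "default", "serverIdentities": {"ssl": {"keystore": {
                               "path": "/etc/encrypt/endpoint/keystore.p12", "alias": "server", "credentialReference": CRED}}}}]}}}}
```

`lint_tls(GOOD)` returns an empty list; a values mapping that reuses one secret for both listeners or points a keystore outside `/etc/encrypt/...` gets one finding per violated rule.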
Additional resources