SSL is the best way to encrypt the Teiid JDBC transport. This article demonstrates how to configure it in both Embedded mode and Server mode.
Create the private keystore and the truststore
To create a private/public key pair, use the JDK tool `keytool` and execute the command below:

```shell
$ keytool -genkey -alias teiid -keyalg RSA -validity 365 -keystore ssl-example.keystore -storetype JKS
```

The resulting `ssl-example.keystore` is the keystore that holds the newly created private key. From it we can export the public certificate that will go into the truststore:

```shell
$ keytool -export -alias teiid -keystore ssl-example.keystore -rfc -file public.cert
```

This writes `public.cert`, which contains the certificate (public key) that belongs to the private key in `ssl-example.keystore`. Import it to create the truststore:

```shell
$ keytool -import -alias teiid -file public.cert -storetype JKS -keystore ssl-example.truststore
```

This creates `ssl-example.truststore`. The passwords entered while running the commands above must match the SSL properties configured later; in this article every password is `redhat`.
Embedded
Embedded Server Setup
The SSL configuration must be in place before the embedded server starts. Below is an example:

```java
import javax.net.ssl.KeyManagerFactory;

import org.teiid.runtime.EmbeddedConfiguration;
import org.teiid.runtime.EmbeddedServer;
import org.teiid.transport.SSLConfiguration;
import org.teiid.transport.SocketConfiguration;
import org.teiid.transport.SocketUtil;

EmbeddedServer server = new EmbeddedServer();
...
EmbeddedConfiguration config = new EmbeddedConfiguration();
SocketConfiguration socketConfiguration = new SocketConfiguration();

// SSL settings for the JDBC socket transport
SSLConfiguration sslConfiguration = new SSLConfiguration();
sslConfiguration.setMode(SSLConfiguration.ENABLED);
sslConfiguration.setAuthenticationMode(SSLConfiguration.ONEWAY); // server presents a certificate; client is not asked for one
sslConfiguration.setSslProtocol(SocketUtil.DEFAULT_PROTOCOL);
sslConfiguration.setKeymanagementAlgorithm(KeyManagerFactory.getDefaultAlgorithm());
sslConfiguration.setEnabledCipherSuites("SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA");

// server identity: the private key created with keytool above
sslConfiguration.setKeystoreFilename("ssl-example.keystore");
sslConfiguration.setKeystorePassword("redhat");
sslConfiguration.setKeystoreType("JKS");
sslConfiguration.setKeystoreKeyAlias("teiid");
sslConfiguration.setKeystoreKeyPassword("redhat");

// truststore built from the exported certificate
sslConfiguration.setTruststoreFilename("ssl-example.truststore");
sslConfiguration.setTruststorePassword("redhat");

socketConfiguration.setSSLConfiguration(sslConfiguration);
config.addTransport(socketConfiguration);
server.start(config);
```
Embedded Client
To enable SSL, the `mms` protocol must be used in the JDBC URL, for example:

```
jdbc:teiid:Portfolio@mms://localhost:31000;version=1
```
All of the following SSL properties must be set as system properties. The easiest way is to put them in a file named `teiid-client-settings.properties` and add that file to the client classpath:

```properties
org.teiid.ssl.keyStore=ssl-example.keystore
org.teiid.ssl.keyStorePassword=redhat
org.teiid.ssl.keyStoreType=JKS
org.teiid.ssl.protocol=TLSv1
org.teiid.ssl.algorithm=SunX509
org.teiid.ssl.keyAlias=teiid
org.teiid.ssl.keyPassword=redhat
#org.teiid.ssl.trustAll=true
org.teiid.ssl.trustStore=ssl-example.truststore
org.teiid.ssl.trustStorePassword=redhat
```
Server
Server setup
Once the Teiid server is running, execute the following CLI commands to set up SSL:

```
/subsystem=teiid/transport=jdbc:write-attribute(name=ssl-mode,value=enabled)
/subsystem=teiid/transport=jdbc:write-attribute(name=ssl-authentication-mode,value=1-way)
/subsystem=teiid/transport=jdbc:write-attribute(name=ssl-ssl-protocol,value=TLSv1)
/subsystem=teiid/transport=jdbc:write-attribute(name=ssl-keymanagement-algorithm,value=SunX509)
/subsystem=teiid/transport=jdbc:write-attribute(name=ssl-enabled-cipher-suites,value="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA")
/subsystem=teiid/transport=jdbc:write-attribute(name=keystore-name,value=ssl-example.keystore)
/subsystem=teiid/transport=jdbc:write-attribute(name=keystore-password,value=redhat)
/subsystem=teiid/transport=jdbc:write-attribute(name=keystore-type,value=JKS)
/subsystem=teiid/transport=jdbc:write-attribute(name=keystore-key-alias,value=teiid)
/subsystem=teiid/transport=jdbc:write-attribute(name=keystore-key-password,value=redhat)
/subsystem=teiid/transport=jdbc:write-attribute(name=truststore-name,value=ssl-example.truststore)
/subsystem=teiid/transport=jdbc:write-attribute(name=truststore-password,value=redhat)
```
This produces the following `ssl` XML configuration in the Teiid transport section:

```xml
<ssl mode="enabled" keymanagement-algorithm="SunX509" enabled-cipher-suites="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA">
    <keystore name="ssl-example.keystore" password="redhat" key-alias="teiid" key-password="redhat"/>
    <truststore name="ssl-example.truststore" password="redhat"/>
</ssl>
```
Adding the keystore files to the Teiid runtime classpath takes two simple steps:
- Copy the keystore files into the client module folder:

```shell
$ cd $JBOSS_HOME/modules/system/layers/dv/org/jboss/teiid/client/main
$ cp /path/to/ssl-example.keystore ./
$ cp /path/to/ssl-example.truststore ./
```
- Edit the client module's `module.xml` and add a `resource-root` that points to the local folder:

```xml
<resources>
    ...
    <resource-root path="." />
</resources>
```
Client
To enable SSL, the `mms` protocol must be used in the JDBC URL, for example:

```
jdbc:teiid:Portfolio@mms://localhost:31000;version=1
```
All of the following SSL properties must be set as system properties. The easiest way is to put them in a file named `teiid-client-settings.properties` and add that file to the client classpath:

```properties
org.teiid.ssl.keyStore=ssl-example.keystore
org.teiid.ssl.keyStorePassword=redhat
org.teiid.ssl.keyStoreType=JKS
org.teiid.ssl.protocol=TLSv1
org.teiid.ssl.algorithm=SunX509
org.teiid.ssl.keyAlias=teiid
org.teiid.ssl.keyPassword=redhat
#org.teiid.ssl.trustAll=true
org.teiid.ssl.trustStore=ssl-example.truststore
org.teiid.ssl.trustStorePassword=redhat
```
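As an added example (not code from this article or from the Teiid project), the client program below loads the settings file shown above into system properties, refuses to continue if `org.teiid.ssl.trustAll` has been switched on, and then opens a connection over the SSL transport. It assumes the Teiid client jar is on the classpath, a VDB named `Portfolio` is deployed on `localhost:31000` as in the URL above, and the credentials are placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public class SslClientExample {

    // mms:// selects the SSL transport; a plain mm:// URL would send traffic in clear text
    static final String URL = "jdbc:teiid:Portfolio@mms://localhost:31000;version=1";

    // Loads the org.teiid.ssl.* keys from the settings file into system properties,
    // which is where the Teiid client reads them.
    static void loadSslSettings(String path) throws IOException {
        Properties p = new Properties();
        try (InputStream in = new FileInputStream(path)) {
            p.load(in);
        }
        // trustAll switches off server certificate verification and makes the
        // truststore built above pointless; refuse to run with it enabled
        if (Boolean.parseBoolean(p.getProperty("org.teiid.ssl.trustAll", "false"))) {
            throw new IllegalStateException("org.teiid.ssl.trustAll=true disables certificate verification");
        }
        for (String name : p.stringPropertyNames()) {
            if (name.startsWith("org.teiid.ssl.")) {
                System.setProperty(name, p.getProperty(name));
            }
        }
    }

    public static void main(String[] args) throws IOException, SQLException {
        loadSslSettings("teiid-client-settings.properties");
        Properties creds = new Properties();
        creds.setProperty("user", "USERNAME");      // placeholder credentials, not from the article
        creds.setProperty("password", "PASSWORD");
        try (Connection c = DriverManager.getConnection(URL, creds);
             Statement s = c.createStatement();
             ResultSet rs = s.executeQuery("SELECT 1")) {
            // reaching here means the handshake verified the server certificate
            // against ssl-example.truststore and the query went over SSL
            if (rs.next()) {
                System.out.println("connected over SSL, query returned " + rs.getInt(1));
            }
        }
    }
}
```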