Version 2

    SSL is the best way to encrypt the Teiid JDBC transport. This article demonstrates how to set it up in both Embedded mode and Server mode.

    Create the private keystore and the truststore

    To create a private/public key pair, use the Java SDK tool `keytool` and execute the command below:

    $ keytool -genkey -alias teiid -keyalg RSA -validity 365 -keystore ssl-example.keystore -storetype JKS
    
    

    The resulting `ssl-example.keystore` holds the newly created private key and can be used as the keystore. From it, export the public key as a certificate for creating a truststore:

    $ keytool -export -alias teiid -keystore ssl-example.keystore -rfc -file public.cert
    
    

    This creates the `public.cert` file, which contains the public key that corresponds to the private key in `ssl-example.keystore`. Next, create the truststore:

    $ keytool -import -alias teiid -file public.cert -storetype JKS -keystore ssl-example.truststore

    Note that this creates `ssl-example.truststore`. All passwords entered while executing the above commands must match the SSL properties; in this article, every password is `redhat`.
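
    The three `keytool` steps above only work together if the truststore ends up holding the same certificate as the keystore's `teiid` entry. The following check is an added example, not part of the original article or of Teiid; it uses only the standard `java.security` API and assumes the article's file names, alias, and a single shared store password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

/** Added example: confirms the truststore trusts the certificate held in the keystore. */
public class KeystorePairCheck {

    static KeyStore load(String file, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(file)) {
            store.load(in, password); // a wrong password fails the integrity check here
        }
        return store;
    }

    static String sha256(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02X", b));
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        // Defaults are the file names and alias used in the article.
        String keystoreFile = args.length > 0 ? args[0] : "ssl-example.keystore";
        String truststoreFile = args.length > 1 ? args[1] : "ssl-example.truststore";
        String alias = args.length > 2 ? args[2] : "teiid";
        if (System.console() == null) throw new IllegalStateException("run from a terminal");
        char[] password = System.console().readPassword("Store password: ");

        KeyStore keystore = load(keystoreFile, password);
        KeyStore truststore = load(truststoreFile, password);
        if (!keystore.isKeyEntry(alias)) {
            throw new IllegalStateException("no private key under alias " + alias);
        }
        X509Certificate cert = (X509Certificate) keystore.getCertificate(alias);
        cert.checkValidity(); // throws once the 365-day validity period has passed
        System.out.println("subject: " + cert.getSubjectX500Principal());
        System.out.println("expires: " + cert.getNotAfter());
        System.out.println("SHA-256: " + sha256(cert));

        String trustedAs = truststore.getCertificateAlias(cert);
        if (trustedAs == null) {
            throw new IllegalStateException("truststore lacks the keystore's certificate");
        }
        System.out.println("trusted under truststore alias: " + trustedAs);
    }
}
```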

    Embedded

    Embedded Server Setup

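    The SSL configuration must be set up correctly before the Embedded Server starts. Below is an example:

    import javax.net.ssl.KeyManagerFactory;
    import org.teiid.net.socket.SocketUtil;
    import org.teiid.runtime.EmbeddedConfiguration;
    import org.teiid.runtime.EmbeddedServer;
    import org.teiid.transport.SSLConfiguration;
    import org.teiid.transport.SocketConfiguration;

    EmbeddedServer server = new EmbeddedServer();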
    ...
    EmbeddedConfiguration config = new EmbeddedConfiguration();
    SocketConfiguration socketConfiguration = new SocketConfiguration();
    
    
    SSLConfiguration sslConfiguration = new SSLConfiguration();
    sslConfiguration.setMode(SSLConfiguration.ENABLED);
    sslConfiguration.setAuthenticationMode(SSLConfiguration.ONEWAY);
    sslConfiguration.setSslProtocol(SocketUtil.DEFAULT_PROTOCOL);
    sslConfiguration.setKeymanagementAlgorithm(KeyManagerFactory.getDefaultAlgorithm());
    sslConfiguration.setEnabledCipherSuites("SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA");
    sslConfiguration.setKeystoreFilename("ssl-example.keystore");
    sslConfiguration.setKeystorePassword("redhat");
    sslConfiguration.setKeystoreType("JKS");
    sslConfiguration.setKeystoreKeyAlias("teiid");
    sslConfiguration.setKeystoreKeyPassword("redhat");
    sslConfiguration.setTruststoreFilename("ssl-example.truststore");
    sslConfiguration.setTruststorePassword("redhat");
    socketConfiguration.setSSLConfiguration(sslConfiguration);
    config.addTransport(socketConfiguration);
    
    server.start(config);
    
    

    Embedded Client

    To enable SSL, use `mms` in the JDBC URL, for example:

    jdbc:teiid:Portfolio@mms://localhost:31000;version=1
    
    

    All of the following SSL properties should be added as system properties. The easiest way is to put them all in a file named teiid-client-settings.properties and add this file to the client classpath.

    org.teiid.ssl.keyStore=ssl-example.keystore
    org.teiid.ssl.keyStorePassword=redhat
    org.teiid.ssl.keyStoreType=JKS
    org.teiid.ssl.protocol=TLSv1
    org.teiid.ssl.algorithm=SunX509
    org.teiid.ssl.keyAlias=teiid
    org.teiid.ssl.keyPassword=redhat
    #org.teiid.ssl.trustAll=true
    org.teiid.ssl.trustStore=ssl-example.truststore
    org.teiid.ssl.trustStorePassword=redhat
    
    

    Server

    Server setup

    Once the Teiid Server is running, execute the following CLI commands to set up SSL:

    /subsystem=teiid/transport=jdbc:write-attribute(name=ssl-mode,value=enabled)
    /subsystem=teiid/transport=jdbc:write-attribute(name=ssl-authentication-mode,value=1-way)
    /subsystem=teiid/transport=jdbc:write-attribute(name=ssl-ssl-protocol,value=TLSv1)
    /subsystem=teiid/transport=jdbc:write-attribute(name=ssl-keymanagement-algorithm,value=SunX509)
    /subsystem=teiid/transport=jdbc:write-attribute(name=ssl-enabled-cipher-suites,value="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA")
    /subsystem=teiid/transport=jdbc:write-attribute(name=keystore-name,value=ssl-example.keystore)
    /subsystem=teiid/transport=jdbc:write-attribute(name=keystore-password,value=redhat)
    /subsystem=teiid/transport=jdbc:write-attribute(name=keystore-type,value=JKS)
    /subsystem=teiid/transport=jdbc:write-attribute(name=keystore-key-alias,value=teiid)
    /subsystem=teiid/transport=jdbc:write-attribute(name=keystore-key-password,value=redhat)
    /subsystem=teiid/transport=jdbc:write-attribute(name=truststore-name,value=ssl-example.truststore)
    /subsystem=teiid/transport=jdbc:write-attribute(name=truststore-password,value=redhat)
    

    This produces the following SSL XML configuration in the Teiid transport section:

    <ssl mode="enabled" keymanagement-algorithm="SunX509" enabled-cipher-suites="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA">
        <keystore name="ssl-example.keystore" password="redhat" key-alias="teiid" key-password="redhat"/>
        <truststore name="ssl-example.truststore" password="redhat"/>
    </ssl>
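
    The RC4 cipher suites and the TLSv1 protocol set in the Embedded configuration and in the CLI commands above are disabled by default in current JDKs, so the handshake can fail even when the keystores are correct. The following check is an added example, not part of the original article or of Teiid; it uses only the standard JSSE API to report how the running JVM treats the configured values.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/** Added example: compares Teiid SSL settings with what this JVM's JSSE provider allows. */
public class TeiidSslSettingsCheck {

    static Set<String> setOf(String[] values) {
        return new HashSet<>(Arrays.asList(values));
    }

    /** Classifies one protocol or cipher suite name against the JVM's lists. */
    static String status(String name, Set<String> enabled, Set<String> supported) {
        if (enabled.contains(name)) return "enabled by default";
        return supported.contains(name) ? "supported, not enabled by default" : "unsupported";
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Defaults are the values from the article; pass others as arguments.
        String protocol = args.length > 0 ? args[0] : "TLSv1";
        String suites = args.length > 1 ? args[1]
                : "SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA";

        SSLContext context = SSLContext.getDefault();
        SSLParameters enabled = context.getDefaultSSLParameters();
        SSLParameters supported = context.getSupportedSSLParameters();
        Set<String> enabledSuites = setOf(enabled.getCipherSuites());
        Set<String> supportedSuites = setOf(supported.getCipherSuites());

        System.out.println("protocol " + protocol + ": " + status(protocol,
                setOf(enabled.getProtocols()), setOf(supported.getProtocols())));
        boolean anyEnabled = false;
        for (String suite : suites.split(",")) {
            String name = suite.trim();
            anyEnabled |= enabledSuites.contains(name);
            System.out.println("cipher suite " + name + ": "
                    + status(name, enabledSuites, supportedSuites));
        }
        // The JVM-wide policy that removes weak protocols and algorithms.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        if (!anyEnabled) {
            System.err.println("No configured cipher suite is enabled by default in this JVM.");
            System.exit(1);
        }
    }
}
```

    Run it with the same JVM that runs Teiid, since the enabled lists depend on the JDK version and its `java.security` file.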
    

    Adding the keystore files to the Teiid runtime classpath takes 2 simple steps:

    • Add the keystore files to the modules folder
    $ cd $JBOSS_HOME/modules/system/layers/dv/org/jboss/teiid/client/main
    $ cp /path/to/ssl-example.keystore ./
    $ cp /path/to/ssl-example.truststore ./
    
    • Edit the client module.xml, adding a resource-root that points to the local folder
    <resources>
            ...
            <resource-root path="." />
    </resources>
    

    Client

    To enable SSL, use `mms` in the JDBC URL, for example:

    jdbc:teiid:Portfolio@mms://localhost:31000;version=1

    All of the following SSL properties should be added as system properties. The easiest way is to put them all in a file named teiid-client-settings.properties and add this file to the client classpath.

    org.teiid.ssl.keyStore=ssl-example.keystore
    org.teiid.ssl.keyStorePassword=redhat
    org.teiid.ssl.keyStoreType=JKS
    org.teiid.ssl.protocol=TLSv1
    org.teiid.ssl.algorithm=SunX509
    org.teiid.ssl.keyAlias=teiid
    org.teiid.ssl.keyPassword=redhat
    #org.teiid.ssl.trustAll=true
    org.teiid.ssl.trustStore=ssl-example.truststore
    org.teiid.ssl.trustStorePassword=redhat