9 Replies Latest reply on Mar 27, 2019 8:43 AM by akrepon

Access SSL enabled Hot rod protocol

jason513 May 29, 2017 8:06 PM

Hi,

We have an external Infinispan server deployed with SSL enabled hotrod protocol. I am trying to figure out, from wildfly Server how to connect to this remote cache.

In our Wildfly server, I have the following configuration

<subsystem xmlns="urn:jboss:domain:remoting:3.0">
    <endpoint/>
    <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
    <outbound-connections>
        <remote-outbound-connection name="infinissl" outbound-socket-binding-ref="remote-cache" protocol="https-remoting"/>
    </outbound-connections>
</subsystem>
<subsystem xmlns="urn:jboss:domain:infinispan:4.0">
    <cache-container name="keycloak" jndi-name="infinispan/app1" module="org.keycloak.keycloak-model-infinispan">
        <local-cache name="sessions">
            <remote-store passivation="false" fetch-state="false" purge="false" preload="false" shared="true" cache="sessions" remote-servers="remote-cache">   
                <property name="rawValues">true</property>
                <property name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
            </remote-store>
        </local-cache>
    </cache-container>
</subsystem>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    ..............
    ...............
    <outbound-socket-binding name="remote-cache" >
        <remote-destination host="${env.INFINISPAN_HOST}" port="${env.INFINISPAN_PORT:11222}" >
        </remote-destination>
    </outbound-socket-binding>
</socket-binding-group>

In outbound connection, even though I mentioned it as a https-remoting it is still trying to connect as non-SSL. Any thoughts on this?

Thanks!

1. Re: Access SSL enabled Hot rod protocol

sebastian.laskawiec May 30, 2017 4:01 AM (in response to jason513)

Hey!

Have you looked into our server manual: Infinispan 9.0 Server Guide ?

Thanks,
Sebastian
Actions
2. Re: Access SSL enabled Hot rod protocol

nadirx May 30, 2017 4:13 AM (in response to jason513)

Unfortunately the Remote Store has not been extended to include configurations for encryption nor authentication.
I have created
[ISPN-7868] RemtoeStore support for encryption and authentication - JBoss Issue Tracker
to track this for Infinispan. In the case of WildFly this will have to be handled separately. Maybe pferraro can help.
Actions
3. Re: Access SSL enabled Hot rod protocol

jason513 Jun 1, 2017 12:39 AM (in response to sebastian.laskawiec)

Hi sebastian.laskawiec ,

I already looked into the server manual. The section you pointed talks about how to enable SSL at Infinispan server level. But it doesn't give examples/description about how can we consume SSL enabled hotrod protocol from an external wildfly server.

Thanks1
Actions
4. Re: Access SSL enabled Hot rod protocol

jason513 Jun 1, 2017 1:40 AM (in response to nadirx)

Hi nadirx ,

Thanks for your response. So are you saying it doesn't even support SSL ? I am surprise to know Infinispan doesn't support SSL for remote stores.

Thanks!
Actions
5. Re: Access SSL enabled Hot rod protocol

nadirx Jun 1, 2017 3:28 AM (in response to jason513)

It's just not exposed in the configuration. I'll try and whip up a patch as soon as possible.
Actions
6. Re: Access SSL enabled Hot rod protocol

akrepon Mar 26, 2019 2:14 PM (in response to nadirx)

We are currently trying to do something similar but using the infinispan server as a backup site. Can you please show us an example how to configure the hot rod client on a wildfly server using SSL to connect to the Infinispan server?

Thx in advance,
Yasin
Actions
7. Re: Access SSL enabled Hot rod protocol

pferraro Mar 26, 2019 3:17 PM (in response to akrepon)

akrepon Documentation for configuring a hotrod-based cache store with a secured transport can be found here:
https://github.com/wildfly/wildfly/blob/16.0.0.Final/docs/src/main/asciidoc/_high-availability/subsystem-support/Offload…
Actions

8. Re: Access SSL enabled Hot rod protocol

nadirx Mar 26, 2019 4:43 PM (in response to pferraro)

To complement Paul's reply, for Infinispan Server you configure the remote store's security as follows:

<remote-store cache="default" socket-timeout="60000" tcp-no-delay="true" fetch-state="false" passivation="false" preload="true" purge="false" shared="true" singleton="false" hotrod-wrapping="true" raw-values="true" protocol-version="2.4" name="remote-store">
   <write-behind modification-queue-size="2048" thread-pool-size="1" />
      <remote-server outbound-socket-binding="hotrod-server-1" />
      <remote-server outbound-socket-binding="hotrod-server-2" />
      <authentication>
        <digest username="username" password="password" realm="realm" server-name="server"/>
      </authentication>
      <encryption security-realm="myrealm" />
</remote-store>

9. Re: Access SSL enabled Hot rod protocol

akrepon Mar 27, 2019 8:43 AM (in response to nadirx)

Thx for the great answers. I've managed to use a hotrod-store instead of a remote-store since this last is deprecated. I've applied the changes but had a small question regarding the configuring the hotrod-store with a custom marshaller.

I need to take the KeycloakHotrodMarshallerFactory as one of the properties.

/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens/store=hotrod:add(remote-cache-container=sessions,fetch-state=false,purge=false,passivation=false,shared=true,preload=true, properties={rawValues=true, marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory})

But these properties in bold are not recognized. How can I configure the hotrod-store to use the KeycloakHotrodMarshaller?

Thx in advance,
Yasin
Actions

Go to original post