2 Replies Latest reply on Aug 5, 2016 5:01 AM by nadirx

Hot rod encryption(SSL)

stejas7 Aug 4, 2016 4:20 AM

Currently I am using Infinispan 8.2.3.i was successfully configure SSL.

but i have one question.

How to fetch trust store certificate from infinispan server without pass hard coded trust store certificate in client code?

Because in production environment we have a different servers there trust store certificate are different .

If i am pass hard code trust store certificate it is difficult to handle in production.

Thanks,

Tejas

1. Re: Hot rod encryption(SSL)

sebastian.laskawiec Aug 4, 2016 6:47 AM (in response to stejas7)

I believe you can not. You should rather use different keystore + trustore pair per deployment environment.
Actions
2. Re: Hot rod encryption(SSL)

nadirx Aug 5, 2016 5:01 AM (in response to stejas7)
Tejas,

the way you should setup a secure environment is as follows:

On the server
The Keystore contains the server's identities, which means the server's private key together with all required signing CAs (unless these are part of the global JDK CA Roots)
The Truststore contains all of the public keys of the certificates of the clients that will be connecting
On the client
The KeyStore contains the client's identity key. This is different for each client.
The TrustStore contains the necessary CA's (intermediate and root) needed to validate the server's certificate. This is common to all clients

With a large number of clients, managing all the certificates and files is going to be quite tricky, so you should probably opt for storing the certificates inside an LDAP directory and automate the generation of the stores.
I'll ask the WildFly team if the security realm authentication can be configured to check certs against an LDAP server directly.
Actions