2 Replies Latest reply on Aug 5, 2016 5:01 AM by Tristan Tarrant

    Hot rod encryption(SSL)

    Tejas Shah Novice

      Hello NadirX sebastian.laskawiec rvansa,

      Currently I am using Infinispan 8.2.3. I successfully configured SSL.

      But I have one question.

      How can I fetch the trust store certificate from the Infinispan server without passing a hard-coded trust store certificate in the client code?

      Because in the production environment we have different servers, and their trust store certificates are different.

      If I pass a hard-coded trust store certificate, it is difficult to handle in production.

      Thanks,

      Tejas

        • 1. Re: Hot rod encryption(SSL)
          Sebastian Łaskawiec Apprentice

          I believe you cannot. You should rather use a different keystore + truststore pair per deployment environment.

          • 2. Re: Hot rod encryption(SSL)
            Tristan Tarrant Master

            Tejas,

            the way you should set up a secure environment is as follows:

            On the server

            • The Keystore contains the server's identities, which means the server's private key together with all required signing CAs (unless these are part of the global JDK CA Roots)
            • The Truststore contains all of the public keys of the certificates of the clients that will be connecting

            On the client

            • The KeyStore contains the client's identity key. This is different for each client.
            • The TrustStore contains the necessary CAs (intermediate and root) needed to validate the server's certificate. This is common to all clients.

             

            With a large number of clients, managing all the certificates and files is going to be quite tricky, so you should probably opt for storing the certificates inside an LDAP directory and automate the generation of the stores.

            I'll ask the WildFly team if the security realm authentication can be configured to check certs against an LDAP server directly.
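            As an added illustration of the client side of this layout (example code written for this thread, not Infinispan's own), a Hot Rod client that takes its key store (the client identity) and the shared CA trust store from per-deployment system properties or environment variables instead of hard-coding them; the hotrod.* property names and HOTROD_* variable names are assumptions.

```java
import java.util.Objects;

import org.infinispan.client.hotrod.RemoteCacheManager;
import org.infinispan.client.hotrod.configuration.Configuration;
import org.infinispan.client.hotrod.configuration.ConfigurationBuilder;

/**
 * Builds a Hot Rod client configuration whose key store (this client's own
 * identity) and trust store (the CA chain that signs the server certificate)
 * come from deployment settings rather than from literals in the code, so the
 * same client binary works against servers with different certificates.
 * The hotrod.* / HOTROD_* setting names are assumptions for this example.
 */
public final class HotRodSslClient {

    /** Reads a required setting: system property first, then environment variable. */
    private static String required(String property, String envVar) {
        String value = System.getProperty(property, System.getenv(envVar));
        return Objects.requireNonNull(value, "missing setting: " + property + " / " + envVar);
    }

    public static Configuration buildClientConfiguration() {
        ConfigurationBuilder builder = new ConfigurationBuilder();
        builder.addServer()
               .host(required("hotrod.host", "HOTROD_HOST"))
               .port(Integer.parseInt(System.getProperty("hotrod.port", "11222")));
        builder.security().ssl()
               .enable()
               // Client identity: a distinct key store per client.
               .keyStoreFileName(required("hotrod.keystore", "HOTROD_KEYSTORE"))
               .keyStorePassword(required("hotrod.keystore.password", "HOTROD_KEYSTORE_PASSWORD").toCharArray())
               // CA chain used to validate the server certificate: shared by all clients.
               .trustStoreFileName(required("hotrod.truststore", "HOTROD_TRUSTSTORE"))
               .trustStorePassword(required("hotrod.truststore.password", "HOTROD_TRUSTSTORE_PASSWORD").toCharArray());
        return builder.build();
    }

    public static void main(String[] args) {
        RemoteCacheManager manager = new RemoteCacheManager(buildClientConfiguration());
        try {
            // A successful start means the TLS handshake against the configured stores worked.
            System.out.println("connected with TLS: " + manager.isStarted());
        } finally {
            manager.stop();
        }
    }
}
```

            Run it with e.g. -Dhotrod.host=... -Dhotrod.keystore=client1.jks -Dhotrod.truststore=ca-chain.jks and the matching password properties; only the key store and its password differ between clients, while the trust store is the same file everywhere.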