WildFly to Infinispan Encryption

tommaso borgato
3 min read

Introduction

When using Infinispan as an external cache for WildFly, we might want to:

  • Encrypt communication
  • Use a client certificate to authenticate to Infinispan

Generate Keystores

The first thing we need is keys and certificates to:

  • encrypt communication
  • use a client certificate for authentication; to get certificates you can use a certificate authority; in this guide, to keep it simple, we create and use our own certificate authority

Create a certificate authority certificate

keytool -validity 36500 -keyalg RSA -keysize 2048 -noprompt -storepass 123PIPPOBAUDO -storetype pkcs12 -genkeypair -alias ca -keystore ca-keystore.p12 -ext bc:c -dname 'CN=CA,OU=Infinispan,O=JBoss,L=My Company'
keytool -validity 36500 -keyalg RSA -keysize 2048 -noprompt -storepass 123PIPPOBAUDO -storetype pkcs12 -exportcert -alias ca -keystore ca-keystore.p12 -file ca.cer

Infinispan keystore

keytool -validity 36500 -keyalg RSA -keysize 2048 -noprompt -storepass 123PIPPOBAUDO -storetype pkcs12 -genkeypair -alias infinispan -dname 'CN=Infinispan,OU=Infinispan,O=JBoss,L=My Company' -keystore infinispan-keystore.p12
keytool -validity 36500 -keyalg RSA -keysize 2048 -noprompt -storepass 123PIPPOBAUDO -storetype pkcs12 -certreq -alias infinispan -dname 'CN=Infinispan,OU=Infinispan,O=JBoss,L=My Company' -keystore infinispan-keystore.p12 -file infinispan.csr
keytool -validity 36500 -keyalg RSA -keysize 2048 -noprompt -storepass 123PIPPOBAUDO -storetype pkcs12 -gencert -alias ca -keystore ca-keystore.p12 -infile infinispan.csr -outfile infinispan.cer -ext "san=dns:localhost"
keytool -validity 36500 -keyalg RSA -keysize 2048 -noprompt -storepass 123PIPPOBAUDO -storetype pkcs12 -importcert -alias ca -keystore infinispan-keystore.p12 -file ca.cer
keytool -validity 36500 -keyalg RSA -keysize 2048 -noprompt -storepass 123PIPPOBAUDO -storetype pkcs12 -importcert -alias infinispan -keystore infinispan-keystore.p12 -file infinispan.cer

WildFly keystore

keytool -validity 36500 -keyalg RSA -keysize 2048 -noprompt -storepass 123PIPPOBAUDO -storetype pkcs12 -genkeypair -alias wildfly -dname 'CN=wildfly,OU=My Dept,DC=My Company' -keystore wildfly-keystore.p12
keytool -validity 36500 -keyalg RSA -keysize 2048 -noprompt -storepass 123PIPPOBAUDO -storetype pkcs12 -certreq -alias wildfly -dname 'CN=wildfly,OU=My Dept,DC=My Company' -keystore wildfly-keystore.p12 -file wildfly.csr
keytool -validity 36500 -keyalg RSA -keysize 2048 -noprompt -storepass 123PIPPOBAUDO -storetype pkcs12 -gencert -alias ca -keystore ca-keystore.p12 -infile wildfly.csr -outfile wildfly.cer -ext "san=dns:localhost"
keytool -validity 36500 -keyalg RSA -keysize 2048 -noprompt -storepass 123PIPPOBAUDO -storetype pkcs12 -importcert -alias ca -keystore wildfly-keystore.p12 -file ca.cer
keytool -validity 36500 -keyalg RSA -keysize 2048 -noprompt -storepass 123PIPPOBAUDO -storetype pkcs12 -importcert -alias wildfly -keystore wildfly-keystore.p12 -file wildfly.cer

Infinispan truststore

keytool -validity 36500 -keyalg RSA -keysize 2048 -noprompt -storepass 123PIPPOBAUDO -storetype pkcs12 -importcert -alias ca -keystore infinispan-truststore.p12 -file ca.cer
keytool -validity 36500 -keyalg RSA -keysize 2048 -noprompt -storepass 123PIPPOBAUDO -storetype pkcs12 -importcert -alias wildfly -keystore infinispan-truststore.p12 -file wildfly.cer

WildFly truststore

keytool -validity 36500 -keyalg RSA -keysize 2048 -noprompt -storepass 123PIPPOBAUDO -storetype pkcs12 -importcert -alias ca -keystore wildfly-truststore.p12 -file ca.cer
keytool -validity 36500 -keyalg RSA -keysize 2048 -noprompt -storepass 123PIPPOBAUDO -storetype pkcs12 -importcert -alias infinispan -keystore wildfly-truststore.p12 -file infinispan.cer

Infinispan

Copy Keystores to Infinispan

export INFINISPAN_HOME=infinispan-server-15.0.10.Final
cp infinispan-keystore.p12 $INFINISPAN_HOME/server/conf/
cp infinispan-truststore.p12 $INFINISPAN_HOME/server/conf/

Configure Infinispan

Optionally create an admin user for debugging purposes:

$INFINISPAN_HOME/bin/cli.sh user create admin -p pass.1234 --groups=admin

As described in the Infinispan documentation, configure the necessary keystores:

sed -i '/./{H;$!d} ; x ; s#<[^>]*server-identities>.*</server-identities[^>]*>#<server-identities>\n<ssl>\n<keystore path="infinispan-keystore.p12" keystore-password="123PIPPOBAUDO" alias="infinispan" relative-to="infinispan.server.config.path"/>\n<truststore path="infinispan-truststore.p12" password="123PIPPOBAUDO" relative-to="infinispan.server.config.path"/>\n</ssl>\n</server-identities>\n<truststore-realm/>#' $INFINISPAN_HOME/server/conf/infinispan.xml
sed -i 's#<authorization/>#<authorization group-only-mapping="false">\n<common-name-role-mapper/>\n<role name="wildfly" permissions="ALL"/>\n</authorization>#' $INFINISPAN_HOME/server/conf/infinispan.xml
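Before starting the server it is worth checking that the configuration written by the two sed commands is consistent with the WildFly client certificate: with sasl_mechanism=EXTERNAL and <common-name-role-mapper/>, Infinispan maps the CN of the client certificate to a role, so the <role name="..."/> must equal the CN in the WildFly dname. The script below is an added example, not part of the original guide; it assumes the file names and dname used here and only inspects text, so it needs no keytool.

```shell
#!/bin/sh
# Added example: sanity-check infinispan.xml against the WildFly client dname.
# Assumes the keystore file names and the dname 'CN=wildfly,...' used in this guide.

# Extract the CN attribute from an X.500 dname such as 'CN=wildfly,OU=My Dept,DC=My Company'.
cn_from_dname() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*CN=//p' | head -n 1
}

# Print every role name declared in the <authorization> block of the config file.
roles_from_config() {
    sed -n 's/.*<role name="\([^"]*\)".*/\1/p' "$1"
}

# Return 0 when the config is consistent with the client dname:
#  - the server identity is the infinispan keystore and truststore,
#  - the truststore realm is enabled (otherwise client certificates are never accepted),
#  - the CN-to-role mapper is present,
#  - a role whose name equals the client CN exists.
check_infinispan_config() {
    cfg=$1
    dname=$2
    cn=$(cn_from_dname "$dname")
    grep -q '<keystore path="infinispan-keystore.p12"' "$cfg" \
        || { echo "missing server keystore entry"; return 1; }
    grep -q '<truststore path="infinispan-truststore.p12"' "$cfg" \
        || { echo "missing server truststore entry"; return 1; }
    grep -q '<truststore-realm/>' "$cfg" \
        || { echo "truststore realm not enabled: client certificates will be rejected"; return 1; }
    grep -q '<common-name-role-mapper/>' "$cfg" \
        || { echo "no common-name-role-mapper: client CN is not mapped to a role"; return 1; }
    roles_from_config "$cfg" | grep -qx "$cn" \
        || { echo "no role named '$cn' matching the client certificate CN"; return 1; }
    echo "infinispan.xml is consistent with client CN '$cn'"
    return 0
}

# Usage: check-config.sh "$INFINISPAN_HOME/server/conf/infinispan.xml" 'CN=wildfly,OU=My Dept,DC=My Company'
if [ $# -eq 2 ]; then
    check_infinispan_config "$1" "$2"
fi
```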

Start Infinispan

$INFINISPAN_HOME/bin/server.sh --server-config=infinispan.xml

WildFly

Copy Keystores to WildFly

export WILDFLY_HOME=wildfly-34.0.0.Beta1
cp wildfly-keystore.p12 $WILDFLY_HOME/
cp wildfly-truststore.p12 $WILDFLY_HOME/

Configure WildFly

Option 1: use Elytron

$WILDFLY_HOME/bin/jboss-cli.sh
        embed-server --server-config=standalone-ha.xml
        /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-jdg-server1:add(host=localhost, port=11222)

        # keystore
        /subsystem=elytron/key-store=WildFly-Keystore:add(path=wildfly-keystore.p12, relative-to=jboss.home.dir, credential-reference={clear-text=123PIPPOBAUDO}, type=PKCS12)
        /subsystem=elytron/key-manager=WildFly-KeyManager:add(key-store=WildFly-Keystore, algorithm="SunX509", credential-reference={clear-text=123PIPPOBAUDO})

        # truststore
        /subsystem=elytron/key-store=WildFly-Truststore:add(path=wildfly-truststore.p12, relative-to=jboss.home.dir, credential-reference={clear-text=123PIPPOBAUDO}, type=PKCS12)
        /subsystem=elytron/trust-manager=WildFly-TrustManager:add(key-store=WildFly-Truststore, algorithm="SunX509")

        # ssl client
        /subsystem=elytron/client-ssl-context=CLIENT_SSL_CONTEXT:add(key-manager=WildFly-KeyManager, trust-manager=WildFly-TrustManager, protocols=["TLSv1.2"])

        batch
        /subsystem=infinispan/remote-cache-container=web-sessions:add(default-remote-cluster=jdg-server-cluster, statistics-enabled=true, properties={infinispan.client.hotrod.sasl_mechanism=EXTERNAL})
        /subsystem=infinispan/remote-cache-container=web-sessions/remote-cluster=jdg-server-cluster:add(socket-bindings=[remote-jdg-server1])
        run-batch
        /subsystem=infinispan/remote-cache-container=web-sessions/component=security:write-attribute(name=ssl-context,value=CLIENT_SSL_CONTEXT)

Option 2: use Hot Rod properties

$WILDFLY_HOME/bin/jboss-cli.sh
        embed-server --server-config=standalone-ha.xml
        /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-jdg-server1:add(host=localhost, port=11222)
        batch
        /subsystem=infinispan/remote-cache-container=web-sessions:add(default-remote-cluster=jdg-server-cluster, statistics-enabled=true, properties={infinispan.client.hotrod.trust_store_file_name=/tmp/wildfly-34.0.0.Beta1/wildfly-truststore.p12, infinispan.client.hotrod.trust_store_password=123PIPPOBAUDO,infinispan.client.hotrod.key_store_file_name=/tmp/wildfly-34.0.0.Beta1/wildfly-keystore.p12,infinispan.client.hotrod.key_store_password=123PIPPOBAUDO,infinispan.client.hotrod.sasl_mechanism=EXTERNAL})
        /subsystem=infinispan/remote-cache-container=web-sessions/remote-cluster=jdg-server-cluster:add(socket-bindings=[remote-jdg-server1])
        run-batch
        /subsystem=infinispan/remote-cache-container=web-sessions:write-attribute(name=marshaller,value=PROTOSTREAM)
        /subsystem=infinispan/cache-container=web/invalidation-cache=offload:add()
        /subsystem=infinispan/cache-container=web/invalidation-cache=offload/store=hotrod:add(remote-cache-container=web-sessions, fetch-state=false, preload=false, passivation=false, purge=false, shared=true)
        /subsystem=infinispan/cache-container=web/invalidation-cache=offload/component=transaction:add(mode=BATCH)
        /subsystem=infinispan/cache-container=web:write-attribute(name=default-cache, value=offload)

NOTE: replace /tmp with the actual path to your WildFly installation.

Start WildFly

$WILDFLY_HOME/bin/standalone.sh --server-config=standalone-ha.xml