<html>
<head>
<base href="https://docs.jboss.org/author">
<link rel="stylesheet" href="/author/s/en/2172/19/5/_/styles/combined.css?spaceKey=TEIID&forWysiwyg=true" type="text/css">
</head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
<h2><a href="https://docs.jboss.org/author/display/TEIID/Teiid+Server+SSL">Teiid Server SSL</a></h2>
<h4>Page <b>edited</b> by <a href="https://docs.jboss.org/author/display/~shawkins">Steven Hawkins</a>
</h4>
<br/>
<h4>Changes (18)</h4>
<div id="page-diffs">
<table class="diff" cellpadding="0" cellspacing="0">
<tr><td class="diff-snipped" >...<br></td></tr>
<tr><td class="diff-unchanged" > <br>* "pg" - Defaults to no SSL <br></td></tr>
<tr><td class="diff-changed-lines" >{note}The pg transport for ODBC access defaults to clear text username password <span class="diff-changed-words">authentication<span class="diff-added-chars"style="background-color: #dfd;">.</span>{note}</span> <br></td></tr>
<tr><td class="diff-unchanged" > <br>SSL configuration is part of the _"transport"_ configuration in the Teiid subsystem. <br></td></tr>
<tr><td class="diff-snipped" >...<br></td></tr>
<tr><td class="diff-unchanged" ><ssl mode="enabled" authentication-mode="1-way" ssl-protocol="SSLv3" keymanagement-algorithm="algo" <br> enabled-cipher-suites="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA"> <br></td></tr>
<tr><td class="diff-changed-lines" ><keystore name="cert.keystore" password="passwd" type="JKS" <span class="diff-changed-words">key-alias="alias"<span class="diff-added-chars"style="background-color: #dfd;"> key-password="passwd1"</span>/></span> <br></td></tr>
<tr><td class="diff-unchanged" > <truststore name="cert.truststore" password="passwd"/> <br></ssl> <br></td></tr>
<tr><td class="diff-snipped" >...<br></td></tr>
<tr><td class="diff-unchanged" > _enabled_ = traffic will be secured with SSL using the other configuration properties. "teiid" transport clients *must* connect using SSL with the mms protocol. ODBC "pg" transport clients may optionally use SSL. <br> <br></td></tr>
<tr><td class="diff-changed-lines" >* ssl-protocol\- Type of SSL protocol to be used. <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">Default</span> <span class="diff-added-words"style="background-color: #dfd;">Optional - by default</span> is TLSv1 <br></td></tr>
<tr><td class="diff-unchanged" > <br></td></tr>
<tr><td class="diff-changed-lines" >* keystore/type - Keystore type created by the keytool. <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">Default</span> <span class="diff-added-words"style="background-color: #dfd;">Optional - by default</span> "JKS" is used. <br></td></tr>
<tr><td class="diff-unchanged" > <br>* [authentication-mode|#SSL Authentication Modes] - anonymous\|1-way\|2-way, Type of SSL Authentication Mode. <br> <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">* keymanagement-algorithm - Type of key algorithm used. Default is based upon the VM, i.e. "SunX509" <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">* keymanagement-algorithm - Type of key algorithm used. Optional - by default is based upon the VM, e.g. "SunX509" <br></td></tr>
<tr><td class="diff-unchanged" > <br></td></tr>
<tr><td class="diff-changed-lines" >* keystore/name - The file name of the keystore, which contains the <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;"> </span> private key of the Server. The file name can be relative resource path <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;"> </span> available to the Teiid deployer classloader or an absolute file system path. A typical installation would place the keystore file in the conf <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;"> </span> directory of the profile where Teiid is deployed with a file name <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;"> </span> relative to the conf path. <span class="diff-added-words"style="background-color: #dfd;"> Typically required if 1-way or 2-way authentication is used.</span> <br></td></tr>
<tr><td class="diff-unchanged" > <br></td></tr>
<tr><td class="diff-changed-lines" >* <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">keystorePassword</span> <span class="diff-added-words"style="background-color: #dfd;">keystore/password</span> - password for the keystore. <span class="diff-added-words"style="background-color: #dfd;"> Required if the keystore has a password.</span> <br></td></tr>
<tr><td class="diff-unchanged" > <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">* keystore/key-alias - Alias name for the certificate that is in the key store. <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">* keystore/key-alias - Alias name for the private key to use. Optional - only needed if there are multiple private keys in the keystore and you need to choose which one to use. <br></td></tr>
<tr><td class="diff-unchanged" > <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">* truststore/name - if "authenticationMode" is chosen as "2-way", then this property must be provided. This is the truststore that contains the public key for the client. Depending upon how you created the keystore and truststores, this may be same file as defined under "keystoreFilename" property. <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">* keystore/key-password - Alias name for the private key to use. Optional - only needed if the key password is different than the keystore password. <br></td></tr>
<tr><td class="diff-unchanged" > <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">* truststore/password - password for the truststore. <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">* truststore/name - This is the truststore containing the public certificate(s) for client keys. Depending upon how you created the keystore and truststores, this may be same file as defined under "keystore/name" property. Required if "authenticationMode" is "2-way". <br></td></tr>
<tr><td class="diff-unchanged" > <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">* enabled-cipher-suites - A comma separated list of cipher suites allowed for encryption between server and client. The values must be valid supported cipher suites otherwise SSL connections will fail. <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">* truststore/password - password for the truststore. Required if the truststore has a password. <br></td></tr>
<tr><td class="diff-unchanged" > <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">* enabled-cipher-suites - A comma separated list of cipher suites allowed for encryption between server and client. The values must be valid supported cipher suites otherwise SSL connections will fail. Optional - defaults to all supported cipher suites for the vm. <br> <br></td></tr>
<tr><td class="diff-unchanged" >{note} <br>You will typically use the CLI to modify the transport configuration. <br>{note} <br>{info:Using password Vault} <br></td></tr>
<tr><td class="diff-changed-lines" >If you do not like to leave clear text passwords in the configuration <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;"> </span> file, then you can use JBoss AS vault mechanism for storing the keystore and truststore passwords. Use the directions defined here [https://community.jboss.org/docs/DOC-17248|https://community.jboss.org/docs/DOC-17248] <br></td></tr>
<tr><td class="diff-unchanged" >{info} <br> <br></td></tr>
<tr><td class="diff-unchanged" >h1. Encryption Strength <br> <br></td></tr>
<tr><td class="diff-snipped" >...<br></td></tr>
</table>
</div> <h4>Full Content</h4>
<div class="notificationGreySide">
<p>There are two types of remote transports, each with it's own SSL configuration:</p>
<ul>
<li>"teiid" - Defaults to only encrypt login traffic, in which none of the other configuration properties are used.</li>
</ul>
<ul>
<li>"pg" - Defaults to no SSL
<div class='panelMacro'><table class='noteMacro'><colgroup><col width='24'><col></colgroup><tr><td valign='top'><img src="/author/images/icons/emoticons/warning.gif" width="16" height="16" align="absmiddle" alt="" border="0"></td><td>The pg transport for ODBC access defaults to clear text username password authentication.</td></tr></table></div></li>
</ul>
<p>SSL configuration is part of the <em>"transport"</em> configuration in the Teiid subsystem.</p>
<h1><a name="TeiidServerSSL-EncryptionModes"></a>Encryption Modes</h1>
<p>Teiid supports a couple different encryption modes based on the <em>"mode"</em> attribute on <em>"ssl"</em> element.</p>
<ul>
<li><b>logIn</b> - (non-data) messages between client and server are encrypted using a <a href="http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange" class="external-link" rel="nofollow">Diffy-Hellman</a> key that is negotiated per connection. This is the default setting for JDBC connections that use "teiid" transport - this setting has no affect on the "pg" transport.</li>
</ul>
<ul>
<li><b>enabled</b> - Mode to enable certificate based SSL</li>
</ul>
<ul>
<li><b>disabled</b> - turns off any kind of encryption</li>
</ul>
<h1><a name="TeiidServerSSL-SSLAuthenticationModes"></a>SSL Authentication Modes</h1>
<ul>
<li><b>anonymous</b> – No certificates are required, but all communications are still encrypted using the TLS_DH_anon_WITH_AES_128_CBC_SHA SSL suite. In most secure intranet environments, anonymous is suitable to just bulk encrypt traffic without the need to setup SSL certificates. No certificates are exchanged, settings are not needed for the keystore and truststore properties. Clients must have <tt>org.teiid.ssl.allowAnon</tt> set to true (the default) to connect to an anonymous server.</li>
</ul>
<ul>
<li><b>1-way</b> – Only authenticates the server to the client. Requires a private key keystore to be created for the server and a truststore at the client that authenticates that certificate.</li>
</ul>
<ul>
<li><b>2-way</b> – Mutual client and server authentication. The server and client applications each have a keystore for their private keys and each has a truststore that authenticates the other. The server will present a certificate, which is obtained from the keystore related properties. The client should have a truststore configured to accept the server certificate. The client is also expected to present a certificate, which is obtained from its keystore. The client certificate should be accepted by the trust store configured by the truststore related properties.</li>
</ul>
<p>For non-anonymous SSL, the suite is negotiated - see <em>enabled-cipher-suites</em> below below.</p>
<p>Depending upon the SSL mode, follow the guidelines of your organization around creating/obtaining private keys. If you have no organizational requirements, then follow this guide to create <a href="/author/display/TEIID/Generating+Self+Signed+Certificates" title="Generating Self Signed Certificates">self-signed certificates</a> with their respective keystores and truststores. The following keystore and truststore combinations are required for different SSL modes. The names of the files can be chosen by the user. The following files are shown for example purposes only. </p>
<p><em>1-way</em></p>
<ol>
<li>server.keystore - has server's private key</li>
<li>server.truststore - has server's public key</li>
</ol>
<p><em>2-way</em></p>
<ol>
<li>server.keystore - has server's private key</li>
<li>server.truststore - has server's public key</li>
<li>client.keystore - client's private key</li>
<li>client.truststore - has client's public key</li>
</ol>
<h1><a name="TeiidServerSSL-FullConfigurationOptions"></a>Full Configuration Options</h1>
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>Example XML Configuration</b></div><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: xml; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
<ssl mode="enabled" authentication-mode="1-way" ssl-protocol="SSLv3" keymanagement-algorithm="algo"
enabled-cipher-suites="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA">
<keystore name="cert.keystore" password="passwd" type="JKS" key-alias="alias" key-password="passwd1"/>
<truststore name="cert.truststore" password="passwd"/>
</ssl>
</pre>
</div></div>
<p>Properties</p>
<ul>
<li><a href="#TeiidServerSSL-EncryptionModes">mode</a> - diabled|login|enabled<br/>
<em>disabled</em> = no transport or message level security will be used.<br/>
<em>login</em> = only the login traffic will be encrypted at a message level using 128 bit AES with an ephemeral DH key exchange. Only applies to the 'teiid' transport and no other config values are needed in this mode.<br/>
<em>enabled</em> = traffic will be secured with SSL using the other configuration properties. "teiid" transport clients <b>must</b> connect using SSL with the mms protocol. ODBC "pg" transport clients may optionally use SSL.</li>
</ul>
<ul>
<li>ssl-protocol- Type of SSL protocol to be used. Optional - by default is TLSv1</li>
</ul>
<ul>
<li>keystore/type - Keystore type created by the keytool. Optional - by default "JKS" is used.</li>
</ul>
<ul>
<li><a href="#TeiidServerSSL-SSLAuthenticationModes">authentication-mode</a> - anonymous|1-way|2-way, Type of SSL Authentication Mode.</li>
</ul>
<ul>
<li>keymanagement-algorithm - Type of key algorithm used. Optional - by default is based upon the VM, e.g. "SunX509"</li>
</ul>
<ul>
<li>keystore/name - The file name of the keystore, which contains the private key of the Server. The file name can be relative resource path available to the Teiid deployer classloader or an absolute file system path. A typical installation would place the keystore file in the conf directory of the profile where Teiid is deployed with a file name relative to the conf path. Typically required if 1-way or 2-way authentication is used.</li>
</ul>
<ul>
<li>keystore/password - password for the keystore. Required if the keystore has a password.</li>
</ul>
<ul>
<li>keystore/key-alias - Alias name for the private key to use. Optional - only needed if there are multiple private keys in the keystore and you need to choose which one to use.</li>
</ul>
<ul>
<li>keystore/key-password - Alias name for the private key to use. Optional - only needed if the key password is different than the keystore password.</li>
</ul>
<ul>
<li>truststore/name - This is the truststore containing the public certificate(s) for client keys. Depending upon how you created the keystore and truststores, this may be same file as defined under "keystore/name" property. Required if "authenticationMode" is "2-way".</li>
</ul>
<ul>
<li>truststore/password - password for the truststore. Required if the truststore has a password.</li>
</ul>
<ul>
<li>enabled-cipher-suites - A comma separated list of cipher suites allowed for encryption between server and client. The values must be valid supported cipher suites otherwise SSL connections will fail. Optional - defaults to all supported cipher suites for the vm.</li>
</ul>
<div class='panelMacro'><table class='noteMacro'><colgroup><col width='24'><col></colgroup><tr><td valign='top'><img src="/author/images/icons/emoticons/warning.gif" width="16" height="16" align="absmiddle" alt="" border="0"></td><td>You will typically use the CLI to modify the transport configuration.</td></tr></table></div>
<div class='panelMacro'><table class='infoMacro'><colgroup><col width='24'><col></colgroup><tr><td valign='top'><img src="/author/images/icons/emoticons/information.gif" width="16" height="16" align="absmiddle" alt="" border="0"></td><td>If you do not like to leave clear text passwords in the configuration file, then you can use JBoss AS vault mechanism for storing the keystore and truststore passwords. Use the directions defined here <a href="https://community.jboss.org/docs/DOC-17248" class="external-link" rel="nofollow">https://community.jboss.org/docs/DOC-17248</a></td></tr></table></div>
<h1><a name="TeiidServerSSL-EncryptionStrength"></a>Encryption Strength</h1>
<p>Both anonymous SSL and login only encryption are configured to use 128 bit AES encryption by default. By default 1-way and 2-way SSL allow for cipher suite negotiation based upon the default cipher suites supported by the respective Java platforms of the client and server. Users can restrict the cipher suites used by specifying the <em>enabled-cipher-suites</em> property above in the SSL configuration.</p>
</div>
<div id="commentsSection" class="wiki-content pageSection">
<div style="float: right;" class="grey">
<a href="https://docs.jboss.org/author/users/removespacenotification.action?spaceKey=TEIID">Stop watching space</a>
<span style="padding: 0px 5px;">|</span>
<a href="https://docs.jboss.org/author/users/editmyemailsettings.action">Change email notification preferences</a>
</div>
<a href="https://docs.jboss.org/author/display/TEIID/Teiid+Server+SSL">View Online</a>
|
<a href="https://docs.jboss.org/author/pages/diffpagesbyversion.action?pageId=18646063&revisedVersion=21&originalVersion=20">View Changes</a>
|
<a href="https://docs.jboss.org/author/display/TEIID/Teiid+Server+SSL?showComments=true&showCommentArea=true#addcomment">Add Comment</a>
</div>
</div>
</div>
</div>
</div>
</body>
</html>