... |
* *logIn* - This is the default setting for the transports.
** JDBC (non-data by default) messages between client and server are encrypted using 128-bit AES with a [Diffie-Hellman|http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange] key that is negotiated per connection. When possible a 2048-bit key exchange will be used; otherwise 1024-bit will be used. Oracle/Sun 1.7 JREs are known not to support key lengths over 1024 bits. The [connection property|Driver Connection] encryptRequest can be used to encrypt requests and results using the same 128-bit AES scheme.
** For the pg transport, authentication is expected to be secure, which currently means only GSS logins.
... |
There are two types of remote transports, each with its own encryption configuration:
The pg transport for ODBC access defaults to clear text username/password authentication.
SSL configuration is part of the "transport" configuration in the Teiid subsystem.
Teiid supports several encryption modes, selected by the "mode" attribute on the "ssl" element.
For non-anonymous SSL, the cipher suite is negotiated - see enabled-cipher-suites below.
Depending upon the SSL mode, follow your organization's guidelines for creating or obtaining private keys. If you have no organizational requirements, then follow this guide to create self-signed certificates with their respective keystores and truststores. The following keystore and truststore combinations are required for the different SSL modes. The file names can be chosen by the user; the names shown here are examples only.
1-way
2-way
```xml
<ssl mode="enabled" authentication-mode="1-way" ssl-protocol="TLSv1"
     keymanagement-algorithm="algo"
     enabled-cipher-suites="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA">
  <keystore name="cert.keystore" password="passwd" type="JKS" key-alias="alias" key-password="passwd1"/>
  <truststore name="cert.truststore" password="passwd"/>
</ssl>
```
Properties
SSLv3 is not recommended due to the POODLE security vulnerability.
You will typically use the CLI to modify the transport configuration.
If you do not want to leave clear text passwords in the configuration file, you can use the JBoss AS vault mechanism to store the keystore and truststore passwords. Use the directions defined here: https://community.jboss.org/docs/DOC-17248
Both anonymous SSL and login-only (JDBC-specific) encryption use 128-bit AES encryption by default. By default, 1-way and 2-way SSL allow cipher suite negotiation based upon the default cipher suites supported by the respective Java platforms of the client and server. Users can restrict the cipher suites used by specifying the enabled-cipher-suites property described above in the SSL configuration.
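As an added example (not code from the Teiid project or from this page), the following Python check reads a transport `<ssl>` element like the one shown above and reports the settings this page warns about: an SSLv3 or mistyped ssl-protocol, a missing keystore or truststore for the chosen authentication-mode, cipher suites with broken algorithms, and keystore or truststore passwords left in clear text instead of being referenced through the vault. The sample element is a constructed variant of the page's configuration with a mistyped protocol name; the `${VAULT::` expression prefix and the weak-suite markers are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's <ssl> element with a mistyped protocol name ("TSLv1")
# and the RC4/MD5 cipher suites it lists, so the checks below have something to flag.
SAMPLE_SSL_ELEMENT = """<ssl mode="enabled" authentication-mode="1-way" ssl-protocol="TSLv1"
     keymanagement-algorithm="algo"
     enabled-cipher-suites="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA">
  <keystore name="cert.keystore" password="passwd" type="JKS" key-alias="alias" key-password="passwd1"/>
  <truststore name="cert.truststore" password="passwd"/>
</ssl>"""

# JSSE protocol names a Java server accepts for ssl-protocol; anything else is most likely a typo.
JSSE_PROTOCOLS = {"TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3", "SSL", "SSLv3", "SSLv2Hello"}
# Substrings marking cipher suites with broken or absent confidentiality/integrity (assumed list).
WEAK_SUITE_MARKERS = ("_RC4_", "_MD5", "_NULL_", "_EXPORT", "_DES_", "_anon_")
VAULT_PREFIX = "${VAULT::"  # JBoss AS vault expression form, assumed for this check

def check_ssl_element(xml_text):
    """Lint one Teiid transport <ssl> element; returns a list of finding strings (empty = clean)."""
    ssl = ET.fromstring(xml_text)
    findings = []
    protocol = ssl.get("ssl-protocol")
    if protocol == "SSLv3":
        findings.append("ssl-protocol SSLv3 is vulnerable to POODLE; use a TLS protocol")
    elif protocol is not None and protocol not in JSSE_PROTOCOLS:
        findings.append("ssl-protocol %r is not a JSSE protocol name (typo?)" % protocol)
    auth = ssl.get("authentication-mode")
    keystore = ssl.find("keystore")
    truststore = ssl.find("truststore")
    if auth in ("1-way", "2-way") and keystore is None:
        findings.append("%s SSL needs a <keystore> holding the server key" % auth)
    if auth == "2-way" and truststore is None:
        findings.append("2-way SSL needs a <truststore> to validate client certificates")
    # Only suites explicitly enabled are checked; with no list, platform defaults are negotiated.
    suites = [s.strip() for s in ssl.get("enabled-cipher-suites", "").split(",") if s.strip()]
    for suite in suites:
        if any(marker in suite for marker in WEAK_SUITE_MARKERS):
            findings.append("weak cipher suite enabled: " + suite)
    for store in (keystore, truststore):
        if store is None:
            continue
        for attr in ("password", "key-password"):
            value = store.get(attr)
            if value is not None and not value.startswith(VAULT_PREFIX):
                findings.append("<%s> %s is in clear text; use a vault expression" % (store.tag, attr))
    return findings
```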