Teiid can have multiple transports defined for access. A transport contains properties to configure SSL. |
h1. Encryption Modes |
|
Teiid supports a couple different levels Encryption based on the _"mode"_ attribute on _"ssl"_ element which is part of _"transport"_ configuration in the Teiid subsystem. * *logIn* \- (non-data) messages between client and server are encrypted using a [Diffy-Hellman|http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange] key that is negotiated per connection. This is default setting for JDBC connections that use "teiid" transport. * *enabled* \- Mode to enable certificate based SSL * *disabled* \- turns off any kind of encryption h1. SSL Authentication Modes * *anonymous* -- No certificates are required, but all communications are still encrypted using the TLS_DH_anon_WITH_AES_128_CBC_SHA SSL suite. In most secure intranet environments, anonymous is suitable to just bulk encrypt traffic without the need to setup SSL certificates. No certificates are exchanged, settings are not needed for the keystore and truststore properties. Clients must have {{org.teiid.ssl.allowAnon}} set to true (the default) to connect to an anonymous server. * *1-way* -- Only authenticates the server to the client. Requires a private key keystore to be created for the server and a truststore at the client that authenticates that certificate. * *2-way* -- Mutual client and server authentication. The server and client applications each have a keystore for their private keys and each has a truststore that authenticates the other. The server will present a certificate, which is obtained from the keystore related properties. The client should have a truststore configured to accept the server certificate. The client is also expected to present a certificate, which is obtained from its keystore. The client certificate should be accepted by the trust store configured by the truststore related properties. For non-anonymous SSL, the suite is negotiated - see _enabled\-cipher\-suites_ below below. Depending upon the SSL mode, follow the guidelines of your organization around creating/obtaining private keys. If you have no organizational requirements, then follow this guide to create [self-signed certificates|Generating Self Signed Certificate with Keytool] with their respective keystores and truststores. The following keystore and truststore combinations are required for different SSL modes. The names of the files can be chosen by the user. The following files are shown for example purposes only. _1-way_ # server.keystore - has server's private key # server.truststore - has server's public key _2-way_ # server.keystore - has server's private key # server.truststore - has server's public key # client.keystore - client's private key # client.truststore - has client's public key h1. Full Configuration Options |
There are two types of remote transports, each with it's own SSL configuration: * "teiid" - Defaults to only encrypt login traffic, in which none of the other properties are used. |
... |
Properties |
* [mode|#Encryption Modes] - diabled\|login\|enabled |
_disabled_ = no transport or message level security will be used. _login_ = only the login traffic will be encrypted at a message level using 128 bit AES with an ephemeral DH key exchange. Only applies to the 'teiid' transport and no other config values are needed in this mode. |
... |
* keystore/type - Keystore type created by the keytool. Default "JKS" is used. |
* [authentication-mode|#SSL Authentication Modes] - anonymous\|1-way\|2-way, Type of SSL Authentication Mode. |
* keymanagement-algorithm - Type of key algorithm used. Default is based upon the VM, i.e. "SunX509" |
... |
{note} {info:Using password Vault} |
If you do not like to leave clear text passwords in the configuration file, then you can use JBoss AS vault mechanism for storing the keystore and truststore passwords. Use the directions defined here [https://community.jboss.org/docs/DOC-17248|https://community.jboss.org/docs/DOC-17248] |
{info} |
h1. SSL Authentication Modes |
|
SSL supports multiple authentication modes. In most secure intranet environments, anonymous is suitable to just bulk encrypt traffic without the need to setup SSL certificates. * _anonymous_\- no certificates are exchanged, settings are not needed for the keystore and truststore properties. Client must have {{org.teiid.ssl.allowAnon}} set to true (the default) to connect to an anonymous server. * _1-way_\- the server will present a certificate, which is obtained from the keystore related properties. The client should have a truststore configured to accept the server certificate. * _2-way_\- the server will present a certificate, which is obtained from the keystore related properties. The client should have a truststore configured to accept the server certificate. The client is also expected to present a certificate, which is obtained from its keystore. The client certificate should be accepted by the trust store configured by the truststore related properties. |
h1. Encryption Strength |
Both anonymous SSL and login only encryption are configured to use 128 bit AES encryption by default. By default, 1-way and 2-way SSL allow for cipher suite negotiation based upon the default cipher suites supported by the respective Java platforms of the client and server. User can restrict the cipher suites used for encryption by specifying the _enabledCipherSuites_ property above in ssl configuration. |
Both anonymous SSL and login only encryption are configured to use 128 bit AES encryption by default. By default 1-way and 2-way SSL allow for cipher suite negotiation based upon the default cipher suites supported by the respective Java platforms of the client and server. Users can restrict the cipher suites used by specifying the _enabled\-cipher\-suites_ property above in the SSL configuration. |
Teiid supports a couple different levels Encryption based on the "mode" attribute on "ssl" element which is part of "transport" configuration in the Teiid subsystem.
For non-anonymous SSL, the suite is negotiated - see enabled-cipher-suites below below.
Depending upon the SSL mode, follow the guidelines of your organization around creating/obtaining private keys. If you have no organizational requirements, then follow this guide to create self-signed certificates with their respective keystores and truststores. The following keystore and truststore combinations are required for different SSL modes. The names of the files can be chosen by the user. The following files are shown for example purposes only.
1-way
2-way
There are two types of remote transports, each with it's own SSL configuration:
The pg transport for ODBC access defaults to clear text username password authentication |
<ssl mode="enabled" authentication-mode="1-way" ssl-protocol="SSLv3" keymanagement-algorithm="algo" enabled-cipher-suites="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA"> <keystore name="cert.keystore" password="passwd" type="JKS" key-alias="alias"/> <truststore name="cert.truststore" password="passwd"/> </ssl>
Properties
You will typically use the CLI to modify the transport configuration. |
If you do not like to leave clear text passwords in the configuration file, then you can use JBoss AS vault mechanism for storing the keystore and truststore passwords. Use the directions defined here https://community.jboss.org/docs/DOC-17248 |
Both anonymous SSL and login only encryption are configured to use 128 bit AES encryption by default. By default 1-way and 2-way SSL allow for cipher suite negotiation based upon the default cipher suites supported by the respective Java platforms of the client and server. Users can restrict the cipher suites used by specifying the enabled-cipher-suites property above in the SSL configuration.