This chapter shows the security configurations that can be used with Teiid to secure access to your data. Note that data-level security, known as "data roles", is explained in the Reference Guide. This chapter pertains to transport-level security.

h1. Encryption Modes

Teiid supports a few different levels of encryption, selected by the _"mode"_ attribute of the _"ssl"_ element, which is part of the _"transport"_ configuration of the Teiid subsystem in the _<jboss-install>/standalone/configuration/standalone-teiid.xml_ file.

* *login* \- only the (non-data) login messages between client and server are encrypted, using a [Diffie-Hellman|http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange] key that is negotiated per connection. Query data is still sent in the clear in this mode. This is the default setting for JDBC connections that use the "teiid" transport.
* *enabled* \- enable certificate-based SSL.
* *disabled* \- turn off any kind of encryption.

h1. SSL Authentication Modes

Teiid supports an SSL-based channel between the client JDBC application and the Teiid Server, in the following SSL modes.

* *Anonymous* -- No certificates are required, but all communications are still encrypted using the TLS_DH_anon_WITH_AES_128_CBC_SHA SSL suite. Because neither side is authenticated, this mode protects only against passive eavesdropping, not against an active man-in-the-middle.
* *1-way* -- Only authenticates the server to the client. Requires a private-key keystore to be created for the server and a truststore at the client that authenticates that key. The SSL suite is negotiated.
* *2-way* -- Mutual client and server authentication. The server and client applications each have a keystore for their private keys and each has a truststore that authenticates the other.

Depending upon the SSL mode, follow the guidelines of your organization around creating/obtaining private keys. If you have no organizational requirements, then follow this guide to create self-signed certificates with their respective keystores and truststores. The following keystore and truststore combinations are required for the different SSL modes. The names of the files can be chosen by the user.
The following files are shown for example purposes only.

_1-way_
# server.keystore - holds the server's private key (stays on the server)
# server.truststore - holds the server's public certificate (deployed to the client, which uses it to authenticate the server)

_2-way_
# server.keystore - holds the server's private key (stays on the server)
# server.truststore - holds the server's public certificate (deployed to the client)
# client.keystore - holds the client's private key (stays on the client)
# client.truststore - holds the client's public certificate (deployed to the server, which uses it to authenticate the client)
h1. Client SSL Settings

...
The following sections define the properties required for each SSL mode. Note that when connecting to a Teiid Server with SSL enabled, you MUST use the "mms" protocol instead of "mm" in the JDBC connection URL, for example:
jdbc:teiid:<myVdb>@mms://<host>:<port>
There are two different sets of properties that a client can configure to enable 1-way or 2-way SSL.
h2. Generating Self Signed Certificate with Keytool

If you want to create a self-signed keystore and truststore, you can check out these instructions: https://community.jboss.org/docs/DOC-13901
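As an added example (not part of the Teiid documentation or of the instructions linked above), the following POSIX shell functions build the keystore and truststore pairs listed in the 1-way and 2-way tables with the JDK's keytool. The file names follow those tables; the aliases (teiid, teiid-client), the distinguished names, the one-year validity, the JKS store type (Teiid's default keyStoreType) and the single password passed as an argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Teiid project code. Requires a JDK keytool on PATH.
# Alias names, DNs, validity, store type and the shared password are
# illustrative assumptions; adjust them for your environment.

# gen_1way_stores DIR PASSWORD
#   server.keystore   - server's private key + self-signed cert (stays on the server)
#   server.truststore - server's public cert only (copied to the JDBC client)
gen_1way_stores() {
  dir="$1"; pw="$2"
  keytool -genkeypair -alias teiid -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=teiid.example.com, OU=Data, O=Example" \
    -storetype JKS -keystore "$dir/server.keystore" -storepass "$pw" -keypass "$pw"
  # Export only the public certificate; the private key never leaves server.keystore
  keytool -exportcert -alias teiid -keystore "$dir/server.keystore" \
    -storepass "$pw" -rfc -file "$dir/server.cer"
  keytool -importcert -noprompt -alias teiid -file "$dir/server.cer" \
    -storetype JKS -keystore "$dir/server.truststore" -storepass "$pw"
}

# gen_2way_stores DIR PASSWORD
#   adds client.keystore (client's private key) and client.truststore
#   (client's public cert, installed on the server) on top of the 1-way files
gen_2way_stores() {
  dir="$1"; pw="$2"
  gen_1way_stores "$dir" "$pw"
  keytool -genkeypair -alias teiid-client -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=jdbc-client, OU=Data, O=Example" \
    -storetype JKS -keystore "$dir/client.keystore" -storepass "$pw" -keypass "$pw"
  keytool -exportcert -alias teiid-client -keystore "$dir/client.keystore" \
    -storepass "$pw" -rfc -file "$dir/client.cer"
  keytool -importcert -noprompt -alias teiid-client -file "$dir/client.cer" \
    -storetype JKS -keystore "$dir/client.truststore" -storepass "$pw"
}

# cert_fingerprint STORE ALIAS PASSWORD -> SHA-256 fingerprint of the entry's cert
# Compare the fingerprint in a truststore with the one in the matching keystore
# before deploying; a wrong or stale truststore otherwise fails only at connect time.
cert_fingerprint() {
  keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" \
    | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# Usage (1-way):  gen_1way_stores /etc/teiid changeit
#                 cert_fingerprint /etc/teiid/server.keystore teiid changeit
#                 cert_fingerprint /etc/teiid/server.truststore teiid changeit
# Usage (2-way):  gen_2way_stores /etc/teiid changeit
```

After generating the files, keep server.keystore on the server and copy only server.truststore to the client; for 2-way, keep client.keystore on the client and copy only client.truststore to the server. The two cert_fingerprint calls for a pair must print the same value.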
The first set consists of the standard Java-defined system properties used to configure SSL under any JVM; Teiid is not unique in its use of them. Provide the following system properties to the client VM process.
_1-way_
-Djavax.net.ssl.trustStore=<dir>/server.truststore (required)
-Djavax.net.ssl.trustStorePassword=<password> (optional)
-Djavax.net.ssl.trustStoreType=<truststore type> (optional)

_2-way_
-Djavax.net.ssl.keyStore=<dir>/client.keystore (required)
-Djavax.net.ssl.keyStorePassword=<password> (optional)
-Djavax.net.ssl.trustStore=<dir>/server.truststore (required)
-Djavax.net.ssl.trustStorePassword=<password> (optional)
-Djavax.net.ssl.keyStoreType=<keystore type> (optional)
Use the second set for anonymous mode, or when the "javax" based properties above are already in use by the host process. For example, your client application might be a Tomcat process that is configured for the https protocol, so the Java properties above are already taken, and importing Teiid-specific certificate keys into those https keystores is not allowed.
In this scenario, a different set of Teiid-specific SSL properties can be set as system properties or defined inside a "teiid-client-settings.properties" file. A sample "teiid-client-settings.properties" file can be found inside the "teiid-<version>-client.jar" file at the root, called "teiid-client-settings.orig.properties". Extract this file, make a copy, change the property values required for the chosen SSL mode, and place this file in the client application's classpath before the "teiid-<version>-client.jar" file.
SSL properties and definitions that can be set in a "teiid-client-settings.properties" file are shown below.
########################################
# SSL Settings
########################################
#
# The key store type. Defaults to JKS
#
org.teiid.ssl.keyStoreType=JKS
#
# The key store algorithm, defaults to
# the system property "ssl.TrustManagerFactory.algorithm"
#
#org.teiid.ssl.algorithm=
#
# The classpath or filesystem location of the
# key store.
#
# This property is required only if performing 2-way
# authentication that requires a specific private
# key.
#
#org.teiid.ssl.keyStore=
#
# The key store password (not required)
#
#org.teiid.ssl.keyStorePassword=
#
# The key alias (not required; if given, the named certificate is used)
#
#org.teiid.ssl.keyAlias=
#
# The classpath or filesystem location of the
# trust store.
#
# This property is required if performing 1-way
# authentication that requires trust not provided
# by the system defaults.
#
#org.teiid.ssl.trustStore=
#
# The trust store password (not required)
#
#org.teiid.ssl.trustStorePassword=
#
# The cipher protocol, defaults to SSLv3
#
org.teiid.ssl.protocol=SSLv3
#
# Whether to allow anonymous SSL
# (the TLS_DH_anon_WITH_AES_128_CBC_SHA cipher suite)
# defaults to true
#
org.teiid.ssl.allowAnon=true

Two of the sample defaults deserve attention. SSLv3 is obsolete (it is subject to the POODLE downgrade attack and is disabled by default in current JVMs), so set org.teiid.ssl.protocol to a TLS version your JVM supports, such as TLSv1.2. And org.teiid.ssl.allowAnon=true belongs only in anonymous mode: in 1-way or 2-way mode, set it to false so the client never offers the unauthenticated TLS_DH_anon suite, which an attacker impersonating the server could otherwise negotiate to bypass the certificate check.
_1-way_
org.teiid.ssl.trustStore=<dir>/server.truststore (required)

_2-way_
org.teiid.ssl.keyStore=<dir>/client.keystore (required)
org.teiid.ssl.trustStore=<dir>/server.truststore (required)

_Anonymous_
org.teiid.ssl.trustStore=NONE
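As an added example (this script is not part of Teiid or of its client jar), the following POSIX shell function reads a teiid-client-settings.properties file and checks it against the SSL mode you intend to use, looking only at the org.teiid.ssl.* keys listed above. The mode names anon, 1way and 2way, the return codes, and the set of protocol names it treats as obsolete are this script's own conventions; the defaults it assumes for missing keys (protocol SSLv3, allowAnon true) are the ones stated in the sample file.

```shell
#!/bin/sh
# Added example, not Teiid project code: validate a teiid-client-settings.properties
# file for a chosen SSL mode and flag weak settings before the client is deployed.

# prop FILE KEY -> value of KEY; commented-out lines ("#org.teiid...") are ignored
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_teiid_ssl FILE MODE   (MODE is one of: anon | 1way | 2way)
# Prints one line per problem. Returns 0 when FILE is consistent with MODE and
# uses no weak setting, 1 when something must be fixed, 2 for an unknown MODE.
check_teiid_ssl() {
  f="$1"; mode="$2"; rc=0
  ks=$(prop "$f" org.teiid.ssl.keyStore)
  ts=$(prop "$f" org.teiid.ssl.trustStore)
  proto=$(prop "$f" org.teiid.ssl.protocol)
  anon=$(prop "$f" org.teiid.ssl.allowAnon)

  case "$mode" in
    anon)
      # Anonymous mode: no certificates, trust store NONE, anon suite must be allowed
      [ "$ts" = "NONE" ] || { echo "anon mode expects org.teiid.ssl.trustStore=NONE"; rc=1; }
      [ "${anon:-true}" = "true" ] || { echo "anon mode needs org.teiid.ssl.allowAnon=true"; rc=1; }
      echo "warning: anonymous SSL encrypts but does not authenticate the server"
      ;;
    1way)
      # 1-way: the client must trust the server certificate
      [ -n "$ts" ] && [ "$ts" != "NONE" ] || { echo "1-way needs org.teiid.ssl.trustStore"; rc=1; }
      ;;
    2way)
      # 2-way: the client also needs its own private key
      [ -n "$ts" ] && [ "$ts" != "NONE" ] || { echo "2-way needs org.teiid.ssl.trustStore"; rc=1; }
      [ -n "$ks" ] || { echo "2-way needs org.teiid.ssl.keyStore"; rc=1; }
      ;;
    *)
      echo "unknown mode: $mode"; return 2 ;;
  esac

  # Weak settings that matter in every mode. Missing keys take the sample file's defaults.
  case "${proto:-SSLv3}" in
    SSLv2*|SSLv3|TLSv1|TLSv1.1)
      echo "org.teiid.ssl.protocol=${proto:-SSLv3} is obsolete; use TLSv1.2 or newer"; rc=1 ;;
  esac
  if [ "$mode" != "anon" ] && [ "${anon:-true}" = "true" ]; then
    echo "org.teiid.ssl.allowAnon defaults to true; set it to false so the unauthenticated suite is never offered"
    rc=1
  fi
  return $rc
}

# Usage: check_teiid_ssl /path/to/teiid-client-settings.properties 1way
```

Run it against the copied properties file as part of the client build; a non-zero return code is a deployment blocker, and the printed lines name the key to change.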