...
_enabled_ = traffic will be secured with SSL using the other configuration properties. "teiid" transport clients *must* connect using SSL with the mms protocol. ODBC "pg" transport clients may optionally use SSL.
* ssl-protocol - Type of SSL protocol to be used. Optional - by default TLSv1. Note: SSLv3 is not recommended due to the POODLE security vulnerability.
* keystore/type - Keystore type created by the keytool. Optional - by default "JKS" is used.
... |
There are two types of remote transports, each with its own encryption configuration:
The pg transport for ODBC access defaults to clear text username/password authentication.
SSL configuration is part of the "transport" configuration in the Teiid subsystem.
Teiid supports a couple of different encryption modes based on the "mode" attribute of the "ssl" element.
For non-anonymous SSL, the cipher suite is negotiated - see enabled-cipher-suites below.
Depending upon the SSL mode, follow the guidelines of your organization around creating/obtaining private keys. If you have no organizational requirements, then follow this guide to create self-signed certificates with their respective keystores and truststores. The following keystore and truststore combinations are required for different SSL modes. The names of the files can be chosen by the user. The following files are shown for example purposes only.
SSL modes covered by the keystore/truststore table: 1-way and 2-way.
```xml
<!-- Example ssl element inside a transport; file names, passwords, alias and
     algorithm values are placeholders to be replaced with your own. -->
<ssl mode="enabled" authentication-mode="1-way" ssl-protocol="TLSv1"
     keymanagement-algorithm="algo"
     enabled-cipher-suites="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA">
    <keystore name="cert.keystore" password="passwd" type="JKS"
              key-alias="alias" key-password="passwd1"/>
    <truststore name="cert.truststore" password="passwd"/>
</ssl>
```
Properties
You will typically use the CLI to modify the transport configuration.
If you do not want to leave clear text passwords in the configuration file, you can use the JBoss AS vault mechanism for storing the keystore and truststore passwords. Use the directions defined here: https://community.jboss.org/docs/DOC-17248
Both anonymous SSL and login-only (JDBC specific) encryption are configured to use 128-bit AES encryption by default. By default, 1-way and 2-way SSL allow cipher suite negotiation based upon the default cipher suites supported by the respective Java platforms of the client and server. Users can restrict the cipher suites used by specifying the enabled-cipher-suites property above in the SSL configuration.
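As an added example (not code from the Teiid project or this documentation), the script below reads one `ssl` transport element and reports settings that contradict the guidance on this page: an `ssl-protocol` of SSLv3 (POODLE), a `mode="enabled"` transport with no keystore, a 2-way transport with no truststore to verify client certificates, and keystore or truststore passwords left in clear text rather than as JBoss AS vault references (`${VAULT::block::attribute::sharedKey}`). It also reports the effective values after applying the page's defaults (TLSv1, JKS, JVM-default cipher suites when `enabled-cipher-suites` is absent). The two XML fragments are constructed for the example; the hardened one uses placeholder vault block and attribute names.

```python
"""Audit a Teiid <ssl> transport element against the guidance on this page.
Added example; not part of the Teiid documentation or code base."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the page's example with two deliberate weaknesses
# (SSLv3 and a 2-way configuration that has no truststore).
SAMPLE_SSL = """<ssl mode="enabled" authentication-mode="2-way" ssl-protocol="SSLv3"
     keymanagement-algorithm="algo"
     enabled-cipher-suites="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA">
  <keystore name="cert.keystore" password="passwd" type="JKS"
            key-alias="alias" key-password="passwd1"/>
</ssl>"""

# Constructed hardened sample: vault references instead of clear text passwords
# (vault block "ssl" and attribute names are placeholders), TLSv1, truststore present.
HARDENED_SSL = """<ssl mode="enabled" authentication-mode="2-way" ssl-protocol="TLSv1"
     enabled-cipher-suites="TLS_RSA_WITH_AES_128_CBC_SHA">
  <keystore name="cert.keystore" password="${VAULT::ssl::keystore-password::1}"
            key-alias="alias" key-password="${VAULT::ssl::key-password::1}"/>
  <truststore name="cert.truststore" password="${VAULT::ssl::truststore-password::1}"/>
</ssl>"""

# JBoss AS vault reference syntax: ${VAULT::vaultblock::attribute::sharedkey}
VAULT_REF = re.compile(r"^\$\{VAULT::[^}]+\}$")


def effective_settings(xml_text):
    """Return the settings that will actually apply, with the page's defaults filled in."""
    ssl = ET.fromstring(xml_text)
    keystore = ssl.find("keystore")
    suites = ssl.get("enabled-cipher-suites", "")
    return {
        "mode": ssl.get("mode", ""),
        "authentication-mode": ssl.get("authentication-mode", ""),
        "ssl-protocol": ssl.get("ssl-protocol", "TLSv1"),        # default TLSv1
        "keystore-type": keystore.get("type", "JKS") if keystore is not None else None,
        # empty list means negotiation falls back to the JVM default suites
        "enabled-cipher-suites": [s.strip() for s in suites.split(",") if s.strip()],
    }


def audit_ssl_element(xml_text):
    """Return a list of findings (strings); an empty list means nothing to report."""
    ssl = ET.fromstring(xml_text)
    settings = effective_settings(xml_text)
    keystore = ssl.find("keystore")
    truststore = ssl.find("truststore")
    findings = []

    if settings["ssl-protocol"].upper() == "SSLV3":
        findings.append("ssl-protocol=SSLv3 is not recommended (POODLE)")

    if settings["mode"] == "enabled":
        if keystore is None:
            findings.append("mode=enabled but no <keystore>: the server has no key to present")
        if settings["authentication-mode"] == "2-way" and truststore is None:
            findings.append("authentication-mode=2-way but no <truststore>: "
                            "client certificates cannot be verified")

    # Clear text passwords in the configuration file; the page recommends the vault.
    for elem in (keystore, truststore):
        if elem is None:
            continue
        for attr in ("password", "key-password"):
            value = elem.get(attr)
            if value and not VAULT_REF.match(value):
                findings.append(f"<{elem.tag}> {attr} is clear text; use a vault reference")

    return findings


if __name__ == "__main__":
    for label, xml_text in (("sample", SAMPLE_SSL), ("hardened", HARDENED_SSL)):
        print(f"== {label}: {effective_settings(xml_text)}")
        for finding in audit_ssl_element(xml_text) or ["no findings"]:
            print("  -", finding)
```

The audit only encodes what this page states (defaults, the SSLv3 note, the vault recommendation) plus the keystore/truststore roles of 1-way and 2-way SSL; it does not judge the strength of individual cipher suite names, so review `enabled-cipher-suites` against your organization's own policy.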