[ https://issues.jboss.org/browse/TEIIDSB-86?page=com.atlassian.jira.plugin... ]
Steven Hawkins edited comment on TEIIDSB-86 at 5/14/19 10:14 AM:
-----------------------------------------------------------------
Another approach for external pg transport security is the use of a stunnel -
http://cpitman.github.io/openshift/tcp/networking/2016/12/28/stunnel-and-...
- which can be combined with the service certificate generation linked above, rather than
his example that shows a self-signed certificate.
The upside is it allows a route to be used.
The downside being the requirement of running a client stunnel instance. You'd also
have a stunnel server instance alongside every Teiid instance.
And this still exposes an intra-cluster unsecured host/port - so we'd either have to
double encrypt (at the stunnel level and at the pg protocol level) or make the requirement
for a secure pg transport more flexible.
Of course, since we have control over the Teiid JDBC side, we could just do HTTP/HTTPS
ourselves there and further simplify things.
was (Author: shawkins):
The only approach for external pg transport security is the use of a stunnel -
http://cpitman.github.io/openshift/tcp/networking/2016/12/28/stunnel-and-...
- which can be combined with the service certificate generation linked above, rather than
his example that shows a self-signed certificate.
The downside being the requirement of running a client stunnel instance. You'd also
have a stunnel server instance alongside every Teiid instance.
And this still exposes an intra-cluster unsecured host/port - so we'd either have to
double encrypt (at the stunnel level and at the pg protocol level) or make the requirement
for a secure pg transport more flexible.
Of course, since we have control over the Teiid JDBC side, we could just do HTTP/HTTPS
ourselves there and further simplify things.
Plans for secure socket transports
----------------------------------
Key: TEIIDSB-86
URL: https://issues.jboss.org/browse/TEIIDSB-86
Project: Teiid Spring Boot
Issue Type: Quality Risk
Reporter: Steven Hawkins
Assignee: Steven Hawkins
Priority: Major
Fix For: 1.1.0
The Teiid Spring Boot configuration allows for only non-secured pg / JDBC socket
transports. For external client scenarios and even for varying degrees of compliance with
intra-cluster traffic, a secure layer may be required.
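The stunnel pairing described in the comment above, sketched as an added example (not configuration from the Teiid project or from the linked post). Host names, ports, and file paths are assumptions: a stunnel sidecar in the Teiid pod, a passthrough route on port 443, the pg socket on 35432, and the service certificate mounted under /etc/tls/private.

```ini
; ===== stunnel-server.conf: sidecar next to each Teiid instance (assumed layout) =====
foreground = yes

[teiid-pg]
; TLS listener that the passthrough route targets (assumed port)
accept = 0.0.0.0:5443
; Forward decrypted traffic to the plain pg socket over loopback (assumed port).
; Whether that plain port is also reachable from other pods depends on how
; Teiid binds it and on network policy; this is the intra-cluster exposure
; the comment refers to.
connect = 127.0.0.1:35432
; Generated service certificate and key instead of a self-signed pair (assumed mount path)
cert = /etc/tls/private/tls.crt
key = /etc/tls/private/tls.key

; ===== stunnel-client.conf: runs beside the external pg/ODBC client =====
foreground = yes

[teiid-pg]
client = yes
; The local application connects here as if it were the plain pg port
accept = 127.0.0.1:35432
; Route host name and port (constructed example value)
connect = teiid-pg.apps.example.com:443
; A passthrough route selects the backend by SNI, so send the route host name
sni = teiid-pg.apps.example.com
; Validate the server chain against the cluster service CA (assumed local copy)
verifyChain = yes
CAfile = /etc/stunnel/service-ca.crt
; Assumption: the service certificate names the service DNS name rather than
; the route host, so the host check uses that name (constructed example value)
checkHost = teiid-pg.myproject.svc
```

Without `verifyChain` and `checkHost` the client tunnel encrypts but does not authenticate the server, so both need to be set for the tunnel to provide transport security rather than just obfuscation.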