[teiid-issues] [JBoss JIRA] (TEIIDSB-86) Plans for secure socket transports
Steven Hawkins (Jira)
issues at jboss.org
Mon May 13 11:35:00 EDT 2019
[ https://issues.jboss.org/browse/TEIIDSB-86?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13732736#comment-13732736 ]
Steven Hawkins commented on TEIIDSB-86:
---------------------------------------
The only approach for external pg transport security is the use of a stunnel - http://cpitman.github.io/openshift/tcp/networking/2016/12/28/stunnel-and-openshift.html#.XNX3G3VKhhE - which can be combined with the service certificate generation linked above, rather than his example that shows a self-signed certificate.
The downside is the requirement of running a client stunnel instance. You'd also have a stunnel server instance alongside every Teiid instance.
And this still exposes an intra-cluster unsecured host/port - so we'd either have to double encrypt (at the stunnel level and at the pg protocol level) or make the requirement for a secure pg transport more flexible.
Of course, since we have control over the Teiid JDBC side, we could just do http/https ourselves there and further simplify things.
> Plans for secure socket transports
> ----------------------------------
>
> Key: TEIIDSB-86
> URL: https://issues.jboss.org/browse/TEIIDSB-86
> Project: Teiid Spring Boot
> Issue Type: Quality Risk
> Reporter: Steven Hawkins
> Assignee: Steven Hawkins
> Priority: Major
> Fix For: 1.1.0
>
>
> The Teiid Spring Boot configuration allows for only non-secured pg / JDBC socket transports. For external client scenarios and even for varying degrees of compliance with intra-cluster traffic, a secure layer may be required.
--
This message was sent by Atlassian Jira
(v7.12.1#712002)