[teiid-issues] [JBoss JIRA] (TEIIDSB-86) Plans for secure socket transports

Steven Hawkins (Jira) issues at jboss.org
Tue May 14 10:15:01 EDT 2019


    [ https://issues.jboss.org/browse/TEIIDSB-86?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13732736#comment-13732736 ] 

Steven Hawkins edited comment on TEIIDSB-86 at 5/14/19 10:14 AM:
-----------------------------------------------------------------

Another approach for external pg transport security is the use of a stunnel - http://cpitman.github.io/openshift/tcp/networking/2016/12/28/stunnel-and-openshift.html#.XNX3G3VKhhE - which can be combined with the service certificate generation linked above, rather than his example that shows a self-signed certificate.

The upside is it allows a route to be used.

The downside being the requirement of running a client stunnel instance. You'd also have a stunnel server instance alongside every Teiid instance.

And this still exposes an intra-cluster unsecured host/port - so we'd either have to double encrypt (at the stunnel level and at the pg protocol level) or make the requirement for a secure pg transport more flexible.

Of course since we have control over the teiid jdbc side we could just do http/https ourselves there and further simplify things.


was (Author: shawkins):
The only approach for external pg transport security is the use of a stunnel - http://cpitman.github.io/openshift/tcp/networking/2016/12/28/stunnel-and-openshift.html#.XNX3G3VKhhE - which can be combined with the service certificate generation linked above, rather than his example that shows a self-signed certificate.

The downside being the requirement of running a client stunnel instance. You'd also have a stunnel server instance alongside every Teiid instance.

And this still exposes an intra-cluster unsecured host/port - so we'd either have to double encrypt (at the stunnel level and at the pg protocol level) or make the requirement for a secure pg transport more flexible.

Of course since we have control over the teiid jdbc side we could just do http/https ourselves there and further simplify things.

> Plans for secure socket transports
> ----------------------------------
>
>                 Key: TEIIDSB-86
>                 URL: https://issues.jboss.org/browse/TEIIDSB-86
>             Project: Teiid Spring Boot
>          Issue Type: Quality Risk
>            Reporter: Steven Hawkins
>            Assignee: Steven Hawkins
>            Priority: Major
>             Fix For: 1.1.0
>
>
> The Teiid Spring Boot configuration allows for only non-secured pg / JDBC socket transports.  For external client scenarios and even for varying degrees of compliance with intra-cluster traffic, a secure layer may be required.


