10 changed files
with
117 additions
and
6 deletions.
documentation/asciidoc/stories/assembly_configuring_encryption.adoc (13 additions, 0 deletions)
@@ -0,0 +1,13 @@ | ||
ifdef::context[:parent-context: {context}] | ||
[id='encryption'] | ||
:context: network-access | ||
= Configuring encryption | ||
[role="_abstract"] | ||
Configure encryption for your {brandname}. | ||
include::{topics}/proc_enabling_endpoint_encryption.adoc[leveloffset=+1] | ||
include::{topics}/proc_enabling_transport_encryption.adoc[leveloffset=+1] | ||
// Restore the parent context. | ||
ifdef::parent-context[:context: {parent-context}] | ||
ifndef::parent-context[:!context:] |
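Review bot: `:context: network-access` looks carried over from the network-access assembly and does not match `[id='encryption']` two lines above; because the included topics build their ids as `..._{context}`, both procedures will render as `enabling-endpoint-encryption_network-access` and `enabling-transport-encryption_network-access`. Set `:context: encryption` so the anchors reflect the assembly they belong to and cannot collide with topics included from the real network-access assembly.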
@@ -1,5 +1,6 @@ | ||
include::{stories}/assembly_installing_helm_chart.adoc[leveloffset=+1] | ||
include::{stories}/assembly_configuring_servers.adoc[leveloffset=+1] | ||
include::{stories}/assembly_configuring_authentication.adoc[leveloffset=+1] | ||
include::{stories}/assembly_configuring_encryption.adoc[leveloffset=+1] | ||
include::{stories}/assembly_network_access.adoc[leveloffset=+1] | ||
include::{stories}/assembly_connecting_clusters.adoc[leveloffset=+1] |
documentation/asciidoc/topics/proc_enabling_endpoint_encryption.adoc (31 additions, 0 deletions)
@@ -0,0 +1,31 @@ | ||
[id='enabling-endpoint-encryption_{context}'] | ||
= Enabling endpoint encryption | ||
|
||
[role="_abstract"] | ||
Enable TLS encryption on the endpoint. | ||
|
||
.Prerequisites | ||
* A secret containing the keystore | ||
|
||
.Procedure | ||
|
||
|
||
+ | ||
.Set the secret name in the deploy configuration | ||
[source,yaml,options="nowrap",subs=attributes+] | ||
---- | ||
include::yaml/ssl_endpoint_secretname.yaml[] | ||
---- | ||
+ | ||
.Enable TLS in the Realm | ||
|
||
Configure the keystore path in the endpoint realm. Secret is mounted at `/etc/encrypt/endpoint`. Alias and password for the keystore must be provided. | ||
|
||
[source,yaml,options="nowrap",subs=attributes+] | ||
---- | ||
include::yaml/realm_encryption.yaml[] | ||
---- | ||
|
||
[role="_additional-resources"] | ||
.Additional resources | ||
* link:{security_docs}[{brandname} Security Guide] |
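Review bot: the two `+` lines under `.Procedure` are list continuations with no list item to continue, so AsciiDoc renders them as literal plus signs and the two titled blocks never become numbered steps; write the steps as `. Set the secret name in the deploy configuration` and `. Enable TLS in the realm`, keeping `+` only to attach the following source block to each step. The prerequisite "A secret containing the keystore" should also state what the secret must contain for the sample to work: a data key named `keystore.p12` (the realm sample points at `/etc/encrypt/endpoint/keystore.p12`), plus the alias and the password that the realm configuration has to repeat.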
documentation/asciidoc/topics/proc_enabling_transport_encryption.adoc (33 additions, 0 deletions)
@@ -0,0 +1,33 @@ | ||
[id='enabling-transport-encryption_{context}'] | ||
= Enabling endpoint encryption | ||
|
||
[role="_abstract"] | ||
Enable TLS encryption for the cluster transport. | ||
|
||
.Prerequisites | ||
* A secret containing the certificates | ||
|
||
.Procedure | ||
|
||
|
||
+ | ||
.Set the secret name in the deploy configuration. | ||
Secret is mounted at `/etc/encrypt/transport`. | ||
[source,yaml,options="nowrap",subs=attributes+] | ||
---- | ||
include::yaml/ssl_transport_secretname.yaml[] | ||
---- | ||
+ | ||
.Enable TLS in the JGroups stack | ||
|
||
Configure JGroups with the desired encryption, extending the `kubernetes` stack. If needed, name and password for the keystore must be provided. | ||
|
||
|
||
[source,yaml,options="nowrap",subs=attributes+] | ||
---- | ||
include::yaml/transport_encryption.yaml[] | ||
---- | ||
|
||
[role="_additional-resources"] | ||
.Additional resources | ||
* link:{security_docs}[{brandname} Security Guide] |
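Review bot: the heading `= Enabling endpoint encryption` is copied from the endpoint topic and contradicts both the id `enabling-transport-encryption_{context}` and the abstract "Enable TLS encryption for the cluster transport."; change it to `= Enabling transport encryption`, otherwise the assembly shows two sections with the same title. As in the endpoint topic, the bare `+` lines have no list item to continue, so the two titled blocks should be numbered steps. "If needed, name and password for the keystore must be provided" is vague: the sample's `SSL_KEY_EXCHANGE` sets `keystore_name` and `keystore_password` unconditionally, so state that both are required and must match the keystore stored in the secret mounted at `/etc/encrypt/transport`.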
@@ -0,0 +1,12 @@ | ||
deploy: | ||
infinispan: | ||
server: | ||
security: | ||
securityRealms: | ||
- name: default | ||
serverIdentities: | ||
ssl: | ||
keystore: | ||
alias: "server" | ||
path: "/etc/encrypt/endpoint/keystore.p12" | ||
password: "password" |
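Review bot: `password: "password"` at the end of the realm sample is a plaintext credential in the Helm values, and the surrounding procedure does not say so; mark it as a placeholder to replace and note that whatever is entered here ends up in clear text in the values file and in the rendered server configuration, so it should not be committed to a repository. It is also worth saying that `alias: "server"` must name an existing key entry in the keystore delivered by the secret, since a wrong alias fails only at server start.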
documentation/asciidoc/topics/yaml/ssl_endpoint_secretname.yaml (3 additions, 0 deletions)
@@ -0,0 +1,3 @@ | ||
deploy: | ||
ssl: | ||
endpointSecretName: "tls-secret" |
documentation/asciidoc/topics/yaml/ssl_transport_secretname.yaml (3 additions, 0 deletions)
@@ -0,0 +1,3 @@ | ||
deploy: | ||
ssl: | ||
transportSecretName: "tls-secret" |
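Review bot: `transportSecretName: "tls-secret"` reuses the exact name that `endpointSecretName` uses in the endpoint sample, so a reader who follows both procedures literally ends up with a single secret that has to carry both `keystore.p12` and `cert.p12`. Either say explicitly that one secret may serve both purposes and list the two keys it must contain, or use distinct placeholder names such as `endpoint-tls-secret` and `transport-tls-secret` so the two mounts (`/etc/encrypt/endpoint`, `/etc/encrypt/transport`) are clearly independent.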
documentation/asciidoc/topics/yaml/transport_encryption.yaml (21 additions, 0 deletions)
@@ -0,0 +1,21 @@ | ||
infinispan: | ||
jgroups: | ||
stack: | ||
name: "encryption" | ||
extends: "kubernetes" | ||
SSL_KEY_EXCHANGE: | ||
"keystore_name": "/etc/encrypt/transport/cert.p12" | ||
"keystore_password": "password" | ||
"stack.combine": "INSERT_AFTER" | ||
"stack.position": "VERIFY_SUSPECT2" | ||
ASYM_ENCRYPT: | ||
"asym_algorithm": "RSA" | ||
"asym_keylength": 3072 | ||
"change_key_on_coord_leave": "false" | ||
"change_key_on_leave": "false" | ||
"use_external_key_exchange": "true" | ||
"stack.combine": "INSERT_BEFORE" | ||
"stack.position": "pbcast.NAKACK2" | ||
cacheContainer: | ||
transport: | ||
stack: encryption |
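Review bot: `"change_key_on_coord_leave": "false"` and `"change_key_on_leave": "false"` in the `ASYM_ENCRYPT` block switch off group-key rotation when a member or the coordinator leaves, which means a node that has left (or been evicted after a suspected failure) keeps a secret key that stays valid for the remaining cluster; if this trade-off is intended for faster view changes, the procedure text should say so and name the conditions under which it is acceptable, otherwise drop the two overrides. The sample is also rooted differently from the realm sample: this one starts at `infinispan:` while `realm_encryption.yaml` starts at `deploy: infinispan: server:`, so a reader cannot tell where to paste it into the values file; use the same root in both. Finally, `"keystore_password": "password"` should be flagged as a placeholder for the same plaintext reasons as the endpoint keystore password.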