TLS with Client Certificate Authorization

What You Will Learn

How to configure the Hot Rod client with TLS encryption and client certificate authentication. The tutorial demonstrates multiple SSL configurations, from simple server-only trust to mutual TLS with the EXTERNAL SASL mechanism for authorization.

Prerequisites

  • Java 17+

  • An Infinispan Server configured with TLS and client certificate authentication

  • Certificate keystores and truststores generated by the included shell scripts

Step 1: Generate Certificates

The build generates the required certificates during the package phase. Three scripts create unsigned certificates, signed certificates, and the server truststore:

mvn package

This runs create_unsigned_certificates.sh, create_signed_certificates.sh, and create_signed_server_truststore_auth.sh automatically.

Step 2: Configure Simple TLS

Connect with server-only TLS by providing the server truststore:

   builder
         .security()
         .ssl().hostnameValidation(false)   // do not check the server cert against the host name (tutorial setting)
         .trustStoreFileName("server-truststore.pfx")         // PKCS#12 store holding the server certificate
         .trustStorePassword("trustSecret".toCharArray());

Step 3: Configure Mutual TLS with Client Certificates

Add a client keystore and use the EXTERNAL SASL mechanism so the server authenticates the client by its certificate:

   builder.security()
         .ssl().hostnameValidation(false)
         .trustStoreFileName("server_truststore.p12")         // what the client trusts: the server certificate
         .trustStorePassword("ServerTrustsecret".toCharArray())
         .keyStoreFileName("client1_keystore.p12")            // what the client presents: client1's key and certificate
         .keyStorePassword("Client1secret".toCharArray());

   // EXTERNAL: the identity established by the TLS client certificate is used for SASL authentication
   builder.security().authentication().saslMechanism("EXTERNAL");
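Before handing the two PKCS#12 files to the builder it is worth checking them directly: that the passwords open the stores, that the keystore really contains a private-key entry, that its certificate is within its validity period, and which subject DN the server will see as the EXTERNAL principal. The following is an added example using only the JDK, not code from the tutorial; the file names and passwords are the ones from Step 3, and the class name is arbitrary.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
// Added example, not part of the tutorial: pre-flight check of the TLS material used in Step 3.
public final class TlsMaterialCheck {
    // Loads a PKCS#12 store; a wrong password fails here instead of at connect time.
    static KeyStore loadPkcs12(String file, char[] password) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }
    // Subject DNs of the trusted-certificate entries (the server certificate or its issuer).
    static List<String> trustedSubjects(KeyStore trustStore) throws GeneralSecurityException {
        List<String> subjects = new ArrayList<>();
        for (String alias : Collections.list(trustStore.aliases())) {
            if (trustStore.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) trustStore.getCertificate(alias);
                subjects.add(c.getSubjectX500Principal().getName());
            }
        }
        return subjects;
    }
    // Subject DN of the client's private-key entry: with the EXTERNAL SASL mechanism this is the
    // principal the server sees. Fails if there is no key entry or the certificate is not currently valid.
    static String clientPrincipal(KeyStore keyStore) throws GeneralSecurityException {
        for (String alias : Collections.list(keyStore.aliases())) {
            if (keyStore.isKeyEntry(alias)) {
                X509Certificate c = (X509Certificate) keyStore.getCertificate(alias);
                c.checkValidity(); // throws CertificateExpiredException / CertificateNotYetValidException
                return c.getSubjectX500Principal().getName();
            }
        }
        throw new GeneralSecurityException("no private-key entry in client keystore");
    }
    public static void main(String[] args) throws Exception {
        // File names and passwords are the ones the tutorial uses in Step 3.
        KeyStore trust = loadPkcs12("server_truststore.p12", "ServerTrustsecret".toCharArray());
        KeyStore key = loadPkcs12("client1_keystore.p12", "Client1secret".toCharArray());
        System.out.println("trusted server certs: " + trustedSubjects(trust));
        System.out.println("EXTERNAL principal  : " + clientPrincipal(key));
    }
}
```

Run it from the directory that holds the generated stores after mvn package; the printed principal is the DN the server must map to a role for the secured cache.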

Step 4: Test the Connection

The tutorial iterates through all SSL configurations and tests cache operations on the secured cache:

   cacheManager = TutorialsConnectorHelper.connect(builder);          // opens the TLS (or mutual TLS) connection
   RemoteCache<String, String> cache = cacheManager.getCache("secured");
   System.out.println("    = connection success");
   cache.put("test", "test");                                          // write requires an authorized client
   System.out.println("    = put succeeds");
   cache.get("test");
   System.out.println("    = get succeeds");

You can select specific configurations with the TEST environment variable (e.g., TEST=CLIENT1AUTH).

Step 5: Run the Tutorial

mvn package exec:java

What’s Next