Securing an EFM cluster

Learn how to secure intra-cluster communication between Edge Flow Manager (EFM) instances running in clustered mode.

By default, intra-cluster communication uses plain, unencrypted TCP. The default configuration assumes that all EFM instances run inside a Virtual Private Cloud and that the cluster communication port is not reachable from public networks. If you cannot guarantee both, or if you need encryption on the cluster link regardless, enable TLS as described below.

Configuring secure communications between EFM nodes

To enable TLS on the cluster channel you need to configure a few properties in the EFM configuration. Follow the steps below:

  1. Set efm.infinispan.ssl.enable to 'true' to activate SSL for Infinispan.

  2. Define the path to the keystore for Infinispan by setting efm.infinispan.ssl.key-store.

  3. Set the password for the keystore by configuring efm.infinispan.ssl.key-store-password.

After configuring these properties, a log entry similar to the one below in the application log confirms that the JGroups channel was started with the TLS-enabled (tcp-ssl) stack instead of the plain tcp stack:
    2023-08-22 16:44:12.208  INFO org.infinispan.CLUSTER : ISPN000078: Starting JGroups channel `efm` with stack `tcp-ssl`

Generating a Java Keystore

You can use your existing Java Keystore (JKS) for a secure setup, or you can create a new one. Follow the steps below to create a new keystore containing a certificate signed by a locally generated root certificate for secure communications with Infinispan. Note that step 2 passes -storetype PKCS12, so the resulting file is a PKCS12 keystore despite its .jks file name; PKCS12 is the default keystore type in current JDKs and keytool reads it without further options.

  1. Generate a private key and a self-signed certificate (root certificate). Pass -days explicitly: without it, openssl req -x509 issues a certificate valid for only 30 days, shorter than the node certificate signed in step 4.
    openssl genrsa -out root.key
    openssl req -new -x509 -key root.key -out root.crt -days 1825
    chmod 600 root.key
    chmod 644 root.crt
  2. Create a keystore (infini.keystore.jks) and generate a key pair with a subject alternative name (SAN). localhost is used here as a placeholder for both the alias and the SAN; use the hostname by which the node is reached inside the cluster, and repeat the procedure on each node with its own hostname.
    keytool -keystore infini.keystore.jks -alias localhost -validity 365 -genkey -keyalg RSA -ext SAN=DNS:localhost -storetype PKCS12
  3. Generate a certificate signing request (CSR) for the key pair.
    keytool -keystore infini.keystore.jks -alias localhost -certreq -file infini.unsigned.crt
  4. Sign the certificate request with the root certificate to create the signed certificate. By default openssl x509 -req does not carry the SAN from the request into the issued certificate; -copy_extensions copy (OpenSSL 3.0 or later) preserves it. On older OpenSSL releases, restate the SAN through -extfile instead, and verify the result with openssl x509 -in infini.signed.crt -noout -ext subjectAltName.
    openssl x509 -req -CA root.crt -CAkey root.key -in infini.unsigned.crt -out infini.signed.crt -days 365 -CAcreateserial -copy_extensions copy
  5. Import the root certificate into the keystore. It must be imported before the signed certificate, because keytool only accepts a certificate reply whose chain it can verify against a certificate already in the keystore.
    keytool -keystore infini.keystore.jks -alias CARoot -import -file root.crt
  6. Import the signed certificate into the keystore.
    keytool -keystore infini.keystore.jks -alias localhost -import -file infini.signed.crt
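The whole procedure above, scripted so that it can be run once per node, as an added example that is not part of the EFM documentation. It uses OpenSSL alone rather than keytool: the root CA is created once, each node gets a certificate for its own hostname, the SAN is restated through -extfile so that it survives signing on OpenSSL 1.1.1 as well as 3.x, and the key, certificate and root are packed into a PKCS12 file that keytool and EFM read as a PKCS12 keystore. Two check functions read the keystore back and confirm the SAN and the chain. The hostname efm-node-1.example.internal, the output paths and the KEYSTORE_PASS variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the EFM documentation: build a per-node PKCS12
# keystore for the Infinispan channel with OpenSSL only, preserving the SAN.
# The hostname efm-node-1.example.internal and all paths are hypothetical.
set -eu

# Create a private root CA in directory $1. The root is valid for five years;
# "openssl req -x509" would otherwise default to 30 days.
make_root_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl genrsa -out "$dir/root.key" 2048
    openssl req -new -x509 -key "$dir/root.key" -out "$dir/root.crt" \
        -days 1825 -subj "/CN=EFM Cluster Root CA"
    chmod 600 "$dir/root.key"
    chmod 644 "$dir/root.crt"
}

# Create keystore $3 for node $2, signed by the CA in $1. The keystore
# password is read from KEYSTORE_PASS so it never appears on a command line.
make_node_keystore() {
    cadir=$1 host=$2 out=$3
    : "${KEYSTORE_PASS:?set KEYSTORE_PASS to the keystore password}"
    work=$(mktemp -d)
    openssl genrsa -out "$work/node.key" 2048
    # Request a certificate for the node's real hostname, not localhost.
    openssl req -new -key "$work/node.key" -out "$work/node.csr" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host"
    # "openssl x509 -req" ignores the extensions in the CSR unless told to
    # copy them, so restate the SAN (plus a leaf-certificate profile) here.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\n' \
        "$host" > "$work/node.ext"
    openssl x509 -req -in "$work/node.csr" -CA "$cadir/root.crt" -CAkey "$cadir/root.key" \
        -CAcreateserial -days 365 -extfile "$work/node.ext" -out "$work/node.crt"
    # Bundle key, certificate and root into a PKCS12 file; -name becomes the
    # keytool alias. keytool reads this directly with -storetype PKCS12.
    openssl pkcs12 -export -in "$work/node.crt" -inkey "$work/node.key" \
        -certfile "$cadir/root.crt" -name "$host" -out "$out" \
        -passout env:KEYSTORE_PASS
    chmod 600 "$out"
    rm -rf "$work"
}

# Print the DNS SAN of the node certificate stored in keystore $1.
keystore_san() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:KEYSTORE_PASS 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName \
        | sed -n 's/^ *DNS://p'
}

# Print "ok" if the node certificate in keystore $1 chains to root $2,
# "fail" otherwise (for example when a node was signed by the wrong CA).
keystore_chain_ok() {
    if openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:KEYSTORE_PASS 2>/dev/null \
        | openssl verify -CAfile "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Usage: KEYSTORE_PASS=... ./make-efm-keystore.sh <ca-dir> <hostname> <out.p12>
if [ $# -eq 3 ]; then
    [ -f "$1/root.crt" ] || make_root_ca "$1"
    make_node_keystore "$1" "$2" "$3"
    echo "SAN:   $(keystore_san "$3")"
    echo "chain: $(keystore_chain_ok "$3" "$1/root.crt")"
fi
```

Point efm.infinispan.ssl.key-store at the generated file and put the same password in efm.infinispan.ssl.key-store-password; keytool -list -v -keystore node.p12 -storetype PKCS12 shows the alias and the SAN the node will present. Keep root.key off the cluster nodes once the node keystores are issued; only root.crt is needed for verification. Some older JDKs cannot open the PBES2/AES encryption that OpenSSL 3 uses by default for PKCS12 files; if keytool refuses the file, re-export it with -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 added to the openssl pkcs12 -export command.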