Chapter 9. Configuring Network Encryption in Red Hat Gluster Storage
Encryption converts data into a form that cannot be read without the corresponding key while it is transmitted over a network. It prevents unauthorized parties who can observe the traffic from reading or using the data in transit.
Red Hat Gluster Storage supports network encryption using TLS/SSL. When TLS/SSL is enabled, Red Hat Gluster Storage also uses it for authentication and authorization, in place of the home-grown authentication framework used for normal connections. Red Hat Gluster Storage supports the following encryption types:
- I/O encryption - encryption of the I/O connections between the Red Hat Gluster Storage clients and servers
- Management encryption - encryption of the management (glusterd) connections within a trusted storage pool.
The following files are used in configuring network encryption:
/etc/ssl/glusterfs.pem - Certificate file containing the system's uniquely signed TLS certificate. This file is unique for each system and must not be shared with others.
/etc/ssl/glusterfs.key - The system's unique private key. This file must not be shared with others.
/etc/ssl/glusterfs.ca - The certificates of the Certificate Authorities (CAs) that signed the certificates. This file is not unique: it should be the same on all servers in the trusted storage pool, and all clients should also share one file, though not necessarily the same one as the servers. Red Hat Gluster Storage does not use the global CA certificates that come with the system. The CA file on the servers must contain the certificates of the signing CA for all the servers and all the clients. The CA file on the clients must contain the certificates of the signing CA for all the servers. If self-signed certificates are used, the CA file for the servers is a concatenation of the /etc/ssl/glusterfs.pem files of every server and every client, and the client CA file is a concatenation of the /etc/ssl/glusterfs.pem files of every server. Because this file is the trust anchor, every certificate it contains, and every certificate signed by a CA it contains, is accepted as a peer; keep it limited to the CAs that actually sign your servers' and clients' certificates.
/var/lib/glusterd/secure-access - This file enables encryption on the management (glusterd) connections between the glusterd daemons of all servers, and on the connection between clients and glusterd, which clients use to fetch volfiles and glusterd uses to notify clients of volfile changes. The file is empty and is mandatory only if you configure management encryption. It must be present on all the servers and all the clients; on the clients, its presence tells the mount command to use an encrypted connection to retrieve the volfiles.
Before setting up network encryption, you must generate a private key and a signed certificate for every system, clients and servers alike, and place them in the paths listed above. Perform the following on each system:
- Generate a private key for each system:
# openssl genrsa -out /etc/ssl/glusterfs.key 2048
- Use the generated private key to create a self-signed certificate:
# openssl req -new -x509 -key /etc/ssl/glusterfs.key -subj "/CN=COMMONNAME" -out /etc/ssl/glusterfs.pem
Note that without a -days option, openssl req -x509 issues a certificate that is valid for only 30 days; pass -days with the validity period you intend to operate with.
If your organization has a common CA, the certificate can be signed by it instead. To do this, generate a certificate signing request (CSR):
# openssl req -new -sha256 -key /etc/ssl/glusterfs.key -subj '/CN=<COMMONNAME>' -out glusterfs.csr
Give the generated glusterfs.csr file to the CA; the CA returns a .pem file containing the signed certificate. Place that signed glusterfs.pem file in the
- For self-signed certificates on servers, collect the .pem certificates of clients and servers, that is, the /etc/ssl/glusterfs.pem files from every system. Concatenate the collected files into a single file and place it in /etc/ssl/glusterfs.ca on all the servers in the trusted storage pool. If you are using a common CA, collect the CA's certificate file from the CA and place it in /etc/ssl/glusterfs.ca on all the servers.
- For self-signed certificates on clients, collect the .pem certificates of the servers, that is, the /etc/ssl/glusterfs.pem files from every server. Concatenate the collected files into a single file and place it in /etc/ssl/glusterfs.ca on all the clients. If you are using a common CA, collect the CA's certificate file from the CA and place it in /etc/ssl/glusterfs.ca on all the clients.
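The whole procedure above, worked through as an added shell example that is not part of the Red Hat Gluster Storage documentation: it generates a key and self-signed certificate for three constructed hosts (two servers, one client), builds the two different glusterfs.ca bundles, and checks with openssl verify that each bundle trusts exactly the peers the text says it should. The host names, the WORKDIR layout standing in for /etc/ssl and /var/lib/glusterd on each host, and the 365-day validity are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example; not part of the Red Hat Gluster Storage documentation.
# Builds per-host keys/certificates and the two kinds of glusterfs.ca bundle
# described above, then checks the trust relationships with openssl verify.
# Everything is written under WORKDIR (a stand-in for /etc/ssl and
# /var/lib/glusterd on each host); the host names are constructed.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"
# openssl req -x509 issues a 30-day certificate unless -days is given;
# 365 is an assumed operational choice, not a Gluster requirement.
DAYS=365

# Private key plus self-signed certificate for one host.
# $1 = per-host directory, $2 = common name carried by the certificate
gen_identity() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    # umask 077 gives the key mode 0600: it must never leave this host.
    (umask 077 && openssl genrsa -out "$dir/glusterfs.key" 2048 2>/dev/null)
    openssl req -new -x509 -sha256 -days "$DAYS" -key "$dir/glusterfs.key" \
        -subj "/CN=$cn" -out "$dir/glusterfs.pem" 2>/dev/null
    # Empty marker file that turns on management encryption
    # (stand-in for /var/lib/glusterd/secure-access).
    : > "$dir/secure-access"
}

# Concatenate certificate files into one CA bundle.
# $1 = bundle to write, remaining arguments = certificates to include
build_ca_bundle() {
    out="$1"; shift
    cat "$@" > "$out"
}

# 0 if certificate $2 chains to a certificate in bundle $1, non-zero otherwise.
# -no-CApath keeps the system trust store out of the decision, which matches
# Gluster ignoring the system CA certificates.
trusted_by() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if the private key $1 is readable only by its owner (mode 0600).
key_is_owner_only() {
    [ -n "$(find "$1" -perm 0600)" ]
}

# Two servers and one client (constructed names).
for host in server1 server2 client1; do
    gen_identity "$WORKDIR/$host" "$host.example.com"
done

# Servers trust the certificate of every server and every client ...
build_ca_bundle "$WORKDIR/server.ca" \
    "$WORKDIR/server1/glusterfs.pem" "$WORKDIR/server2/glusterfs.pem" \
    "$WORKDIR/client1/glusterfs.pem"
# ... while clients trust only the servers.
build_ca_bundle "$WORKDIR/client.ca" \
    "$WORKDIR/server1/glusterfs.pem" "$WORKDIR/server2/glusterfs.pem"

# Report what each bundle accepts. A client certificate checked against the
# client bundle is expected to fail: that is the asymmetry the text describes.
for pair in "server.ca client1" "server.ca server2" "client.ca server2" "client.ca client1"; do
    set -- $pair
    if trusted_by "$WORKDIR/$1" "$WORKDIR/$2/glusterfs.pem"; then
        echo "$1 trusts $2"
    else
        echo "$1 does NOT trust $2"
    fi
done
```

Run it as-is to see the four trust decisions printed; on real hosts you would copy each host's glusterfs.pem out, assemble the bundles centrally, and distribute server.ca to /etc/ssl/glusterfs.ca on the servers and client.ca to /etc/ssl/glusterfs.ca on the clients, never moving a glusterfs.key off the host that generated it.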