Chapter 22. Configuring Network Encryption in Red Hat Gluster Storage
- I/O encryption - encryption of the I/O connections between the Red Hat Gluster Storage clients and servers.
- Management encryption - encryption of the management (glusterd) connections within a trusted storage pool, and also between the ganesha/smb client and glusterd.
/etc/ssl/glusterfs.pem - Certificate file containing the system's uniquely signed TLS certificate. This file is unique for each system and must not be shared with others.
/etc/ssl/glusterfs.key - This file contains the system's unique private key. This file must not be shared with others, and should be readable only by root.
/etc/ssl/glusterfs.ca - This file contains the certificates of the Certificate Authorities (CAs) that signed the certificates. This file is not unique: it should be the same on all servers in the trusted storage pool, and all clients should share one file, which is not necessarily the same as the servers' file. Red Hat Gluster Storage does not use the global CA certificates that come with the system. The CA file on the servers must contain the certificates of the signing CA for all the servers and all the clients. The CA file on the clients must contain the certificates of the signing CA for all the servers. If self-signed certificates are being used, the CA file for the servers is a concatenation of the certificate files (/etc/ssl/glusterfs.pem) of every server and every client, and the client CA file is a concatenation of the certificate files of every server. Note that with self-signed certificates, adding a server or client to the pool means rebuilding and redistributing these bundles, since the new system's certificate is trusted only where it appears in the bundle.
/var/lib/glusterd/secure-access - This file enables encryption on the management (glusterd) connections: between the glusterd daemons of all servers, and between clients and glusterd. Clients use this connection to fetch volfiles, and glusterd uses it to notify the clients of volfile changes. The file is empty, and it is mandatory only if you configure management encryption. It must be present on all the servers and all the clients. On the clients it tells the mount command to use an encrypted connection when retrieving the volfiles.
- Generate a private key for each system:
openssl genrsa -out /etc/ssl/glusterfs.key 2048
Restrict the key file to root (for example, chmod 600 /etc/ssl/glusterfs.key); it must never leave the system it was generated on.
- Use the generated private key to create a self-signed certificate:
openssl req -new -x509 -key /etc/ssl/glusterfs.key -subj "/CN=COMMONNAME" -days 365 -out /etc/ssl/glusterfs.pem
If your organization has a common CA, the certificate can be signed by it instead. To do this, generate a certificate signing request (CSR):
openssl req -new -sha256 -key /etc/ssl/glusterfs.key -subj '/CN=<COMMONNAME>' -out glusterfs.csr
The common name in these commands can be a hostname, FQDN, IP address, et cetera. Give the generated glusterfs.csr file to the CA; the CA will return a .pem file containing the signed certificate. Place that signed certificate as /etc/ssl/glusterfs.pem.
By default, a certificate produced by openssl req -x509 is valid for 30 days. Use the -days option to set the validity period to suit your requirements; in the self-signed command above, the certificate is valid for 365 days (1 year). A CSR carries no validity period: when a common CA signs the request, the CA determines how long the issued certificate is valid.
- For self-signed certificates on servers, collect the .pem certificates of all clients and servers, that is, the /etc/ssl/glusterfs.pem file from every system. Concatenate the collected files into a single file and place it as /etc/ssl/glusterfs.ca on all the servers in the trusted storage pool. If you are using a common CA, collect the CA certificate file from the CA and place it as /etc/ssl/glusterfs.ca on all servers.
- For self-signed certificates on clients, collect the .pem certificates of the servers only, that is, the /etc/ssl/glusterfs.pem file from every server. Concatenate the collected files into a single file and place it as /etc/ssl/glusterfs.ca on all the clients. If you are using a common CA, collect the CA certificate file from the CA and place it as /etc/ssl/glusterfs.ca on all the clients.
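The following script is an added example, not part of the Red Hat documentation, that walks through the self-signed procedure above for a constructed pool of two servers (server1, server2) and one client (client1). It writes everything under a scratch directory instead of /etc/ssl and /var/lib/glusterd so it can be run offline on any host with openssl; the hostnames, directory layout and the secure-access placeholder are assumptions for illustration. It builds the two differently-scoped CA bundles by concatenation and then uses openssl verify to show which side trusts which certificate: a server's bundle validates a client certificate, a client's bundle validates a server certificate, and a client's bundle deliberately does not validate another client's certificate.

```shell
#!/bin/sh
# Added example (not Red Hat's code): build a self-signed Gluster TLS setup
# for a constructed pool in a scratch directory and check the trust bundles.
set -eu

# make_node DIR NAME: private key + self-signed certificate for one system.
# Mirrors: openssl genrsa ... / openssl req -new -x509 ... from the chapter.
make_node() {
    dir="$1"; name="$2"
    mkdir -p "$dir"
    openssl genrsa -out "$dir/glusterfs.key" 2048 2>/dev/null
    chmod 600 "$dir/glusterfs.key"            # key never leaves this system
    openssl req -new -x509 -key "$dir/glusterfs.key" \
        -subj "/CN=$name" -days 365 -out "$dir/glusterfs.pem" 2>/dev/null
    # Empty marker that would live at /var/lib/glusterd/secure-access;
    # created only to show management encryption needs it on every node.
    : > "$dir/secure-access"
}

# build_pool ROOT: servers server1 and server2, client client1 (assumed names).
# Returns 0 only if the bundles verify the way the chapter describes.
build_pool() {
    root="$1"
    for n in server1 server2 client1; do
        make_node "$root/$n" "$n"
    done
    # Server bundle: certificates of every server AND every client.
    cat "$root/server1/glusterfs.pem" "$root/server2/glusterfs.pem" \
        "$root/client1/glusterfs.pem" > "$root/server.ca"
    # Client bundle: certificates of every server only.
    cat "$root/server1/glusterfs.pem" "$root/server2/glusterfs.pem" \
        > "$root/client.ca"
    for n in server1 server2; do
        cp "$root/server.ca" "$root/$n/glusterfs.ca"
    done
    cp "$root/client.ca" "$root/client1/glusterfs.ca"
    # A server validates the client's certificate with the server bundle...
    openssl verify -CAfile "$root/server1/glusterfs.ca" \
        "$root/client1/glusterfs.pem" >/dev/null
    # ...and the client validates each server with the client bundle.
    openssl verify -CAfile "$root/client1/glusterfs.ca" \
        "$root/server1/glusterfs.pem" >/dev/null
    openssl verify -CAfile "$root/client1/glusterfs.ca" \
        "$root/server2/glusterfs.pem" >/dev/null
}

# client_trusts_client ROOT: expected to fail. The client bundle holds
# server certificates only, so another client's certificate is untrusted.
client_trusts_client() {
    openssl verify -CAfile "$1/client1/glusterfs.ca" \
        "$1/client1/glusterfs.pem" >/dev/null 2>&1
}

# Usage: sh this.sh /tmp/glusterpki   (builds the scratch pool there)
if [ $# -eq 1 ]; then
    build_pool "$1" && echo "bundles built under $1"
fi
```

On a real pool, each system keeps only its own glusterfs.key and glusterfs.pem, the servers receive the three-certificate bundle, the client receives the two-certificate bundle, and every system gets the empty secure-access file if management encryption is wanted. Adding a fourth system means regenerating and redistributing the affected bundle, which is the operational cost that a common CA removes.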