Chapter 23. Configuring Network Encryption in Red Hat Gluster Storage

Encryption is the process of converting data into an unreadable, coded format while it is transmitted on a network, so that unauthorized parties cannot read or use it.
Red Hat Gluster Storage supports network encryption using TLS/SSL. Red Hat Gluster Storage uses TLS/SSL for authentication and authorization, in place of the home-grown authentication framework used for normal connections. Red Hat Gluster Storage supports the following encryption types:
  • I/O encryption - encryption of the I/O connections between the Red Hat Gluster Storage clients and servers
  • Management encryption - encryption of the management (glusterd) connections within a trusted storage pool and also between the ganesha/smb client and glusterd.
The following files will be used in configuring the network encryption:
  • /etc/ssl/glusterfs.pem - Certificate file containing the system's uniquely signed TLS certificate. This file is unique for each system and must not be shared with others.
  • /etc/ssl/glusterfs.key - This file contains the system's unique private key. This file must not be shared with others.
  • /etc/ssl/glusterfs.ca - This file contains the certificates of the Certificate Authorities (CA) who have signed the certificates. This file is not unique and should be the same on all servers in the trusted storage pool. All the clients also should have the same file, but not necessarily the same one as the servers. Red Hat Gluster Storage does not use the global CA certificates that come with the system. The CA file on the servers should contain the certificates of the signing CA for all the servers and all the clients.
    The CA file on the clients must contain the certificates of the signing CA for all the servers. In case self-signed certificates are being used, the CA file for the servers is a concatenation of the certificate files /etc/ssl/glusterfs.pem of every server and every client. The client CA file is a concatenation of the certificate files of every server.
  • /var/lib/glusterd/secure-access - This file enables encryption of the management (glusterd) connections between the glusterd instances of all servers, and of the connections between clients and glusterd. glusterd on every server uses these connections to serve volfiles and to notify clients of volfile changes. The file is empty, and it is mandatory only if you configure management encryption; in that case it must be present on all the servers and all the clients. On the clients it is required to tell the mount command to use an encrypted connection when retrieving the volfiles.

23.1. Prerequisites

Before setting up the network encryption, you must first generate a private key and a signed certificate for each system and place them in the respective directories. You must generate a private key and a signed certificate for both clients and servers.
Perform the following to generate a private key and a signed certificate for both clients and servers:
  1. Generate a private key for each system.
    # openssl genrsa -out /etc/ssl/glusterfs.key 2048
  2. Use the generated private key to create a signed certificate by running the following command:
    # openssl req -new -x509 -key /etc/ssl/glusterfs.key -subj "/CN=COMMONNAME" -days 365 -out /etc/ssl/glusterfs.pem
    If your organization has a common CA, the certificate can be signed by it. To do this a certificate signing request (CSR) must be generated by running the following command:
    # openssl req -new -sha256 -key /etc/ssl/glusterfs.key -subj '/CN=<COMMONNAME>' -days 365 -out glusterfs.csr
    The common name in this command can be a hostname, FQDN, IP address, et cetera. The generated glusterfs.csr file should be given to the CA, and the CA will provide a .pem file containing the signed certificate. Place that signed glusterfs.pem file in the /etc/ssl/ directory.
    By default, the SSL certificate expires after 30 days. You can use the -days option to specify the validity of the certificate based on your requirement. In the above command, the certificate is valid for 365 days (1 year).
    1. For self-signed CA certificates on servers, collect the .pem certificates of clients and servers, that is, the /etc/ssl/glusterfs.pem files from every system. Concatenate the collected files into a single file. Place this file in /etc/ssl/glusterfs.ca on all the servers in the trusted storage pool. If you are using a common CA, collect the certificate file from the CA and place it in /etc/ssl/glusterfs.ca on all servers.
    2. For self-signed CA certificates on clients, collect the .pem certificates of servers, that is, the /etc/ssl/glusterfs.pem files from every server. Concatenate the collected files into a single file. Place this file in /etc/ssl/glusterfs.ca on all the clients. If you are using a common CA, collect the certificate file from the CA and place it in /etc/ssl/glusterfs.ca on all servers.
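    As an added example that is not part of the Red Hat documentation, the following POSIX shell script walks through the self-signed case above for a constructed pool of two servers and one client: it generates each system's glusterfs.key and glusterfs.pem, builds the server bundle (every certificate) and the client bundle (server certificates only), and checks the result with openssl before anything is copied into /etc/ssl/glusterfs.ca. It assumes openssl is installed and works in a scratch directory ($WORK) rather than /etc/ssl.

```shell
#!/bin/sh
# Added example: build and check the two glusterfs.ca bundles for self-signed
# certificates. Assumes openssl is on PATH. $WORK stands in for /etc/ssl.
set -e
WORK="${WORK:-$(mktemp -d)}"

# gen_node NAME: steps 1 and 2 of the prerequisites for one system (CN = NAME)
gen_node() {
    mkdir -p "$WORK/$1"
    openssl genrsa -out "$WORK/$1/glusterfs.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/$1/glusterfs.key" \
        -subj "/CN=$1" -days 365 -out "$WORK/$1/glusterfs.pem" 2>/dev/null
}

# key_matches_cert NAME: the key and certificate of NAME must share a modulus;
# a mismatch here means the wrong file was copied into place.
key_matches_cert() {
    k=$(openssl rsa -in "$WORK/$1/glusterfs.key" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$WORK/$1/glusterfs.pem" -noout -modulus)
    [ "$k" = "$c" ]
}

# build_bundle OUT NAME...: concatenate the glusterfs.pem files of the named
# systems into OUT (the future glusterfs.ca).
build_bundle() {
    out="$1"; shift
    : > "$out"
    for n in "$@"; do cat "$WORK/$n/glusterfs.pem" >> "$out"; done
}

# verify_against BUNDLE NAME: succeeds only if BUNDLE trusts NAME's certificate
verify_against() {
    openssl verify -CAfile "$1" "$WORK/$2/glusterfs.pem" >/dev/null 2>&1
}

# Constructed sample pool: two servers and one client
for n in server1 server2 client1; do gen_node "$n"; done
# Server bundle (step 1 above): all servers and all clients
build_bundle "$WORK/server.ca" server1 server2 client1
# Client bundle (step 2 above): servers only
build_bundle "$WORK/client.ca" server1 server2
```

    Before installing a bundle as /etc/ssl/glusterfs.ca, run verify_against for every certificate that system is expected to trust; a failure usually means a .pem file was left out of the concatenation.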