23.3. Configuring Network Encryption for an existing Trusted Storage Pool

Follow this section to configure I/O and management encryption for an existing Red Hat Gluster Storage Trusted Storage Pool.

23.3.1. Enabling I/O Encryption

Follow this section to enable I/O encryption between servers and clients.

Procedure 23.6. Enabling I/O encryption

  1. Unmount the volume from all clients

    Unmount the volume by running the following command on all clients.
    # umount mountpoint
  2. Stop the volume

    Stop the volume by running the following command from any server.
    # gluster volume stop VOLNAME
  3. Specify servers and clients to allow

    Provide a list of the common names of servers and clients that are allowed to access the volume. The common names provided must be exactly the same as the common name specified when you created the glusterfs.pem file for that server or client.
    # gluster volume set volname auth.ssl-allow 'server1,server2,client1,client2,client3'
    This provides an additional check in case you want to leave keys in place, but temporarily restrict a client or server by removing it from this list, as shown in Section 23.7, “Deauthorizing a Client”.
    You can also use the default value of *, which indicates that any TLS authenticated machine can mount and access the volume.
  4. Enable TLS/SSL encryption on the volume

    Run the following command from any server to enable TLS/SSL encryption.
    # gluster volume set volname client.ssl on
    # gluster volume set volname server.ssl on
  5. Start the volume

    # gluster volume start volname
  6. Verify

    Verify that the volume can be mounted only on authorized clients. The process for mounting a volume depends on the protocol your client is using.
    The following command mounts a volume using the native FUSE protocol. Ensure that this command works on authorized clients, and does not work on unauthorized clients.
    # mount -t glusterfs server1:/testvolume /mnt/glusterfs