22.2. Configuring Network Encryption for a New Trusted Storage Pool

Procedure 22.3. Enabling management encryption on servers

1. Create and edit the secure-access file

   Create a new /var/lib/glusterd/secure-access file. This file can be empty if you are using the default settings.

   # touch /var/lib/glusterd/secure-access

   Your Certificate Authority may require changes to the SSL certificate depth setting, transport.socket.ssl-cert-depth, in order to work correctly. To edit this setting, add the following line to the secure-access file, replacing n with the certificate depth required by your Certificate Authority.

   echo "option transport.socket.ssl-cert-depth n" > /var/lib/glusterd/secure-access

2. Start glusterd

   On Red Hat Enterprise Linux 7 based servers, run:

   # systemctl start glusterd

   On Red Hat Enterprise Linux 6 based servers, run:

   # service glusterd start

3. Continue storage configuration

   Proceed with the normal configuration process by setting up the trusted storage pool, formatting bricks, and creating volumes. For more information, see Chapter 4, Adding Servers to the Trusted Storage Pool and Chapter 5, Setting Up Storage Volumes.

Procedure 22.4. Enabling management encryption on clients

1. Create and edit the secure-access file

   Create the /var/lib/glusterd directory, and create a new /var/lib/glusterd/secure-access file. This file can be empty if you are using the default settings.

   # touch /var/lib/glusterd/secure-access

   Your Certificate Authority may require changes to the SSL certificate depth setting, transport.socket.ssl-cert-depth, in order to work correctly. To edit this setting, add the following line to the secure-access file, replacing n with the certificate depth required by your Certificate Authority.

   echo "option transport.socket.ssl-cert-depth n" > /var/lib/glusterd/secure-access

2. Start the volume

   On the server, start the volume.

   # gluster volume start volname

3. Mount the volume

   The process for mounting a volume depends on the protocol your client is using. The following command mounts a volume called testvol using the native FUSE protocol.

   # mount -t glusterfs server1:testvol /mnt/glusterfs

Procedure 22.5. Enabling I/O encryption

1. Specify servers and clients to allow

   Provide a list of the common names of servers and clients that are allowed to access the volume. The common names provided must be exactly the same as the common name specified when you created the glusterfs.pem file for that server or client.

   # gluster volume set volname auth.ssl-allow 'server1,server2,client1,client2,client3'

   This provides an additional check in case you want to leave keys in place, but temporarily restrict a client or server by removing it from this list, as shown in Section 22.7, “Deauthorizing a Client”.
   You can also use the default value of *, which indicates that any TLS authenticated machine can mount and access the volume.

2. Enable TLS/SSL on the volume

   # gluster volume set volname client.ssl on
   # gluster volume set volname server.ssl on

3. Start the volume

   # gluster volume start volname

4. Verify

   Verify that the volume can be mounted on authorized clients, and that the volume cannot be mounted by unauthorized clients. The process for mounting a volume depends on the protocol your client is using.
   The process for mounting a volume depends on the protocol your client is using. The following command mounts a volume called testvol using the native FUSE protocol.

   # mount -t glusterfs server1:testvol /mnt/glusterfs