Chapter 5. TLS Encryption Configuration

Red Hat Gluster Storage Web Administration supports etcd’s TLS-based security model, which provides authentication and encryption of the traffic between etcd and the Web Administration system components.

By default, etcd runs without authentication or encryption; it is recommended to enable TLS authentication so that client-server traffic is encrypted.

5.1. Prerequisites

The tendrl-ansible installation of Web Administration does not generate or deploy encryption certificates and keys. To configure etcd TLS client-server authentication, generate and deploy the encryption certificates on all nodes of the cluster before running the tendrl-ansible based Web Administration installation.

Before setting up Transport Layer Security (TLS) encryption, ensure the following encryption components have been generated:

Certificate Authority (CA) Certificate

Generate a CA certificate, either self-signed or signed by a trusted Certificate Authority (CA). For instructions on generating a CA certificate, see the Creating Your Own Certificates section of the Red Hat AMQ Security Guide.

Private Keys

Generate a private key and a client certificate for each storage node and for the Web Administration server. For more information, see the Creating and Managing Encryption Keys section of the Red Hat Enterprise Linux Security Guide. On each Web Administration managed storage node, and on the Web Administration server, place the PEM-encoded private key and the client and CA certificates in a secure location that is accessible only by the root user.

5.2. Configuring TLS Encryption

After generating the TLS certificate files and placing them in the preferred directory, update the values of the Ansible variables in the site.yml file with the paths of the respective certificate files.

In the site.yml file, add and modify the following etcd TLS variables:

etcd_tls_client_auth: enables or disables TLS authentication.

etcd_cert_file: the certificate used for SSL/TLS connections to etcd. When this option is turned on, advertise-client-urls can use the HTTPS scheme.

etcd_key_file: the private key for the certificate; it must be unencrypted.

etcd_trusted_ca_file: the trusted Certificate Authority certificate.

Configuring TLS

  1. Open the site.yml playbook file.
  2. Set the value for etcd_tls_client_auth variable to True for both the Ansible roles: tendrl_server and gluster_servers. By default, the value of this variable is False.
  3. Edit the file path for the etcd_cert_file variable as required. The default value is: /etc/pki/tls/certs/etcd.crt
  4. Edit the file path for the etcd_key_file variable as required. The default value is: /etc/pki/tls/private/etcd.key
  5. Edit the file path for the etcd_trusted_ca_file variable as required. The default value is: /etc/pki/tls/certs/ca-etcd.crt
  6. Continue the Web Administration installation process by following the Web Administration Installation chapter.
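The following pre-flight script is an added example and is not part of this guide or of tendrl-ansible. Before running the playbook, it checks on a node that the three files referenced by etcd_cert_file, etcd_key_file and etcd_trusted_ca_file are present, that the key is unencrypted and not readable by group or others, that the certificate and key are a matching pair, and that the certificate validates against the trusted CA; the function name check_etcd_tls is an assumption, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added pre-flight check for the etcd TLS files (not part of the Red Hat guide or tendrl-ansible).
# Usage: check_etcd_tls <etcd_cert_file> <etcd_key_file> <etcd_trusted_ca_file>
# Returns 0 when every check passes, 1 (with a reason on stdout) otherwise.
check_etcd_tls() {
  cert=$1; key=$2; ca=$3
  for f in "$cert" "$key" "$ca"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
  done
  # etcd_key_file must be unencrypted: an encrypted PEM key carries an ENCRYPTED marker
  # either in its BEGIN line or in a "Proc-Type: 4,ENCRYPTED" header.
  if grep -q "ENCRYPTED" "$key"; then
    echo "key is encrypted: $key"; return 1
  fi
  # the key must not be readable by group or others (columns 5-10 of ls -l)
  perm=$(ls -l "$key" | cut -c5-10)
  if [ "$perm" != "------" ]; then
    echo "key permissions too permissive ($perm): $key"; return 1
  fi
  # the certificate and the key must be a pair: compare their public keys
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "certificate and key do not match"; return 1
  fi
  # the certificate must chain to etcd_trusted_ca_file
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "certificate is not signed by the trusted CA"; return 1
  fi
  echo "etcd TLS files OK"
  return 0
}

# When invoked directly with --defaults, check the default paths from the procedure above.
if [ "${1:-}" = "--defaults" ]; then
  check_etcd_tls /etc/pki/tls/certs/etcd.crt /etc/pki/tls/private/etcd.key /etc/pki/tls/certs/ca-etcd.crt
fi
```

Run it on every storage node and on the Web Administration server with the paths you set in site.yml; a non-zero exit means the playbook would deploy a configuration that etcd or its clients will reject.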