20.3. Configuring Network Encryption for an existing Trusted Storage Pool
20.3.1. Enabling I/O Encryption
Procedure 20.6. Enabling I/O encryption
Unmount the volume from all clientsUnmount the volume by running the following command on all clients.
# umount mountpoint
Stop the volumeStop the volume by running the following command from any server.
# gluster volume stop VOLNAME
Specify servers and clients to allowProvide a list of the common names of servers and clients that are allowed to access the volume. The common names provided must be exactly the same as the common name specified when you created the
glusterfs.pemfile for that server or client.
# gluster volume set volname auth.ssl-allow 'server1,server2,client1,client2,client3'This provides an additional check in case you want to leave keys in place, but temporarily restrict a client or server by removing it from this list, as shown in Section 20.7, “Deauthorizing a Client”.You can also use the default value of
*, which indicates that any TLS authenticated machine can mount and access the volume.
Enable TLS/SSL encryption on the volumeRun the following command from any server to enable TLS/SSL encryption.
# gluster volume set volname client.ssl on # gluster volume set volname server.ssl on
Start the volume
# gluster volume start volname
VerifyVerify that the volume can be mounted only on authorized clients. The process for mounting a volume depends on the protocol your client is using.The following command mounts a volume using the native FUSE protocol. Ensure that this command works on authorized clients, and does not work on unauthorized clients.
# mount -t glusterfs server1:/testvolume /mnt/glusterfs