Size: 1847
Comment:
|
Size: 1536
Comment:
|
Deletions are marked like this. | Additions are marked like this. |
Line 1: | Line 1: |
= GlusterFS Encryption = | = GlusterFS Server Encryption = |
Line 5: | Line 6: |
Make an encryption key and make sure to set the `CN` to match the name of the host. Repeat this on the client and on each of the servers. | Make an encryption key and make sure to set the `CN` to match the name of the client/server. Repeat this on all the servers and the client. === Server === |
Line 7: | Line 10: |
mkdir /etc/ssl/glusterfs cd /etc/ssl/glusterfs openssl genrsa -out gluster01.key 2048 openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem |
cd /etc/ssl openssl genrsa -out glusterfs.key 2048 openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster01" -out glusterfs.pem }}} === Client === {{{ cd /etc/ssl openssl genrsa -out glusterfs.key 2048 openssl req -new -x509 -key glusterfs.key -subj "/CN=glusterclient01" -out glusterfs.pem |
Line 14: | Line 23: |
compile all the certificates in one place and concatename them into two files. glusterfs.ca and glusterfs-client.ca. | Compile all the certificates in one place and concatenate them into `/etc/ssl/glusterfs.ca`. Notice that this will also include the certificates from the client. |
Line 17: | Line 27: |
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs-client.ca | |
Line 20: | Line 29: |
Copy the certificate authority to all the servers and place it in `/etc/ssl/glusterfs.ca` | |
Line 21: | Line 31: |
== Activate Encryption == When this file exists the glusterfs server will use the new certificates |
|
Line 22: | Line 34: |
# create the server keys openssl genrsa -out gluster01.key 2048 openssl genrsa -out gluster02.key 2048 openssl genrsa -out gluster03.key 2048 openssl genrsa -out gluster04.key 2048 # sign the server certificates openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem openssl req -new -x509 -key gluster02.key -subj "/CN=gluster02" -out gluster02.pem openssl req -new -x509 -key gluster03.key -subj "/CN=gluster03" -out gluster03.pem openssl req -new -x509 -key gluster04.key -subj "/CN=gluster04" -out gluster04.pem # create the client keys openssl genrsa -out glusterclient01.key 2048 # sign the client certificates openssl req -new -x509 -key glusterclient01.key -subj "/CN=glusterclient01" -out glusterclient01.pem # server certificates authorities cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem > glusterfs.ca # client certificates authorities cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs-client.ca |
touch /var/lib/glusterd/secure-access |
Line 41: | Line 36: |
== Enable Encryption == On one of the servers encryption is enabled {{{ gluster volume set www client.ssl on gluster volume set www server.ssl on }}} == Allow Only Specific Hosts == We allow only access from known hosts {{{ gluster volume set www auth.ssl-allow 'gluster01,gluster02,gluster03,gluster04,glusterclient01' }}} |
GlusterFS Server Encryption
The default GlusterFS setup does not encrypt its communication. Use the method below enable encryption.
Keys and Certificates
Make an encryption key and make sure to set the CN to match the name of the client/server. Repeat this on all the servers and the client.
Server
cd /etc/ssl openssl genrsa -out glusterfs.key 2048 openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster01" -out glusterfs.pem
Client
cd /etc/ssl openssl genrsa -out glusterfs.key 2048 openssl req -new -x509 -key glusterfs.key -subj "/CN=glusterclient01" -out glusterfs.pem
Certificate Authorities
Compile all the certificates in one place and concatenate them into /etc/ssl/glusterfs.ca. Notice that this will also include the certificates from the client.
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem > glusterfs.ca
Copy the certificate authority to all the servers and place it in /etc/ssl/glusterfs.ca
Activate Encryption
When this file exists the glusterfs server will use the new certificates
touch /var/lib/glusterd/secure-access
Enable Encryption
On one of the servers encryption is enabled
gluster volume set www client.ssl on gluster volume set www server.ssl on
Allow Only Specific Hosts
We allow only access from known hosts
gluster volume set www auth.ssl-allow 'gluster01,gluster02,gluster03,gluster04,glusterclient01'