|
Size: 2056
Comment:
|
Size: 1049
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| = GlusterFS Encryption = | = GlusterFS Server Encryption = The default GlusterFS setup does not encrypt its communication. Use the method below enable encryption. |
| Line 3: | Line 4: |
{{{#!highlight bash #!/bin/sh if [ ! -e /etc/ssl/glusterfs ] then mkdir -p /etc/ssl/glusterfs fi cd /etc/ssl/glusterfs # create the server keys openssl genrsa -out gluster01.key 2048 openssl genrsa -out gluster02.key 2048 openssl genrsa -out gluster03.key 2048 openssl genrsa -out gluster04.key 2048 # sign the server certificates openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem openssl req -new -x509 -key gluster02.key -subj "/CN=gluster02" -out gluster02.pem openssl req -new -x509 -key gluster03.key -subj "/CN=gluster03" -out gluster03.pem openssl req -new -x509 -key gluster04.key -subj "/CN=gluster04" -out gluster04.pem # create the client keys openssl genrsa -out glusterclient01.key 2048 # sign the client certificates openssl req -new -x509 -key glusterclient01.key -subj "/CN=glusterclient01" -out glusterclient01.pem # server certificates authorities cat gluster01.key gluster02.key gluster03.key gluster04.key glusterclient01.pem > glusterfs.ca # client certificates authorities cat gluster01.key gluster02.key gluster03.key gluster04.key > glusterfs-client.ca }}} == Keys == On each of the Glusterfs servers and clients run. |
== Keys and Certificates == Make an encryption key and make sure to set the `CN` to match the name of the host. Repeat this on the client and on each of the servers. |
| Line 41: | Line 7: |
| mkdir /etc/ssl/glusterfs cd /etc/ssl/glusterfs |
cd /etc/ssl |
| Line 44: | Line 9: |
| }}} == Certificates == Now sign certificates using those keys. Replace the `CN` so it matches the host you are siging the certificate for. {{{ |
|
| Line 52: | Line 12: |
| == Compile == | == Certificate Authorities == |
| Line 54: | Line 14: |
| Compile all the certificates into one large file | === Server === Compile all the certificates in one place and concatenate them into one file `glusterfs.ca` {{{ cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem > glusterfs.ca cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs-client.ca }}} === Client === and `glusterfs-client.ca`. Copy `glusterfs.ca` to `/etc/ssl/glusterfs.ca` on all servers. Copy `glusterfs-client.ca` to `/etc/ssl/glusterfs.ca` on the client. == Activate Encryption == |
| Line 56: | Line 28: |
| scp gluster01:/etc/ssl/glusterfs/gluster.pem gluster01.pem scp gluster02:/etc/ssl/glusterfs/gluster.pem gluster02.pem scp gluster03:/etc/ssl/glusterfs/gluster.pem gluster03.pem scp gluster04:/etc/ssl/glusterfs/gluster.pem gluster04.pem scp glusterclient01:/etc/ssl/glusterfs/gluster.pem glusterclient01.pem cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs.ca |
touch /var/lib/glusterd/secure-access |
GlusterFS Server Encryption
The default GlusterFS setup does not encrypt its communication. Use the method below enable encryption.
Keys and Certificates
Make an encryption key and make sure to set the CN to match the name of the host. Repeat this on the client and on each of the servers.
cd /etc/ssl openssl genrsa -out glusterfs.key 2048 openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster01" -out glusterfs.pem
Certificate Authorities
Server
Compile all the certificates in one place and concatenate them into one file glusterfs.ca
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem > glusterfs.ca cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs-client.ca
Client
and glusterfs-client.ca.
Copy glusterfs.ca to /etc/ssl/glusterfs.ca on all servers. Copy glusterfs-client.ca to /etc/ssl/glusterfs.ca on the client.
Activate Encryption
touch /var/lib/glusterd/secure-access