Secure replication for HA RDQM

You can specify that replication links in your HA RDQM configuration are secured with TLS.

When you create a high availability (HA) queue manager in an RDQM configuration, you can specify that the links used to replicate data between the queue manager instances are secured with TLS.

To configure secure replication, complete the following steps:

Configure the required certificates.
Configure the tlshd service.
Specify the -re option when creating a new queue manager using crtmqm.

Complete the first two steps once per node. The certificates and tlshd configuration are shared by all RDQM queue managers on the node that are configured to use secure replication links.

The TLS protocols and cipher suites that can be used by the RDQM secure replication links are controlled by the active system-wide cryptographic policy. Use the Linux® update-crypto-policies command to change the current active policy.

Configuring certificates

You must configure the certificates to be used by the replication links. The certificates that you create for each node can be used by any replication links. If you have more than one RDQM queue manager on a node that uses secure replication links, the same certificate is used.

Note: If any queue manager that runs on a node might ever be part of a DR/HA configuration, then a Subject Alternative Name (SAN) must be specified when the certificates are created. For more information, see Secure replication for DR/HA RDQM.

To use secure replication links in a RDQM HA configuration you need three certificates, one certificate per node in the RDQM HA group.

To configure your certificates complete the following steps for each node in your RDQM configuration:

Use the following command to generate a private key:
```
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out key_file
```
where key_file is the name of the file that is created to store the private key.
Use the following command to create a certificate signing request:
```
openssl req -key key_file -subj "/CN=hostname" -new -out cert_req_file
```
where key_file is the file that contains the private key that you created in step 1, hostname is the hostname of the node, and cert_req_file is the file that is created to store the certificate signing request.
Set the certificate Common Name (CN) to the hostname of the RDQM node.

You can also specify a CN that differs from the RDQM node hostname. If you do so, ensure that the certificate is created with a Subject Alternative Name (SAN) that contains the RDQM node hostname.
Send the certificate signing request to your certificate authority (CA) to be signed. When you receive the signed certificate from the CA, copy the private key, signed certificate, and CA certificate files to the directory where you want to store these files. For example, the /etc/drbd.d/ directory.
Set the file permissions and ownership of the private key and certificate files to ensure that only the root user can view the private keys.
- Change the ownership of the private key and certificate file to the root user.
- Set the permissions on the private key file so that only the root user has read and write access.

The following example script creates an internal certificate authority and three certificates for use in a RDQM HA configuration.

Important: This example is not suitable for a production environment, and is intended only as an example to set up a test environment quickly. Certificate management is a complex subject for advanced users. For production, you must consider things like rotation, revocation, key length, and much more.

Run the following script on one of the nodes:

#!/bin/bash

# The CA name
ca_name="RDQM Test CA"

# The CA filename
ca_filename="rdqm_test_ca"

# Host certificates to generate
test_hosts=("alice" "bob" "charlie")

mkdir certificates && cd ./certificates

# Create private key for use with private CA using OpenSSL
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
-out $ca_filename.key

# Create a private CA certificate using OpenSSL
openssl req -key $ca_filename.key -new -x509 -days 3650 -subj "/CN=$ca_name" \
-out $ca_filename.crt

# Create certificates for each node
for host in ${test_hosts[@]}; do

    # Create a private key
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
    -out $host.key

    # Generate a CSR
    openssl req -key $host.key -subj "/CN=$host" -new -out $host.csr

    # Create a valid certificate signed by the private CA
    openssl x509 -req -in $host.csr -CA $ca_filename.crt \
    -CAkey $ca_filename.key -CAcreateserial -days 365 -out $host.crt

    # Remove sequential serial number
    rm -f $ca_filename.srl

    # Remove CSR
    rm -f $host.csr

done

The example generates the following files in the certificates directory:

rdqm_test_ca.crt
rdqm_test_ca.key
alice.crt
alice.key
bob.crt
bob.key
charlie.crt
charlie.key

Deploy the certificates by completing the following steps:

Copy the CA certificate (rdqm_test_ca.crt) to each node’s /etc/drbd.d/ directory. (These are example paths, you can choose another location if required.)
Copy each node’s certificate (.crt file) and private key (.key file) to /etc/drbd.d/. (These are example paths, you can choose another location if required.)
Change file permissions and ownership for the private keys and certificate on each node. This ensures that only the root user can view the contents of the private keys:
```
chmod 600 /etc/drbd.d/*.key
chown root:root /etc/drbd.d/*.key 
chown root:root /etc/drbd.d/*.crt
```
Store the certificate authority's private key in a secure location.

Configuring the tlshd service

This tlshd service needs to be configured and then enabled and started, before any DRBD TLS handshakes can be completed. The tlshd service is provided in a package that is installed with the drbd-utils-9 packages.

The configuration file for this service is /etc/tlshd.conf and the initial contents are:

[debug]
loglevel=0
tls=0
nl=0

[authenticate]
#keyrings= <keyring>;<keyring>;<keyring>

[authenticate.client]
#x509.truststore= <pathname>
#x509.certificate= <pathname>
#x509.private_key= <pathname>

[authenticate.server]
#x509.truststore= <pathname>
#x509.certificate= <pathname>
#x509.private_key= <pathname>

Before enabling and starting the tlshd service, you must specify values for the following properties in both the authenticate.client and authenticate.server sections (DRBD can establish its connections in either direction, unless there is a firewall blocking one direction):

x509.truststore: The path to the file that contains the certificate of the CA that signed the certificates used by the RDQM nodes. If a complex trust chain is required, it must be captured in a single file.
x509.certificate: The path to the file that contains the CA-signed certificate for the RDQM node.
x509.private_key: The path to the file that contains the private key for the RDQM node. The file must be owned by root and read/write permissions must be granted to only the root user.

The paths that are specified in these properties must all identify local files.

You can also optionally specify a certificate revocation list (CRL). You must set this in both the authenticate.client and authenticate.server sections:

x509.crl: The path to a file containing PEM-encoded certificate revocation lists (CRL) that are to be used to verify the revocation status of certificates during each handshake. If this option is not specified, CRL checking is skipped.

If you created the certificates using the example script in Configuring certificates, then you would configure the file as follows for server alice:

[authenticate.client]
x509.truststore=/etc/drbd.d/rdqm_test_ca.crt
x509.certificate=/etc/drbd.d/alice.crt
x509.private_key=/etc/drbd.d/alice.key

[authenticate.server]
x509.truststore=/etc/drbd.d/rdqm_test_ca.crt
x509.certificate=/etc/drbd.d/alice.crt
x509.private_key=/etc/drbd.d/alice.key

Before you enable the service for the first time, enter the following command:

systemctl daemon-reload

To start the tlshd service, enter the following command:

systemctl enable --now tlshd

Creating the HA RDQM

You create an HA queue manager with secure replication links by using the crtmqm command with the -re option, for example:

crtmqm -sx -re HAqm

The command attempts to use SSH to connect to the other nodes in the cluster as the mqm user. If connection is successful, the secondary instances of the queue manager are created on the other nodes, and these secondary instances also use secure replication links.

Use the rdqmstatus command to confirm that the replication links are secured with TLS. For more information, see Viewing HA RDQM and HA group status.

For more information about creating an HA RDQM, see Creating an HA RDQM.