Enabling secure communication between RSA and the RSA client for grid synchronization
You can enable secure TLS communication between the EGO repository server agent (RSA) and the RSA client (for gridsync commands) by editing the rsa.xml file on the primary and primary candidate hosts within your cluster.
Before you begin
- IBM® Spectrum Symphony supports
TLS communication between RSA and the RSA client for Linux® hosts, Windows
hosts, or a combination (that is, a mixed operating system cluster of Linux and Windows hosts).
For a single operating system cluster, set the CERTIFICATE, PRIVATE_KEY, and CAFILE subparameters.
For a mixed operating system cluster, additionally set the CERTIFICATE_WIN, PRIVATE_KEY_WIN, and CAFILE_WIN subparameters. For Windows hosts, binaries first use the values of the CERTIFICATE_WIN, PRIVATE_KEY_WIN, and CAFILE_WIN subparameters, and if not defined, then use the CERTIFICATE, PRIVATE_KEY, and CAFILE subparameter values.
- Within IBM Spectrum Symphony, the
RSA client includes:
- Command line interface for gridsync.
- RESTful API for gridsync.
- Cluster management console pages that involve package operations.
- The session director (SD).
- This topic shows adding the GS_AGENT_TRANSPORT and GS_AGENT_TRANSPORT_ARG settings to configure TLS connections between the RSA and the RSA client. Ensure you configure both settings (for example, if you configure only the GS_AGENT_TRANSPORT setting, this enables TLS on the client side; the client will not verify certificates on the server side).
Procedure
What to do next
- Verify that your certificate was issued by a specific CA. For
example:
$ openssl verify -CAfile cacert.pem user.pem user.pem: OK
- Check that the CERTIFICATE (or CERTIFICATE_WIN), PRIVATE_KEY (or PRIVATE_KEY_WIN), and CAFILE (or CAFILE_WIN) settings exist in the ego.conf file.
- When
SERVER_AUTH is set to HOST, check that the server
certificate's CN (used when generating the certificate) is same as the server's host name.
When SERVER_AUTH is set to {string}, check that the server certificate's CN (used when generating the certificate) is same as the defined string used for the corresponding daemon.
When SERVER_AUTH is set to HOST_CN_DNS, check that the server certificate's DNS (defined in the subject alternative name), or the CN (used when generating the certificate), is the same as the server's host name.
- Check that the CIPHER setting is a supported cipher, and the cipher specified for server and client match.
- If you see a No permission to access this page error while accessing cluster management console, ensure that you are accessing the console using the URL provided when you run the egosh client view GUIURL_1 command. within the
- Ensure the GS_AGENT_TRANSPORT setting is set to TCPIPv4SSL.
- Check the value of the GS_AGENT_TRANSPORT_ARG setting is
$EGO_DEFAULT_TS_PARAMS, or in this
format:
SSL[CERTIFICATE=$HOME/security/user.pem,CIPHER=ECDHE-ECDSA-AES256-GCM-SHA384,PRIVATE_KEY=$HOME/security/user.key]
- If all the aforementioned configurations are correct, refer to the $EGO_TOP/eservice/rsa/log/rsa.host_name.log (Linux) or %EGO_TOP%\eservice\rsa\log\rsa.host_name.log (Windows) file for additional troubleshooting.