Node identities
Node identities consist of X.509 Transport Layer Security (TLS) certificates and private key pairs. The administration daemon replaces the SSH daemon (sshd) for remote communication. To support secure communication between administration daemons, node identities are required on each node for TLS connections. All communication between administration daemons is encrypted over TLS.
Each node that joins the cluster must import its own identity. All nodes can use the same identity, but it is recommended to configure a unique identity for each node.
Creating a node certificate
- Create a directory (tls) in the home folder and navigate to that directory for storing certificate files.
  mkdir -p ~/tls
  cd ~/tls
- Generate a private key (ca.key) for the certificate authority (CA).
  openssl ecparam -name prime256v1 -genkey -noout -out ca.key
- Create a self-signed root CA certificate (ca.crt) to sign the node certificates as a trusted root.
  openssl req -new -x509 -sha256 -key ca.key -out ca.crt -subj "/C=US/ST=Arizona/L=Tucson/O=XXX/CN=`hostname`" -days 10000
  The -subj option sets the following certificate details:
  - C - Country
  - ST - State
  - L - Location
  - O - Organization
  - CN - Common Name
- Generate a private key (server.key) for the node.
  openssl ecparam -name prime256v1 -genkey -noout -out server.key
- Generate a Certificate Signing Request (CSR) (server.csr) for the node with the private key of the node.
  openssl req -new -sha256 -key server.key -out server.csr -subj "/C=US/ST=Arizona/L=Tucson/O=XXX/CN=<cluster name>"
- Generate a signed node certificate (server.pem) with the self-signed CA certificate (ca.crt).
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.pem -days 10000 -sha256
- Verify the signed node certificate (server.pem) with the self-signed CA certificate (ca.crt).
  openssl verify -CAfile ca.crt server.pem
  A successful output is as follows:
  server.pem: OK
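The following script is an added example and is not part of the IBM Storage Scale documentation. It runs the procedure above end to end for more than one node, giving each node its own CN as the text recommends, and before printing the import command it performs the checks an operator wants on a node identity: the certificate verifies against ca.crt (the documented step), the private key actually belongs to the certificate, and the subject names the intended node. It assumes openssl is on PATH; the subject fields, the CA name "example-ca", the node names node1 and node2, and the working directory argument are constructed sample values. The scalectl command it prints is the one documented on this page but is only displayed, not executed.

```shell
#!/bin/sh
# Added example, not part of the IBM Storage Scale documentation.
# Assumes openssl is on PATH; subject fields, "example-ca" and node names
# are constructed sample values.
set -eu

SUBJ_BASE="/C=US/ST=Arizona/L=Tucson/O=XXX"

# make_ca DIR : one CA key pair and self-signed root certificate per cluster
make_ca() {
    dir="$1"
    mkdir -p "$dir"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
    openssl req -new -x509 -sha256 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "$SUBJ_BASE/CN=example-ca" -days 10000
}

# make_node_identity DIR NODE : per-node key, CSR and CA-signed certificate;
# each node gets its own CN so that node identities stay unique
make_node_identity() {
    dir="$1"
    node="$2"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$node.key"
    openssl req -new -sha256 -key "$dir/$node.key" -out "$dir/$node.csr" \
        -subj "$SUBJ_BASE/CN=$node"
    openssl x509 -req -in "$dir/$node.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/$node.pem" -days 10000 -sha256
}

# pubkey_fingerprint FILE {key|cert} : SHA-256 of the DER-encoded public key,
# computed the same way for a private key file and for a certificate
pubkey_fingerprint() {
    { if [ "$2" = key ]; then
          openssl pkey -in "$1" -pubout -outform DER
      else
          openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER
      fi; } | openssl dgst -sha256 | awk '{print $NF}'
}

# verify_node_identity DIR NODE : checks to run before importing an identity.
# Prints "ok" on success, returns 1 on the first failed check.
verify_node_identity() {
    dir="$1"
    node="$2"
    # 1. chain check, as in the documented verification step
    openssl verify -CAfile "$dir/ca.crt" "$dir/$node.pem" >/dev/null || return 1
    # 2. the private key about to be imported must belong to this certificate
    [ "$(pubkey_fingerprint "$dir/$node.key" key)" = \
      "$(pubkey_fingerprint "$dir/$node.pem" cert)" ] || return 1
    # 3. the subject must name the intended node (RFC2253 puts CN first)
    openssl x509 -in "$dir/$node.pem" -noout -subject -nameopt RFC2253 \
        | grep -q "CN=$node," || return 1
    echo ok
}

# main [DIR] : build a CA and two node identities, verify each, and show the
# import command from the documentation (displayed only, not executed)
main() {
    work="${1:-$HOME/tls}"
    make_ca "$work"
    for node in node1 node2; do
        make_node_identity "$work" "$node"
        verify_node_identity "$work" "$node"
        printf 'scalectl node config set --cert %s --key %s --chain %s\n' \
            "$work/$node.pem" "$work/$node.key" "$work/ca.crt"
    done
}

if [ $# -gt 0 ]; then
    main "$1"
fi
```

Run it as `sh node-identity.sh /tmp/tls` (any writable directory). The key-to-certificate fingerprint comparison is the check that catches the most common mistake when several node identities are handled from one directory: passing one node's server.key with another node's server.pem to scalectl, which the chain verification alone does not detect.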
Importing node identities
Node identities are required to support mutual TLS authentication. When cluster nodes communicate, both the initiating (client) and receiving (server) nodes must authenticate each other. Node identities must be configured in an all-to-all manner so that each node can act as both a client and a server. IBM Storage Scale uses TLS version 3 (TLSv3) for secure communication between nodes.
To manage node identities, use the scalectl node config command. For more information, see scalectl node command.
scalectl node config set --cert <path to certificate> --key <path to private key> --chain <path to ca chain>
For example:
scalectl node config set --cert /root/tls/server.pem --key /root/tls/server.key --chain /root/tls/ca.crt