You can enable SSL communication between VEMKD and PEM by editing the
ego.conf file on all management hosts in your cluster.
Before you begin
- Enabling SSL communication between VEMKD and PEM and enabling Kerberos authentication between
VEMKD and PEM, at the same time, is not supported. If you enabled Kerberos authentication between
VEMKD and PEM, do not use this topic.
Note also that SSL communication between VEMKD
and PEM is not supported in a mixed cluster that includes Linux® and Windows hosts.
- The CAPATH setting is not supported for VEMKD and PEM SSL connections. Do
not set the CAPATH value in the ego.conf file when
configuring SSL between VEMKD and PEM.
- You cannot manually change the SSL parameters introduced by connections between PEM and VEMKD in
the ego.conf file on compute hosts. Use the instructions in this topic to
configure the ego.conf file on management hosts. After you add these settings
and restart your cluster, the configuration settings you make to the ego.conf
file on management hosts are automatically propagated to the ego.conf file on
the compute hosts.
The files specified for the CERTIFICATE,
PRIVATE_KEY, and CAFILE settings must be stored in the
same directory on all compute hosts.
Procedure
1. Open the $EGO_CONFDIR/ego.conf file on your management host and add the following settings:
a. Add EGO_PEM_TRANSPORT_SECURITY=SSL to enable SSL for connections between PEM and VEMKD.
b. Add the EGO_KD_PEM_TS_PARAMS setting, which consists of the CAFILE, CERTIFICATE, CIPHER, PRIVATE_KEY, and SERVER_AUTH settings. For example:
EGO_KD_PEM_TS_PARAMS="SSL[CAFILE=$EGO_TOP/wlp/usr/shared/resources/security/cacert.pem,CERTIFICATE=$EGO_TOP/wlp/usr/shared/resources/security/user.pem,CIPHER=AES256-GCM-SHA384,PRIVATE_KEY=$HOME/security/vemkd.key,SERVER_AUTH=*.example.com]"
The supported ciphers for SSL connections between VEMKD and PEM are as follows:
- DHE-RSA-AES256-GCM-SHA384
- DHE-RSA-AES256-SHA256
- DHE-RSA-AES256-SHA
- DHE-RSA-CAMELLIA256-SHA
- AES256-GCM-SHA384 (default)
- AES256-SHA256
- AES256-SHA
- CAMELLIA256-SHA
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES128-SHA
- DHE-RSA-SEED-SHA
- DHE-RSA-CAMELLIA128-SHA
- AES128-GCM-SHA256
- AES128-SHA256
- AES128-SHA
- SEED-SHA
- CAMELLIA128-SHA
- IDEA-CBC-SHA
- RC4-MD5
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-SHA384
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-SHA256
If you do not configure the cipher in the EGO_KD_PEM_TS_PARAMS setting, the default cipher AES256-GCM-SHA384 is used.
Note:
- If you do not configure this EGO_KD_PEM_TS_PARAMS setting, ensure that the
EGO_DEFAULT_TS_PARAMS setting is correctly configured in the
ego.conf file.
- Configuring both the EGO_KD_PEM_TS_PARAMS and
EGO_PEM_TS_PARAMS settings to use the default parameter from the
EGO_DEFAULT_TS_PARAMS setting, at the same time, is not supported.
c. Add the EGO_PEM_TS_PARAMS setting, which consists of the CERTIFICATE, CIPHER, PRIVATE_KEY, CAFILE, and SERVER_AUTH settings. For a list of supported ciphers, refer to the list in the previous step. For example:
EGO_PEM_TS_PARAMS="SSL[CERTIFICATE=$EGO_TOP/wlp/usr/shared/resources/security/user.pem,PRIVATE_KEY=$EGO_TOP/wlp/usr/shared/resources/security/user.key,CIPHER=ECDHE-ECDSA-AES256-GCM-SHA384,CAFILE=$EGO_TOP/wlp/usr/shared/resources/security/cacert.pem,SERVER_AUTH=*.example.com]"
Note:
- If you do not configure this EGO_PEM_TS_PARAMS setting, ensure that the
EGO_DEFAULT_TS_PARAMS setting is correctly configured in the
ego.conf file on a management host (the setting propagates to
compute hosts). Also, ensure that all compute hosts can access the certificate files.
- Configuring the EGO_PEM_TS_PARAMS setting to use the default parameter from
the EGO_DEFAULT_TS_PARAMS setting at the same time as the EGO_KD_PEM_TS_PARAMS setting is not supported.
d. Add EGO_KD_PEM_TS_PORT=VEMKD_port_number to specify the SSL port number for VEMKD (for example, port 32781).
e. Add EGO_PEM_TS_PORT=PEM_port_number to specify the SSL port number for PEM (for example, port 32782).
2. Repeat step 1 for each management host within your cluster.
3. Ensure that the configuration changes take effect by restarting the cluster.
Results
After you restart your cluster, the configuration settings you make to the
ego.conf file on the management host will be automatically propagated to the
ego.conf file on the compute hosts.
What to do next
If SSL is not enabled successfully, follow these troubleshooting steps:
- Verify that your certificate was issued by the CA named in the CAFILE setting. For example:
[root@host1 ssl]# openssl verify -CAfile cacert.pem user.pem
user.pem: OK
- Check that the CERTIFICATE, PRIVATE_KEY, and
CAFILE settings exist in the ego.conf file.
- Check that the SERVER_AUTH setting is the same value as the common name
(used when generating the certificate) when its type is HOST or
{string}.
- Check that the CIPHER setting is a supported cipher, and the cipher
specified for server and client match.
- If you see a "No permission to access this page" error when accessing the cluster management console, ensure that you are
accessing the console using the URL returned by the egosh client view GUIURL_1 command.
- Ensure the EGO_PEM_TRANSPORT_SECURITY setting is set to
SSL.
- Check whether the values of the EGO_KD_PEM_TS_PARAMS and
EGO_PEM_TS_PARAMS settings are configured correctly in the
ego.conf file.
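The procedure above and the checks listed under What to do next amount to a set of consistency rules for the ego.conf settings. The following Python script, an added example rather than anything shipped with EGO, applies those rules offline: it parses KEY=value lines (an assumed simplified shape; quoted values are unquoted), decodes the SSL[...] parameter strings, and flags a transport setting other than SSL, a missing CERTIFICATE, PRIVATE_KEY or CAFILE entry, a CAPATH entry, an unsupported cipher, and a cipher mismatch between the VEMKD and PEM sides. The sample configuration and its /opt/ego paths are constructed placeholders.

```python
import re
# Ciphers accepted for VEMKD/PEM SSL connections, as listed on this page.
SUPPORTED_CIPHERS = {
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA256", "DHE-RSA-AES256-SHA",
    "DHE-RSA-CAMELLIA256-SHA", "AES256-GCM-SHA384", "AES256-SHA256", "AES256-SHA",
    "CAMELLIA256-SHA", "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA", "DHE-RSA-SEED-SHA",
    "DHE-RSA-CAMELLIA128-SHA", "AES128-GCM-SHA256", "AES128-SHA256", "AES128-SHA", "SEED-SHA",
    "CAMELLIA128-SHA", "IDEA-CBC-SHA", "RC4-MD5", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA256",
}

def parse_conf(text):
    """KEY=value lines -> dict (assumed ego.conf shape; surrounding quotes stripped)."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            conf[key.strip()] = value.strip().strip('"')
    return conf

def check_ego_conf(text):
    """Return findings for the VEMKD/PEM SSL settings; [] means they look consistent."""
    conf, findings, ciphers = parse_conf(text), [], {}
    if conf.get("EGO_PEM_TRANSPORT_SECURITY") != "SSL":
        findings.append("EGO_PEM_TRANSPORT_SECURITY is not set to SSL")
    for name in ("EGO_KD_PEM_TS_PARAMS", "EGO_PEM_TS_PARAMS"):
        m = re.fullmatch(r"SSL\[(.*)\]", conf.get(name, ""))  # expected SSL[K=v,...]
        if m is None:
            findings.append(f"{name} is missing or not of the form SSL[...]")
            continue
        params = dict(p.split("=", 1) for p in m.group(1).split(",") if "=" in p)
        for key in ("CERTIFICATE", "PRIVATE_KEY", "CAFILE"):
            if not params.get(key):
                findings.append(f"{name}: {key} is not set")
        if "CAPATH" in params:  # CAPATH is not supported for these connections
            findings.append(f"{name}: remove CAPATH")
        ciphers[name] = params.get("CIPHER", "AES256-GCM-SHA384")  # page default
        if ciphers[name] not in SUPPORTED_CIPHERS:
            findings.append(f"{name}: unsupported cipher {ciphers[name]}")
    if len(ciphers) == 2 and len(set(ciphers.values())) == 2:
        findings.append("CIPHER differs between the VEMKD and PEM settings")
    return findings

# Constructed sample in the shape this page describes (paths are placeholders).
SAMPLE_CONF = """EGO_PEM_TRANSPORT_SECURITY=SSL
EGO_KD_PEM_TS_PARAMS="SSL[CAFILE=/opt/ego/security/cacert.pem,CERTIFICATE=/opt/ego/security/user.pem,CIPHER=AES256-GCM-SHA384,PRIVATE_KEY=/opt/ego/security/vemkd.key,SERVER_AUTH=*.example.com]"
EGO_PEM_TS_PARAMS="SSL[CERTIFICATE=/opt/ego/security/user.pem,PRIVATE_KEY=/opt/ego/security/user.key,CIPHER=AES256-GCM-SHA384,CAFILE=/opt/ego/security/cacert.pem,SERVER_AUTH=*.example.com]"
"""
```

Run check_ego_conf on the text of a management host's ego.conf before restarting the cluster; an empty list means none of the page's documented misconfigurations were found.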