Enabling SSL communication between VEMKD and PEM

You can enable SSL communication between VEMKD and PEM by editing the ego.conf file on all management hosts in your cluster.

Before you begin

  • Enabling SSL communication between VEMKD and PEM and enabling Kerberos authentication between VEMKD and PEM, at the same time, is not supported. If you enabled Kerberos authentication between VEMKD and PEM, do not use this topic.

    Note also that SSL communication between VEMKD and PEM is not supported in a mixed cluster that includes Linux® and Windows hosts.

  • The CAPATH setting is not supported for VEMKD and PEM SSL connections. Do not set the CAPATH value in the ego.conf file when configuring SSL between VEMKD and PEM.
  • Do not edit the SSL parameters for PEM-to-VEMKD connections in the ego.conf file on compute hosts. Use the instructions in this topic to configure the ego.conf file on management hosts. After you add these settings and restart your cluster, the settings you made on the management hosts are automatically propagated to the ego.conf file on the compute hosts.

    The files specified for the CERTIFICATE, PRIVATE_KEY, and CAFILE settings must be stored in the same directory on all compute hosts.

Procedure

  1. Open the $EGO_CONFDIR/ego.conf file on your management host to add the following settings:
    1. Add EGO_PEM_TRANSPORT_SECURITY=SSL to enable connections between PEM and VEMKD.
    2. Add the EGO_KD_PEM_TS_PARAMS setting, which consists of the CAFILE, CERTIFICATE, CIPHER, PRIVATE_KEY, and SERVER_AUTH settings.
      For example:
      EGO_KD_PEM_TS_PARAMS="SSL[CAFILE=$EGO_TOP/wlp/usr/shared/resources/security/cacert.pem,CERTIFICATE=$EGO_TOP/wlp/usr/shared/resources/security/user.pem,CIPHER=AES256-GCM-SHA384,PRIVATE_KEY=$HOME/security/vemkd.key,SERVER_AUTH=*.example.com]"
      The whole setting is one line in the ego.conf file.
      The supported ciphers for SSL connections between VEMKD and PEM are as follows:
      • DHE-RSA-AES256-GCM-SHA384
      • DHE-RSA-AES256-SHA256
      • DHE-RSA-AES256-SHA
      • DHE-RSA-CAMELLIA256-SHA
      • AES256-GCM-SHA384 (default)
      • AES256-SHA256
      • AES256-SHA
      • CAMELLIA256-SHA
      • DHE-RSA-AES128-GCM-SHA256
      • DHE-RSA-AES128-SHA
      • DHE-RSA-SEED-SHA
      • DHE-RSA-CAMELLIA128-SHA
      • AES128-GCM-SHA256
      • AES128-SHA256
      • AES128-SHA
      • SEED-SHA
      • CAMELLIA128-SHA
      • IDEA-CBC-SHA
      • RC4-MD5
      • ECDHE-ECDSA-AES256-GCM-SHA384
      • ECDHE-ECDSA-AES256-SHA384
      • ECDHE-ECDSA-AES128-GCM-SHA256
      • ECDHE-ECDSA-AES128-SHA256
      • ECDHE-RSA-AES256-GCM-SHA384
      • ECDHE-RSA-AES256-SHA384
      • ECDHE-RSA-AES128-GCM-SHA256
      • ECDHE-RSA-AES128-SHA256

      If you do not configure the cipher using the EGO_KD_PEM_TS_PARAMS setting, the default cipher AES256-GCM-SHA384 is used. Note that several entries in the list (RC4-MD5, IDEA-CBC-SHA, SEED-SHA and the CBC suites) are legacy ciphers that are accepted for compatibility only; where both ends support it, prefer an ECDHE AES-GCM suite, which also provides forward secrecy. The same cipher must be configured in EGO_KD_PEM_TS_PARAMS (the VEMKD side) and EGO_PEM_TS_PARAMS (the PEM side).

      Note:
      1. If you do not configure this EGO_KD_PEM_TS_PARAMS setting, ensure that the EGO_DEFAULT_TS_PARAMS setting is correctly configured in the ego.conf file.
      2. Leaving both the EGO_KD_PEM_TS_PARAMS and the EGO_PEM_TS_PARAMS settings unset, so that both fall back to the EGO_DEFAULT_TS_PARAMS setting at the same time, is not supported.
    3. Add EGO_PEM_TS_PARAMS, which consists of the CERTIFICATE, CIPHER, PRIVATE_KEY, CAFILE, and SERVER_AUTH settings.

      For a list of supported ciphers, refer to the list in the previous step.

      For example:
      EGO_PEM_TS_PARAMS="SSL[CERTIFICATE=$EGO_TOP/wlp/usr/shared/resources/security/user.pem,PRIVATE_KEY=$EGO_TOP/wlp/usr/shared/resources/security/user.key,CIPHER=AES256-GCM-SHA384,CAFILE=$EGO_TOP/wlp/usr/shared/resources/security/cacert.pem,SERVER_AUTH=*.example.com]"
      The whole setting is one line in the ego.conf file. The CIPHER value must be the same as the one in EGO_KD_PEM_TS_PARAMS (see the troubleshooting steps under "What to do next"); an ECDHE-ECDSA suite additionally requires an ECDSA certificate, so it cannot be paired with an RSA certificate such as the user.pem in this example.
      Note:
      1. If you do not configure this EGO_PEM_TS_PARAMS setting, ensure that the EGO_DEFAULT_TS_PARAMS setting is correctly configured in the ego.conf file on a management host (the setting propagates to compute hosts). Also, ensure that all compute hosts can access the certificate files.
      2. Leaving the EGO_PEM_TS_PARAMS setting unset so that it falls back to the EGO_DEFAULT_TS_PARAMS setting is not supported when EGO_KD_PEM_TS_PARAMS is also unset (both settings cannot rely on the default at the same time).
    4. Add EGO_KD_PEM_TS_PORT=VEMKD_port_number to specify the SSL port number for VEMKD (for example, port 32781).
    5. Add EGO_PEM_TS_PORT=PEM_port_number to specify the SSL port number for PEM (for example, port 32782).
  2. Repeat step 1 for each management host within your cluster.
  3. Restart the cluster so that the configuration changes take effect (if the cluster is already running, shut it down first):
    egosh ego start all

Results

After you restart your cluster, the configuration settings you make to the ego.conf file on the management host will be automatically propagated to the ego.conf file on the compute hosts.

What to do next

If SSL is not enabled successfully, follow these troubleshooting steps:
  1. Verify that your certificate was issued by the CA in CAFILE. For example:
    [root@host1 ssl]# openssl verify -CAfile cacert.pem user.pem
    user.pem: OK
  2. Check that the CERTIFICATE, PRIVATE_KEY, and CAFILE settings exist in the ego.conf file.
  3. Check that the SERVER_AUTH setting matches the common name used when generating the certificate (when its type is HOST or {string}).
  4. Check that the CIPHER setting is a supported cipher, and that the cipher specified for the server (EGO_KD_PEM_TS_PARAMS) and the client (EGO_PEM_TS_PARAMS) is the same.
  5. If you see a No permission to access this page error while accessing Resources > Hosts > Rack View within the cluster management console, ensure that you are accessing the console using the URL provided when you run the egosh client view GUIURL_1 command.
  6. Ensure the EGO_PEM_TRANSPORT_SECURITY setting is set to SSL.
  7. Check whether the values of the EGO_KD_PEM_TS_PARAMS and EGO_PEM_TS_PARAMS settings are configured correctly in the ego.conf file.
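The following script is an added example, not code from the EGO product or its documentation. It brings the procedure and the troubleshooting list above together: it writes a constructed ego.conf containing the five VEMKD/PEM SSL settings, mints a throwaway CA and a certificate with openssl, and then runs the checks from steps 1 to 4, 6 and 7 over the file (transport security set to SSL, CERTIFICATE/PRIVATE_KEY/CAFILE present and readable, no CAPATH, supported and matching ciphers, certificate chains to CAFILE, SERVER_AUTH matches the certificate CN). The setting names, SSL[...] syntax, port numbers and cipher list are taken from the page; the file paths, host names, the glob interpretation of a wildcard SERVER_AUTH, and every function name are assumptions made for this demonstration.

```shell
#!/bin/sh
# Added example; not part of EGO/Symphony or its documentation. Requires openssl.

# Cipher names the page lists as supported for VEMKD <-> PEM SSL (includes legacy
# suites such as RC4-MD5 because the page does; narrow this list for production).
SUPPORTED_CIPHERS="DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA
DHE-RSA-CAMELLIA256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA CAMELLIA256-SHA
DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA DHE-RSA-SEED-SHA DHE-RSA-CAMELLIA128-SHA
AES128-GCM-SHA256 AES128-SHA256 AES128-SHA SEED-SHA CAMELLIA128-SHA IDEA-CBC-SHA RC4-MD5
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256"

# make_demo_pki DIR: mint a throwaway CA and a certificate for vemkd.example.com (assumed name)
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=Demo-EGO-CA \
        -keyout "$1/ca.key" -out "$1/cacert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=vemkd.example.com \
        -keyout "$1/user.key" -out "$1/user.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$1/user.csr" -CA "$1/cacert.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/user.pem" 2>/dev/null
}

# write_ego_conf FILE DIR KD_CIPHER PEM_CIPHER SERVER_AUTH [EXTRA]: constructed ego.conf
# fragment with the five settings from the procedure; EXTRA ("KEY=value") is appended to
# the VEMKD-side parameters so a test can inject an unsupported key such as CAPATH.
write_ego_conf() {
    extra=${6:+,$6}
    cat >"$1" <<EOF
# VEMKD <-> PEM SSL settings (constructed example; one certificate used on both sides)
EGO_PEM_TRANSPORT_SECURITY=SSL
EGO_KD_PEM_TS_PARAMS="SSL[CAFILE=$2/cacert.pem,CERTIFICATE=$2/user.pem,CIPHER=$3,PRIVATE_KEY=$2/user.key,SERVER_AUTH=$5$extra]"
EGO_PEM_TS_PARAMS="SSL[CERTIFICATE=$2/user.pem,PRIVATE_KEY=$2/user.key,CIPHER=$4,CAFILE=$2/cacert.pem,SERVER_AUTH=$5]"
EGO_KD_PEM_TS_PORT=32781
EGO_PEM_TS_PORT=32782
EOF
}

# ts_param FILE SETTING KEY: print KEY's value from a SETTING="SSL[k=v,...]" line
ts_param() {
    sed -n "s/^$2=\"SSL\[\(.*\)]\"\$/\1/p" "$1" | tr ',' '\n' | sed -n "s/^$3=//p"
}

# cipher_supported NAME: 0 if NAME is in the page's list
cipher_supported() {
    for c in $SUPPORTED_CIPHERS; do [ "$c" = "$1" ] && return 0; done
    return 1
}

# check_egoconf FILE: print one line per finding; return the number of failed checks
check_egoconf() {
    conf=$1; fails=0
    grep -q '^EGO_PEM_TRANSPORT_SECURITY=SSL$' "$conf" \
        || { echo "FAIL: EGO_PEM_TRANSPORT_SECURITY is not SSL"; fails=$((fails+1)); }
    for setting in EGO_KD_PEM_TS_PARAMS EGO_PEM_TS_PARAMS; do
        # CAPATH is not supported for VEMKD/PEM connections (see "Before you begin")
        [ -z "$(ts_param "$conf" $setting CAPATH)" ] \
            || { echo "FAIL: $setting sets CAPATH"; fails=$((fails+1)); }
        for key in CERTIFICATE PRIVATE_KEY CAFILE; do
            f=$(ts_param "$conf" $setting $key)
            [ -n "$f" ] && [ -r "$f" ] \
                || { echo "FAIL: $setting $key missing or unreadable ($f)"; fails=$((fails+1)); }
        done
        cipher_supported "$(ts_param "$conf" $setting CIPHER)" \
            || { echo "FAIL: $setting CIPHER is not a supported cipher"; fails=$((fails+1)); }
    done
    # Server (VEMKD) and client (PEM) must be configured with the same cipher
    [ "$(ts_param "$conf" EGO_KD_PEM_TS_PARAMS CIPHER)" = "$(ts_param "$conf" EGO_PEM_TS_PARAMS CIPHER)" ] \
        || { echo "FAIL: CIPHER differs between EGO_KD_PEM_TS_PARAMS and EGO_PEM_TS_PARAMS"; fails=$((fails+1)); }
    cert=$(ts_param "$conf" EGO_KD_PEM_TS_PARAMS CERTIFICATE)
    ca=$(ts_param "$conf" EGO_KD_PEM_TS_PARAMS CAFILE)
    if [ -r "$cert" ] && [ -r "$ca" ]; then
        # Troubleshooting step 1: the certificate must verify against CAFILE
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
            || { echo "FAIL: $cert does not verify against $ca"; fails=$((fails+1)); }
        # Troubleshooting step 3: SERVER_AUTH must match the certificate CN. A wildcard
        # such as *.example.com is treated as a shell glob here (assumption; the page
        # shows the wildcard form but does not define its matching rules).
        cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
        auth=$(ts_param "$conf" EGO_KD_PEM_TS_PARAMS SERVER_AUTH)
        case "$cn" in $auth) ;; *) echo "FAIL: SERVER_AUTH $auth does not match CN $cn"; fails=$((fails+1));; esac
    fi
    return $fails
}

# Demonstration: a consistent configuration passes every check
WORK=$(mktemp -d)
make_demo_pki "$WORK"
write_ego_conf "$WORK/ego.conf" "$WORK" AES256-GCM-SHA384 AES256-GCM-SHA384 '*.example.com'
check_egoconf "$WORK/ego.conf" && echo "ego.conf: all VEMKD/PEM SSL checks passed"
```

To use it against a real cluster, point check_egoconf at $EGO_CONFDIR/ego.conf on a management host after expanding any $EGO_TOP or $HOME references in the paths; the function returns the number of failed checks, so it can gate a configuration rollout.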