
TLS certificate setup

Version 1 of 8: You are viewing an older version of this document, as it appeared on Dec 11 2024, 12:35 PM.

Pacemaker optionally supports encrypting communications with TLS certificates for two things:

  1. Pacemaker Remote node connections
  2. Remote CIB operations (CIB_user=... CIB_encrypted=... CIB_port=... cibadmin -Q)

This is especially important for remote CIB operations, which otherwise have no encryption at all.

Testing this requires a fair bit of setup. We assume that users will use TLS certificates as follows:

  • They will set up their own Certificate Authority (CA). In the real world, you pay a real CA a lot of money to sign your credentials. This is because web browsers have lists of CAs they trust, and so if you use one of those then your credentials will be trusted. Otherwise the user will get a scary error about self-signed certificates and things like that. However, we expect that people will keep their clusters on private networks and connect via our own command line tools, so there's no real need for a trusted, real CA.
  • They will generate one set of credentials for each server. If they have ten Pacemaker Remote nodes (remember: remote nodes are the server, the cluster is the client), then each would have its own server cert and key.
  • They will generate one set of credentials for each client. If they have ten admin machines that need to run cibadmin to do remote CIB operations, then each would have its own client cert and key. This makes it possible to revoke a single client's credentials if necessary without a lot of annoying work.

In addition, this document will assume there is not an intermediate CA involved. In the real world, you would create a root CA and only use that to sign credentials for intermediate CAs. The intermediate CA would then sign the client/server credentials. The reason for this is that if a CA's private key gets compromised, everything it has ever signed must be treated as compromised as well. The root CA credentials would be locked away and only taken out on the rare occasion when you need a new intermediate. Pacemaker should support this just fine as long as the root CA and intermediate CA credentials get bundled together. I'm not going to cover how to do that here.
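As an added worked example (not part of this page and not Pacemaker's own tooling), the following POSIX shell script builds exactly the layout described above with the openssl command line: one private CA with no intermediate, one server credential for a Pacemaker Remote node, one client credential for an admin machine, plus helpers that verify a credential against the CA and inspect its extended key usage. The tool choice (openssl rather than, say, certtool), the hostnames, the EC P-256 keys and the validity periods are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the ClusterLabs page: a private CA, one server
# credential for a Pacemaker Remote node and one client credential for an
# admin machine, built with the openssl CLI.  Tool choice, hostnames, key
# type and validity periods are assumptions of this example.
set -eu

# make_pki DIR SERVER_FQDN CLIENT_NAME
# Produces DIR/ca.{key,crt}, DIR/server.{key,crt} and DIR/client.{key,crt}.
# Runs in a subshell so the restrictive umask does not leak to the caller.
make_pki() {
    (
        dir=$1; server=$2; client=$3
        mkdir -p "$dir"
        umask 077   # every key written below is private: owner-readable only

        # 1. The private CA: self-signed, explicitly CA:TRUE with pathlen:0,
        #    so it can sign leaf certificates but cannot mint sub-CAs.
        cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Pacemaker private CA
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
        openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
            -nodes -sha256 -days 3650 -config "$dir/ca.cnf" \
            -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

        # 2. One server credential per Pacemaker Remote node.  The remote node
        #    is the TLS server, so its cert carries serverAuth and a SAN equal
        #    to the name the cluster connects to.
        sign_leaf "$dir" server "$server" serverAuth "subjectAltName = DNS:$server"

        # 3. One client credential per admin machine that runs cibadmin.  A
        #    separate cert per client is what lets a single client be revoked
        #    later without re-issuing anyone else's credentials.
        sign_leaf "$dir" client "$client" clientAuth ""
    )
}

# sign_leaf DIR BASENAME CN EKU EXTRA_EXT_LINE
# Generates DIR/BASENAME.key and DIR/BASENAME.crt signed by DIR/ca.key; the
# CSR and extension file are temporary and removed afterwards.
sign_leaf() {
    dir=$1; name=$2; cn=$3; eku=$4; extra=$5
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -sha256 -subj "/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    {
        echo "basicConstraints = critical, CA:FALSE"
        echo "keyUsage = critical, digitalSignature"
        echo "extendedKeyUsage = $eku"
        if [ -n "$extra" ]; then echo "$extra"; fi
    } > "$dir/$name.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
    rm -f "$dir/$name.csr" "$dir/$name.ext"
}

# verify_leaf CA_CRT LEAF_CRT
# Succeeds only if LEAF_CRT chains to CA_CRT, which is the trust decision each
# side of a Pacemaker Remote or remote CIB connection makes about its peer.
verify_leaf() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# has_eku CRT TEXT
# True if the certificate's text dump lists the given extended key usage,
# e.g. "TLS Web Server Authentication" or "TLS Web Client Authentication".
has_eku() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}
```

Run `make_pki /path/to/pki remote1.example.internal admin1.example.internal` (directory and names are placeholders), then `verify_leaf /path/to/pki/ca.crt /path/to/pki/server.crt` to confirm the chain before pointing the cluster at the files. Each additional remote node or admin machine gets its own `sign_leaf` call, which is what keeps revocation of one credential independent of all the others.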

Last Author: clumens
Last Edited: Dec 11 2024, 12:35 PM