
Enabling TLS Authentication on the Server

  • If you enable TLS authentication, enable it on every compute node in the BoostIO cluster.
  • After the installation and deployment are complete, delete the public key that was used for communication between cluster nodes during the installation.
  • Disable shell history recording before generating the encrypted password, so that the plaintext password is not written to the history file. Re-enable it after the password has been generated.

    The imported private key must be encrypted, and its password must be encrypted with the provided seceasy_encrypt tool. A plaintext private key or password on disk is a security risk.

    Certificate security requirements:

    • Use industry-recognized asymmetric encryption algorithms, key lengths, hash algorithms, and certificate formats.
    • Use only certificates that are within their validity period.

Prerequisites

BoostIO has been installed. This section uses the installation directory /opt as an example. Prepare the files required for TLS authentication, as listed in Table 1.

Table 1 Files required for enabling TLS authentication on the server

  Certificate Authority (CA) file
    Self-signed certificate in PEM (*.pem) format. It can be used to issue other certificates.

  Certificate revocation list (CRL) file
    Lists revoked certificates. This file is in PEM (*.crl) format and is optional: if no certificate has been revoked, it is not required.

  Server certificate
    A certificate in PEM chain (*.pem) format issued by the CA. It must be within its validity period.

  Encrypted private key file of the server certificate
    This file must correspond to the server certificate and be in PEM encrypted (*.pem) format. The server installation user must know the password of the private key file.

  seceasy_encrypt file
    Encryption tool for the private key password. It is located in the /opt/boostio/bin directory.

Procedure

  1. Log in to the node where TLS authentication is to be enabled as the server installation user.
  2. Set the environment variable.
    export HSECEASY_PATH=/opt/boostio/lib
  3. Go to the security directory.
    cd /opt/boostio/security
  4. Create a server directory. You are advised to set the permission on the new directory to 0700.
    mkdir server
    chmod 0700 server
  5. Place the CA file, server certificate, and private key file of the server certificate described in Table 1 in the server directory. For security purposes, you are advised to set the permission on the files to 0400.
    Figure 1 Required files

  6. Generate a password ciphertext file.
    1. Encrypt the password of the certificate private key file.
      cd /opt/boostio/security/server
      ../../bin/seceasy_encrypt --encrypt 1 2
    2. Input the private key password.
      please input the password to encrypt {Private key password}
      please input the password to encrypt again {Private key password}
      encrypted: {Base64-Encoded-Data}

      After you input the same private key password for two consecutive times, the encryption tool outputs Base64-coded data.

    3. Save the encrypted password file. Copy the generated data and save it to a new file as the password ciphertext file. For security purposes, you are advised to set the permission on the file to 0400.
      echo "{Base64-Encoded-Data}" > keypass.path
      chmod 0400 keypass.path
    4. After the encryption is complete, the tool also generates root key files: the tools directory under the current directory contains the master root key file ksfa and the standby root key file ksfb. The paths to these two files are required in step 7.
      Figure 2 Structure of the tools directory
  7. Modify the bio.conf configuration file: enable the security option, then write the paths to the certificate files placed in step 5, and the paths to the password ciphertext file, master root key file, and standby root key file generated in step 6, to the corresponding options in the configuration file.

    If a CRL file is used, place it in the server directory and write its path to the bio.net.tls.ca.crl.path option in the configuration file.
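Before placing the files from Table 1 in the server directory (step 5), it is worth checking that they actually meet the requirements above: the private key is encrypted, the certificate is within its validity period and chains to the CA (and is not in the CRL, if one is used), the key belongs to the certificate, the algorithms are acceptable, and the permissions are 0700/0400 as advised. The script below is an added example written for this page, not a BoostIO tool; it uses only openssl and POSIX utilities. It assumes an environment variable KEY_PASS holding the private key password, assumed thresholds of no MD5/SHA-1 signatures and RSA keys of at least 2048 bits, and it builds a constructed sample CA/server pair in a temporary directory for a dry run; none of those names or values come from the original page.

```shell
#!/bin/sh
# Pre-flight checks for the files in Table 1 before they are placed under
# /opt/boostio/security/server. Added example, not a BoostIO tool: it uses only
# openssl and POSIX utilities. KEY_PASS is an assumed environment variable that
# holds the private key password; reading it from the environment keeps the
# password off the command line and out of the shell history.

ok()   { echo "OK   $1"; }
fail() { echo "FAIL $1"; RC=1; }

# exact_mode <path> <octal-mode>: true when the path has exactly that mode.
exact_mode() { [ -n "$(find "$1" -prune -perm "$2")" ]; }

# check_tls_material <ca.pem> <server.pem> <server.key.pem> [crl.pem]
# Prints one line per check and returns 0 only when every check passes.
check_tls_material() {
    ca=$1; cert=$2; key=$3; crl=${4:-}; RC=0

    # Table 1: the private key file must be in PEM encrypted format.
    if grep -q 'ENCRYPTED' "$key"; then ok "private key is encrypted"
    else fail "private key is stored in plaintext"; fi

    # Table 1: the server certificate must be within its validity period
    # (not expired, and not expiring within the next 24 hours).
    if openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1; then
        ok "server certificate is within its validity period"
    else fail "server certificate is expired or expires within 24 hours"; fi

    # Table 1: the server certificate must be issued by the CA file; when a CRL
    # is given, the certificate must not be listed in it.
    if [ -n "$crl" ]; then
        vout=$(openssl verify -CAfile "$ca" -CRLfile "$crl" -crl_check "$cert" 2>&1) && vrc=0 || vrc=$?
    else
        vout=$(openssl verify -CAfile "$ca" "$cert" 2>&1) && vrc=0 || vrc=$?
    fi
    if [ "$vrc" -eq 0 ]; then ok "server certificate chains to the CA"
    else fail "chain or CRL verification failed: $vout"; fi

    # Table 1: the key must correspond to the certificate. Derive the public key
    # from each and compare.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin env:KEY_PASS -pubout 2>/dev/null) || key_pub=
    if [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        ok "private key matches the server certificate"
    else fail "private key does not match the certificate (or KEY_PASS is wrong)"; fi

    # Certificate security requirements: recognised algorithms, key lengths and
    # hashes. Assumed thresholds: no MD5/SHA-1 signatures, RSA keys >= 2048 bits.
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null)
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case "$sigalg" in
        *md5*|*MD5*|*sha1*|*SHA1*) fail "weak signature hash: $sigalg" ;;
        *) ok "signature algorithm: $sigalg" ;;
    esac
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
        if [ "${bits:-0}" -ge 2048 ]; then ok "RSA key length: $bits bits"
        else fail "RSA key too short: ${bits:-unknown} bits"; fi
    fi

    # Steps 4 and 5 of the procedure advise 0700 on the server directory and
    # 0400 on each file placed in it.
    for f in "$ca" "$cert" "$key" ${crl:+"$crl"}; do
        if exact_mode "$f" 0400; then ok "$f is mode 0400"
        else fail "$f is not mode 0400"; fi
    done
    if exact_mode "$(dirname "$cert")" 0700; then ok "server directory is mode 0700"
    else fail "server directory is not mode 0700"; fi
    return $RC
}

# make_sample_material <dir>: constructed CA/server pair for a dry run. Not
# material from any real deployment; requires KEY_PASS to be exported.
make_sample_material() {
    d=$1; mkdir -p "$d"; chmod 0700 "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
        -subj "/CN=Sample BoostIO CA" -days 365 >/dev/null 2>&1
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$d/server.key.pem" 2048 >/dev/null 2>&1
    openssl req -new -key "$d/server.key.pem" -passin env:KEY_PASS \
        -subj "/CN=boostio-node1" -out "$d/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -sha256 -days 365 -out "$d/server.pem" >/dev/null 2>&1
    chmod 0400 "$d/ca.pem" "$d/server.pem" "$d/server.key.pem"
}

# Dry run against the constructed sample; replace the paths with your own files.
KEY_PASS=${KEY_PASS:-sample-password-change-me}; export KEY_PASS
SAMPLE_DIR=$(mktemp -d)
make_sample_material "$SAMPLE_DIR"
check_tls_material "$SAMPLE_DIR/ca.pem" "$SAMPLE_DIR/server.pem" "$SAMPLE_DIR/server.key.pem"
```

Run the checks as the server installation user on the real files after step 5, and pass the CRL as the fourth argument if one is used. The permission checks expect the exact modes the procedure advises, so a key copied in with default permissions is reported before it is referenced from bio.conf. The same care applies to keypass.path in step 6: a file written with a shell redirection is created with the default umask before chmod 0400 runs, so set a restrictive umask first if other users can read the directory.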