Enabling TLS Authentication on the Server
TLS authentication must be enabled on every compute node in the BoostIO cluster; repeat the following procedure on each node.
Prerequisites
BoostIO has been installed. This section uses the installation directory /opt as an example. Prepare the files required for TLS authentication, as listed in Table 1.
| File | Description |
|---|---|
| Certificate Authority (CA) file | Self-signed certificate in PEM (*.pem) format. It can be used to issue other certificates. |
| Certificate revocation list (CRL) file | Lists revoked certificates. This file is in PEM (*.crl) format and is optional. If there is no revoked certificate, this file is not required. |
| Server certificate | A certificate in PEM chain (*.pem) format issued by the CA. It must be within the validity period. |
| Private key file of the server certificate | This file must correspond to the server certificate and be in PEM encrypted (*.pem) format. The installation user needs to know the password of the private key file. |
| seceasy_encrypt file | Encryption tool. This file is in the /opt/boostio/bin directory. |
Procedure
1. Log in to the node where TLS authentication is to be enabled as the installation user.
2. Set the environment variable:
   export HSECEASY_PATH=/opt/boostio/lib
3. Go to the security directory:
   cd /opt/boostio/security
4. Create a server directory. You are advised to set the permission on the new directory to 0600.
   mkdir server
   chmod 0600 server
5. Place the CA file, the server certificate, and the private key file of the server certificate described in Table 1 in the server directory. For security purposes, you are advised to set the permission on these files to 0400.
   Figure 1 Required files
6. Generate a password ciphertext file.
   a. Encrypt the password of the certificate private key file:
      cd /opt/boostio/security/server
      ../../bin/seceasy_encrypt --encrypt 1 2
   b. Input the private key password. The tool prompts for it twice:
      please input the password to encrypt
      {Private key password}
      please input the password to encrypt again
      {Private key password}
      encrypted: {Base64-Encoded-Data}
      After you have entered the same private key password twice in a row, the encryption tool outputs the Base64-coded data.
   c. Save the encrypted password file. Copy the generated data and save it to a new file; this file is the password ciphertext file. For security purposes, you are advised to set the permission on the file to 0400.
      echo "{Base64-Encoded-Data}" > keypass.path
      chmod 0400 keypass.path
   d. After the encryption is complete, root key files are generated. The tools directory under the current directory contains the master root key file ksfa and the standby root key file ksfb. The paths to these two files are required in step 7.
      Figure 2 Structure of the tools directory
7. Modify the bio.conf configuration file. Enable the security option, and write the paths to the certificate files placed in step 5 and the paths to the password ciphertext file, master root key file, and standby root key file generated in step 6 to the corresponding options in the configuration file.
   If a CRL file is used, place it in the server directory and write its path to the bio.net.tls.ca.crl.path option in the configuration file.
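The following POSIX shell script is an added example and is not part of BoostIO or its documentation. It checks that the server directory populated by the procedure above meets the Table 1 requirements before bio.conf is edited: 0400 permissions, an encrypted private key that matches the server certificate, a certificate that is unexpired and issued by the CA, and a parseable CRL if one is present. It assumes Linux `stat -c`, `openssl` on PATH, and the file names ca.pem, server.pem, server.key and ca.crl, none of which the page fixes.

```shell
#!/bin/sh
# Added example, not part of BoostIO: sanity-check the files placed in
# /opt/boostio/security/server before bio.conf is pointed at them.
# Assumed (not fixed by the page): Linux `stat -c`, `openssl` on PATH, and the
# file names ca.pem, server.pem, server.key and (optional) ca.crl.

# Return 0 if FILE's permission bits equal MODE (e.g. 0400).
check_mode() {
    want=$(printf '%s' "$2" | sed 's/^0*//')
    have=$(stat -c '%a' "$1" 2>/dev/null | sed 's/^0*//')
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Return 0 if the key is stored encrypted (PKCS#8 or legacy PEM header), as Table 1 requires.
key_is_encrypted() {
    grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Return 0 if the public key in CERT equals the one derived from KEY.
# The passphrase travels via the environment, not argv, so it is not visible in `ps`.
key_matches_cert() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(KEYPASS=$3 openssl pkey -in "$2" -passin env:KEYPASS -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# Return 0 if CERT has not expired (-checkend tests expiry only) and chains to CA.
cert_valid_for_ca() {
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1 &&
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run all checks against DIR with key passphrase PASS; print one line per failure,
# return 0 only if everything passes.
check_server_dir() {
    dir=$1; pass=$2; rc=0
    for f in ca.pem server.pem server.key; do
        check_mode "$dir/$f" 0400 || { echo "FAIL: $f is not mode 0400"; rc=1; }
    done
    key_is_encrypted "$dir/server.key" || { echo "FAIL: server.key is not encrypted"; rc=1; }
    key_matches_cert "$dir/server.pem" "$dir/server.key" "$pass" ||
        { echo "FAIL: server.key does not match server.pem"; rc=1; }
    cert_valid_for_ca "$dir/ca.pem" "$dir/server.pem" ||
        { echo "FAIL: server.pem is expired or not issued by ca.pem"; rc=1; }
    [ ! -f "$dir/ca.crl" ] || openssl crl -in "$dir/ca.crl" -noout >/dev/null 2>&1 ||
        { echo "FAIL: ca.crl is not a parseable PEM CRL"; rc=1; }
    return $rc
}
```

Run it as `check_server_dir /opt/boostio/security/server "$KEY_PASSWORD"` before editing bio.conf; a non-zero exit lists exactly which Table 1 requirement is not met.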