Enabling TLS on the NuoDB Admin layer

TLS is enabled by default with a default certificate. For production environments, you must provide an alternate PKCS#12 keystore.

This section provides guidance on generating your own self-signed certificate and then using it to start an admin process. The following files are required:

File           Description
ca.key         CA private key
ca.cert        CA public certificate
client.key     CLI private key
client.csr     CLI certificate signing request
client.cert    CLI public certificate
client.pem     CLI private key and public certificate (concatenated into one file)
server.key     Server node private key for the domain
server.csr     Server certificate signing request
server.cert    Server node public certificate for the domain
server.p12     Server node PKCS#12 keystore

Regarding file naming conventions: .cert is used for the public portion, .key for the private portion, .pem for the combined key and certificate, and .p12 for keystores and truststores.

Enabling TLS

Note: Take note of the Common Name (CN) for your SSL certificate. The CN is the fully qualified name of the system that uses the SSL certificate. If you are using Dynamic DNS, your CN ideally includes a wildcard, for example: *.api.com. Otherwise, use the hostname or IP address set in your Gateway Cluster, for example 192.16.183.131 or dp1.acme.com.

1. To generate your self-signed CA private and public key, run the following OpenSSL command:

    $ openssl req -newkey rsa:2048 -nodes -x509 -days 365 \
        -subj '/C=US/ST=MA/L=Boston/CN=localhost/O=NuoDB/OU=Eng' \
        -keyout ca.key -out ca.cert

2. Review the CA certificate generated (see example below).

    $ openssl x509 -text -noout -in ca.cert

3. Generate a client private key and CSR.

    $ openssl req -newkey rsa:2048 -nodes \
        -subj '/C=US/ST=MA/L=Boston/CN=localhost/O=NuoDB/OU=Eng' \
        -keyout client.key -out client.csr

4. Generate a client certificate based upon the CA certificate.

    $ openssl x509 -req -in client.csr -CA ca.cert -CAkey ca.key \
        -CAcreateserial -days 1024 -sha256 -out client.cert

5. Generate a server private key and CSR.

    $ openssl req -newkey rsa:2048 -nodes \
        -subj '/C=US/ST=MA/L=Boston/CN=localhost/O=NuoDB/OU=Eng' \
        -keyout server.key -out server.csr

6. Generate a server certificate based upon the CA certificate.

    $ openssl x509 -req -in server.csr -CA ca.cert -CAkey ca.key \
        -CAcreateserial -days 1024 -sha256 -out server.cert

7. Generate a Java truststore.

    $ export PASSWORD=changeIt
    $ keytool -importcert -file ca.cert -trustcacerts -alias ca-cert \
        -keystore truststore.p12 -storepass ${PASSWORD} -storetype PKCS12 -noprompt
    $ keytool -importcert -file server.cert -alias nuoadmin \
        -keystore truststore.p12 -storepass ${PASSWORD} -storetype PKCS12 -noprompt
    $ keytool -importcert -file client.cert -alias nuocmd \
        -keystore truststore.p12 -storepass ${PASSWORD} -storetype PKCS12 -noprompt

8. Validate the truststore.

    $ export PASSWORD=changeIt
    $ keytool -list -keystore truststore.p12 -storepass ${PASSWORD} -storetype PKCS12

9. Generate a server PKCS#12 keystore with the key and certificate.

    $ export PASSWORD=changeIt
    $ openssl pkcs12 -inkey server.key -in server.cert -export \
        -out server.p12 -passout pass:${PASSWORD}

10. Validate your P12 file.

    $ openssl pkcs12 -in server.p12 -noout -info -passin pass:${PASSWORD}
    MAC Iteration 2048
    MAC verified OK
    PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
    Certificate bag
    PKCS7 Data
    Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

11. Volume mount the configuration file and PKCS#12 files when starting an admin node.

    $ cat client.cert > client.pem
    $ cat client.key >> client.pem
    $ docker run -d --name ad1 --rm \
        --hostname ad1 \
        --net nuodb-net \
        --volume $(pwd)/truststore.p12:/etc/nuodb/keys/nuoadmin-truststore.p12 \
        --volume $(pwd)/server.p12:/etc/nuodb/keys/nuoadmin.p12 \
        --volume $(pwd)/client.pem:/etc/nuodb/keys/nuocmd.pem \
        -p 8888:8888 \
        -p 48004:48004 \
        -p 48005:48005 \
        -e "NUODB_DOMAIN_ENTRYPOINT=ad1" \
        ${IMG_NAME} nuoadmin
    $ docker logs ad1
    ...
    NuoAdmin Server running
    ...

12. Validate connectivity by issuing a show domain command.

    $ docker run -it --net nuodb-net \
        --volume $(pwd)/truststore.p12:/etc/nuodb/keys/nuoadmin-truststore.p12 \
        --volume $(pwd)/server.p12:/etc/nuodb/keys/nuoadmin.p12 \
        --volume $(pwd)/client.pem:/etc/nuodb/keys/nuocmd.pem \
        ${IMG_NAME} \
        nuocmd --api-server ad1:8888 show domain

Note: The remaining processes are also started with the volume-mounted certificates and keystores.
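As an added check (example code, not part of the NuoDB documentation) that steps 8 and 10 above do not perform, the following POSIX shell script verifies that server.cert and client.cert actually chain to ca.cert, that the private key inside server.p12 belongs to the certificate packed with it, and that the server certificate is unexpired and its CN covers the admin host name using the wildcard rule from the Note. It assumes the file names from the table above and the openssl command line; make_test_material builds constructed material the way steps 1, 3 to 6 and 9 do, except that the CA gets its own CN, because a leaf whose subject equals its issuer's can look self-signed to openssl verify and then will not chain to a separate CA.

```shell
# Added check (not from the NuoDB docs): verify the generated material before it is
# mounted, assuming the file names from the table above and the openssl CLI. Checks
# chain to ca.cert, key/cert pairing inside server.p12, expiry, and CN vs host name.
# "*.api.com" covers "dp1.api.com" but not "api.com" or "a.b.api.com";
# a CN without a wildcard must match the host name exactly.
cn_matches() {
  cn=$1; host=$2
  case $cn in
    \*.*) rest=${cn#\*.}; label=${host%%.*}
          [ -n "$label" ] && [ "$host" = "$label.$rest" ] ;;
    *)    [ "$cn" = "$host" ] ;;
  esac
}

# Usage: verify_tls_material DIR ADMIN_HOST KEYSTORE_PASSWORD  (returns 0 when all pass)
verify_tls_material() {
  dir=$1; host=$2; pass=$3
  for c in server client; do
    openssl verify -CAfile "$dir/ca.cert" "$dir/$c.cert" >/dev/null 2>&1 \
      || { echo "$c.cert does not chain to ca.cert"; return 1; }
  done
  # The keystore's private key must yield the same public key as its certificate.
  key_pub=$(openssl pkcs12 -in "$dir/server.p12" -nocerts -nodes -passin "pass:$pass" 2>/dev/null |
            openssl pkey -pubout 2>/dev/null || true)
  cert_pub=$(openssl pkcs12 -in "$dir/server.p12" -nokeys -clcerts -passin "pass:$pass" 2>/dev/null |
             openssl x509 -pubkey -noout 2>/dev/null || true)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] \
    || { echo "server.p12: private key does not match its certificate"; return 1; }
  openssl x509 -in "$dir/server.cert" -noout -checkend 0 >/dev/null \
    || { echo "server.cert has expired"; return 1; }
  cn=$(openssl x509 -in "$dir/server.cert" -noout -subject -nameopt RFC2253 |
       sed -n 's/.*CN=\([^,]*\).*/\1/p')
  cn_matches "$cn" "$host" || { echo "CN '$cn' does not cover host '$host'"; return 1; }
}

# Constructed material, built like steps 1, 3-6 and 9 above. The CA gets its own
# CN: a leaf whose subject equals its issuer's can look self-signed to openssl verify.
make_test_material() {
  dir=$1; pass=$2; subj='/C=US/ST=MA/L=Boston/O=NuoDB/OU=Eng'
  openssl req -newkey rsa:2048 -nodes -x509 -days 365 -subj "$subj/CN=test-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.cert" 2>/dev/null
  for c in client server; do
    openssl req -newkey rsa:2048 -nodes -subj "$subj/CN=localhost" \
      -keyout "$dir/$c.key" -out "$dir/$c.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$c.csr" -CA "$dir/ca.cert" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 1024 -sha256 -out "$dir/$c.cert" 2>/dev/null
  done
  openssl pkcs12 -inkey "$dir/server.key" -in "$dir/server.cert" -export -out "$dir/server.p12" -passout "pass:$pass"
}
```

Run verify_tls_material . ad1 changeIt in the directory where the steps above were executed; if the chain check fails although ca.cert signed the certificate, the CA and the leaf sharing the subject CN=localhost from step 1 is the likely cause, and giving the CA its own CN resolves it.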

Enabling TLS on OpenShift

To enable TLS on OpenShift, create a secret containing the key material.

1. Create a nuodb-tls.yaml file.

    apiVersion: v1
    kind: Secret
    metadata:
      name: mysecret
    type: Opaque
    data:
      nuoadmin-truststore.p12: replace
      nuocmd.pem: replace
      nuoadmin.p12: replace

Note: The keys within the data element (seen above) become the file names when the secret is volume-mounted, as shown below.

2. Inject the key material.

    $ export TRUSTSTORE_BASE64=$(cat truststore.p12 | base64 | tr -d '\n')
    $ export NUOCMD_PEM_BASE64=$(cat client.pem | base64 | tr -d '\n')
    $ export NUOADMIN_P12_BASE64=$(cat server.p12 | base64 | tr -d '\n')
    $ sed -i -e '/nuoadmin-truststore.p12:/ s|:.*|: '"${TRUSTSTORE_BASE64}"'|' nuodb-tls.yaml
    $ sed -i -e '/nuocmd.pem:/ s|:.*|: '"${NUOCMD_PEM_BASE64}"'|' nuodb-tls.yaml
    $ sed -i -e '/nuoadmin.p12:/ s|:.*|: '"${NUOADMIN_P12_BASE64}"'|' nuodb-tls.yaml

3. Install the secret before launching any admin.

    $ kubectl create -f nuodb-tls.yaml

In every pod for an Admin, TE, or SM process, volume mount the certificates as follows (noting the volumeMounts and volumes sections):

    apiVersion: v1
    kind: Pod
    metadata:
      name: secret-test-pod
    spec:
      containers:
        - name: test-container
          image: nginx
          volumeMounts:
            # name must match the volume name below
            - name: tls-keys
              mountPath: /etc/nuodb/keys
      # The secret data is exposed to Containers in the Pod through a Volume.
      volumes:
        - name: tls-keys
          secret:
            secretName: mysecret
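As an added alternative to the sed injection in step 2 (example code, not from the NuoDB documentation), this POSIX shell helper writes nuodb-tls.yaml directly from the three files with single-line base64 values and then proves that each data entry decodes back to the exact source bytes, which catches a truncated or mangled value before the secret is applied. It assumes GNU coreutils base64 (the -d flag) and the file names used in the steps above.

```shell
# Added helper (not from the NuoDB docs): build nuodb-tls.yaml straight from the
# three files, with single-line base64 values and no sed editing, then prove that
# every data entry decodes back to the exact source bytes before it is applied.
# Assumes GNU base64 (the -d flag) and the file names used in the steps above.
make_tls_secret() {  # DIR OUT_YAML
  b64() { base64 < "$1" | tr -d '\n'; }   # one line, as a Secret value must be
  cat > "$2" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  nuoadmin-truststore.p12: $(b64 "$1/truststore.p12")
  nuocmd.pem: $(b64 "$1/client.pem")
  nuoadmin.p12: $(b64 "$1/server.p12")
EOF
}

# Decode one data entry of the manifest and compare it byte for byte with the
# file it was taken from; exit status 0 means the Secret carries that file intact.
secret_entry_matches() {  # YAML KEY SOURCE_FILE
  sed -n "s/^  $2: //p" "$1" | base64 -d | cmp -s - "$3"
}
```

The same Secret can also be created without a manifest: kubectl create secret generic mysecret --from-file=nuoadmin-truststore.p12=truststore.p12 --from-file=nuocmd.pem=client.pem --from-file=nuoadmin.p12=server.p12.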

For more information on distributing credentials securely, see kubernetes support.