22.3. Configuring Network Encryption for an existing Trusted Storage Pool
You can configure network encryption for an existing Red Hat Gluster Storage Trusted Storage Pool for both I/O encryption and management encryption.
22.3.1. Enabling I/O encryption for a Volume
Enable the I/O encryption between the servers and clients:
- Unmount the volume on all the clients.
#
umount mount-point - Stop the volume.
#
gluster volume stop VOLNAME - Set the list of common names for clients allowed to access the volume. Be sure to include the common names of all the servers.
#
gluster volume set VOLNAME auth.ssl-allow 'server1,server2,server3,client1,client2,client3'Note
If you setauth.ssl-allowoption with*as value, any TLS authenticated clients can mount and access the volume from the application side. Hence, you set the option's value to*or provide common names of clients as well as the nodes in the trusted storage pool. - Enable
client.sslandserver.sslon the volume.#
gluster volume set VOLNAME client.ssl on# gluster volume set VOLNAME server.ssl on - Start the volume.
#
gluster volume start VOLNAME - Mount the volume from the new clients. For example, to manually mount a volume and access data using Native client, use the following command:
#
mount -t glusterfs server1:/test-volume /mnt/glusterfs
22.3.2. Enabling Management Encryption
Though, Red Hat Gluster Storage can be configured only for I/O encryption without using management encryption, management encryption is recommended. On an existing installation, with running servers and clients, schedule a downtime of volumes, applications, clients, and other end-users to enable management encryption.
You cannot currently change between unencrypted and encrypted connections dynamically. Bricks and other local services on the servers and clients do not receive notifications from
glusterd if they are running when the switch to management encryption is made.
- Unmount all the volumes on all the clients.
#
umount mount-point - If you are using either NFS Ganesha or Samba service, then stop the service. For more information regarding NFS Ganesha see, Section 6.2.4, “NFS-Ganesha”. For more information regarding Samba, see Section 6.3, “SMB”.
- If shared storage is being used, then unmount the shared storage on all nodes
# umount /var/run/gluster/shared_storage
Note
Services dependent on shared storage, such as snapshot and geo-replication may not work until it is remounted again. - Stop all the volumes including the shared storage.
#
gluster volume stop VOLNAME - Stop
glusterdon all servers.#
service glusterd stop - Stop all gluster-related processes on all servers.
#
pkill glusterfs - Create the
/var/lib/glusterd/secure-accessfile on all servers and clients.#
touch /var/lib/glusterd/secure-access - Start
glusterdon all the servers.#
service glusterd start - Start all the volumes including shared storage.
#
gluster volume start VOLNAME - Mount the shared used if used earlier.
#
mount -t glusterfs <hostname>:/gluster_shared_storage /run/gluster/shared_storage - If you are using either NFS Ganesha or Samba service, then start the service. For more information regarding NFS Ganesha see, Section 6.2.4, “NFS-Ganesha”. For more information regarding Samba, see Section 6.3, “SMB”.
- Mount the volume on all the clients. For example, to manually mount a volume and access data using Native client, use the following command:
#
mount -t glusterfs server1:/test-volume /mnt/glusterfs
