Home
Products
Red Hat Gluster Storage
3.3
Administration Guide
23.3. Configuring Network Encryption for an existing Trusted Storage Pool

23.3. Configuring Network Encryption for an existing Trusted Storage Pool

You can configure network encryption for an existing Red Hat Gluster Storage Trusted Storage Pool for both I/O encryption and management encryption.

23.3.1. Enabling I/O encryption for a Volume

Enable the I/O encryption between the servers and clients:

Unmount the volume on all the clients.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
umount mount-point
```
```
# umount mount-point
```
Stop the volume.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
gluster volume stop VOLNAME
```
```
# gluster volume stop VOLNAME
```
Set the list of common names for clients allowed to access the volume. Be sure to include the common names of all the servers.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
gluster volume set VOLNAME auth.ssl-allow 'server1,server2,server3,client1,client2,client3'
```
```
# gluster volume set VOLNAME auth.ssl-allow 'server1,server2,server3,client1,client2,client3'
```
Note
If you set auth.ssl-allow option with * as value, any TLS authenticated clients can mount and access the volume from the application side. Hence, you set the option's value to * or provide common names of clients as well as the nodes in the trusted storage pool.

Enable Transport Layer Security on the volume by setting the client.ssl and server.ssl options to on.

Copy to Clipboard Toggle word wrap

gluster volume set VOLNAME client.ssl on
gluster volume set VOLNAME server.ssl on

# gluster volume set VOLNAME client.ssl on
# gluster volume set VOLNAME server.ssl on

Start the volume.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
gluster volume start VOLNAME
```
```
# gluster volume start VOLNAME
```
Mount the volume from the new clients. For example, to manually mount a volume and access data using Native client, use the following command:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
mount -t glusterfs server1:/test-volume /mnt/glusterfs
```
```
# mount -t glusterfs server1:/test-volume /mnt/glusterfs
```

23.3.2. Enabling Management Encryption

Though, Red Hat Gluster Storage can be configured only for I/O encryption without using management encryption, management encryption is recommended. On an existing installation, with running servers and clients, schedule a downtime of volumes, applications, clients, and other end-users to enable management encryption.

You cannot currently change between unencrypted and encrypted connections dynamically. Bricks and other local services on the servers and clients do not receive notifications from glusterd if they are running when the switch to management encryption is made.

Unmount all the volumes on all the clients.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
umount mount-point
```
```
# umount mount-point
```
If you are using either NFS Ganesha or Samba service, then stop the service. For more information regarding NFS Ganesha see, Section 6.2.3, “NFS Ganesha” . For more information regarding Samba, see Section 6.3, “SMB”.
If shared storage is being used, then unmount the shared storage on all nodes
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
umount /var/run/gluster/shared_storage
```
```
# umount /var/run/gluster/shared_storage
```
Note
Services dependent on shared storage, such as snapshot and geo-replication may not work until it is remounted again.
Stop all the volumes including the shared storage.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
gluster volume stop VOLNAME
```
```
# gluster volume stop VOLNAME
```
Stop glusterd on all servers.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
service glusterd stop
```
```
# service glusterd stop
```
Important
If glusterd crashes, there is no functionality impact to this crash as it occurs during the shutdown. For more information, see Section 24.3, “Resolving glusterd Crash”
Stop all gluster-related processes on all servers.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
pkill glusterfs
```
```
# pkill glusterfs
```
Create the /var/lib/glusterd/secure-access file on all servers and clients.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
touch /var/lib/glusterd/secure-access
```
```
# touch /var/lib/glusterd/secure-access
```
Start glusterd on all the servers.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
service glusterd start
```
```
# service glusterd start
```
Start all the volumes including shared storage.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
gluster volume start VOLNAME
```
```
# gluster volume start VOLNAME
```

Mount the shared used if used earlier.

Copy to Clipboard Toggle word wrap

mount -t glusterfs <hostname>:/gluster_shared_storage /run/gluster/shared_storage

# mount -t glusterfs <hostname>:/gluster_shared_storage /run/gluster/shared_storage

If you are using either NFS Ganesha or Samba service, then start the service. For more information regarding NFS Ganesha see, Section 6.2.3, “NFS Ganesha”. For more information regarding Samba, see Section 6.3, “SMB”.
Mount the volume on all the clients. For example, to manually mount a volume and access data using Native client, use the following command:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
mount -t glusterfs server1:/test-volume /mnt/glusterfs
```
```
# mount -t glusterfs server1:/test-volume /mnt/glusterfs
```

23.3. Configuring Network Encryption for an existing Trusted Storage Pool

23.3.1. Enabling I/O encryption for a Volume

23.3.2. Enabling Management Encryption

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

Making open source more inclusive

About Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links