2.14. Configuring an NFS client with mutual TLS support
If the server supports NFS with TLS encryption, you can configure the NFS server and client to authenticate each other by using TLS protocol.
Prerequisites
- You have configured the NFS server with TLS encryption. For details, see Configuring an NFS server with TLS support.
- You have installed the ktls-utils package.
Procedure
1. Create a private key and a certificate signing request (CSR):
# openssl req -new -newkey rsa:4096 -noenc \
    -keyout /etc/pki/tls/private/client.example.com.key \
    -out /etc/pki/tls/private/client.example.com.csr \
    -subj "/C=US/ST=State/L=City/O=Organization/CN=client.example.com" \
    -addext "subjectAltName=DNS:client.example.com,IP:192.0.2.2"
Important: The Common Name (CN) and the DNS entry in the subjectAltName must match the hostname of the client. The IP entry must match the IP address of the host.
2. Send the /etc/pki/tls/private/client.example.com.csr file to a Certificate Authority (CA) and request a client certificate. Store the received CA certificate and the client certificate on the host.
3. Import the CA certificate into the system's truststore:
# cp ca.crt /etc/pki/ca-trust/source/anchors
# update-ca-trust
4. Move the client certificate to the /etc/pki/tls/certs/ directory:
# mv client.example.com.crt /etc/pki/tls/certs/
5. Ensure the SELinux context is correct on the private key and certificates:
# restorecon -Rv /etc/pki/tls/certs/
6. Add the client certificate and private key to the [authenticate.client] section in the /etc/tlshd.conf file:
x509.certificate= /etc/pki/tls/certs/client.example.com.crt
x509.private_key= /etc/pki/tls/private/client.example.com.key
Leave the x509.truststore parameter unset, so that tlshd validates the server certificate against the system truststore you updated in step 3.
7. Enable and start the tlshd service:
# systemctl enable --now tlshd.service
8. Mount an NFS share by using TLS encryption with mutual authentication:
# mount -o xprtsec=mtls server.example.com:/nfs/projects/ /mnt/
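The following script is an added example and not part of the Red Hat procedure or the ktls-utils project. It collects the client-side steps above into one parameterised script so that the CN, DNS and IP values cannot drift apart, and adds two checks a practitioner wants before trusting the setup: the issued certificate actually names this host, and the share ends up mounted with xprtsec=mtls. The file paths and the tlshd.conf keys are the ones the procedure uses; running restorecon on /etc/pki/tls/private/ as well, and reading xprtsec back from /proc/self/mounts, are this example's own assumptions. The CA hand-off remains a manual step.

```shell
#!/bin/sh
# Added example: NFS client setup for mutual TLS, parameterised on host and IP.
# Assumes ktls-utils is installed and the CA returns ca.crt plus <fqdn>.crt.
set -eu

CLIENT_FQDN="${CLIENT_FQDN:-client.example.com}"   # must equal the client's hostname
CLIENT_IP="${CLIENT_IP:-192.0.2.2}"                 # must be an address of this host
KEY=/etc/pki/tls/private/"$CLIENT_FQDN".key
CSR=/etc/pki/tls/private/"$CLIENT_FQDN".csr
CERT=/etc/pki/tls/certs/"$CLIENT_FQDN".crt

# Subject and SAN strings built from one hostname/IP pair, so CN, DNS and IP agree.
subj_for() { printf '/C=US/ST=State/L=City/O=Organization/CN=%s' "$1"; }
san_for()  { printf 'subjectAltName=DNS:%s,IP:%s' "$1" "$2"; }

# The [authenticate.client] fragment for /etc/tlshd.conf. x509.truststore is
# deliberately omitted so tlshd validates the server against the system truststore.
tlshd_client_section() {
    printf '[authenticate.client]\nx509.certificate= %s\nx509.private_key= %s\n' "$1" "$2"
}

# Return 0 if the mount table (default /proc/self/mounts) lists MOUNTPOINT as an
# NFS mount whose options carry xprtsec=mtls. The table path is a parameter so
# the check can be exercised against a constructed file.
mount_uses_mtls() {
    awk -v mp="$1" '$2 == mp && $3 ~ /^nfs/ && $4 ~ /(^|,)xprtsec=mtls(,|$)/ { found = 1 }
                    END { exit !found }' "${2:-/proc/self/mounts}"
}

# Step 1: private key and CSR.
make_csr() {
    openssl req -new -newkey rsa:4096 -noenc \
        -keyout "$KEY" -out "$CSR" \
        -subj "$(subj_for "$CLIENT_FQDN")" \
        -addext "$(san_for "$CLIENT_FQDN" "$CLIENT_IP")"
}

# Steps 3-7: run after the CA has returned ca.crt and the client certificate.
install_certs() {
    cp ca.crt /etc/pki/ca-trust/source/anchors/ && update-ca-trust
    mv "$CLIENT_FQDN".crt "$CERT"
    restorecon -Rv /etc/pki/tls/certs/ /etc/pki/tls/private/   # assumption: private dir too
    # Refuse to configure tlshd with a certificate that does not name this host.
    openssl x509 -in "$CERT" -noout -ext subjectAltName | grep -q "DNS:$CLIENT_FQDN" \
        || { echo "certificate SAN does not contain DNS:$CLIENT_FQDN" >&2; exit 1; }
    # Append the client section unless one is already present.
    grep -q '^\[authenticate.client\]' /etc/tlshd.conf \
        || tlshd_client_section "$CERT" "$KEY" >> /etc/tlshd.conf
    systemctl enable --now tlshd.service
}

# Step 8 plus a verification that the kernel really negotiated mtls.
mount_mtls() {
    mount -o xprtsec=mtls "$1" "$2"
    mount_uses_mtls "$2" || { echo "$2 is not mounted with xprtsec=mtls" >&2; exit 1; }
}

case "${1:-}" in
    csr)     make_csr ;;
    install) install_certs ;;
    mount)   mount_mtls "${2:?server:/export}" "${3:?mountpoint}" ;;
esac
```

Usage follows the order of the procedure: `sh nfs-mtls-client.sh csr`, hand the CSR to the CA, then `sh nfs-mtls-client.sh install` and `sh nfs-mtls-client.sh mount server.example.com:/nfs/projects/ /mnt/`. The mount check complements the journalctl verification below: tlshd logging a successful handshake tells you the TLS session was set up, while the mount table tells you the share is actually using it.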
Verification
Verify that the client successfully mounted the NFS share with TLS support:
# journalctl -u tlshd … Apr 01 08:37:56 client.example.com tlshd[10688]: Handshake with server.example.com (192.0.2.1) was successful