2.12. Configuring an NFS server with TLS support
Without the RPCSEC_GSS protocol, NFS traffic is unencrypted by default. Starting with Red Hat Enterprise Linux 10, it is possible to configure NFS with TLS, allowing NFS traffic to be encrypted by default.
Prerequisites
- You have configured an NFSv4 server. For instructions, see Configuring an NFSv4-only server.
- You have a Certificate Authority (CA) certificate.
- You have installed the ktls-utils package.
Procedure
1. Create a private key and a certificate signing request (CSR):

# openssl req -new -newkey rsa:4096 -noenc \
    -keyout /etc/pki/tls/private/server.example.com.key \
    -out /etc/pki/tls/private/server.example.com.csr \
    -subj "/C=US/ST=State/L=City/O=Organization/CN=server.example.com" \
    -addext "subjectAltName=DNS:server.example.com,IP:192.0.2.1"

Important: The Common Name (CN) and the DNS entry in the subjectAltName must match the hostname. The IP entry must match the IP address of the host.

2. Send the /etc/pki/tls/private/server.example.com.csr file to a CA and request a server certificate. Store the received CA certificate and the server certificate on the host.

3. Import the CA certificate into the system's truststore:

# cp ca.crt /etc/pki/ca-trust/source/anchors
# update-ca-trust

4. Move the server certificate to the /etc/pki/tls/certs/ directory:

# mv server.example.com.crt /etc/pki/tls/certs/

5. Ensure that the SELinux context is correct on the private key and certificates:

# restorecon -Rv /etc/pki/tls/certs/

6. Add the server certificate and private key to the [authenticate.server] section in the /etc/tlshd.conf file:

x509.certificate= /etc/pki/tls/certs/server.example.com.crt
x509.private_key= /etc/pki/tls/private/server.example.com.key

Leave the x509.truststore parameter unset.

7. Enable and start the tlshd service:

# systemctl enable --now tlshd.service
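Before starting tlshd, it is worth checking that the [authenticate.server] section really contains what the procedure above asks for. The following script is an added example, not part of the Red Hat documentation or of ktls-utils; it assumes the one-key-per-line INI layout shown in step 6 and checks only the settings this procedure touches (certificate and key set, key under /etc/pki/tls/private/, x509.truststore left unset).

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation or ktls-utils):
# sanity-check the [authenticate.server] section of /etc/tlshd.conf.

# Print the value of KEY inside SECTION of the file CONF (empty if unset).
tlshd_get() {
    conf="$1"; section="$2"; key="$3"
    awk -v sec="[$section]" -v key="$key" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line ~ /^\[/ { insec = (line == sec); next }     # section header
        line ~ /^[#;]/ || line == "" { next }            # comment / blank
        insec && index(line, key) == 1 {
            rest = substr(line, length(key) + 1)
            if (rest ~ /^[ \t]*=/) {
                sub(/^[ \t]*=[ \t]*/, "", rest); print rest; exit
            }
        }' "$conf"
}

# Check the server section against the procedure: returns 0 when it
# matches, 1 otherwise, printing one line per problem found.
tlshd_server_check() {
    conf="$1"; rc=0
    cert=$(tlshd_get "$conf" authenticate.server x509.certificate)
    key=$(tlshd_get "$conf" authenticate.server x509.private_key)
    trust=$(tlshd_get "$conf" authenticate.server x509.truststore)
    [ -n "$cert" ] || { echo "x509.certificate is not set"; rc=1; }
    [ -n "$key" ] || { echo "x509.private_key is not set"; rc=1; }
    [ -z "$trust" ] || { echo "x509.truststore is set; the procedure leaves it unset"; rc=1; }
    case "$key" in
        /etc/pki/tls/private/*) ;;
        *) echo "private key is not under /etc/pki/tls/private/"; rc=1 ;;
    esac
    case "$cert" in
        /etc/pki/tls/certs/*) ;;
        *) echo "certificate is not under /etc/pki/tls/certs/"; rc=1 ;;
    esac
    return $rc
}

# Usage: sh check-tlshd.sh /etc/tlshd.conf
if [ -n "${1:-}" ]; then
    tlshd_server_check "$1"
fi
```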