3.2.9. Enabling SSL for Replicators Only

Warning

The procedures in this section are designed for the pre-v6.x Multisite/Multimaster topology ONLY. Do NOT use these procedures with version 6.x Multisite Clusters.

For version 6.x Multisite Clustering, please refer to Deploying Composite Multimaster Clustering.

It is possible to enable secure communications for just the Replicator layer in a MSMM topology. This would include both the Cluster Replicators and the Cross-Site Replicators because they cannot be SSL-enabled independently.

  1. Create a certificate and load it into a java keystore, and then load it into a truststore and place all files into the /etc/tungsten/ directory. For detailed instructions, see Section 2.8.1.1, “Creating Your Own Client and Server Certificates”

  2. Update /etc/tungsten/tungsten.ini to include these additional lines in the both the defaults section and the defaults.replicator section:

    [defaults]
    ...
    java-keystore-path=/etc/tungsten/keystore.jks
    java-keystore-password=secret
    java-truststore-path=/etc/tungsten/truststore.ts
    java-truststore-password=secret
    thl-ssl=true
    
    [defaults.replicator]
    ...
    java-keystore-path=/etc/tungsten/keystore.jks
    java-keystore-password=secret
    java-truststore-path=/etc/tungsten/truststore.ts
    java-truststore-password=secret
    thl-ssl=true 
    
  3. Put all clusters into maintenance mode.

    shell> cctrl
    cctrl> set policy maintenance
  4. On all hosts, update the cluster configuration:

    shell> tpm query staging
    shell> cd {cluster_staging_directory}
    shell> tools/tpm update
    shell> trepctl online
    shell> trepctl status | grep thl

    On all hosts, update the cross-site replicator configuration:

    shell> mm_tpm query staging
    shell> cd {replicator_staging_directory}
    shell> tools/tpm update
    shell> mm_trepctl online
    shell> mm_trepctl status | grep thl

    Important

    Please note that all replication will effectively be down until all nodes/services are SSL-enabled and online.

  5. Once all the updates are done and the Replicators are back up and running, use the various commands to check that secure communications have been enabled.

    Each datasource will show [SSL] when enabled:

    shell> cctrl
    cctrl> ls
    
    DATASOURCES:
    +----------------------------------------------------------------------------+
    |db1(master:ONLINE, progress=208950063, THL latency=0.895)                   |
    |STATUS [OK] [2018/04/10 11:47:57 AM UTC][SSL]                               |
    +----------------------------------------------------------------------------+
    |  MANAGER(state=ONLINE)                                                     |
    |  REPLICATOR(role=master, state=ONLINE)                                     |
    |  DATASERVER(state=ONLINE)                                                  |
    |  CONNECTIONS(created=15307, active=2)                                      |
    +----------------------------------------------------------------------------+
    
    +----------------------------------------------------------------------------+
    |db2(slave:ONLINE, progress=208950061, latency=0.920)                        |
    |STATUS [OK] [2018/04/19 11:18:21 PM UTC][SSL]                               |
    +----------------------------------------------------------------------------+
    |  MANAGER(state=ONLINE)                                                     |
    |  REPLICATOR(role=slave, master=db1, state=ONLINE)                          |
    |  DATASERVER(state=ONLINE)                                                  |
    |  CONNECTIONS(created=0, active=0)                                          |
    +----------------------------------------------------------------------------+
    
    +----------------------------------------------------------------------------+
    |db3(slave:ONLINE, progress=208950063, latency=0.939)                        |
    |STATUS [OK] [2018/04/25 12:17:20 PM UTC][SSL]                               |
    +----------------------------------------------------------------------------+
    |  MANAGER(state=ONLINE)                                                     |
    |  REPLICATOR(role=slave, master=db1, state=ONLINE)                          |
    |  DATASERVER(state=ONLINE)                                                  |
    |  CONNECTIONS(created=0, active=0)                                          |
    +----------------------------------------------------------------------------+

    Both the local cluster replicator status command trepctl status and the cross-site replicator status command mm_trepctl status will show thls instead of thl in the values for masterConnectUri, masterListenUri and pipelineSource.

    shell> trepctl status | grep thl
    
    masterConnectUri       : thls://db1:2112/
    masterListenUri        : thls://db5:2112/
    pipelineSource         : thls://db1:2112/