2.8.3. Configuring the Secure Service through tpm

To configure a basic SSL setup that encrypts the THL communication between hosts, the keystore, truststore, and their corresponding passwords must be configured in your installation.

Configuring SSL for THL Only

The configuration can be applied using tpm, either during the initial installation, or when performing an update of an existing installation. The same command-line options should be used for both. For the keystore and truststore, the pathnames supplied to tpm will be distributed to the other hosts during the update.

For example, to update an existing configuration, go to the staging directory for your installation:

shell> ./tools/tpm update \
    --thl-ssl=true \
    --java-keystore-path=~/keystore.jks \
    --java-keystore-password=password \
    --java-truststore-path=~/truststore.ts \
    --java-truststore-password=password

Where --thl-ssl=true enables SSL for the THL connections, --java-keystore-path and --java-truststore-path give the locations of the keystore and truststore files, and the two --java-*-password options supply the passwords for those files. Because the pathnames are distributed to the other hosts during the update, the files must be readable by tpm at the locations given.

Note

If you plan to update your configuration to use RMI authentication with SSL, the keystore and truststore must be the same as that used for THL SSL.

Once the installation or update has completed, the use of SSL can be confirmed by checking the THL URIs used to exchange information. For secure communication, the protocol is thls, as in the example output from trepctl status:

shell> trepctl status
Processing status command...
NAME                     VALUE
----                     -----
appliedLastEventId     : mysql-bin.000011:0000000000003097;0
...
masterConnectUri       : thls://localhost:/
masterListenUri        : thls://tr-ms1:2112/
maximumStoredSeqNo     : 15
minimumStoredSeqNo     : 0
...
Finished status command...
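The check described above can be scripted so it does not depend on reading the status output by eye. The following is an added example and not part of the Tungsten documentation or tooling; the status text is a constructed sample modelled on the output shown above, and the function fails if either THL URI still uses the plaintext thl:// protocol.

```shell
#!/bin/sh
# Added example (not from the Tungsten documentation): confirm from
# `trepctl status` output that THL is using the secure thls:// protocol.
# SAMPLE_STATUS is a constructed sample based on the page's output.

SAMPLE_STATUS='Processing status command...
NAME                     VALUE
----                     -----
appliedLastEventId     : mysql-bin.000011:0000000000003097;0
masterConnectUri       : thls://localhost:/
masterListenUri        : thls://tr-ms1:2112/
maximumStoredSeqNo     : 15
minimumStoredSeqNo     : 0
Finished status command...'

# thl_is_secure: read trepctl status text on stdin; return 0 when every
# masterConnectUri/masterListenUri value starts with thls://, 1 otherwise.
# A plaintext thl:// URI, or no URI line at all, counts as a failure.
thl_is_secure() {
    uris=$(grep -E '^(masterConnectUri|masterListenUri) ' | awk '{print $3}')
    [ -n "$uris" ] || return 1
    for u in $uris; do
        case "$u" in
            thls://*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Real use on a replicator host:
#   trepctl status | thl_is_secure && echo "THL is using SSL" || echo "THL is NOT using SSL"
```

Run it against the live output of trepctl status on each host after the tpm update; a host that was missed by the update will still report thl:// and fail the check.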

Configuring SSL for Administration

Authentication and SSL encryption for administration controls the communication between administration tools such as cctrl and the replicator. This prevents unknown tools from using the JMX remote invocation interface to perform administration tasks.

The system works by first encrypting the connection with SSL, and then requiring explicit authentication as the configured RMI user before any administration command is accepted.

To update your existing installation, go to the staging directory for your installation:

shell> ./tools/tpm update \
    --java-keystore-path=~/keystore.jks \
    --java-keystore-password=password \
    --java-truststore-path=~/truststore.ts \
    --java-truststore-password=password \
    --rmi-ssl=true \
    --rmi-authentication=true \
    --rmi-user=tungsten \
    --java-jmxremote-access-path=~/jmxremote.access \
    --java-passwordstore-path=~/password.store

Where --rmi-ssl=true encrypts the JMX/RMI connections using the same keystore and truststore as above, --rmi-authentication=true requires clients to authenticate, --rmi-user names the user that administration tools must authenticate as, --java-jmxremote-access-path gives the JMX remote access file that lists the permitted users and their access level, and --java-passwordstore-path gives the password store holding the credentials for those users.

Once the update or installation has been completed, check that trepctl works and shows the status.

Configuring SSL for THL and Administration

To configure both JMX and THL SSL encrypted communication, specify both the SSL and the JMX security properties. The SSL properties are the same as those used for enabling SSL on THL, with the configuration parameters for the JMX settings added:

shell> ./tools/tpm update \
    --thl-ssl=true \
    --rmi-ssl=true \
    --java-keystore-path=~/keystore.jks \
    --java-keystore-password=password \
    --java-truststore-path=~/truststore.ts \
    --java-truststore-password=password \
    --rmi-authentication=true \
    --rmi-user=tungsten \
    --java-jmxremote-access-path=~/jmxremote.access \
    --java-passwordstore-path=~/password.store

This configures SSL and security for authentication. These options for tpm can be used to update an existing installation, or defined when creating a new deployment.

Important

All SSL certificates have a limited life, specified in days when the certificate is created. If your replication service fails to connect, check your certificate files and confirm that they are still valid. If they have expired, new certificates must be created or the existing certificates renewed. The new certificates must then be imported into the keystore and truststore, and tpm update executed to apply the updated configuration to the replicator.
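Rather than waiting for the replicator to fail, the remaining validity of every certificate in the keystore and truststore can be checked ahead of time. The following is an added example, not Tungsten's own tooling: it parses the output of keytool -list -v and reports the days left on each entry. It assumes GNU date (for date -d); the keytool listing embedded here is a constructed sample in the format keytool prints, and the alias and dates in it are illustrative.

```shell
#!/bin/sh
# Added example (not from the Tungsten documentation): report how many days
# remain on each certificate in a keystore or truststore, so an expiring
# certificate is caught before the replicator fails to connect.
# Assumes GNU date (date -d). SAMPLE_KEYTOOL is a constructed sample of
# `keytool -list -v` output; the alias and dates are illustrative only.

SAMPLE_KEYTOOL='Alias name: tungsten
Creation date: Jan 01, 2024
Entry type: PrivateKeyEntry
Owner: CN=tr-ms1
Issuer: CN=tr-ms1
Valid from: Mon Jan 01 10:00:00 UTC 2024 until: Wed Jan 01 10:00:00 UTC 2025'

# cert_days_left REFERENCE_EPOCH: read keytool -list -v output on stdin and
# print "<alias> <days-left>" for each entry. days-left goes negative once
# the certificate has expired. The reference time is passed in explicitly so
# the check is reproducible; pass "$(date +%s)" for the current time.
cert_days_left() {
    now=$1
    alias=
    while IFS= read -r line; do
        case "$line" in
            "Alias name: "*)
                alias=${line#Alias name: }
                ;;
            "Valid from: "*)
                # keytool prints "Valid from: <start> until: <end>"; keep <end>
                until=${line##* until: }
                exp=$(date -u -d "$until" +%s)
                echo "$alias $(( (exp - now) / 86400 ))"
                ;;
        esac
    done
}

# Real use (store password read from an environment variable rather than
# typed on the command line):
#   keytool -list -v -keystore ~/keystore.jks -storepass "$KEYSTORE_PASS" \
#       | cert_days_left "$(date +%s)"
#   keytool -list -v -keystore ~/truststore.ts -storepass "$TRUSTSTORE_PASS" \
#       | cert_days_left "$(date +%s)"
```

Run it against both the keystore and the truststore on every host, since a certificate that is still valid in the keystore on one host may already have been replaced in the truststore on another; any entry with a small or negative number needs to be renewed, re-imported, and pushed out with tpm update as described above.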