Installing via INI File with CA-Signed Certificates

This procedure takes a signed certificate from a known Certificate Authority and uses it as the basis for all SSL operations within the cluster, not including Connector client-server SSL, which is configured separately. See "Configuring Connector SSL" for more information about configuring Connector SSL.

The example procedure below assumes that you have an existing, installed and running cluster with security enabled by setting disable-security-controls=false. Assume a 3-node cluster called alpha with member hosts db1, db2 and db3.

Warning: In all examples below, because you are updating an existing secure installation, the password tungsten is required; do not change it.

1. Select one node to create the proper set of certs, i.e. db1:

    shell> su - tungsten
    shell> mkdir /etc/tungsten/secure
    shell> mkdir ~/certs
    shell> cd ~/certs

2. Copy the available files (CA cert, intermediate cert (if needed), signed cert and signing key) into ~/certs/, i.e.:

    ca.crt.pem
    int.crt.pem
    signed.crt.pem
    signing.key.pem

3. Create a pkcs12 (.p12) version of the signed certificate:

    shell> openssl pkcs12 -export -in ~/certs/signed.crt.pem -inkey ~/certs/signing.key.pem \
        -out ~/certs/tungsten_sec.crt.p12 -name mysql
    Enter Export Password: tungsten
    Verifying - Enter Export Password: tungsten

   Important: When using OpenSSL 3.0 with Java 1.8, you MUST add the -legacy option to the openssl command.

   Important: If you choose a different alias name rather than mysql as shown in the example above, then you must also specify the tpm option java-mysql-alias in your /etc/tungsten/tungsten.ini.

4. Create a pkcs12-based keystore (.jks) version of the signed certificate:

    shell> keytool -importkeystore -deststorepass tungsten -destkeystore /etc/tungsten/secure/tungsten_keystore.jks \
        -srckeystore ~/certs/tungsten_sec.crt.p12 -srcstoretype pkcs12 -deststoretype pkcs12
    Importing keystore /home/tungsten/certs/tungsten_sec.crt.p12 to /etc/tungsten/secure/tungsten_keystore.jks...
    Enter source keystore password: tungsten
    Entry for alias replserver successfully imported.
    Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

5. Import the Certificate Authority's certificate into the keystore:

    shell> keytool -import -alias mysql -file ~/certs/ca.crt.pem -keypass tungsten \
        -keystore /etc/tungsten/secure/tungsten_keystore.jks -storepass tungsten
    ...
    Trust this certificate? [no]: yes
    Certificate was added to keystore

6. Import the Certificate Authority's intermediate certificate (if supplied) into the keystore:

    shell> keytool -import -alias mysql -file ~/certs/int.crt.pem -keypass tungsten \
        -keystore /etc/tungsten/secure/tungsten_keystore.jks -storepass tungsten
    Certificate was added to keystore

7. Export the cert from the keystore into the file client.cer for use in the next step to create the truststore:

    shell> keytool -export -alias mysql -file ~/certs/client.cer \
        -keystore /etc/tungsten/secure/tungsten_keystore.jks
    Enter keystore password: tungsten
    Certificate stored in file </home/tungsten/certs/client.cer>

8. Create the truststore:

    shell> keytool -import -trustcacerts -alias mysql -file ~/certs/client.cer \
        -keystore /etc/tungsten/secure/tungsten_truststore.ts -storepass tungsten -noprompt
    Certificate was added to keystore

9. Create the rmi_jmx password store entry:

    shell> tpasswd -c tungsten tungsten -t rmi_jmx -p /etc/tungsten/secure/passwords.store -e \
        -ts /etc/tungsten/secure/tungsten_truststore.ts -tsp tungsten
    Using parameters:
    -----------------
    security.properties    = /opt/continuent/tungsten/cluster-home/../cluster-home/conf/security.properties
    password.file.location = /etc/tungsten/secure/passwords.store
    encrypted.password     = true
    truststore.location    = /etc/tungsten/secure/tungsten_truststore.ts
    truststore.password    = *********
    -----------------
    Creating non existing file: /etc/tungsten/secure/passwords.store
    User created successfuly: tungsten

10. Create the tls password store entry:

    shell> tpasswd -c tungsten tungsten -t unknown -p /etc/tungsten/secure/passwords.store -e \
        -ts /etc/tungsten/secure/tungsten_truststore.ts -tsp tungsten
    Using parameters:
    -----------------
    security.properties    = /opt/continuent/tungsten/cluster-home/../cluster-home/conf/security.properties
    password.file.location = /etc/tungsten/secure/passwords.store
    encrypted.password     = true
    truststore.location    = /etc/tungsten/secure/tungsten_truststore.ts
    truststore.password    = ********
    -----------------
    User created successfuly: tungsten

11. List and verify the user for each security service password store entry, rmi_jmx and tls (which has a display tag of unknown):

    shell> tpasswd -l -p /etc/tungsten/secure/passwords.store -ts /etc/tungsten/secure/tungsten_truststore.ts
    Using parameters:
    -----------------
    security.properties    = /opt/continuent/tungsten/cluster-home/../cluster-home/conf/security.properties
    password.file.location = ./passwords.store
    encrypted.password     = true
    truststore.location    = ./tungsten_truststore.ts
    truststore.password    = ********
    -----------------
    Listing users by application type:
    [unknown]
    -----------
    tungsten
    [rmi_jmx]
    -----------
    tungsten

12. On host db1, transfer the generated certificates to the same path on all remaining hosts:

    shell> for host in `seq 2 3`; do rsync -av /etc/tungsten/secure/ db${host}:/etc/tungsten/secure/; done

13. Edit the /etc/tungsten/tungsten.ini configuration file on all nodes and add:

    Example tungsten.ini

    [defaults]
    ...
    disable-security-controls=false
    java-keystore-path=/etc/tungsten/secure/tungsten_keystore.jks
    java-keystore-password=tungsten
    java-truststore-path=/etc/tungsten/secure/tungsten_truststore.ts
    java-truststore-password=tungsten
    rmi-ssl=true
    rmi-authentication=true
    rmi-user=tungsten
    java-passwordstore-path=/etc/tungsten/secure/passwords.store

   Argument definitions:

    disable-security-controls=false
        When set to true, disables all forms of security, including SSL, TLS and authentication. It must remain false here.

    java-keystore-path=/etc/tungsten/secure/tungsten_keystore.jks
        Local path to the Java Keystore file. Specific for intra-cluster communication. NOTE: When java-keystore-path is passed to tpm, the keystore must contain both the tls and the mysql certs when appropriate. tpm will NOT add the mysql cert nor generate the tls cert when this flag is found, so both certs must already have been imported manually. Additionally, java-mysql-alias must be specified when using custom keystores.

    java-keystore-password=tungsten
        Sets the password for unlocking the tungsten_keystore.jks file in the security directory. Specific for intra-cluster communication.

    java-truststore-path=/etc/tungsten/secure/tungsten_truststore.ts
        Local path to the Java Truststore file.

    java-truststore-password=tungsten
        The password for unlocking the tungsten_truststore.ts file in the security directory.

    rmi-ssl=true
        Enable SSL encryption of RMI communication on this host.

    rmi-authentication=true
        Enable RMI authentication for the services running on this host.

    rmi-user=tungsten
        The username for RMI authentication.

    java-passwordstore-path=/etc/tungsten/secure/passwords.store
        Local path to the Java Password Store file.

   Important: If you chose a different alias name rather than mysql as shown in the examples, then you must also specify java-mysql-alias.

   Important: When java-keystore-path is passed to tpm, the keystore must contain both the tls and the mysql certs when appropriate. tpm will NOT add the mysql cert nor generate the tls cert when this flag is found, so both certs must already have been imported manually.

14. On one node only, enable MAINTENANCE mode:

    cctrl> set policy maintenance

15. On ALL nodes, stop the tungsten software, execute the update, then restart:

   Warning: This procedure requires the complete restart of all layers and will cause a brief outage.

    shell> tpm query staging
    shell> cd {staging_dir}
    shell> stopall
    shell> tools/tpm update --replace-release
    shell> startall

16. On one node only, enable AUTOMATIC mode and check cluster status:

    shell> cctrl
    cctrl> set policy automatic
    cctrl> ls

    COORDINATOR[db1:AUTOMATIC:ONLINE]

    ROUTERS:
    +---------------------------------------------------------------------------------+
    |connector@db1[9871](ONLINE, created=0, active=0)                                 |
    |connector@db2[27930](ONLINE, created=0, active=0)                                |
    |connector@db3[23727](ONLINE, created=0, active=0)                                |
    +---------------------------------------------------------------------------------+

    DATASOURCES:
    +---------------------------------------------------------------------------------+
    |db1(master:ONLINE, progress=1, THL latency=0.656)                                |
    |STATUS [OK] [2019/06/06 12:48:11 PM UTC]                                         |
    +---------------------------------------------------------------------------------+
    |  MANAGER(state=ONLINE)                                                          |
    |  REPLICATOR(role=master, state=ONLINE)                                          |
    |  DATASERVER(state=ONLINE)                                                       |
    |  CONNECTIONS(created=0, active=0)                                               |
    +---------------------------------------------------------------------------------+

    +---------------------------------------------------------------------------------+
    |db2(slave:ONLINE, progress=1, latency=9.858)                                     |
    |STATUS [OK] [2019/06/06 12:48:11 PM UTC]                                         |
    +---------------------------------------------------------------------------------+
    |  MANAGER(state=ONLINE)                                                          |
    |  REPLICATOR(role=slave, master=db1, state=ONLINE)                               |
    |  DATASERVER(state=ONLINE)                                                       |
    |  CONNECTIONS(created=0, active=0)                                               |
    +---------------------------------------------------------------------------------+

    +---------------------------------------------------------------------------------+
    |db3(slave:ONLINE, progress=1, latency=19.235)                                    |
    |STATUS [OK] [2019/06/06 12:48:10 PM UTC]                                         |
    +---------------------------------------------------------------------------------+
    |  MANAGER(state=ONLINE)                                                          |
    |  REPLICATOR(role=slave, master=db1, state=ONLINE)                               |
    |  DATASERVER(state=ONLINE)                                                       |
    |  CONNECTIONS(created=0, active=0)                                               |
    +---------------------------------------------------------------------------------+
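The two Important notes on the tungsten.ini step describe the mistakes that survive until the restart (security left disabled, a missing password or path, or a keystore alias that does not match java-mysql-alias). As an added pre-flight check, not part of Continuent's tooling, the script below validates the [defaults] section against those requirements; the keystore alias list is a constructed input standing in for what keytool -list would report, so it runs without a JVM.

```python
"""Check a tungsten.ini [defaults] section against the CA-signed-certificate
procedure. Added example, not Continuent's own tooling; keystore_aliases is
passed in (constructed) in place of running `keytool -list`."""
import configparser

# Values this procedure requires on an existing secure installation.
REQUIRED_VALUES = {
    "disable-security-controls": "false",
    "rmi-ssl": "true",
    "rmi-authentication": "true",
}
# Keys that must be set once the keystore is managed manually.
REQUIRED_KEYS = (
    "java-keystore-path", "java-keystore-password",
    "java-truststore-path", "java-truststore-password",
    "java-passwordstore-path", "rmi-user",
)


def check_security_config(ini_text, keystore_aliases):
    """Return a list of problems; an empty list means the section is consistent."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(ini_text)
    if "defaults" not in cp:
        return ["missing [defaults] section"]
    d = cp["defaults"]
    problems = []
    for key, want in REQUIRED_VALUES.items():
        if (d.get(key) or "").strip().lower() != want:
            problems.append(f"{key} must be {want}")
    for key in REQUIRED_KEYS:
        if not (d.get(key) or "").strip():
            problems.append(f"{key} is not set")
    # tpm adds nothing to a custom keystore: the entry it expects under the
    # MySQL alias (default 'mysql', overridden by java-mysql-alias) must already
    # exist, i.e. match the -name given to openssl pkcs12. keytool lowercases aliases.
    alias = ((d.get("java-mysql-alias") or "").strip() or "mysql").lower()
    if alias not in {a.strip().lower() for a in keystore_aliases}:
        problems.append(f"keystore has no entry for alias '{alias}'; set "
                        "java-mysql-alias to the alias used with 'openssl pkcs12 -name'")
    return problems


# Constructed sample: the [defaults] block from this procedure.
SAMPLE_INI = """[defaults]
disable-security-controls=false
java-keystore-path=/etc/tungsten/secure/tungsten_keystore.jks
java-keystore-password=tungsten
java-truststore-path=/etc/tungsten/secure/tungsten_truststore.ts
java-truststore-password=tungsten
rmi-ssl=true
rmi-authentication=true
rmi-user=tungsten
java-passwordstore-path=/etc/tungsten/secure/passwords.store
"""
```

On a real node, feed it the file contents and the alias column of keytool -list -keystore /etc/tungsten/secure/tungsten_keystore.jks run with the store password.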