2.7. Deploying SSL Secured Replication and Administration


This procedure is for Continuent Tungsten Version 4.x and below ONLY!

For the correct procedures for Continuent Tungsten Version 5.0 and above, please see Deployment Security (in [Tungsten Clustering for MySQL 5.0 Manual]).

Continuent Tungsten supports encrypted communication between replication hosts. SSL can be employed at two different levels within the configuration: encryption of the THL communication channel used to transfer database events, and encryption (and implied authentication) of the JMX remote method invocation (RMI) used to administer services remotely within Continuent Tungsten.

To use SSL you must be using a Java Runtime Environment or Java Development Kit 1.5 or later. SSL is implemented through the javax.net.ssl.SSLServerSocketFactory socket interface class.

You will also need an SSL certificate. These can either be self-generated or obtained from an official signing authority. The certificates themselves must be stored within a Java keystore and truststore. To create your certificates and add them to the keystore or truststore, see Section 2.7.1, “Creating the Truststore and Keystore”. Instructions are provided for self-generated, self-signed, and officially signed versions of the necessary certificates.

For JMX RMI authentication, a password file and authentication definition must also be generated. This information is required by the JMX system to support the authentication and encryption process. See Section 2.7.2, “SSL and Administration Authentication” for more information.

Once the necessary files are available, use tpm to install the SSL configuration, or to update an existing installation with it. See Section 2.7.3, “Configuring the Secure Service through tpm”.


Although not strictly required for installation, it may be useful to have the OpenSSL package installed. It contains a number of tools and utilities for working with certificate authorities and SSL certificates in general.