Security can be enabled either during initial installation or via an update.
For many reasons, it is much easier to enable SSL at install time. Both procedures follow below.
Enabling During Install
First, configure the tungsten.ini file as follows:
disable-security-controls=false
start-and-report=false
Next, do the fresh install on each node, which will generate new, different certificates on every node.
shell> tools/tpm install
You must then select one of the nodes and copy that node's certificate files to all other nodes.
For example, to seed a 6-node composite cluster, log in to db1 and copy both the main and backup files to the other five nodes:
shell> for i in `seq 2 6`; do scp /opt/continuent/share/[jpt]* db$i:/opt/continuent/share/; done
shell> for i in `seq 2 6`; do scp /opt/continuent/share/.[jpt]* db$i:/opt/continuent/share/; done
On all nodes:
shell> startall
Enabling Post-Installation
Security can be enabled after install time by updating the tungsten.ini file, followed by a special invocation of the tpm update command on all nodes.
First, configure the tungsten.ini file as follows:
disable-security-controls=false
start-and-report=false
Enable Maintenance mode on the cluster:
shell> cctrl -multi
cctrl> use world
cctrl> set policy maintenance
Do the update on each node, which will generate new, different certificates on every node.
This update procedure forces all running Tungsten processes to stop. Connectors MUST be updated at the same time, or they will no longer be able to communicate with the Managers.
shell> stopall
shell> tpm query staging
shell> cd {staging_directory}
shell> tools/tpm update --replace-jgroups-certificate --replace-tls-certificate --replace-release
As with a fresh install, you must then select one of the nodes and copy that node's certificate files to all other nodes.
For example, to seed a 6-node composite cluster, log in to db1 and copy both the main and backup files to the other five nodes:
shell> for i in `seq 2 6`; do scp /opt/continuent/share/[jpt]* db$i:/opt/continuent/share/; done
shell> for i in `seq 2 6`; do scp /opt/continuent/share/.[jpt]* db$i:/opt/continuent/share/; done
On all nodes:
shell> startall
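One way to check the copy step in either procedure before running startall, as an added example that is not part of the Tungsten tooling: the script hashes the main and backup files matched by the same globs on every node and flags any node that differs from the seed. The script name, the function names and the rule that an argument containing "/" is treated as a local directory are assumptions of this example.

```shell
#!/bin/sh
# Added example: confirm all nodes hold identical copies of the seeded files.
# SHARE and the two globs are taken from the scp loops on this page.
SHARE=${SHARE:-/opt/continuent/share}

# Script that hashes the main ([jpt]*) and backup (.[jpt]*) files in dir $1.
# LC_ALL=C keeps the ordering identical across nodes with different locales.
MANIFEST_SH='cd "$1" || exit 1
for f in [jpt]* .[jpt]*; do
    if [ -f "$f" ]; then sha256sum "$f"; fi
done | LC_ALL=C sort -k2'

# Manifest of a local directory.
share_manifest() { sh -c "$MANIFEST_SH" sh "$1"; }

# Manifest of a node. Assumption: an argument containing "/" is a local
# directory (dry runs); anything else is a host reachable over ssh.
node_manifest() {
    case "$1" in
        */*) share_manifest "$1" ;;
        *)   printf '%s\n' "$MANIFEST_SH" | ssh "$1" sh -s "$SHARE" ;;
    esac
}

# verify_nodes SEED NODE...: one line per node; returns 1 on any mismatch.
verify_nodes() {
    seed=$(node_manifest "$1")
    shift
    if [ -z "$seed" ]; then
        echo "seed manifest is empty" >&2
        return 1
    fi
    rc=0
    for n in "$@"; do
        if [ "$(node_manifest "$n")" = "$seed" ]; then
            echo "OK       $n"
        else
            echo "MISMATCH $n"
            rc=1
        fi
    done
    return "$rc"
}

# Example: sh verify_share.sh db1 db2 db3 db4 db5 db6
if [ "$#" -gt 0 ]; then verify_nodes "$@"; fi
```

Only SHA-256 digests leave each node, so the key material itself is never printed or transferred by the check.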