2.6. Deployment Security

Tungsten Cluster supports SSL, TLS and certificates for both communication and authentication for all components within the system. This security is disabled by default and includes:

  • Authentication between command-line tools (cctrl), and between background services.

  • SSL/TLS between command-line tools and background services.

  • SSL/TLS between Tungsten Replicator and datasources.

  • SSL/TLS between Tungsten Connector and datasources.

  • File permissions and access by all components.

If you are using a single staging directory to handle your complete installation, tpm will automatically create the necessary certificates for you. If you fit in the below categories, you will need to use manually generated certificates.

  • Installing heterogeneous replication using independent configurations

  • Composite Active/Active Clusters using v5 or earlier of Tungsten Cluster, Cluster-Extractor replication or anything using multiple Continuent packages

  • Installing from multiple Staging Directories


Due to a known issue in earlier Java revisions that may cause performance degradation with client connections, it is strongly advised that you ensure your Java version is one of the following MINIMUM releases before enabling SSL:

  • Oracle JRE 8 Build 261
  • Oracle JRE 11 Build 8
  • OpenJDK 8 Build 222


Installing from a staging host will automatically generate certificates and configuration for a secured installation. No further changes or actions are required.

For INI-based installations, there are additional steps required to copy the needed certificate files to all of the nodes.