The procedures in this section are designed for the Multi-Site/Active-Active topology ONLY. Do NOT use these procedures for Composite Active/Active Clustering using v6 onwards.
For Composite Active/Active Clustering in version 6.x onwards, please refer to Section 3.4, “Deploying Composite Active/Active Clusters”.
It is possible to enable secure communications for just the Replicator layer in a Multi-Site/Active-Active topology. This would include both the Cluster Replicators and the Cross-Site Replicators because they cannot be SSL-enabled independently.
Create a certificate and load it into a Java keystore, then load it into a truststore and place all files into the /etc/tungsten/ directory. For detailed instructions, see Chapter 5, Deployment: Security.
Update /etc/tungsten/tungsten.ini to include these additional lines in both the defaults section and the defaults.replicator section:

[defaults]
...
java-keystore-path=/etc/tungsten/keystore.jks
java-keystore-password=secret
java-truststore-path=/etc/tungsten/truststore.ts
java-truststore-password=secret
thl-ssl=true

[defaults.replicator]
...
java-keystore-path=/etc/tungsten/keystore.jks
java-keystore-password=secret
java-truststore-path=/etc/tungsten/truststore.ts
java-truststore-password=secret
thl-ssl=true
Put all clusters into maintenance mode:

shell> cctrl
cctrl> set policy maintenance

On all hosts, update the cluster configuration:

shell> tpm query staging
shell> cd {cluster_staging_directory}
shell> tools/tpm update
shell> trepctl online
shell> trepctl status | grep thl

On all hosts, update the cross-site replicator configuration:

shell> mm_tpm query staging
shell> cd {replicator_staging_directory}
shell> tools/tpm update
shell> mm_trepctl online
shell> mm_trepctl status | grep thl
Please note that all replication will effectively be down until all nodes/services are SSL-enabled and online.
Once all the updates are done and the Replicators are back up and running, use the various commands to check that secure communications have been enabled.
Each datasource will show [SSL] when enabled:

shell> cctrl
cctrl> ls

DATASOURCES:
+----------------------------------------------------------------------------+
|db1(master:ONLINE, progress=208950063, THL latency=0.895)                   |
|STATUS [OK] [2018/04/10 11:47:57 AM UTC][SSL]                               |
+----------------------------------------------------------------------------+
|  MANAGER(state=ONLINE)                                                     |
|  REPLICATOR(role=master, state=ONLINE)                                     |
|  DATASERVER(state=ONLINE)                                                  |
|  CONNECTIONS(created=15307, active=2)                                      |
+----------------------------------------------------------------------------+

+----------------------------------------------------------------------------+
|db2(slave:ONLINE, progress=208950061, latency=0.920)                        |
|STATUS [OK] [2018/04/19 11:18:21 PM UTC][SSL]                               |
+----------------------------------------------------------------------------+
|  MANAGER(state=ONLINE)                                                     |
|  REPLICATOR(role=slave, master=db1, state=ONLINE)                          |
|  DATASERVER(state=ONLINE)                                                  |
|  CONNECTIONS(created=0, active=0)                                          |
+----------------------------------------------------------------------------+

+----------------------------------------------------------------------------+
|db3(slave:ONLINE, progress=208950063, latency=0.939)                        |
|STATUS [OK] [2018/04/25 12:17:20 PM UTC][SSL]                               |
+----------------------------------------------------------------------------+
|  MANAGER(state=ONLINE)                                                     |
|  REPLICATOR(role=slave, master=db1, state=ONLINE)                          |
|  DATASERVER(state=ONLINE)                                                  |
|  CONNECTIONS(created=0, active=0)                                          |
+----------------------------------------------------------------------------+
Both the local cluster replicator status command, trepctl status, and the cross-site replicator status command, mm_trepctl status, will show thls instead of thl in the values for masterConnectUri, masterListenUri and pipelineSource:
shell> trepctl status | grep thl
masterConnectUri : thls://db1:2112/
masterListenUri : thls://db5:2112/
pipelineSource : thls://db1:2112/
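As an added check, not part of the Tungsten documentation: a POSIX shell script that reads the output of trepctl status (or mm_trepctl status) and fails if any of the three THL URIs still uses plain thl://, plus a file-mode check for the keystore and truststore, whose passwords sit in clear text in tungsten.ini. The sample status lines are constructed to match the output shown above; the function names are the script's own.

```shell
#!/bin/sh
# Added verification script (not from the Tungsten docs). Feed it the output of
# `trepctl status` or `mm_trepctl status` on each node; it fails when any THL
# URI is still plain thl://, so a node that missed the tpm update is caught.

# Return 0 if every masterConnectUri / masterListenUri / pipelineSource line
# uses thls://, 1 if any still uses thl://, 2 if none of the three keys appeared.
check_thl_status() {
    _found=0; _plain=0
    while IFS= read -r line; do
        case "$line" in
            masterConnectUri*|masterListenUri*|pipelineSource*)
                _found=$((_found + 1))
                case "$line" in
                    *thls://*) ;;
                    *) _plain=$((_plain + 1)); echo "plain THL: $line" >&2 ;;
                esac ;;
        esac
    done
    [ "$_found" -gt 0 ] || return 2
    [ "$_plain" -eq 0 ]
}

# Return 0 if each keystore/truststore given exists and is readable by its owner
# only; tungsten.ini holds their passwords in clear text, so the file mode is
# what actually protects the private key. Otherwise return 1.
check_key_files() {
    for f in "$@"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
        case "$(ls -l "$f" | cut -c5-10)" in
            ------) ;;
            *) echo "group/world readable: $f" >&2; return 1 ;;
        esac
    done
    return 0
}

# Constructed sample status output, modelled on the lines shown above.
SECURE_SAMPLE='masterConnectUri : thls://db1:2112/
masterListenUri : thls://db5:2112/
pipelineSource : thls://db1:2112/'
MIXED_SAMPLE='masterConnectUri : thl://db1:2112/
masterListenUri : thls://db5:2112/
pipelineSource : thl://db1:2112/'

# Run the check on an inline string (on a node: trepctl status | check_thl_status).
check_sample() { printf '%s\n' "$1" | check_thl_status; }
for s in "$SECURE_SAMPLE" "$MIXED_SAMPLE"; do
    if check_sample "$s"; then echo "OK: all THL URIs use thls://"; else echo "FAIL"; fi
done
```

Run it against every node's replicator status, and against /etc/tungsten/keystore.jks and /etc/tungsten/truststore.ts, before taking the clusters out of maintenance mode.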