6.1.2. Enabling Security using the INI Method

Security can be enabled either during initial installation or via an update.

For many reasons, it is much easier to enable SSL at install time. Both procedures follow below.

Enabling During Install

  • First, configure the tungsten.ini file as follows:

    
    disable-security-controls=false
    start-and-report=false
      
  • Next, do the fresh install on each node, which will generate new, different certificates on every node.

    shell> tools/tpm install
  • You must then select one of the nodes and copy that node's certificate files to all other nodes.

    For example, to seed a 6-node composite cluster, login to db1 and copy both the main and backup files to the other five nodes:

    shell> for i in `seq 2 6`; do scp /opt/continuent/share/[jpt]* db$i:/opt/continuent/share/; done
    shell> for i in `seq 2 6`; do scp /opt/continuent/share/.[jpt]* db$i:/opt/continuent/share/; done
  • On all nodes:

    shell> startall

Enabling Post-Installation

Security can be enabled after install time by updating the tungsten.ini file, followed by a special invocation of the tpm update command on all nodes.

  • First, configure the tungsten.ini file as follows:

    
    disable-security-controls=false
    start-and-report=false
      
  • Do the update on each node, which will generate new, different certificates on every node.

    Warning

    This update procedure will force replicators to be restarted.

    shell> stopall
    shell> tpm query staging
    shell> cd {staging_directory}
    shell> tools/tpm update --replace-jgroups-certificate --replace-tls-certificate --replace-release
  • As with a fresh install, you must then select one of the nodes and copy that node's certificate files to all other nodes:

    For example, to seed a 6-node composite cluster, login to db1 and copy both the main and backup files to the other five nodes:

    shell> for i in `seq 2 6`; do scp /opt/continuent/share/[jpt]* db$i:/opt/continuent/share/; done
    shell> for i in `seq 2 6`; do scp /opt/continuent/share/.[jpt]* db$i:/opt/continuent/share/; done
  • On all nodes:

    shell> startall