Continuent Documentation

Manual Home
Tungsten Replicator 7.1 Manual
Page in Other Manuals
Tungsten Clustering (for MySQL) 7.1 Manual
Breadcrumbs
> Tungsten Replicator 7.1 Manual

       > 6. Deployment: Security

       > 6.1. Enabling Security
Chapters
Preface
1. Introduction
2. Deployment Overview
3. Deploying MySQL Extractors
4. Deploying Appliers
5. Deployment: Advanced
6. Deployment: Security
7. Operations Guide
8. Command-line Tools
9. The tpm Deployment Command
10. Tungsten REST API (APIv2)
11. Replication Filters
12. Performance and Tuning
A. Release Notes
B. Prerequisites
C. Troubleshooting
D. Files, Directories, and Environment
E. Terminology Reference
F. Internals
G. Frequently Asked Questions (FAQ)
H. Ecosystem Support
I. Configuration Property Reference
Navigate Up
6.1. Enabling Security
Parent Sections
6.1.1. Enabling Security using the Staging Method
6.1.2. Enabling Security using the INI Method
6.1.2. Enabling Security using the INI Method
Prev  ^Up6.1. Enabling Security Next

6.1.2. Enabling Security using the INI Method

Security will be enabled during initial install by default, should you choose to disable at install, then these steps will guide you in the process to enable as part of a post-install update

Enabled During Install

As mentioned, security is enabled by default. This is controlled by the disable-security-controls property. If not supplied, the default is false. You can choose to specify this in your configuration for transparency if you wish. 

disable-security-controls=false

The above configuration (and the default) will assume that your database has been configured with SSL enabled. The installation will error and fail if this is not the case. You must manually ensure database SSL has been enabled prior to issuing the install. Steps to enable this can be found in Section 6.10.1, “Enabling Database SSL”

If you DO NOT want to enable database level SSL, then you must also include the following options in your tungsten.ini file: 

datasource-enable-ssl=false

Following installation there are a few additional steps that will be required before starting the software.

  • You must select one of the nodes and copy that node's certificate/keystore/truststore files to all other nodes.

    Available as of Version 7.1.0, the tpm copy command can perform the file transfers for you. For example, run it from node db1 to copy to all the rest of the nodes in the cluster: 

    shell> tpm copy
About to copy all needed files for:
>>> Security directory: /opt/continuent/share
Please confirm that all nodes are done installing, and that none of the Tungsten processes have been started yet.
Ready to proceed (y/N)? y

    For example, assuming you choose db1, and have 5 other nodes to copy the files to you could use this syntax: 

    shell> for host in db2 db3 db4 db5 db6; do 
scp /opt/continuent/share/[jpt]* ${host}:/opt/continuent/share/
scp /opt/continuent/share/.[jpt]* ${host}:/opt/continuent/share/
done

    Important

    The above example assumes ssh has been setup between nodes as the tungsten OS user. If this is not the case you will need to use whichever methods you have available to sync these files.

  • Then, on all nodes, you can start the software: 

    shell> source /opt/continuent/share/env.sh
shell> startall

Enabling Post-Installation

If, at install time, you disabled security (by specifying disable-security-controls=true you can enable it by changing the value to false in your tungsten.ini on all nodes.

The above configuration (and the default) will assume that your database has been configured with SSL enabled. The update will error and fail if this is not the case. You must manually ensure database SSL has been enabled prior to issuing the update. Steps to enable this can be found in Section 6.10.1, “Enabling Database SSL”

If you DO NOT want to enable database level SSL, then you must also include the following options in your tungsten.ini file: 

datasource-enable-ssl=false

Before issuing the update, there are a number of additional steps required. These are outlined below:

  • First, configure the tungsten.ini file as follows: 

    disable-security-controls=false
start-and-report=false

  • Do the update on each node, which will generate new, different certificates on every node.

    Warning

    This update procedure will force replicators to be restarted. 

    shell> stopall
shell> tpm query staging
shell> cd {staging_directory}
shell> tools/tpm update --replace-jgroups-certificate --replace-tls-certificate --replace-release

  • As with a fresh install, you must then select one of the nodes and copy that node's certificate files to all other nodes:

    Available as of Version 7.1.0, the tpm copy command can perform the file transfers for you. For example, run it from node db1 to copy to all the rest of the nodes: 

    shell> tpm copy
About to copy all needed files for:
>>> Security directory: /opt/continuent/share
Please confirm that all nodes are done installing, and that none of the Tungsten processes have been started yet.
Ready to proceed (y/N)? y

    For example, assuming you choose db1, and have 5 other nodes to copy the files to you could use this syntax: 

    shell> for host in db2 db3 db4 db5 db6; do 
scp /opt/continuent/share/[jpt]* ${host}:/opt/continuent/share/
scp /opt/continuent/share/.[jpt]* ${host}:/opt/continuent/share/
done

    Important

    The above example assumes ssh has been setup between nodes as the tungsten OS user. If this is not the case you will need to use whichever methods you have available to sync these files.

  • On all nodes: 

    shell> startall

Prev Up Next
6.1.1. Enabling Security using the Staging Method  ^Level 6.2. Disabling Security
Copyright © 2016-2023 Continuent, Ltd.(800) 270-9035Terms of UsePrivacy & CookiesLegal NoticeExhibits