SSL Certificates
Describes how certificates are used to perform authentication and encryption for websites that use the HTTPS protocol.
A TLS certificate (Transport Layer Security; the protocol was formerly called SSL, Secure Sockets Layer) is used to authenticate a website that uses the HTTPS protocol and to establish the encrypted connection to it. A certificate contains information about an entity (the subject) together with that entity's public key. The public key corresponds to a private key that is NOT part of the certificate; the entity keeps the private key secret and uses it when it communicates with another entity.
HPE Ezmeral Data Fabric stores the private key and certificate in a key store file called ssl_keystore. A certificate is also digitally signed so that it cannot be altered without the alteration being detected. The certificate of the entity that signs it is known as the signing certificate.
In order for an HTTPS connection to be established, the following criteria must be met:
- The server must have a key file that contains a certificate and the matching private key
- The client must provide a trust file (trust store) that contains the signing certificate of the signer that signed the server's certificate
- The server certificate must be valid and not expired
- The client must determine that the SubjectDN in the certificate is acceptable, that is, that it covers the host name the client intended to connect to
The process of enabling security generates the common ssl_keystore and ssl_truststore files on the first CLDB server; these files are used by all clients and servers.
- The ssl_keystore contains a single self-signed certificate with a wildcard SubjectDN. For example, if the hostname of the CLDB is a.b.com, the SubjectDN would be CN=*.b.com.
- The ssl_truststore contains the signer for the certificate in the ssl_keystore.
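The client-side checks listed above (validity period and an acceptable SubjectDN) are easy to get wrong for a wildcard name, so the following added example, which is not Data Fabric code, works through them on a constructed certificate in the dict form that Python's ssl.SSLSocket.getpeercert() returns. The certificate (CN=*.b.com, self-signed, dates assumed), the hostnames and the "current time" values are all assumptions made for the illustration; wildcard_matches follows the usual RFC 6125 rule that the * must be the whole leftmost label and covers exactly one label.

```python
"""Client-side acceptance checks for a wildcard TLS certificate.

Operates on the dict shape that ssl.SSLSocket.getpeercert() returns, so the
same functions can be pointed at a live HTTPS connection. Added example, not
Data Fabric code; the certificate below is a constructed stand-in for the
self-signed CN=*.b.com certificate described in the text.
"""
import ssl
import time

# Constructed sample in getpeercert() form: self-signed wildcard certificate
# generated for a CLDB whose hostname is a.b.com. Issuer equals subject
# because it is self-signed. The dates are assumptions.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.b.com"),),),
    "issuer": ((("commonName", "*.b.com"),),),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2034 GMT",
}

# Assumed "current time" values used for the worked checks below.
INSIDE_VALIDITY = ssl.cert_time_to_seconds("Jun 15 12:00:00 2029 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("Jun 15 12:00:00 2035 GMT")


def subject_cn(cert):
    """Return the CommonName from the certificate's SubjectDN, or None."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def wildcard_matches(pattern, hostname):
    """RFC 6125 style match: '*' is allowed only as the entire leftmost label
    and covers exactly one label, so *.b.com covers a.b.com but neither
    b.com nor x.y.b.com. Comparison is case-insensitive."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole first label and appear nowhere else,
    # and the pattern must not be so broad that it covers *.com.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    return (
        len(h_labels) == len(p_labels)
        and h_labels[0] != ""
        and h_labels[1:] == p_labels[1:]
    )


def is_within_validity(cert, now=None):
    """True if now (epoch seconds; default wall clock) lies in [notBefore, notAfter]."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


def accept_cert(cert, hostname, now=None):
    """Apply the validity and SubjectDN checks from the list in the text.
    Returns (ok, reason). Signature verification against the trust store is
    deliberately left to the TLS stack; see client_context()."""
    if not is_within_validity(cert, now):
        return False, "certificate is outside its validity period"
    cn = subject_cn(cert)
    if cn is None:
        return False, "certificate has no CommonName in its SubjectDN"
    if not wildcard_matches(cn, hostname):
        return False, f"SubjectDN CN={cn} does not cover host {hostname}"
    return True, "ok"


def client_context(signer_pem_path):
    """SSLContext that makes OpenSSL enforce the signer, validity and hostname
    checks on a real connection. signer_pem_path is assumed to be a PEM export
    of the signer held in ssl_truststore; the Python ssl module cannot read a
    Java key store file directly."""
    ctx = ssl.create_default_context(cafile=signer_pem_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    for host in ("a.b.com", "A.B.COM", "b.com", "x.y.b.com"):
        print(host, accept_cert(SAMPLE_CERT, host, now=INSIDE_VALIDITY))
    print("expired:", accept_cert(SAMPLE_CERT, "a.b.com", now=AFTER_EXPIRY))
```

Running the block shows that CN=*.b.com covers a.b.com (in any letter case) but rejects both b.com and x.y.b.com, and that the same certificate is refused once the clock passes notAfter. The match here is made on the CommonName because that is what the text describes the generated certificate as carrying; current browsers match only the subjectAltName extension and ignore the CN, so check what the certificate in ssl_keystore actually contains before relying on browser access to the cluster.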
The REST API calls in a Data Fabric cluster communicate over the HTTPS protocol on port 8443. These calls are secured with SSL certificates that identify a node to the cluster.