Step 1: Securing a 3-node cluster
Note: The user running these steps should be the same user that created the Grainite cluster .
Note: This step can be skipped if you directly created a secure cluster.
Run the following command to enable encryption for your cluster, from where the cluster VPC is accessible:
GCP AWS Azure
Copy ./grainite/scripts/bin/gcp-grainite cluster-secure -h
cluster-secure: Secures the current unsecure grainite cluster with TLS certs, disk encryption if enabled
Usage:
cluster-secure CLUSTER_NAME [flags]
Envs:
GXS_CERTS_KEYS_DIR:
Default GXS_CERTS_KEYS_DIR= ${HOME} /.gxscerts/
For secure setup of grainite cluster and enabling disk encryption you need to export this env.
The server CA CERTS, client certs and encryption KEYS will be generated under
${GXS_CERTS_KEYS_DIR} /<cluster-name>/ {server/, client/, keys/}
Flags:
-e: enable disk encryption also, default only TLS setup
-R: region
Copy ./grainite/scripts/bin/aws-grainite cluster-secure -h
cluster-secure: Secures the current unsecure grainite cluster with TLS certs, disk encryption if enabled
Usage:
cluster-secure CLUSTER_NAME [flags]
Envs:
GXS_CERTS_KEYS_DIR:
Default GXS_CERTS_KEYS_DIR= ${HOME} /.gxscerts/
For secure setup of grainite cluster and enabling disk encryption you need to export this env.
The server CA CERTS, client certs and encryption KEYS will be generated under
${GXS_CERTS_KEYS_DIR} /<cluster-name>/ {server/, client/, keys/}
Flags:
-e: enable disk encryption also, default only TLS setup
-R: region
Copy ./grainite/scripts/bin/azure-grainite cluster-secure -h
cluster-secure: Secures the current unsecure grainite cluster with TLS certs, disk encryption if enabled
Usage:
cluster-secure CLUSTER_NAME [flags]
Envs:
GXS_CERTS_KEYS_DIR:
Default GXS_CERTS_KEYS_DIR= ${HOME} /.gxscerts/
For secure setup of grainite cluster and enabling disk encryption you need to export this env.
The server CA CERTS, client certs and encryption KEYS will be generated under
${GXS_CERTS_KEYS_DIR} /<cluster-name>/ {server/, client/, keys/}
Flags:
-e: enable disk encryption also, default only TLS setup
-R: region
<region>
is the cluster's region
cluster-secure
generates a unique CA (self-signed certificate and private key) for the provided cluster into the provided directory. In the next step, the CA private key will be used to issue certificates to allow clients to connect to this cluster.
Step 2: Generate client certificates and private keys
The following command can be run to generate client certificates.
GCP AWS Azure
Copy ./grainite/scripts/bin/gcp-grainite gen-client-cert -h
gen-client-cert: Generates client cert to connect to secured grainite
cluster returned by 'cluster-current'
Usage:
gen-client-cert CERT-USER-NAME
Envs:
GXS_CERTS_KEYS_DIR:
Default GXS_CERTS_KEYS_DIR= ${HOME} /.gxscerts/
For secure setup of grainite cluster and enabling disk encryption
you need to export this env. The CA CERTS, client certs and
encryption KEYS will be generated under
${GXS_CERTS_KEYS_DIR} /<cluster-name>/ {server/, client/, keys/}
The client certs will be generated for the user and signed by
the CA certs. Zip file will be available under
${GXS_CERTS_KEYS_DIR} /<cluster-name>/client/
Additionally PCKS12 cert will also be generated with the provided
password for using with GX command
Copy ./grainite/scripts/bin/aws-grainite gen-client-cert -h
gen-client-cert: Generates client cert to connect to secured grainite
cluster returned by 'cluster-current'
Usage:
gen-client-cert CERT-USER-NAME PKCS12-CERT-PASSWORD
PKCS12-CERT-PASSWORD
PKCS12 cert password, will be prompted for password if not
specified, min 8 chars
Envs:
GXS_CERTS_KEYS_DIR:
Default GXS_CERTS_KEYS_DIR= ${HOME} /.gxscerts/
For secure setup of grainite cluster and enabling disk encryption
you need to export this env. The CA CERTS, client certs and
encryption KEYS will be generated under
${GXS_CERTS_KEYS_DIR} /<cluster-name>/ {server/, client/, keys/}
The client certs will be generated for the user and signed by
the CA certs. Zip file will be available under
${GXS_CERTS_KEYS_DIR} /<cluster-name>/client/
Additionally PCKS12 cert will also be generated with the provided
password for using with GX command
Copy ./grainite/scripts/bin/azure-grainite gen-client-cert -h
gen-client-cert: Generates client cert to connect to secured grainite
cluster returned by 'cluster-current'
Usage:
gen-client-cert CERT-USER-NAME PKCS12-CERT-PASSWORD
PKCS12-CERT-PASSWORD
PKCS12 cert password, will be prompted for password if not
specified, min 8 chars
Envs:
GXS_CERTS_KEYS_DIR:
Default GXS_CERTS_KEYS_DIR= ${HOME} /.gxscerts/
For secure setup of grainite cluster and enabling disk encryption
you need to export this env. The CA CERTS, client certs and
encryption KEYS will be generated under
${GXS_CERTS_KEYS_DIR} /<cluster-name>/ {server/, client/, keys/}
The client certs will be generated for the user and signed by
the CA certs. Zip file will be available under
${GXS_CERTS_KEYS_DIR} /<cluster-name>/client/
Additionally PCKS12 cert will also be generated with the provided
password for using with GX command
Where:
CERT-USER-NAME
is the name of the user for whom to generate the certificate.
PKCS12-CERT-PASSWORD
is the password to use for the certificate.
NOTE: This argument will be removed in a future release.
Example
GCP AWS Azure
Copy ./grainite/scripts/bin/gcp-grainite gen-client-cert tom password
Copy ./grainite/scripts/bin/aws-grainite gen-client-cert tom password
Copy ./grainite/scripts/bin/azure-grainite gen-client-cert tom password
The client certs, key, and a file with the server ip will be created under ${GXS_CERTS_KEYS_DIR}/<cluster-name>/client/<CERT-USER-NAME>
. Distribute these files to the user.
Step 3: Configure TLS support for gx
Next, the user must run the following commands to set the paths for the certificates in their $HOME.gx
:
Copy gx config ca_cert_path /path/to/ca/grainite_ca.crt
Copy gx config client_cert_path /path/to/cert/grainite_client. < CERT-USER-NAM E > .crt
Copy gx config client_key_path /path/to/key/grainite_client.<CERT-USER-NAME>.key
To prevent having to specify the IP address of your cluster each time you use gx
commands, you can run the following to set the ip:
gx config host $(cat /path/to/server_ip)
Step 4: Use the secure Java client API
Once all the certificates and keys have been generated, the next step is to pass them to the java API in order to access the cluster securely Ensure that settings.xml exists under .m2 directory with the credentials for the private token before running maven.
You can get the server ip by running the command on AWS: kubectl get svc gslb -ojsonpath={'.status.loadBalancer.ingress[0].hostname'}
For GCP, the command is kubectl get svc gslb
Java Kotlin
Copy Grainite grainite = GrainiteClient . getClient ( < server ip > , 5056 , < ca cert > , < client cert > , < client key > , < env > );
Copy val grainite = GrainiteClient. getClient ( "localhost" , 5056 , < ca cert > , < client cert > , < client key > , < env > )
Where:
<server ip>
is the IP address of the cluster.
<ca cert>
is the path to the CA certificate generated in step 1 .
<client cert>
is the path the client certificate generated in step 2 .
<client key>
is the path to the client key generated in step 2 .
<env>
is the name of the environment for the application.
Last updated 8 months ago