Encrypting Veritas Volume Replicator (VVR) communication using SSL/TLS


Description

Encrypting Veritas Volume Replicator (VVR) communication using SSL/TLS

 

Creating Signed certificates using the Primary host as the Certificate Authority (CA)

 

Certificate Authority (CA)

  1. Prepare a directory structure.

[root@primary ~]#mkdir -p Certificates/{certs,keys,csr,cnf}

[root@primary ~]#cd Certificates/

 

  2. Create the CA private key

[root@primary Certificates]#openssl genrsa -aes256 -out keys/ca.key 4096

Generating RSA private key, 4096 bit long modulus (2 primes)

..............++++

...........................................++++

e is 65537 (0x010001)

Enter pass phrase for keys/ca.key:

Verifying - Enter pass phrase for keys/ca.key:

 

  3. Create the self-signed CA certificate

[root@primary Certificates]#openssl req -x509 -new -nodes -key keys/ca.key -sha256 -days 3650 -out certs/ca.crt -subj '/CN=CA Cert/C=US/ST=Mass/L=Boston/O=support'

Enter pass phrase for keys/ca.key:

 

Primary Client Certificate:

 

  1. Create the client private key

[root@primary Certificates]#openssl genrsa -out keys/primary.key 2048

Generating RSA private key, 2048 bit long modulus (2 primes)

...............................................................+++++

......................................+++++

e is 65537 (0x010001)

 

  2. Generate a Certificate Signing Request (CSR)

[root@primary Certificates]#openssl req -new -sha256 -key keys/primary.key -subj '/CN=Primary Cert/C=US/ST=Mass/L=Boston/O=support' -out csr/primary.csr

 

  3. Sign the client certificate using the Certificate Authority (CA). The subjectAltName extension carries the node's IP address; the address value itself is omitted in the commands shown here.

[root@primary Certificates]#echo "subjectAltName=IP:" >> cnf/primary.cnf

[root@primary Certificates]#openssl x509 -req -days 3650 -sha256 -in csr/primary.csr -CA certs/ca.crt -CAkey keys/ca.key -out certs/primary.crt -extfile cnf/primary.cnf -set_serial 01

Signature ok

subject=CN = Primary Cert, C = US, ST = Mass, L = Boston, O = support

Getting CA Private Key

Enter pass phrase for keys/ca.key:

 

Secondary Client Certificate:

  1. Create the private client key

[root@secondary Certificates]#openssl genrsa -out keys/secondary.key 2048

Generating RSA private key, 2048 bit long modulus (2 primes)

................+++++

..+++++

e is 65537 (0x010001)

 

  2. Generate a Certificate Signing Request (CSR)

[root@secondary Certificates]#openssl req -new -sha256 -key keys/secondary.key -subj '/CN=Secondary Cert/C=US/ST=Mass/L=Boston/O=support' -out csr/secondary.csr

 

  3. Sign the client certificate using the Certificate Authority (CA)

 

       a) Copy the Certificate Sign Request (CSR) to the Certificate Authority (CA) for signing.

[root@secondary Certificates]#scp csr/secondary.csr primary:/root/Certificates/csr

 

       b) Sign the certificate. Note that this command reuses -set_serial 01 from the primary certificate; serial numbers issued by a single CA must be unique, so use a different serial for each certificate the CA signs.

[root@primary Certificates]#echo "subjectAltName=IP:" >> cnf/secondary.cnf

[root@primary Certificates]#openssl x509 -req -days 3650 -sha256 -in csr/secondary.csr -CA certs/ca.crt -CAkey keys/ca.key -out certs/secondary.crt -extfile cnf/secondary.cnf -set_serial 01

Signature ok

subject=CN = Secondary Cert, C = US, ST = Mass, L = Boston, O = support

Getting CA Private Key

Enter pass phrase for keys/ca.key:

       c) Copy both the signed secondary client certificate and the CA certificate to the secondary node.

[root@primary Certificates]#scp certs/secondary.crt :/root/Certificates/certs

[root@primary Certificates]#scp certs/ca.crt :/root/Certificates/certs

 

Copy the certificates to /etc/vx/vvr using the following naming convention.

    File                      Contents
    /etc/vx/vvr/cacert.pem    CA certificate
    /etc/vx/vvr/cert.pem      Client certificate
    /etc/vx/vvr/key.pem       Client private key

 

Primary Node:

 

  1. Copy Certificate Authority (CA)

[root@primary Certificates]#cp certs/ca.crt /etc/vx/vvr/cacert.pem

 

  2. Copy Client Certificate

[root@primary Certificates]#cp certs/primary.crt /etc/vx/vvr/cert.pem

 

  3. Copy Private Client key

[root@primary Certificates]#cp keys/primary.key /etc/vx/vvr/key.pem

 

Secondary Node:

  1. Copy Certificate Authority (CA)

[root@secondary Certificates]#cp certs/ca.crt /etc/vx/vvr/cacert.pem

 

  2. Copy Client Certificate

[root@secondary Certificates]#cp certs/secondary.crt /etc/vx/vvr/cert.pem

 

  3. Copy Private Client key

[root@secondary Certificates]#cp keys/secondary.key /etc/vx/vvr/key.pem

 

Restart vradmind and verify that SSL is initialized on both nodes

 

  1. Restart vradmind

[root@secondary Certificates]#/usr/sbin/vxstart_vvr stop

[root@secondary Certificates]#/usr/sbin/vxstart_vvr start

 

[root@primary Certificates]#/usr/sbin/vxstart_vvr stop

[root@primary Certificates]#/usr/sbin/vxstart_vvr start

 

  2. Check the messages file to verify that SSL was enabled for VVR

[root@primary Certificates]# grep SSL /var/log/messages

Apr 12 07:29:14 primary vradmind[1197899]: VVR_SSL_SOCK: SSL initialization succeeded.

[root@secondary Certificates]# grep SSL /var/log/messages

Apr 12 07:37:57 secondary vradmind[1106463]: VVR_SSL_SOCK: SSL initialization succeeded.
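As an added example (not part of the Veritas article), the following POSIX shell script builds a scratch CA and one client certificate with the same directory layout and openssl steps as the procedure above, then runs the checks worth doing on a cacert.pem/cert.pem/key.pem triple before restarting vradmind: chain verification against the CA, key-to-certificate match, presence of the IP subjectAltName, and restrictive permissions on the private key file. The IP address 192.0.2.10, the scratch directory and the function names are assumptions; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the Veritas article: builds a throwaway CA and
# one client certificate the way the article does, then runs the checks worth
# doing on a cacert.pem / cert.pem / key.pem triple before restarting vradmind.
# Assumes openssl on PATH; IP 192.0.2.10 and the scratch directory are constructed.
WORK=$(mktemp -d)

# Same certs/keys/csr/cnf layout as the article, with an unencrypted CA key
# so the run needs no passphrase prompt.
make_test_pki() {
  mkdir -p "$WORK/certs" "$WORK/keys" "$WORK/csr" "$WORK/cnf"
  openssl genrsa -out "$WORK/keys/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/keys/ca.key" -sha256 -days 365 \
    -subj '/CN=CA Cert/O=support' -out "$WORK/certs/ca.crt" 2>/dev/null
  openssl genrsa -out "$WORK/keys/node.key" 2048 2>/dev/null
  chmod 600 "$WORK/keys/node.key"
  openssl req -new -sha256 -key "$WORK/keys/node.key" \
    -subj '/CN=Node Cert/O=support' -out "$WORK/csr/node.csr" 2>/dev/null
  echo "subjectAltName=IP:192.0.2.10" > "$WORK/cnf/node.cnf"
  openssl x509 -req -days 365 -sha256 -in "$WORK/csr/node.csr" \
    -CA "$WORK/certs/ca.crt" -CAkey "$WORK/keys/ca.key" -set_serial 01 \
    -extfile "$WORK/cnf/node.cnf" -out "$WORK/certs/node.crt" 2>/dev/null
}

# check_vvr_certs CA CERT KEY IP
# Returns 0 when the certificate chains to the CA, the private key matches
# the certificate, the expected IP SAN is present and the key file is not
# group/world readable; otherwise 1..4 identifies the failing check.
check_vvr_certs() {
  ca=$1; cert=$2; key=$3; want_ip=$4
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 2
  openssl x509 -in "$cert" -noout -text 2>/dev/null \
    | grep -q "IP Address:$want_ip" || return 3
  mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key" 2>/dev/null)
  case $mode in
    600|400) return 0 ;;
    *) return 4 ;;
  esac
}

make_test_pki
check_vvr_certs "$WORK/certs/ca.crt" "$WORK/certs/node.crt" \
  "$WORK/keys/node.key" 192.0.2.10 && echo "cacert/cert/key triple is consistent"
```

Point the function at /etc/vx/vvr/cacert.pem, cert.pem and key.pem on each node to run the same checks against the files the article installs.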

 
