MC2 Redis TLS Configuration
Starting with the April 2021 release, MC2 supports connecting to Redis over TLS. This is not enabled by default and requires additional configuration.
This document describes a sample procedure for configuring Redis and MC2 to communicate over TLS.
The following steps should be performed:
...
openssl pkcs12 -export -in redis-cli-keycert.pem -out redis-cli-keystore.pkcs12 -name redis -noiter -nomaciter
Enter a password for the keystore at the prompt. Note this password; we will refer to it as keystore_password. The -noiter and -nomaciter options produce a legacy PKCS#12 file without iterated key derivation or MAC iteration (kept for compatibility with older keytool versions), so the password protects the file less strongly than the default format; restrict the file's permissions to the account that runs MC2.
...
keytool -import -keystore redis-cli-truststore.ks -file redis-server-cert.pem
Enter a password for the truststore at the prompt. Save this password; we will refer to it as truststore_password.
NOTE: The steps above create certificates with a validity of 1 year (365 days). After 1 year the self-signed server and client certificates will have expired and must be regenerated by repeating the above steps (and the keystore and truststore rebuilt from the new certificates).
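The certificate, keystore and truststore steps above, collected into one non-interactive script as an added example (this is not part of the MC2 documentation or the product's own tooling). It assumes hypothetical subject names (redis-server, redis-client), passwords passed in via environment variables instead of prompts, a scratch working directory, and a keytool from a JDK on the PATH (the truststore step is skipped with a message if none is found). It also adds the two checks a practitioner wants for the NOTE above: that the keystore's MAC verifies with the chosen password, and how far from expiry the 365-day certificates are, so the renewal can be scheduled before Redis starts rejecting connections.

```shell
#!/bin/sh
# Added example, not the MC2 project's own script. Builds the self-signed Redis
# server and client certificates (365 days), the PKCS#12 client keystore and the
# keytool truststore described on the page, then verifies them.
# WORKDIR, the CN values and the default passwords below are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
DAYS=365
KEYSTORE_PASSWORD="${KEYSTORE_PASSWORD:-keystore_password}"
TRUSTSTORE_PASSWORD="${TRUSTSTORE_PASSWORD:-truststore_password}"

# gen_self_signed NAME CN: writes $WORKDIR/NAME-key.pem and NAME-cert.pem,
# a self-signed certificate valid for $DAYS days.
gen_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" \
    -keyout "$WORKDIR/$1-key.pem" -out "$WORKDIR/$1-cert.pem" \
    -subj "/CN=$2" >/dev/null 2>&1
}

# make_client_keystore: concatenates the client key and certificate into
# redis-cli-keycert.pem and exports it with the same openssl pkcs12 options
# the page uses (-noiter -nomaciter give the legacy, weaker format), so the
# resulting file is kept readable by the owner only.
make_client_keystore() {
  cat "$WORKDIR/redis-cli-key.pem" "$WORKDIR/redis-cli-cert.pem" \
    > "$WORKDIR/redis-cli-keycert.pem"
  openssl pkcs12 -export -in "$WORKDIR/redis-cli-keycert.pem" \
    -out "$WORKDIR/redis-cli-keystore.pkcs12" -name redis -noiter -nomaciter \
    -passout "pass:$KEYSTORE_PASSWORD"
  chmod 600 "$WORKDIR/redis-cli-keystore.pkcs12" "$WORKDIR/redis-cli-keycert.pem"
}

# verify_keystore PASSWORD: returns 0 only if the PKCS#12 MAC verifies with
# PASSWORD, i.e. the keystore_password recorded for MC2 is the right one.
verify_keystore() {
  openssl pkcs12 -in "$WORKDIR/redis-cli-keystore.pkcs12" \
    -passin "pass:$1" -noout >/dev/null 2>&1
}

# make_truststore: the keytool import from the page, made non-interactive.
# Skipped (with a message) when no JDK keytool is on the PATH.
make_truststore() {
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found; skipping truststore creation" >&2
    return 0
  fi
  keytool -import -noprompt -alias redis-server \
    -keystore "$WORKDIR/redis-cli-truststore.ks" \
    -file "$WORKDIR/redis-server-cert.pem" \
    -storepass "$TRUSTSTORE_PASSWORD" >/dev/null 2>&1
}

# cert_valid_for CERT DAYS: returns 0 if CERT does not expire within DAYS days,
# non-zero if it does. Run it from a cron job against the server and client
# certificates to catch the one-year expiry before Redis refuses the handshake.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# build_all: the whole procedure in order.
build_all() {
  gen_self_signed redis-server redis-server
  gen_self_signed redis-cli redis-client
  make_client_keystore
  make_truststore
}
```

Run it as `KEYSTORE_PASSWORD=... TRUSTSTORE_PASSWORD=... sh script.sh` after appending a `build_all` call; the files land in WORKDIR and can then be copied to the paths referenced from extractservice.yml. Passing passwords with `-passout`/`-storepass` keeps the run non-interactive but exposes them in the process list and shell history, which is why the values are taken from the environment rather than written into the script.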
8 Stop redis and extractservice:
...
11 Create a configuration file for extractservice at estar/tpe/dynamic/mc2/cfg/extractservice.yml. If the file already exists, add the following parameters to it in the corresponding sections (extractservice-lb and extractservice-worker):
...
The truststore_password and keystore_password can be specified as dbconnini; in that case the passwords are encrypted using emshell and stored in the db_connection.ini configuration file. Otherwise the passwords can be specified in clear text in this configuration file. Prefer the dbconnini form: a clear-text password in extractservice.yml is readable by anyone who can read that file.
The paths must be absolute paths. The file:/// prefix must have three slashes (file:// followed by the leading slash of the absolute path).
12 Encrypt the passwords using emshell. Do this on all app server nodes in the region on which MC2 is running:
...
[mc2rediskeystore]
DBType=
DBName=mc2rediskeystore
EstarName=mc2rediskeystore
Credfile=estar/tpe/dynamic/mc2/redis/epasswd
[mc2redistruststore]
DBType=
DBName=mc2redistruststore
EstarName=mc2redistruststore
Credfile=estar/tpe/dynamic/mc2/redis/epasswd
...