MC2 Redis TLS Configuration

Starting with the April 2021 release, MC2 supports connecting to Redis using TLS. This is not enabled by default and requires additional configuration.
This document describes a sample configuration that lets Redis and MC2 communicate over TLS.
The following steps should be performed:

...

openssl pkcs12 -export -in redis-cli-keycert.pem -out redis-cli-keystore.pkcs12 -name redis -noiter -nomaciter
Enter a password for the keystore at the prompt. Note this password; we will refer to it as keystore_password.

...

keytool -import -keystore redis-cli-truststore.ks -file redis-server-cert.pem
Enter a password for the truststore at the prompt. Save this password; we will refer to it as truststore_password.

NOTE: The steps above create certificates with a validity of 1 year (365 days). After 1 year, the self-signed server and client certificates will have to be regenerated by repeating the above steps.
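Because of the 365-day validity noted above, the TLS connection starts failing once either certificate expires. The following POSIX shell script is an added example, not part of the original procedure: it uses openssl x509 -checkend to flag redis-server-cert.pem and redis-cli-keycert.pem before they expire. The 30-day WARN_DAYS threshold and the script name check-redis-certs.sh are assumptions.

```sh
#!/bin/sh
# Added example, not part of the MC2 procedure. WARN_DAYS and the script
# name are assumptions; the PEM file names come from the steps above.
WARN_DAYS=${WARN_DAYS:-30}

# cert_status FILE [DAYS] prints one word and returns the matching code:
#   ok (0)          valid for more than DAYS days
#   expiring (1)    still valid, but notAfter falls within DAYS days
#   expired (2)     notAfter is already in the past
#   unreadable (3)  no certificate could be parsed from FILE
cert_status() {
    cs_file=$1
    cs_days=${2:-$WARN_DAYS}
    if ! openssl x509 -in "$cs_file" -noout >/dev/null 2>&1; then
        echo unreadable; return 3
    fi
    # -checkend N exits 0 only if the certificate is still valid in N seconds.
    if openssl x509 -in "$cs_file" -noout \
            -checkend "$((cs_days * 86400))" >/dev/null 2>&1; then
        echo ok; return 0
    fi
    if openssl x509 -in "$cs_file" -noout -checkend 0 >/dev/null 2>&1; then
        echo expiring; return 1
    fi
    echo expired; return 2
}

# check_all FILE... prints status, file and notAfter per file and returns
# the worst status code, so a cron job or monitor can alert on non-zero.
check_all() {
    ca_worst=0
    for ca_file in "$@"; do
        ca_rc=0
        ca_status=$(cert_status "$ca_file") || ca_rc=$?
        ca_end=$(openssl x509 -in "$ca_file" -noout -enddate 2>/dev/null) ||
            ca_end="notAfter=unknown"
        printf '%-10s %s %s\n' "$ca_status" "$ca_file" "$ca_end"
        if [ "$ca_rc" -gt "$ca_worst" ]; then ca_worst=$ca_rc; fi
    done
    return "$ca_worst"
}

# Run only when files are passed on the command line, for example:
#   sh check-redis-certs.sh redis-server-cert.pem redis-cli-keycert.pem
if [ "$#" -gt 0 ]; then
    check_all "$@"
    exit $?
fi
```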

8 Stop redis and extractservice:

...

11 Create a configuration file for extractservice in estart/tpe/dynamic/mc2/cfg/extractservice.yml. If the file already exists, add the following parameters to it in the corresponding sections (extractservice-lb and extractservice-worker):

Attached file: cfg.txt

...

The truststore_password and keystore_password can be specified as dbconnini. In this case the passwords will be encrypted using emshell and configured in the db_connection.ini configuration file. Otherwise, the clear-text passwords can be specified in this configuration file.

The paths should be full paths. The file:/// prefix should have three slash symbols.

12 Encrypt the passwords using emshell. Do this on all app server nodes in the region on which MC2 is running:

...

[mc2rediskeystore]
DBType=
DBName=mc2rediskeystore
EstarName=mc2rediskeystore
Credfile=estar/tpe/dynamic/mc2/redis/epasswd
[mc2redistruststore]
DBType=
DBName=mc2redistruststore
EstarName=mc2redistruststore
Credfile=estar/tpe/dynamic/mc2/redis/epasswd

...