MC2 Redis TLS Configuration
Starting with April 2021 release MC2 supports connecting to REDIS using TLS. This is not enabled by default and requires additional configuration.
This document describes a sample on how to configure REDIS and MC2 to use TLS to communicate.
The following steps should be performed:
1 Create a folder for server and client certificates and keys:
cd estar/tpe/dynamic/mc2/
mkdir -p redis
cd redis
2 Create the server self-signed key and certificate:
openssl req -x509 -newkey rsa:4096 -keyout redis-server-key.pem -out redis-server-cert.pem -days 365 –nodes
3 Create the client self-signed key and certificate:
openssl req -x509 -newkey rsa:4096 -keyout redis-cli-key.pem -out redis-cli-cert.pem -days 365 –nodes
4 Add the server certificate to the client certificate, to create a common trusted certificate store:
cat redis-server-cert.pem >> redis-cli-cert.pem
5 Add the client key to the client certificate, to create a file which will be used to create the PKCS12 keystore for Extract Service Java service:
cat redis-cli-key.pem redis-cli-cert.pem > redis-cli-keycert.pem
6 Create the Java PKCS12 keystore:
openssl pkcs12 -export -in redis-cli-keycert.pem -out redis-cli-keystore.pkcs12 -name redis -noiter –nomaciter
Enter a password for the keystore at the prompt. Note this password, we will refer to it as keystore_password
7 Create the Java trustrstore:
keytool -import -keystore redis-cli-truststore.ks -file redis-server-cert.pem
Enter a password for the truststore at the prompt. Save this password, we will refer to it as truststore_password
NOTE: The steps above create certificates with a validity of 1 year (365 days). After 1 year the self-signed server and client certificates will have to be regenerated by repeating the above steps.
8 Stop redis and extractservice:
cd eaglemgr
./stop starweb redisserver redissentinel
./stop starweb extractservicelb extractserviceworker
9 On each node in the region edit estar/tpe/cfg/eaglemc2s/redis/redis.conf files:
a. Change the port parameter to 0 (save the old value):
port 0
b. Use the port parameter value for the new parameter tls-port, add this parameter right after port. In default MC2 installations this will be 20438:
tls-port 20438
c. Set the following parameters in the redis.conf file:
tls-cert-file /apps/eagle/estar/tpe/dynamic/mc2/redis/redis-server-cert.pem
tls-key-file /apps/eagle/estar/tpe/dynamic/mc2/redis/redis-server-key.pem
tls-ca-cert-file /apps/eagle/estar/tpe/dynamic/mc2/redis/redis-cli-cert.pem
tls-auth-clients yes
tls-replication yes
The tls-cert-file, tls-key-file, tls-ca-cert-file should be the full path to the certificate files.
10 On each node in the region edit estar/tpe/cfg/eaglemc2s/redis/sentinel.conf. If the region has only one app server, the sentinel.conf will not be there, and will not have to be changed.
a. Change port parameter to 0. Note down the old value.
port 0
b. Add a tls-port parameter with the old value of port parameter. Usually it is 20439:
tls-port 20439
c. Add the following parameters to the sentinel.conf, right after tls-port:
tls-cert-file /apps/eagle/estar/tpe/dynamic/mc2/redis/redis-server-cert.pem
tls-key-file /apps/eagle/estar/tpe/dynamic/mc2/redis/redis-server-key.pem
tls-ca-cert-file /apps/eagle/estar/tpe/dynamic/mc2/redis/redis-cli-cert.pem
tls-auth-clients yes
tls-replication yes
11 Create a configuration file for extractservice in estart/tpe/dynamic/mc2/cfg/extractservice.yml. If the file is there add the following parameters to the configuration files in the corresponding sections (extractservice-lb and extractservice-worker):
The truststore_password and keystore_password can be specified as dbconnini – in this case the passwords will be encrypted using emshell and configured in db_connection.ini configuration file. Otherwise the clear text passwords can be specified in this configuration file.
The paths should be full paths. The file:/// prefix should have three slash symbols.
12 Encrypt the passwords using emshell. Do this on all app server nodes in the region on which MC2 is running:
a. Change current working folder to eagle/cfg
b. Edit db_connection.ini and add the following sections:
[mc2rediskeystore]
DBType=
DBName=mc2rediskeystore
EstarName=mc2rediskeystore
Credfile=estar/tpe/dynamic/mc2/redis/epasswd
[mc2redistruststore]
DBType=
DBName=mc2redistruststore
EstarName=mc2redistruststore
Credfile=estar/tpe/dynamic/mc2/redis/epasswd
c. Encrypt and store the keystore password:
./cmdmgr.bin credentials --type=aes --action=add --name=mc2rediskeystore --user=mc2rediskeystore --pass=redis --file=../estar/tpe/dynamic/mc2/redis/epasswd
d. Encrypt and store the truststore password:
./cmdmgr.bin credentials --type=aes --action=add --name=mc2redistruststore --user=mc2redistruststore --pass=redispassword --file=../estar/tpe/dynamic/mc2/redis/epasswd
13 Start redis:
cd eaglemgr
./start starweb redisserver redissentinel
If there are any problems with the configuration the logs/stdstreams/redisserver* and logs/stdstreams/redissentinel* logs will have error messages.
14 Start extractservice:
./start starweb extractservicelb extractserviceworker