MC2 Redis TLS Configuration
Starting with the April 2021 release, MC2 supports connecting to Redis over TLS. This is not enabled by default and requires additional configuration.
This document walks through a sample configuration in which Redis and MC2 communicate over TLS.
The following steps should be performed:
- Create a folder for server and client certificates and keys:
cd estar/tpe/dynamic/mc2/
mkdir -p redis
cd redis
- Create the server self-signed key and certificate:
openssl req -x509 -newkey rsa:4096 -keyout redis-server-key.pem -out redis-server-cert.pem -days 365 --nodes
- Create the client self-signed key and certificate:
openssl req -x509 -newkey rsa:4096 -keyout redis-cli-key.pem -out redis-cli-cert.pem -days 365 --nodes
- Append the server certificate to the client certificate file, so that redis-cli-cert.pem becomes a common trusted certificate store holding both certificates:
cat redis-server-cert.pem >> redis-cli-cert.pem
- Concatenate the client key and the client certificate file into one PEM file; this file is the input for the PKCS12 keystore used by the Extract Service (a Java service):
cat redis-cli-key.pem redis-cli-cert.pem > redis-cli-keycert.pem
- Create the Java PKCS12 keystore:
openssl pkcs12 -export -in redis-cli-keycert.pem -out redis-cli-keystore.pkcs12 -name redis -noiter --nomaciter
Enter a password for the keystore at the prompt. Note this password; it is referred to below as keystore_password.
- Create the Java truststore:
keytool -import -keystore redis-cli-truststore.ks -file redis-server-cert.pem
Enter a password for the truststore at the prompt. Save this password; it is referred to below as truststore_password.
Note: The steps above create certificates with a validity of 1 year (365 days). After 1 year the self-signed server and client certificates will have to be regenerated by repeating the above steps.
- Stop redis and extractservice:
cd eaglemgr
./stop starweb redisserver redissentinel
./stop starweb extractservicelb extractserviceworker
- On each node in the region, edit the estar/tpe/cfg/eaglemc2s/redis/redis.conf file:
  - Change the port parameter to 0 (note down the old value):
port 0
  - Add a tls-port parameter right after port, with the old value of port. In default MC2 installations this is 20438:
tls-port 20438
  - Set the following parameters in the redis.conf file:
tls-cert-file /apps/eagle/estar/tpe/dynamic/mc2/redis/redis-server-cert.pem
tls-key-file /apps/eagle/estar/tpe/dynamic/mc2/redis/redis-server-key.pem
tls-ca-cert-file /apps/eagle/estar/tpe/dynamic/mc2/redis/redis-cli-cert.pem
tls-auth-clients yes
tls-replication yes
tls-cert-file, tls-key-file and tls-ca-cert-file must be full (absolute) paths to the certificate and key files.
- On each node in the region, edit estar/tpe/cfg/eaglemc2s/redis/sentinel.conf. If the region has only one app server, there is no sentinel.conf and nothing to change.
  - Change the port parameter to 0 (note down the old value):
port 0
  - Add a tls-port parameter with the old value of port. Usually it is 20439:
tls-port 20439
  - Add the following parameters to sentinel.conf, right after tls-port:
tls-cert-file /apps/eagle/estar/tpe/dynamic/mc2/redis/redis-server-cert.pem
tls-key-file /apps/eagle/estar/tpe/dynamic/mc2/redis/redis-server-key.pem
tls-ca-cert-file /apps/eagle/estar/tpe/dynamic/mc2/redis/redis-cli-cert.pem
tls-auth-clients yes
tls-replication yes
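The redis.conf and sentinel.conf edits above amount to four things: the plaintext listener is switched off (port 0), the old port moves to tls-port, the certificate paths are absolute, and clients must present a certificate (tls-auth-clients yes). The following Python script is an added example, not part of MC2 or Redis, that lints a config file for exactly those settings; the two sample configs embedded in it are constructed for this guide, and the expected port 20438 is the default named above.

```python
"""Lint a redis.conf / sentinel.conf for the TLS-only settings in this guide.

Added example, constructed for this guide (not MC2 or Redis code).
"""
from typing import Dict, List

# Constructed sample: a redis.conf after the edits in this guide.
GOOD_CONF = """\
# redis.conf (constructed sample)
port 0
tls-port 20438
tls-cert-file /apps/eagle/estar/tpe/dynamic/mc2/redis/redis-server-cert.pem
tls-key-file /apps/eagle/estar/tpe/dynamic/mc2/redis/redis-server-key.pem
tls-ca-cert-file /apps/eagle/estar/tpe/dynamic/mc2/redis/redis-cli-cert.pem
tls-auth-clients yes
tls-replication yes
"""

# Constructed sample: a half-finished edit that still accepts plaintext clients.
BAD_CONF = """\
port 20438
tls-port 20438
tls-cert-file redis/redis-server-cert.pem
tls-key-file /apps/eagle/estar/tpe/dynamic/mc2/redis/redis-server-key.pem
tls-auth-clients no
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Map each directive to its value. Redis config lines are 'name value...',
    '#' starts a comment, and a directive repeated later in the file wins."""
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def check_tls_conf(text: str, expected_tls_port: int) -> List[str]:
    """Return a list of problems; an empty list means the file matches the guide."""
    conf = parse_conf(text)
    problems: List[str] = []
    if conf.get("port") != "0":
        problems.append("port must be 0 so that no plaintext listener remains")
    if conf.get("tls-port") != str(expected_tls_port):
        problems.append(f"tls-port must be {expected_tls_port} (the old port value)")
    for key in ("tls-cert-file", "tls-key-file", "tls-ca-cert-file"):
        value = conf.get(key, "")
        if not value:
            problems.append(f"{key} is missing")
        elif not value.startswith("/"):
            problems.append(f"{key} must be an absolute path, got {value!r}")
    if conf.get("tls-auth-clients") != "yes":
        problems.append("tls-auth-clients must be yes so that clients present a certificate")
    if conf.get("tls-replication") != "yes":
        problems.append("tls-replication must be yes so that replication traffic is also encrypted")
    return problems


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_tls_conf(conf, 20438) or ["ok"])
```

Run check_tls_conf(open(path).read(), 20438) against the real redis.conf on each node (20439 for sentinel.conf) before restarting Redis; any entry in the returned list is a setting that would leave a plaintext or unauthenticated path open.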
- Create a configuration file for extractservice at estar/tpe/dynamic/mc2/cfg/extractservice.yml. If the file already exists, add the following parameters to the corresponding sections (extractservice-lb and extractservice-worker):
---
spring:
  profiles: extractservice-lb
  application:
    name: extractservice-lb
eagle:
  redis:
    tlsenabled: true
    tlsendpointverification: true
    tlstruststore: file:///apps/eagle/estar/tpe/dynamic/mc2/redis/redis-cli-truststore.ks
    tlstruststorepassword: dbconnini
    tlskeystore: file:///apps/eagle/estar/tpe/dynamic/mc2/redis/redis-cli-keystore.pkcs12
    tlskeystorepassword: dbconnini
  edsparams:
    ssl: True
    ssl_keyfile: /apps/eagle/estar/tpe/dynamic/mc2/redis/redis-cli-key.pem
    ssl_certfile: /apps/eagle/estar/tpe/dynamic/mc2/redis/redis-cli-cert.pem
    ssl_ca_certs: /apps/eagle/estar/tpe/dynamic/mc2/redis/redis-cli-cert.pem
---
spring:
  profiles: extractservice-worker
  application:
    name: extractservice-worker
eagle:
  redis:
    tlsenabled: true
    tlsendpointverification: true
    tlstruststore: file:///apps/eagle/estar/tpe/dynamic/mc2/redis/redis-cli-truststore.ks
    tlstruststorepassword: dbconnini
    tlskeystore: file:///apps/eagle/estar/tpe/dynamic/mc2/redis/redis-cli-keystore.pkcs12
    tlskeystorepassword: dbconnini
The truststore_password and keystore_password can be given as the literal value dbconnini; in that case the passwords are encrypted with emshell and kept in the db_connection.ini configuration file. Otherwise the clear-text passwords can be placed directly in this configuration file.
The paths must be full (absolute) paths, and the file:/// prefix must have three slashes.
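Two of the mistakes that are easy to make in extractservice.yml are a file:// prefix with only two slashes (which is then not an absolute path) and a clear-text password left in place of dbconnini. The script below is an added example, not MC2 code, that reads the '---' separated documents of the file line by line (so it needs no YAML library) and reports those mistakes together with a switched-off tlsendpointverification and relative edsparams paths; both sample files embedded in it are constructed for this guide.

```python
"""Check the eagle.redis TLS settings in extractservice.yml.

Added example, constructed for this guide (not MC2 code). Only scalar
'key: value' lines are inspected, so nesting is ignored on purpose.
"""
import re
from typing import Dict, List

KEY_VALUE = re.compile(r"^\s*([A-Za-z_]+):\s*(.*?)\s*$")
# 'file:' followed by exactly three slashes and then an absolute path.
FILE_URI = re.compile(r"^file:///[^/].*$")
STORES = ("tlstruststore", "tlskeystore")
PASSWORDS = ("tlstruststorepassword", "tlskeystorepassword")

# Constructed sample: the extractservice-lb profile as this guide gives it.
GOOD_YML = """\
---
spring:
  profiles: extractservice-lb
  application:
    name: extractservice-lb
eagle:
  redis:
    tlsenabled: true
    tlsendpointverification: true
    tlstruststore: file:///apps/eagle/estar/tpe/dynamic/mc2/redis/redis-cli-truststore.ks
    tlstruststorepassword: dbconnini
    tlskeystore: file:///apps/eagle/estar/tpe/dynamic/mc2/redis/redis-cli-keystore.pkcs12
    tlskeystorepassword: dbconnini
  edsparams:
    ssl: True
    ssl_keyfile: /apps/eagle/estar/tpe/dynamic/mc2/redis/redis-cli-key.pem
    ssl_certfile: /apps/eagle/estar/tpe/dynamic/mc2/redis/redis-cli-cert.pem
    ssl_ca_certs: /apps/eagle/estar/tpe/dynamic/mc2/redis/redis-cli-cert.pem
"""

# Constructed sample with three common mistakes (two slashes, verification
# off, clear-text keystore password).
BAD_YML = """\
---
spring:
  profiles: extractservice-worker
eagle:
  redis:
    tlsenabled: true
    tlsendpointverification: false
    tlstruststore: file://apps/eagle/estar/tpe/dynamic/mc2/redis/redis-cli-truststore.ks
    tlstruststorepassword: dbconnini
    tlskeystore: file:///apps/eagle/estar/tpe/dynamic/mc2/redis/redis-cli-keystore.pkcs12
    tlskeystorepassword: hunter2
"""


def split_documents(text: str) -> List[Dict[str, str]]:
    """Return one flat key->value map per '---' separated YAML document."""
    docs: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip() == "---":
            if current:
                docs.append(current)
            current = {}
            continue
        m = KEY_VALUE.match(line)
        if m and m.group(2):
            current[m.group(1)] = m.group(2)
    if current:
        docs.append(current)
    return docs


def check_extractservice_yml(text: str) -> List[str]:
    """Return 'profile: problem' strings; an empty list means the file matches the guide."""
    problems: List[str] = []
    for doc in split_documents(text):
        profile = doc.get("profiles", "<no profile>")
        if doc.get("tlsenabled") != "true":
            problems.append(f"{profile}: tlsenabled must be true")
        if doc.get("tlsendpointverification") != "true":
            problems.append(f"{profile}: tlsendpointverification must be true")
        for key in STORES:
            value = doc.get(key, "")
            if not FILE_URI.match(value):
                problems.append(f"{profile}: {key} must start with file:/// and an absolute path, got {value!r}")
        for key in PASSWORDS:
            if doc.get(key, "") != "dbconnini":
                problems.append(f"{profile}: {key} is stored in clear text; use dbconnini and emshell")
        for key, value in doc.items():
            if key.startswith("ssl_") and not value.startswith("/"):
                problems.append(f"{profile}: {key} must be an absolute path, got {value!r}")
    return problems


if __name__ == "__main__":
    print(check_extractservice_yml(GOOD_YML) or ["ok"])
    print(check_extractservice_yml(BAD_YML))
```

The clear-text password finding is reported as a problem because the dbconnini route keeps the keystore and truststore passwords out of a world-readable YAML file; if a deployment knowingly uses clear-text passwords, drop the PASSWORDS loop.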
- Encrypt the passwords using emshell. Do this on all app server nodes in the region on which MC2 is running:
  - Change the current working folder to eagle/cfg
  - Edit db_connection.ini and add the following sections:
[mc2rediskeystore]
DBType=
DBName=mc2rediskeystore
EstarName=mc2rediskeystore
Credfile=estar/tpe/dynamic/mc2/redis/epasswd
[mc2redistruststore]
DBType=
DBName=mc2redistruststore
EstarName=mc2redistruststore
Credfile=estar/tpe/dynamic/mc2/redis/epasswd
  - Encrypt and store the keystore password (the sample value redis stands for the keystore_password chosen above):
./cmdmgr.bin credentials --type=aes --action=add --name=mc2rediskeystore --user=mc2rediskeystore --pass=redis --file=../estar/tpe/dynamic/mc2/redis/epasswd
  - Encrypt and store the truststore password (the sample value redispassword stands for the truststore_password chosen above):
./cmdmgr.bin credentials --type=aes --action=add --name=mc2redistruststore --user=mc2redistruststore --pass=redispassword --file=../estar/tpe/dynamic/mc2/redis/epasswd
- Start redis:
cd eaglemgr
./start starweb redisserver redissentinel
If there are any problems with the configuration, the logs/stdstreams/redisserver* and logs/stdstreams/redissentinel* logs will contain the error messages.
- Start extractservice:
./start starweb extractservicelb extractserviceworker