I have a requirement to encrypt traffic between cluster nodes, specifically between the nodes of a CRX shared-nothing cluster. Is it possible to configure SSL or some other encryption for that traffic? Bonus points if it's also possible to implement certificate based mutual authentication between the cluster nodes....
If it's not possible out of the box, is there an interface I can implement to provide my own transport for the replication?
Thanks in advance,
Steve Sedlmeyer
Solved! Go to Solution.
Views
Replies
Total Likes
Hi Steve,
no, the cluster communication is not encrypted by default; also I am not aware of any possibility to encrypt it on a repository level. You also cannot code it yourself. Normally this shouldn't be necessary, because the cluster is suppossed to run in a secured network. But you can route the cluster communication through a VPN channel you build between the cluster nodes.
Just as a side note: Do not confuse this cluster communication with "replication". These concepts are totally different.
regards,
Jörg
Views
Replies
Total Likes
Hi Steve,
no, the cluster communication is not encrypted by default; also I am not aware of any possibility to encrypt it on a repository level. You also cannot code it yourself. Normally this shouldn't be necessary, because the cluster is suppossed to run in a secured network. But you can route the cluster communication through a VPN channel you build between the cluster nodes.
Just as a side note: Do not confuse this cluster communication with "replication". These concepts are totally different.
regards,
Jörg
Views
Replies
Total Likes
Thanks Jörg,
It looks like there's a VPN in my future because, as my customer would tell you, "secure network" is a lot like "political integrity" in that there pretty much is no such thing.
Also thanks for the reminder on Replication vs. cluster communications, we're pretty clear on the topic. I've already implemented SSL for that communications channel.
Thanks again,
Steve
Views
Replies
Total Likes
Anyway, be aware that encryption adds an additional layer of complexity and potential problems on top. Also you might have an impact on latency. And when you talk about VPN and stuff like that: I hope that you are aware that the TarPM cluster really likes low latency? I haven't make good experience with cluster nodes being distributed over multiple datacenters.
Jörg
Views
Replies
Total Likes