[ClusterLabs] Coming in Pacemaker 3.0.0: TLS certificate support
Ken Gaillot
kgaillot at redhat.com
Wed Dec 11 20:35:47 UTC 2024
Hi all,
Pacemaker 3.0.0-rc2, which will be released later today, implements a
significant new feature: remote CIB administration and Pacemaker Remote
connections may now be encrypted using X.509 (SSL/TLS) certificates.
Previously, remote CIB administration could only be obfuscated, and was
subject to man-in-the-middle attacks, so this is a major security
improvement for that use case.
Pacemaker Remote connections could previously be encrypted only with a
shared private key. Both methods are secure, but this gives users a
choice, and in particular allows users to reuse host certificates if
they're already generating them for other purposes.
The public and private keys, certificate authority, and certificate
revocation list can be configured in /etc/sysconfig/pacemaker (or
/etc/default/pacemaker or wherever your platform keeps environment
variables). That file and the Pacemaker Explained document will have
details.
--
Ken Gaillot <kgaillot at redhat.com>
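The announcement lists the files Pacemaker 3.0 can be pointed at (private key, certificate, CA, CRL) but not how to produce them, so what follows is an added worked example of my own, not Pacemaker tooling and not anything from Ken's post. It builds a cluster-local CA with the openssl CLI, issues a host certificate for one Pacemaker Remote node, revokes the certificate of a decommissioned node, publishes a CRL, and checks each artifact with openssl verify (including that the CRL really does reject the revoked certificate) before printing the sysconfig lines. The hostnames remote1.example.internal and old1.example.internal, the temporary work directory, and the PCMK_ca_file / PCMK_cert_file / PCMK_key_file / PCMK_crl_file variable names are assumptions; confirm the names against the /etc/sysconfig/pacemaker that ships with 3.0 and the Pacemaker Explained chapter it refers to.

```shell
#!/bin/sh
# Added example (my own script, not Pacemaker's tooling): build a cluster CA,
# issue a node certificate, revoke a decommissioned node's certificate,
# publish a CRL, and verify everything with openssl before pointing Pacemaker
# at the files. Hostnames, directory layout and PCMK_* names are assumptions.
set -eu
WORK="${PKI_DIR:-$(mktemp -d)}"                      # where the PKI files go
HOST="${PKI_HOST:-remote1.example.internal}"         # constructed node name
OLD_HOST="${PKI_OLD_HOST:-old1.example.internal}"    # node being decommissioned

# Issue a certificate for one node: fresh key, CSR, then sign with the CA.
# The SAN carries the node name, which is what TLS hostname checks match.
issue_cert() {
    name=$1
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -keyout "$name.key" -out "$name.csr" -subj "/CN=$name" 2>/dev/null
    cat > "$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:$name
EOF
    openssl ca -config ca.cnf -batch -notext -days 365 -extfile "$name.ext" \
        -in "$name.csr" -out "$name.crt" 2>/dev/null
}

build_pki() {
    mkdir -p "$WORK/newcerts"
    cd "$WORK"            # ca.cnf uses "dir = .", so everything runs from here
    umask 077             # private keys land with mode 0600
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = cluster_ca
[ cluster_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 30
policy = any_policy
[ any_policy ]
commonName = supplied
EOF
    : > index.txt; echo 01 > serial; echo 01 > crlnumber
    # Self-signed CA whose key usage is limited to signing certs and CRLs.
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout ca.key -out ca.crt -days 3650 -subj "/CN=Pacemaker cluster CA" 2>/dev/null
    issue_cert "$HOST"
    issue_cert "$OLD_HOST"
    # Decommission OLD_HOST: revoke its cert and publish a CRL naming it, so a
    # key copied off that machine can no longer authenticate to the cluster.
    openssl ca -config ca.cnf -revoke "$OLD_HOST.crt" 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out cluster.crl 2>/dev/null
    chmod 0644 ca.crt cluster.crl "$HOST.crt" "$OLD_HOST.crt"   # public parts
}

# Chain plus hostname check, as a TLS peer does it (exit 0 = accepted).
verify_node_cert() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

# Same, with the CRL consulted: a revoked certificate must be refused.
verify_with_crl() {
    openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/cluster.crl" \
        "$WORK/$1.crt" >/dev/null 2>&1
}

# Lines for /etc/sysconfig/pacemaker (or /etc/default/pacemaker). The PCMK_*
# names are an assumption; confirm them in the file shipped with 3.0.
print_sysconfig() {
    cat <<EOF
PCMK_ca_file=$WORK/ca.crt
PCMK_cert_file=$WORK/$HOST.crt
PCMK_key_file=$WORK/$HOST.key
PCMK_crl_file=$WORK/cluster.crl
EOF
}

build_pki
verify_node_cert "$HOST" "$HOST"          # must pass before deployment
verify_with_crl "$HOST"
if verify_with_crl "$OLD_HOST"; then      # must FAIL: the CRL is doing its job
    echo "CRL did not reject $OLD_HOST" >&2; exit 1
fi
print_sysconfig
```

Run it as "sh pki.sh" (optionally with PKI_DIR and PKI_HOST set) and it exits non-zero if the chain, the hostname match or the revocation check does not behave, which is the test worth doing before copying the files onto cluster nodes: a CRL that Pacemaker loads but that does not actually name the revoked serial gives no protection. The private keys are created under umask 077; keep them that way, and distribute only ca.crt and the CRL to the other side.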