Securing Data Daemon
Introduction
Data Daemon creates a socket on grpc.port. This socket is used for inter-process communications with Smart Connector and Metadata Daemon. By default the socket is not secured with TLS.
Securing Data Daemon is a four-step process documented below:
Generate Certificate
For production deployments it is strongly recommended that an existing Certificate Authority is used to generate the certificate and private key in PEM format. For non-production deployments a self-signed certificate can be generated as follows:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
Important
The Common Name (CN) in the certificate must exactly match the <hostname/IP address> section of DATAD_ADDRESS.
Update Data Daemon Properties File
Configure the grpc.security.cert-chain and grpc.security.private-key properties in $OFFLOAD_HOME/conf/datad.properties (create the file if it does not exist) to point to the certificate chain and private key file generated, e.g.:
grpc.security.cert-chain=file:${OFFLOAD_HOME}/conf/cert.pem
grpc.security.private-key=file:${OFFLOAD_HOME}/conf/key.pem
Important
Any changes made to the Data Daemon properties file (datad.properties) must be propagated across all installations running Data Daemon.
Update Gluent Data Platform Environment File
Configure the DATAD_SSL_ACTIVE and DATAD_SSL_TRUSTED_CERTS parameters in offload.env, e.g.:
export DATAD_SSL_ACTIVE=true
export DATAD_SSL_TRUSTED_CERTS=${OFFLOAD_HOME}/conf/cert.pem
Important
Any changes made to the Gluent Data Platform environment file (offload.env) must be propagated across all installations.
Restart Data Daemon
Data Daemon must be restarted for the changes to take effect. Refer to Stop Gluent Data Platform Daemons and Start Gluent Data Platform Daemons.
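The most common way the procedure above fails is a certificate whose CN does not match the host part of DATAD_ADDRESS, which only surfaces after the restart when Smart Connector refuses the connection. The following POSIX shell script is an added example (not Gluent's own code or tooling) that generates the non-production self-signed certificate with the CN taken from DATAD_ADDRESS and verifies the match before TLS is switched on. It assumes DATAD_ADDRESS has the form <host>:<port>, that openssl is installed, and it uses the -subj and -nodes options (an unencrypted key) as its own choices rather than the interactive command shown on the page; the subject-line parsing accepts both the "CN = host" and "/CN=host" output formats of openssl x509.

```shell
#!/bin/sh
# Added example (not part of the Gluent documentation): check that the certificate
# CN matches the <hostname/IP address> section of DATAD_ADDRESS before enabling TLS.
# Assumption: DATAD_ADDRESS is "<host>:<port>" (inferred from the page's wording).

# Host/IP section of DATAD_ADDRESS: everything before the last ":<port>".
datad_host() {
    printf '%s\n' "${1%:*}"
}

# CN value from an `openssl x509 -noout -subject` line. Handles both
#   subject=C = GB, O = Example, CN = datad.example.com   (OpenSSL 1.1+)
#   subject= /C=GB/O=Example/CN=datad.example.com         (older OpenSSL)
subject_cn() {
    printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | sed 's/[[:space:]]*$//'
}

# Exit status 0 when the CN in the subject line equals the host part of DATAD_ADDRESS.
cn_matches() {
    cn=$(subject_cn "$1")
    host=$(datad_host "$2")
    [ -n "$cn" ] && [ "$cn" = "$host" ]
}

# Generate a self-signed certificate whose CN is derived from DATAD_ADDRESS.
# -subj and -nodes are this example's choices, not the page's interactive command.
generate_self_signed() {
    host=$(datad_host "$1")
    out_dir=$2
    openssl req -x509 -newkey rsa:4096 -nodes -subj "/CN=$host" \
        -keyout "$out_dir/key.pem" -out "$out_dir/cert.pem" -days 365 2>/dev/null
}

# Read the subject back out of a PEM certificate and compare it with DATAD_ADDRESS.
verify_cert_cn() {
    subject=$(openssl x509 -noout -subject -in "$1")
    cn_matches "$subject" "$2"
}

# Stand-alone demonstration with a constructed DATAD_ADDRESS in a temporary directory.
# Only runs when openssl is available; the functions above need no openssl.
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    DATAD_ADDRESS='datad.example.com:50051'   # constructed sample value
    generate_self_signed "$DATAD_ADDRESS" "$tmp"
    if verify_cert_cn "$tmp/cert.pem" "$DATAD_ADDRESS"; then
        echo "OK: certificate CN matches the host part of DATAD_ADDRESS"
    else
        echo "MISMATCH: fix the CN before setting DATAD_SSL_ACTIVE=true" >&2
    fi
    rm -rf "$tmp"
fi
```

Run the check against the real cert.pem and DATAD_ADDRESS on every installation before propagating datad.properties and offload.env, since a CN mismatch on one host is enough to break that host's Smart Connector connections after the restart.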