Securing Data Daemon

Introduction

Data Daemon listens on a socket on the port configured by grpc.port. This socket is used for inter-process communication with Smart Connector and Metadata Daemon. By default the socket is not secured with TLS, so this traffic is neither encrypted nor authenticated.

Securing Data Daemon is a four-step process documented below:

  1. Generate Certificate

  2. Update Data Daemon Properties File

  3. Update Gluent Data Platform Environment File

  4. Restart Data Daemon

Generate Certificate

For production deployments it is strongly recommended that an existing Certificate Authority is used to issue the certificate and private key in PEM format. For non-production deployments a self-signed certificate can be generated as follows (openssl prompts for the subject fields, including the Common Name, and for a passphrase to protect key.pem):

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

Important

The Common Name (CN) in the certificate must exactly match the <hostname/IP address> section of DATAD_ADDRESS.

Update Data Daemon Properties File

Configure the grpc.security.cert-chain and grpc.security.private-key properties in $OFFLOAD_HOME/conf/datad.properties (create the file if it does not exist) to point to the certificate chain and private key files generated in the previous step, e.g.:

grpc.security.cert-chain=file:${OFFLOAD_HOME}/conf/cert.pem
grpc.security.private-key=file:${OFFLOAD_HOME}/conf/key.pem

Important

Any changes made to the Data Daemon properties file (datad.properties) must be propagated across all installations running Data Daemon.

Update Gluent Data Platform Environment File

Configure the DATAD_SSL_ACTIVE and DATAD_SSL_TRUSTED_CERTS parameters in offload.env, e.g.:

export DATAD_SSL_ACTIVE=true
export DATAD_SSL_TRUSTED_CERTS=${OFFLOAD_HOME}/conf/cert.pem

Important

Any changes made to the Gluent Data Platform environment file (offload.env) must be propagated across all installations.

Restart Data Daemon

Data Daemon must be restarted for the changes to take effect. Refer to Stop Gluent Data Platform Daemons and Start Gluent Data Platform Daemons.
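The four steps above, carried out end to end as a Bash script. This is an added example written for this page, not a Gluent script. It assumes DATAD_ADDRESS has the form <hostname/IP address>:<port> (IPv4 or hostname, no IPv6 brackets), that Data Daemon reads an unencrypted private key (the key is therefore written with -nodes and restricted to mode 600, which differs from the interactive command above), and that datad.properties and offload.env live under $OFFLOAD_HOME/conf. The self-signed path is for non-production use only; for production, have your CA issue cert.pem and key.pem and skip gen_self_signed. The CN check reproduces the "Important" note: it fails before any configuration is written if the certificate CN does not equal the host part of DATAD_ADDRESS.

```shell
#!/usr/bin/env bash
# Added example for this page; not Gluent's own tooling. Assumptions: DATAD_ADDRESS
# is <hostname/IP address>:<port>, and Data Daemon reads an unencrypted key (written
# with -nodes, permissions 600). Non-production only for the self-signed path.
set -euo pipefail

# Host part of DATAD_ADDRESS: strip the trailing ":<port>".
datad_host() { printf '%s\n' "${1%:*}"; }

# Step 1 (non-production): self-signed certificate with CN set to HOST,
# non-interactively. In production, have your CA issue these two files.
gen_self_signed() {            # gen_self_signed HOST OUTDIR
  openssl req -x509 -newkey rsa:4096 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$2/key.pem" -out "$2/cert.pem" 2>/dev/null
  chmod 600 "$2/key.pem"       # private key readable by the daemon user only
}

# CN of a PEM certificate; RFC2253 output keeps the format stable across openssl versions.
cert_cn() {                    # cert_cn CERT
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# The page's "Important" check: CN must exactly equal the host part of DATAD_ADDRESS.
cert_matches_address() {       # cert_matches_address CERT DATAD_ADDRESS
  [ "$(cert_cn "$1")" = "$(datad_host "$2")" ]
}

# Replace an existing "KEY=..." line or append one, so re-running stays idempotent.
set_kv() {                     # set_kv FILE KEY VALUE
  local tmp; tmp=$(mktemp)
  { [ -f "$1" ] && grep -v "^$2=" "$1" > "$tmp"; } || true
  printf '%s=%s\n' "$2" "$3" >> "$tmp"
  mv "$tmp" "$1"
}

# Steps 2 and 3: point Data Daemon at the files and enable TLS in offload.env,
# using the ${OFFLOAD_HOME} form the page itself shows.
write_tls_config() {           # write_tls_config OFFLOAD_HOME
  local conf="$1/conf"
  set_kv "$conf/datad.properties" grpc.security.cert-chain  'file:${OFFLOAD_HOME}/conf/cert.pem'
  set_kv "$conf/datad.properties" grpc.security.private-key 'file:${OFFLOAD_HOME}/conf/key.pem'
  set_kv "$conf/offload.env" 'export DATAD_SSL_ACTIVE'        true
  set_kv "$conf/offload.env" 'export DATAD_SSL_TRUSTED_CERTS' '${OFFLOAD_HOME}/conf/cert.pem'
}

# Steps 1 to 3 together; step 4 (restart) is left to the documented stop/start scripts.
secure_datad() {               # secure_datad OFFLOAD_HOME DATAD_ADDRESS
  mkdir -p "$1/conf"
  gen_self_signed "$(datad_host "$2")" "$1/conf"
  cert_matches_address "$1/conf/cert.pem" "$2" \
    || { echo "certificate CN does not match DATAD_ADDRESS ($2)" >&2; return 1; }
  write_tls_config "$1"
}
# Usage (after sourcing this file): secure_datad "$OFFLOAD_HOME" "$DATAD_ADDRESS"
```

The edited datad.properties and offload.env still have to be copied to every installation, as the two "Important" notes above require, and Data Daemon restarted on each. cert_matches_address can also be run on its own against a CA-issued certificate before it is deployed.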

Documentation Feedback

Send feedback on this documentation to: feedback@gluent.com