RHEL-7600

[RFE] Implement certificate based authentication for pacemaker_remote


    • pacemaker-3.0.0-3.el10
    • None
    • FutureFeature
    • Customer Facing
    • rhel-ha
    • 17
    • 26
    • 8
    • QE ack, Dev ack
    • False
    • False
    • None
    • None
    • Feature
      .Support for encryption of Pacemaker remote connections using SSL certificates

      You can now encrypt Pacemaker remote connections by using X.509 (SSL/TLS) certificates. Previously, only pre-shared keys (PSK) were supported for encryption. With support for SSL certificates, you can use existing host certificates for Pacemaker remote connections.

      To configure SSL/TLS certificates for Pacemaker remote connections:

      . Create a remote connection with the `pcs cluster node add-guest` command or the `pcs cluster node add-remote` command. When you create a remote connection, the connection uses PSK encryption.

      . Convert the remote connection to use certificates by updating the `PCMK_ca_file`, `PCMK_cert_file`, `PCMK_key_file`, and, optionally, the `PCMK_crl_file` variables on all cluster nodes and Pacemaker remote nodes.

      For information on configuring encryption with SSL certificates, see link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html-single/configuring_and_managing_high_availability_clusters/index#ref_host-and-guest-authentication-of-remote-nodes-remote-node-management[Host and guest authentication of `pacemaker_remote` nodes].
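
A pre-flight check for the conversion step above, as an added example that is not part of the release note or of Pacemaker/pcs. It reads the four `PCMK_*_file` variables from a settings file passed as an argument and reports whether the node is still on the PSK default or has a complete, readable certificate set; the helper names `get_var` and `check_pcmk_tls`, the rule that a partial set is an error, and the rule that the key must not be accessible to other users are assumptions of this script, not documented Pacemaker behaviour.

```bash
#!/bin/sh
# Added example (not Pacemaker or pcs code): pre-flight check of the
# PCMK_*_file variables before converting a remote connection from PSK.
# Assumption: variables are plain NAME=value lines in the file given as $1.

# Print the last uncommented NAME=value for $1 in file $2, without sourcing it.
get_var() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Prints "psk" (none of the three required variables set) or "cert" (all set
# and usable) and returns 0; otherwise reports each problem and returns 1.
check_pcmk_tls() {
    cpt_cfg=$1; cpt_set=0; cpt_err=0; cpt_missing=
    [ -r "$cpt_cfg" ] || { echo "cannot read $cpt_cfg" >&2; return 1; }

    for cpt_name in PCMK_ca_file PCMK_cert_file PCMK_key_file; do
        cpt_path=$(get_var "$cpt_name" "$cpt_cfg")
        if [ -z "$cpt_path" ]; then
            cpt_missing="$cpt_missing $cpt_name"
        else
            cpt_set=$((cpt_set + 1))
            [ -r "$cpt_path" ] || { echo "$cpt_name: cannot read $cpt_path" >&2; cpt_err=1; }
        fi
    done
    if [ "$cpt_set" -eq 0 ]; then echo psk; return 0; fi

    # Policy of this script (an assumption): a partial set is flagged.
    [ -z "$cpt_missing" ] || { echo "not set:$cpt_missing" >&2; cpt_err=1; }

    # The private key must not be accessible to "other" users.
    cpt_key=$(get_var PCMK_key_file "$cpt_cfg")
    if [ -n "$cpt_key" ] && [ -e "$cpt_key" ]; then
        case $(ls -lLd "$cpt_key" | cut -c8-10) in
            ---) ;;
            *) echo "PCMK_key_file: $cpt_key is accessible to other users" >&2; cpt_err=1 ;;
        esac
    fi

    # PCMK_crl_file is optional, but if set it has to be readable.
    cpt_crl=$(get_var PCMK_crl_file "$cpt_cfg")
    if [ -n "$cpt_crl" ] && [ ! -r "$cpt_crl" ]; then
        echo "PCMK_crl_file: cannot read $cpt_crl" >&2; cpt_err=1
    fi

    [ "$cpt_err" -eq 0 ] || return 1
    echo cert
}
```

Run it on every cluster node and Pacemaker remote node, since the variables have to be updated on all of them; a mix of `psk` and `cert` results shows the conversion is incomplete.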
    • Done
    • None
    • 57,005

      Description of problem:
      Pacemaker Remote previously supported only private shared keys (PSK) for encryption (KCS 4484841). Now, it supports X.509 (SSL/TLS) certificates.

      Version-Release number of selected component (if applicable): 10.0-beta

              rhn-support-clumens Christopher Lumens
              akaris@redhat.com Andreas Karis
              Christopher Lumens
              Marketa Smazova
              Steven Levine (Inactive)