Setting the secure connection between cluster nodes

The communication between cluster nodes is not secured by default. In order to start encrypted and authenticated communication, all the cluster nodes need to be properly configured to use the same security settings. If one of the sides is set secure and the others are not, the communication doesn't work.

This guide will help you with the configuration of the secured connection between cluster nodes, using CA-signed certificates.

CA-signed certificate requirements

  • The certificate must be signed by a certification authority trusted in your environment.

  • Certificate (fields Common Name and Subject Alternative Name) must contain all network names (i.e. all hostnames, fully qualified domain names and IP addresses) used for connection to the respective server.

  • For importing the certificate you need an appropriate format - Java Keystore (.jks file) containing the private key and whole certificate chain.

  • Both the keystore and key itself need to be protected by a password

  • You will also need a truststore, file containing certificate of the root certification authority, again in the Java Keystore (.jks) format.

In case your key/certificate is in a different format than Java Keystore, convert it following the guide in Conversions between different keystores and certificate types.

In case you do not have key/certificate at all, follow the guide in the Generating key/certificate in Java Keystore format chapter in System communication hardening.

Node settings

Perform the following steps for each one of the Management servers in the cluster.

  1. Stop Dispatcher Paragon Management Service service in Dispatcher Paragon server.

  2. Copy your key/certificate and certificate of the root certification authority, both in the Java Keystore format, to the <install_dir>\Management\conf\ directory on the server with Dispatcher Paragon Management Server.

  3. Go to <install_dir>\Management\conf\ and create there a new file, clusterCommunicator.conf.

    When this file is present in the specified directory, correctly configured and accessible for read, then the settings specified are applied and communication between Management servers in the cluster will start in secure mode.

  4. Set following properties in the clusterCommunicator.conf file:

    # this property sets security in Communicator on/off if set to false then resp of properties are ignored (MANDATORY)
    secureCommunicationEnabled=true
    # name of Java truststore file in current directory (MANDATORY)
    truststoreFile=truststore.jks
    # password to java truststore if not set default value 'changeit' is used (OPTIONAL)
    truststorePassword=changeit
    # name of Java keystore file in current directory (MANDATORY)
    keyStoreFile=keystore.jks
    # password to java keystore if not set default value 'changeit' is used (OPTIONAL)
    keystorePassword=changeit
    # protocol type as defined by Java SSL specification (MANDATORY)
    sslProtocol=TLS
    # this option forces CML to require SPOC authentication (MANDATORY)
    clientAuthenticationRequired=true
    # available protocols as defined by Java SSL specification (OPTIONAL)
    #allowedProtocols =
    # available cipher sutes as defined by Java SSL specification (OPTIONAL)
    #allowedCiphersuites =

    The clusterCommunicator.conf file has to refer to correct Java keystore and truststore files that have to be placed in the same SafeQ conf directory as this configuration file.

  5. Start the Dispatcher Paragon Management Service service.

Example of clusterCommunicator.conf file configuration

secureCommunicationEnabled=true
truststoreFile=truststore.jks
truststorePassword=password
keyStoreFile=dispatcherparagonkeystore.jks
keystorePassword=keystoreprotectingpassword
sslProtocol=TLS
clientAuthenticationRequired=true