
Finish adding SSL crypto for intra-cluster communication: nodetool hacks

Here are the instructions for creating the OpenSSL key files necessary
to use the hackery.  TODO: This stuff should be put somewhere else.

Sources:

    http://www.snookles.com/erlang-docs/R14B02/lib/ssl-4.1.4/doc/html/ssl_distribution.html
    http://www.openssl.org/docs/HOWTO/keys.txt
    http://www.openssl.org/docs/HOWTO/certificates.txt

Step 1: Run this:

    openssl genrsa -out privkey.pem 2048

Step 2: Run this, and enter (more) sensible input when prompted:

    openssl req -new -x509 -key privkey.pem -out erlclient.pem -days 1095

    You are about to be asked to enter information that will be
incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a
DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:MN
    Locality Name (eg, city) []:Minneapolis
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Basho
Technologies, Inc.
    Organizational Unit Name (eg, section) []:Nearly-Canadian office
    Common Name (eg, YOUR name) []:SLF
    Email Address []:scott@basho.com

Step 3: Do the same but substitute "erlserver.pem"

    openssl req -new -x509 -key privkey.pem -out erlserver.pem -days 1095

Step 4: Concatenate the private key with the two certificates

    cat privkey.pem >> erlclient.pem
    cat privkey.pem >> erlserver.pem

Step 5: Copy certificate files to Riak etc dir

    cp /path/to/generated/erl*.pem /etc/riak/directory

... or this path for Solaris users:

    cp /path/to/generated/erl*.pem /opt/riak/etc

Step 6: Add the following to each Riak node's etc/vm.args file:

    -proto_dist inet_ssl
    -ssl_dist_opt client_certfile "/etc/riak/erlclient.pem"
    -ssl_dist_opt server_certfile "/etc/riak/erlserver.pem"

... or these paths for Solaris users:

    -proto_dist inet_ssl
    -ssl_dist_opt client_certfile "/opt/riak/etc/erlclient.pem"
    -ssl_dist_opt server_certfile "/opt/riak/etc/erlserver.pem"
commit 489c4e14063c0a2a48b277bd8cee8780f9fc9d35 1 parent 75f058b
Scott Lystig Fritchie slfritchie authored
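--- a/rel/files/nodetool
+++ b/rel/files/nodetool
@@ -1,4 +1,6 @@
+#!/usr/bin/env escript
 %% -*- erlang -*-
+%%! -args_file {{platform_data_dir}}/ssl_distribution.args_file
 %% -------------------------------------------------------------------
 %%
 %% nodetool: Helper Script for interacting with live nodes
@@ -9,6 +11,10 @@ main(Args) ->
 %% Extract the args
 {RestArgs, TargetNode} = process_args(Args, [], undefined),
 
+%% process_args() has side-effects (e.g. when processing "-name"),
+%% so take care of app-starting business first.
+[application:start(App) || App <- [crypto, public_key, ssl]],
+
 %% See if the node is currently running -- if it's not, we'll bail
 case {net_kernel:hidden_connect_node(TargetNode), net_adm:ping(TargetNode)} of
 {true, pong} ->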
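Review bot: The result of each `application:start(App)` in the new comprehension is discarded, so a failure to start crypto, public_key or ssl for any reason other than already-running is silent and only shows up later as an obscure connect failure; assert the outcome per app, e.g. `[ok = case application:start(App) of ok -> ok; {error, {already_started, _}} -> ok end || App <- [crypto, public_key, ssl]],`. The comment above the comprehension says app-starting should happen before the side effects of `process_args`, yet the comprehension is placed after the `{RestArgs, TargetNode} = process_args(Args, [], undefined)` call; if the `-name` handling in process_args brings up distribution, ssl is not running at that point, so either move the comprehension above that line or reword the comment to say what "first" refers to. The `%%! -args_file` line also makes the script depend on a file that the `riak` wrapper generates, so invoking nodetool directly will presumably fail when that file is absent — a short comment next to it saying where the file comes from would save the next reader a detour. `main/1` continues outside the hunk.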
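--- a/rel/files/riak
+++ b/rel/files/riak
@@ -10,6 +10,7 @@ RUNNER_ETC_DIR={{runner_etc_dir}}
 RUNNER_LOG_DIR={{runner_log_dir}}
 PIPE_DIR={{pipe_dir}}
 RUNNER_USER={{runner_user}}
+SSL_DIST_CONFIG={{platform_data_dir}}/ssl_distribution.args_file
 
 # Make sure this script is running as the appropriate user
 if [ "$RUNNER_USER" -a "x$LOGNAME" != "x$RUNNER_USER" ]; then
@@ -64,6 +65,11 @@ ERTS_PATH=$RUNNER_BASE_DIR/erts-$ERTS_VSN/bin
 # Setup command to control the node
 NODETOOL="$ERTS_PATH/escript $ERTS_PATH/nodetool $NAME_ARG $COOKIE_ARG"
 
+# Scrape out SSL distribution config info from vm.args into $SSL_DIST_CONFIG
+rm -f $SSL_DIST_CONFIG
+sed -n '/Begin SSL distribution items/,/End SSL distribution items/p' \
+ $RUNNER_ETC_DIR/vm.args > $SSL_DIST_CONFIG
+
 # Check the first argument for instructions
 case "$1" in
 start)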
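Review bot: `rm -f $SSL_DIST_CONFIG`, the `sed` input path and the redirect target in the second hunk are all unquoted, so a RUNNER_ETC_DIR or platform_data_dir containing whitespace splits into several words; quote them: `rm -f "$SSL_DIST_CONFIG"` and `"$RUNNER_ETC_DIR/vm.args" > "$SSL_DIST_CONFIG"`. The `rm -f` is redundant, since the `>` redirect truncates the file anyway. The scrape runs unconditionally before `case "$1"`, i.e. for every subcommand, and if the directory holding `$SSL_DIST_CONFIG` does not exist yet the redirect fails with a shell error — whether that directory is guaranteed to exist at this point is not visible in the hunk and worth confirming.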
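--- a/rel/files/vm.args
+++ b/rel/files/vm.args
@@ -1,4 +1,3 @@
-
 ## Name of the riak node
 -name {{node}}
 
@@ -19,3 +18,15 @@
 ## Tweak GC to run more often
 -env ERL_FULLSWEEP_AFTER 0
 
+## Begin SSL distribution items, DO NOT DELETE OR EDIT THIS COMMENT
+
+## To enable SSL encryption of the Erlang intra-cluster communication,
+## un-comment the three lines below and make certain that the paths
+## point to correct PEM data files. See docs TODO for details.
+
+## -proto_dist inet_ssl
+## -ssl_dist_opt client_certfile "{{platform_etc_dir}}/erlclient.pem"
+## -ssl_dist_opt server_certfile "{{platform_etc_dir}}/erlserver.pem"
+
+## End SSL distribution items, DO NOT DELETE OR EDIT THIS COMMENT
+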
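Review bot: `See docs TODO for details.` leaves the operator with no reference for producing the PEM files, and the key-generation steps currently live only in this commit message; replace the placeholder with the real document location, or keep the steps next to the template, before this ships. The example lines name only `client_certfile` and `server_certfile`, which is enough to encrypt the distribution link but says nothing about peer verification, so a reader may assume the certificates alone authenticate nodes; a line such as `## Note: these options encrypt the link; whether the remote node's certificate is verified depends on the verification options your OTP release supports` would set expectations correctly (which verification options are exposed via -ssl_dist_opt on the targeted release should be confirmed).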
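--- a/rel/reltool.config
+++ b/rel/reltool.config
@@ -57,11 +57,11 @@
 {mkdir, "data/ring"},
 {mkdir, "log/sasl"},
 {copy, "files/erl", "{{erts_vsn}}/bin/erl"},
-{copy, "files/nodetool", "{{erts_vsn}}/bin/nodetool"},
 {template, "files/app.config", "etc/app.config"},
-{template, "files/vm.args", "etc/vm.args"},
+{template, "files/nodetool", "{{erts_vsn}}/bin/nodetool"},
 {template, "files/riak", "bin/riak"},
-{template, "files/riak-admin", "bin/riak-admin"}
+{template, "files/riak-admin", "bin/riak-admin"},
+{template, "files/vm.args", "etc/vm.args"}
 ]}.
 
 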
