TLS Authentication
This document describes the settings required for TLS authentication in Gfarm.
Gfarm requires TLS 1.3. OpenSSL 1.1.1 or later is required.
There are two types of TLS authentication:
tls_sharedsecret authentication,
in which the server and client share a private key,
and tls_client_certificate authentication, which uses a client certificate.
The following settings are common to the two TLS authentication methods,
the sasl authentication method, and the sasl_auth authentication method.
- directory containing the Certificate Authority's certificate files
Required by all clients, gfmd, and gfsd.
This can be set with the tls_ca_certificate_path directive
and defaults to /etc/pki/tls/certs/gfarm.
This directory format is the same as /etc/grid-security/certificates
for GSI authentication methods,
so if your site has already been configured for GSI authentication, simply create a symbolic link with the following command to complete the configuration.
# mkdir -p /etc/pki/tls/certs
# ln -s /etc/grid-security/certificates /etc/pki/tls/certs/gfarm
- directory where CRL files provided by the CA are located
Required by all clients, gfmd, and gfsd.
The default directory is /etc/pki/tls/certs/gfarm,
which is the same as tls_ca_certificate_path.
This directory format is also common with /etc/grid-security/certificates
for GSI authentication,
so sites that have already completed the GSI authentication settings
can complete the settings by creating the symbolic link described above.
- the host certificate and the private key for gfmd
These files are required only on the hosts running gfmd.
These can be set by the tls_certificate_file and tls_key_file directives in gfmd.conf,
and the default file names are as follows:
host certificate | /etc/pki/tls/certs/gfmd.crt
private key      | /etc/pki/tls/private/gfmd.key
For sites that have already been configured for GSI authentication,
simply use the following command to create a symbolic link
to complete the configuration.
# mkdir -p /etc/pki/tls/certs /etc/pki/tls/private
# ln -s /etc/grid-security/hostcert.pem /etc/pki/tls/certs/gfmd.crt
# ln -s /etc/grid-security/hostkey.pem /etc/pki/tls/private/gfmd.key
- the service certificate and the private key for gfsd
These can be set by the tls_certificate_file and tls_key_file directives
in gfarm2.conf, which gfsd reads; the default file names are as follows:
service certificate | /etc/pki/tls/certs/gfsd.crt
private key         | /etc/pki/tls/private/gfsd.key
However, the X509_USER_CERT and X509_USER_KEY environment variables
take precedence over the tls_certificate_file and tls_key_file settings,
respectively.
When gfsd is initially configured using the config-gfsd command,
the tls_certificate_file and tls_key_file directives have no effect
because the following locations are set via these environment variables:
service certificate | /etc/grid-security/gfsd/gfsdcert.pem
private key         | /etc/grid-security/gfsd/gfsdkey.pem
Since these path names are the same as those for GSI authentication,
additional settings are not necessary
for sites that have already completed GSI authentication settings.
In order to use a service certificate in gfsd,
the following additional settings are required
in the client's gfarm2.conf, gfsd's gfarm2.conf, and gfmd's gfmd.conf:
spool_server_cred_type host
spool_server_cred_service gfsd
These settings are also common to GSI,
so sites that have already completed the GSI authentication settings
do not need to make any additional settings.
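As an added example (not part of the Gfarm distribution or of this manual), the following POSIX shell functions resolve the certificate and key gfsd will actually use under the precedence described above (environment variables first, then the gfarm2.conf directives, then the defaults), confirm that both spool_server_cred_* directives are present, and sanity-check the resolved pair against the CA directory with openssl. The function names and the GNU stat invocation are assumptions.

```shell
# Added example, not Gfarm code: resolve and check the gfsd TLS credentials.
# Precedence: X509_USER_CERT / X509_USER_KEY, then tls_certificate_file /
# tls_key_file in gfarm2.conf, then the built-in defaults from the manual.
# All function names below are ours.

# Print the value of DIRECTIVE from a gfarm2.conf-style FILE (first match wins;
# surrounding double quotes are stripped). Prints nothing if it is not set.
conf_directive() {  # conf_directive FILE DIRECTIVE
    awk -v key="$2" '$1 == key { gsub(/^"|"$/, "", $2); print $2; exit }' "$1"
}

# Certificate path gfsd would use, given gfarm2.conf at $1.
gfsd_cert_path() {
    if [ -n "${X509_USER_CERT:-}" ]; then
        printf '%s\n' "$X509_USER_CERT"; return
    fi
    v=$(conf_directive "$1" tls_certificate_file)
    printf '%s\n' "${v:-/etc/pki/tls/certs/gfsd.crt}"
}

# Private-key path gfsd would use, given gfarm2.conf at $1.
gfsd_key_path() {
    if [ -n "${X509_USER_KEY:-}" ]; then
        printf '%s\n' "$X509_USER_KEY"; return
    fi
    v=$(conf_directive "$1" tls_key_file)
    printf '%s\n' "${v:-/etc/pki/tls/private/gfsd.key}"
}

# True when FILE carries both directives required for a gfsd service certificate.
spool_cred_ok() {  # spool_cred_ok FILE
    [ "$(conf_directive "$1" spool_server_cred_type)" = host ] &&
    [ "$(conf_directive "$1" spool_server_cred_service)" = gfsd ]
}

# Check a resolved CERT/KEY pair against the CA directory CAPATH: the key must
# not be readable by group/others (GNU stat assumed), the public keys must match,
# and the chain must verify from the hash-named CA files (add -crl_check to
# the verify line to also enforce the CRL files kept in the same directory).
check_cert_key() {  # check_cert_key CAPATH CERT KEY
    capath=$1 cert=$2 key=$3
    [ -r "$cert" ] && [ -r "$key" ] || { echo "cannot read $cert or $key" >&2; return 1; }
    case $(stat -c %a "$key") in
        [0-7]00) ;;
        *) echo "$key is readable by group or others" >&2; return 1 ;;
    esac
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] ||
        { echo "$cert does not match $key" >&2; return 1; }
    openssl verify -CApath "$capath" "$cert" >/dev/null
}
```

A typical call on a gfsd host is `check_cert_key /etc/pki/tls/certs/gfarm "$(gfsd_cert_path /etc/gfarm2.conf)" "$(gfsd_key_path /etc/gfarm2.conf)"`, run as the user gfsd runs as so that readability is judged correctly.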
settings specific to tls_sharedsecret authentication
For all client, gfmd, and gfsd hosts,
a common key must be placed in the .gfarm_shared_key file
directly under each user's home directory.
The configuration of this file is the same
as that of sharedsecret authentication,
so please refer to the description of sharedsecret authentication.
settings specific to tls_client_certificate authentication
settings by the administrator
For each user,
set the Subject DN of the client certificate
in the fourth field of the gfuser command
in the format "/O=Company/OU=Division/CN=UserName".
This setting is also common to GSI, so additional settings are not required
for sites that have already been configured for GSI authentication.
settings by each user
SEE ALSO
gfarm2.conf(5)
Gfarm File System <gfarmfs at gmail.com>