FedFsInstallNsdbCertificates0.10

From Linux NFS


Project: fedfs-utils



Introduction

A Namespace Database, or NSDB, is the repository for fileset location information in a FedFS domain. At its core, an NSDB is simply an LDAP server with an NSDB Container Entry, or NCE, for short. FedFS data is stored as children of this entry.

In this article, we show how to create and distribute X.509 LDAP server certificates. With these certificates, NSDB clients (fileservers or NSDB administrative tools) can use TLS when communicating with NSDBs.

LDAP server configuration

A self-signed X.509 certificate is created when an NSDB is created using the nsdb-jumpstart tool:

# nsdb-jumpstart install --security=tls

Passing out the server's X.509 certificate

The CA certificate created above (stored in the file /etc/openldap/nsdb-cert.pem) can now be distributed to the fileservers that participate in your FedFS domain. The fileservers then use this certificate to authenticate your NSDB when performing junction resolution.

Suppose the name of your LDAP server is nsdb.example.net. After copying the file containing the certificate to /tmp/cert.pem on your fileserver, use this command on the fileserver to install the certificate:

# nsdbparams update -f /tmp/cert.pem nsdb.example.net

This operation copies the certificate material to a private directory, and saves the location of the copy in the fileserver's NSDB connection parameter database. Now, whenever the fileserver resolves a FedFS junction, it will use this certificate to establish a secure connection to nsdb.example.net.

To complete this task, copy the certificate to, and run the nsdbparams command on, each fileserver that will contain FedFS junctions.

If your fileserver is running rpc.fedfsd and Kerberos has been enabled on the server, you can use the fedfs-set-nsdb-params command to distribute the certificate. Be sure to kinit before running fedfs-set-nsdb-params, and specify "--security=krb5p".
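As an added example (not part of the original page or the fedfs-utils project), a POSIX shell wrapper for the fileserver step above that refuses to run nsdbparams update unless the copied certificate's SHA-256 fingerprint matches a value obtained out of band from the NSDB administrator. It assumes openssl and nsdbparams are installed on the fileserver; the function names and the fingerprint value in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not fedfs-utils code: register an NSDB server certificate
# on a fileserver only after its SHA-256 fingerprint matches a value the
# NSDB administrator supplied out of band (e.g. read over the phone).
# Assumes: openssl and nsdbparams are installed; the caller supplies the
# expected fingerprint (the value in the usage comment is a placeholder).

# Normalise a fingerprint: drop any "SHA256 Fingerprint=" prefix, colons,
# spaces and newlines, and lower-case the hex so two forms compare equal.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Compare two fingerprints after normalisation; returns 0 when they match.
fingerprints_match() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Print the SHA-256 fingerprint of the PEM certificate in $1.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Verify the copied certificate, then register it for the named NSDB
# exactly as the page does: nsdbparams update -f <cert> <nsdb>.
install_nsdb_cert() {
    cert="$1"; nsdb="$2"; expected="$3"
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 1; }
    actual=$(cert_fingerprint "$cert") || return 1
    if ! fingerprints_match "$actual" "$expected"; then
        echo "fingerprint mismatch for $nsdb; refusing to install" >&2
        echo "  expected: $(normalize_fp "$expected")" >&2
        echo "  got:      $(normalize_fp "$actual")" >&2
        return 1
    fi
    nsdbparams update -f "$cert" "$nsdb"
}

# Usage on the fileserver (placeholder fingerprint, not a real value):
# install_nsdb_cert /tmp/cert.pem nsdb.example.net \
#     '<sha256-fingerprint-obtained-from-the-nsdb-administrator>'
```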
