How to establish secure connection between Remote client and the server

#1
Hi All,
I would like to know what is required to establish secure communication between a remote client and the server?

The few things that I know are that we need to make configuration changes in soss_params.txt as follows:
  • Setting "accept_secure" to "1"
  • Setting "use_secure_conn" to "1"
  • Configuring to make use of the "secure_svr_port" and "secure_mgt_port" at the client end.
I would like to know whether we need to create any certificates for the communication between client and server. If yes, how do we provide the certificate location to the client and server so that they can make use of it? Please advise.
 

admin

Administrator
#1
Hi nithin,
The ScaleOut service will automatically generate a self-signed certificate (generated by OpenSSL) when it starts up if accept_secure is set to 1 and there isn't already a key pair in the product's installation folder. The generated certificate is then automatically deployed to the other hosts in the cluster.

When you look in the folder you should find soss_key.pem (private key) and soss_cert.pem (public certificate). You're welcome to manually replace these two files on all the hosts with your own key pair if you'd like--restart the services for the change to take effect.
 
#1
Thank you for answering the query. It really helps. Can I know the folder location where the certificates soss_key.pem and soss_cert.pem will be present?
 
#1
Thank you for the information.
I have another question: Can I make use of the SSL connection between a client and server residing on the same machine? I mean not a remote client, but a client and server residing on the same machine.
 

admin

Administrator
#1
Yes, it's possible to make local clients use a secure connection. This is an unusual configuration, though, so you'll have to manually edit the soss_client_params.txt file to make local client processes think that they're running as remote clients. Add the runas_remcli field (set to 1) as shown below, and add your local host's IP address as a rem_gw (substituting 10.0.0.42 with your own local IP):
Code:
update_time       0
max_lcl_retries   30
max_rem_retries   2
max_access_time   0
max_svr_conn      4
br_timeout        60
stats_interval    6
runas_remcli      1
rem_gw            __SOSS_remote_client_access, 723, 10.0.0.42, 724
use_secure_conn   __SOSS_remote_client_access, 1
Do not use 127.0.0.1 as your rem_gw IP.
Also, note that this configuration will require using a license key in the server that allows one or more remote client connections.
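
A way to check the client settings from the reply above before restarting anything, as an added example that is not part of the original thread and not ScaleOut's own tooling. The function names are hypothetical, the file layout (key, whitespace, comma-separated values, first value naming the gateway) is an assumption inferred from the sample, and rejecting the whole loopback range rather than only 127.0.0.1 is a generalization of the warning above.

```python
import ipaddress

# Constructed sample: the client settings quoted in the thread.
SAMPLE = """\
runas_remcli      1
rem_gw            __SOSS_remote_client_access, 723, 10.0.0.42, 724
use_secure_conn   __SOSS_remote_client_access, 1
"""


def parse_params(text):
    """Map each key to the list of its comma-separated value lists.
    Assumed layout (inferred from the sample): key, whitespace, values."""
    params = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts:
            continue
        values = [v.strip() for v in parts[1].split(",")] if len(parts) > 1 else []
        params.setdefault(parts[0], []).append(values)
    return params


def check_secure_local_client(text):
    """Return a list of problems; an empty list means the checks passed."""
    params = parse_params(text)
    problems = []
    if params.get("runas_remcli") != [["1"]]:
        problems.append("runas_remcli is not set to 1")
    gateways = [gw for gw in params.get("rem_gw", []) if gw]
    if not gateways:
        problems.append("no rem_gw entry")
    for name, *fields in gateways:
        for field in fields:
            try:
                addr = ipaddress.ip_address(field)
            except ValueError:
                continue  # not an IP address (e.g. 723 and 724 in the sample)
            if addr.is_loopback:
                problems.append(f"rem_gw {name} uses loopback address {field}")
        if [name, "1"] not in params.get("use_secure_conn", []):
            problems.append(f"use_secure_conn is not 1 for gateway {name}")
    return problems


if __name__ == "__main__":
    for problem in check_secure_local_client(SAMPLE) or ["no problems found"]:
        print(problem)
```

To check a real file, pass the contents of soss_client_params.txt to check_secure_local_client instead of SAMPLE.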
 