Security Design

Procedure for Manually Replacing Certificates

• Create a self-signed certificate.

  For details about how to create a self-signed certificate, see “Database Security Management > Client Access Authentication > Managing SSL Certificates > Generating Certificates in Developer Guide

  To protect the private key password, use the cm encrypt tool. For details, see Introduction to the cm_ctl Tool.

  cm_ctl encrypt [-M MODE] -D DATADIR
  

  1. Generate the server key factors server.key.cipher and server.key.rand.

     cm_ctl encrypt -M server -D DATADIR
     please enter the password: (The password must be the same as the protection password of the server private key.)
     

  2. Generate the client key factors client.key.cipher and client.key.rand.

     cm_ctl encrypt -M client -D DATADIR
     please enter the password: (The password must be the same as the protection password of the client private key.)
     

Certificate Usage Guide

1. To use the certificate, you need to set the cm_server parameter to on (The default value is off).

   cm_ctl set --param --server -k enable_ssl="on"
   

2. The certificate file must exist in $GAUSSHOME/share/sslcert/cm on all nodes. After the certificate is replaced, restart the cluster for the certificate to take effect.

   Required certificate files include server.crt, server.key, client.crt, client.key, cacert.pem, server.key.cipher, server.key.rand, client.key.cipher, and client.key.rand.

   The permission on the root certificate, key, certificate, and encrypted key file should be 400. If the permission does not meet the requirements, SSL cannot be used.

   • chmod 400 cacert.pem
   • chmod 400 server.crt
   • chmod 400 server.key
   • chmod 400 server.key.cipher
   • chmod 400 server.key.rand
   • chmod 400 client.crt
   • chmod 400 client.key
   • chmod 400 client.key.cipher
   • chmod 400 client.key.rand

3. The certificate validity period is checked every day, which can be set through ssl_cert_expire_check_interval. An alarm is generated when the certificate is about to expire in 90 days, which can be set through ssl_cert_expire_alert_threshold. (For details about the parameter, see ssl_cert_expire_alert_threshold.)