Security Design

Procedure for Manually Replacing Certificates

To use the certificate, you need to set the cm_server parameter to on (default value).
```
cm_ctl set --param --server -k enable_ssl="on"
```
The certificate file must exist in $GAUSSHOME**/share/sslcert/cm** on all nodes. After the certificate is replaced, restart the cluster for the certificate to take effect.
Required certificate files include server.crt, server.key, client.crt, client.key, cacert.pem, server.key.cipher, server.key.rand, client.key.cipher, and client.key.rand.
The permission on the root certificate, key, certificate, and encrypted key file should be 400. If the permission does not meet the requirements, SSL cannot be used.
- chmod 400 cacert.pem
- chmod 400 server.crt
- chmod 400 server.key
- chmod 400 server.key.cipher
- chmod 400 server.key.rand
- chmod 400 client.crt
- chmod 400 client.key
- chmod 400 client.key.cipher
- chmod 400 client.key.rand
The certificate validity period is checked every day, which can be set by running the ssl_cert_expire_check_interval command. An alarm is generated when the certificate is about to expire in 90 days, which can be set by running the ssl_cert_expire_alert_threshold command.
The CRLs of the client and server are client.crl and server.crl, respectively.