Securing communications among SafeLinx Servers in a cluster

For SafeLinx Servers that participate in a cluster, you can use TLS protocols to secure communications between subordinate and principal nodes.

About this task

To enable secure communications within a SafeLinx Server cluster, store the X.509 certificate of the principal SafeLinx Server node in the key database of each subordinate cluster member. The default key database file is cm.trusted.kdb. Each key database is secured by a stash password that is stored in a stash password file. The default password is "trusted", and the default stash password file is cm.trusted.sth.

After certificates are in place, edit the properties on each subordinate node to require the use of TLS protocols for communications with the principal node.

Procedure

  1. On the SafeLinx Server that is configured as the principal node, use GSKit to request or create a certificate that identifies the node. After you obtain the certificate, add it to the server's key database file.
    For information about obtaining a certificate, see Managing certificates for HCL SafeLinx.
  2. Transfer the signer certificate from the principal node to the subordinate node.
    • If you obtained a third-party certificate for the principal node, transfer the signer certificate file to the subordinate node.
      Note: The default key database file that is installed with the SafeLinx Server might include a signer certificate for the CA from which you received your personal certificate. However, it is best to use the version of the signer certificate that you receive from the CA.
    • If you created a self-signed certificate, extract the certificate to a file and then copy the file to the subordinate node.
  3. To use the default key database file, from the SafeLinx Server installation directory, open the file cm.trusted.kdb. The default password is trusted.
  4. Type a label for the certificate, then click OK.
  5. From the SafeLinx Administrator, open the Resources pane and expand the subordinate SafeLinx Server node that you want to configure.
  6. Right-click Cluster manager and then click Properties.
  7. From the cluster manager properties, open the Subordinate page. Under Internode transport protocol, click TCP/SSL, and then click OK.
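
A check for step 2, as an added example that is not part of the HCL documentation: before the transferred signer certificate is added to the subordinate's key database, confirm that it is the same certificate that was exported on the principal node. It assumes the certificate was exported in Base64 (PEM) form and compares the decoded bytes rather than the file, so line-ending or wrapping changes in transit do not cause false mismatches; the function names and sample data are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

def der_fingerprint(pem_text: str) -> str:
    """Return the SHA-256 fingerprint of the single certificate in pem_text."""
    bodies = PEM_RE.findall(pem_text)
    # A trust-anchor file should hold exactly one certificate; anything else
    # (empty file, appended extra certificate) is rejected, not guessed at.
    if len(bodies) != 1:
        raise ValueError(f"expected exactly 1 certificate, found {len(bodies)}")
    # Drop all whitespace so line wrapping and CRLF conversion do not matter.
    der = base64.b64decode("".join(bodies[0].split()), validate=True)
    return hashlib.sha256(der).hexdigest()

def same_certificate(exported_pem: str, received_pem: str) -> bool:
    """True if both PEM texts encode byte-identical certificates."""
    return der_fingerprint(exported_pem) == der_fingerprint(received_pem)

def make_pem(der: bytes, width: int = 64, newline: str = "\n") -> str:
    """Build constructed sample input: wrap bytes as a PEM certificate block."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----", ""]
    )

# Constructed placeholder bytes standing in for DER; not a real certificate.
SAMPLE_DER = bytes(range(256)) * 3
EXPORTED = make_pem(SAMPLE_DER)                                  # on principal
RECEIVED_CRLF = make_pem(SAMPLE_DER, width=76, newline="\r\n")   # rewrapped copy
RECEIVED_ALTERED = make_pem(SAMPLE_DER[:-1] + b"\x00")           # one byte changed

if __name__ == "__main__":
    print("fingerprint:", der_fingerprint(EXPORTED))
    print("CRLF copy matches:", same_certificate(EXPORTED, RECEIVED_CRLF))
    print("altered copy matches:", same_certificate(EXPORTED, RECEIVED_ALTERED))
```

In practice the fingerprint printed on the principal node would be read out over a separate channel and compared with the one computed on the subordinate node.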

What to do next

To put certificate changes into effect, you must restart each subordinate and principal node where you modified the key database file by adding or changing certificates. For more information, see Starting and stopping the SafeLinx Server.