HTTPS is HTTP carried over SSL/TLS (Secure Sockets Layer/Transport Layer Security). In HTTPS, the communication between client and server is secured using a Public Key Infrastructure (PKI). HTTPS is an industry-standard protocol that is widely used on the Internet for secure communication. Each entity holds a key pair: data encrypted with an entity's public key can be decrypted only with its private key, and a signature made with the private key can be verified by anyone holding the public key. A common trusted entity, the Certification Authority (CA), vouches for the identities of the client and the server by signing their certificates. In a CP server deployment, the server and each client have their own private key, an individual certificate signed by the common CA, and a copy of the CA's certificate. CP server uses the SSL/TLS implementation from OpenSSL to provide HTTPS for secure communication.
Communication between the CP server and a VCS cluster (application cluster) node involves the following entities:
vxcpserv for the CP server
cpsadm for the VCS cluster node
Communication flow between CP server and VCS cluster nodes with security configured on them is as follows:
Initial setup:
Identities of CP server and VCS cluster nodes are configured on respective nodes by the VCS installer.
Note: For secure communication using HTTPS, you do not need to establish trust between the CP server and the application cluster as a separate step; trust follows from both sides holding certificates signed by the common CA and a copy of the CA's certificate.
The CA-signed client certificate is used to establish the identity of the client. Once the CP server has authenticated the client, the client can issue only those operational commands that are scoped to its own cluster.
Getting credentials from authentication broker:
The cpsadm command reads the existing credentials (its private key and CA-signed certificate) present on the local node. The installer generates these credentials during fencing configuration.
The vxcpserv process reads the existing credentials (its private key and CA-signed certificate) present on the local node. The installer generates these credentials when it enables security on the CP server.
Communication between CP server and VCS cluster nodes:
After the CP server has loaded its credentials and is up, it is ready to accept connections from clients. After the cpsadm command has obtained its credentials, it connects to the CP server and, as part of the TLS handshake, authenticates the CP server's certificate against the CA certificate. The request data is then passed to the CP server.
Validation:
On receiving data from a particular VCS cluster node, vxcpserv validates that node's credentials, that is, checks that the presented certificate chains to the common CA. If validation fails, the request is rejected.