Configure TLS Network Encryption

This procedure explains how to specify the TLS certificates your AIStor deployment requires and configure your deployment to work with the certificates. See also Enable Network Encryption for explanations of how AIStor requires TLS and which cipher suites AIStor supports.

Prerequisites

  • The appropriate X.509 certificates for your environment.

  • Read and write permissions to the appropriate directories for the user to add certificates.

Procedure

  1. Create the certificates and Certificate Authorities (CAs) your environment requires.

  2. Create the appropriate directories for your certificates and CAs.

    # example certificates path
/opt/minio/certs

# example CAs path
/opt/minio/certs/CAs

  3. Set the ownership of these directories to minio-user:

    sudo chown -R minio-user:minio-user /opt/minio/certs

  4. Add the default certificates to the /certs directory. At least one private.key and public.crt must be placed at the root of the certs directory, to provide the default certificate.

    /certs
  private.key
  public.crt

  5. (optional) Add more certificates per domain as your environment requires. Create a sub-directory in the /certs directory for each hostname or group a certificate supports with its DNS or IP SAN list. See Multiple TLS Certificates.

    /certs
  private.key
  public.cert # default certificate
  /object-store.example.net
    private.key
    public.cert # wildcard certificate for *.object-store.example.net
  /s3.example.net
    private.key
    public.cert # wildcard certificate for *.s3.example.net

  6. (optional) Add CAs for trusting remote hosts. Place the CA files in the /certs/CAs directory. See Certificate Authorities.

  7. Modify the environment file at /etc/default/minio. Open the file and modify the MINIO_OPTS and MINIO_VOLUMES values as follows:

    • MINIO_OPTS - add the certs-dir parameter pointing at the directory you created for storing certificates.

    • MINIO_VOLUMES - change the http:// protocol to https://.

    MINIO_OPTS="--certs-dir /opt/minio/certs"

# specify https for all nodes
MINIO_VOLUMES="https://..."

  8. Restart AIStor and monitor the server logs to make sure that all nodes restart and resume operations. You must update your clients to connect to AIStor with the TLS protocol.

    mc admin service restart

# update the alias with the new hostname
mc alias set https://minio.example.net:9000 USERNAME PASSWORD

mc admin info --debug

    The --debug output should show a successful TLS handshake between the client and AIStor server.