Configure TLS Network Encryption

This procedure explains how to specify the TLS certificates your AIStor deployment requires and how to configure the deployment to use them. See also Enable Network Encryption for an explanation of how AIStor uses TLS and which cipher suites it supports.

Prerequisites

  • The appropriate X.509 certificates for your environment.

  • Read and write permissions on the certificate directories for the user who adds the certificates.

Procedure

  1. Create the certificates and Certificate Authorities (CAs) your environment requires.

  2. Create the appropriate directories for your certificates and CAs.

    # example certificates path
    /opt/minio/certs
    
    # example CAs path
    /opt/minio/certs/CAs
    
  3. Set the ownership of these directories to minio-user:

    sudo chown -R minio-user:minio-user /opt/minio/certs
    
  4. Add the default certificate to the /certs directory. A private.key and public.crt pair must be present at the root of the certs directory; AIStor serves this pair as its default certificate.

    /certs
      private.key
      public.crt
    
  5. (optional) Add more certificates per domain as your environment requires. Create a sub-directory in the /certs directory for each hostname, or for each group of hostnames that one certificate covers through its DNS or IP SAN list, and place that certificate's private.key and public.crt pair inside it. See Multiple TLS Certificates.

    /certs
      private.key
      public.crt # default certificate
      /object-store.example.net
        private.key
        public.crt # wildcard certificate for *.object-store.example.net
      /s3.example.net
        private.key
        public.crt # wildcard certificate for *.s3.example.net
    
  6. (optional) Add CAs for trusting remote hosts. Place the CA files in the /certs/CAs directory. See Certificate Authorities.

  7. Modify the environment file at /etc/default/minio. Open the file and modify the MINIO_OPTS and MINIO_VOLUMES values as follows:

    • MINIO_OPTS - add the --certs-dir parameter pointing at the directory you created for storing certificates.

    • MINIO_VOLUMES - change the http:// protocol to https://.

    MINIO_OPTS="--certs-dir /opt/minio/certs"
    
    # specify https for all nodes
    MINIO_VOLUMES="https://..."
    
  8. Restart AIStor and monitor the server logs to make sure that all nodes restart and resume operations. You must also update your clients, including any mc aliases, to connect to AIStor over https://.

    # ALIAS is the mc alias name for this deployment
    mc admin service restart ALIAS
    
    # update the alias with the new https:// hostname
    mc alias set ALIAS https://minio.example.net:9000 USERNAME PASSWORD
    
    mc admin info --debug ALIAS
    
    The --debug output should show a successful TLS handshake between the client and the AIStor server.
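The following pre-flight check is an added example, not part of the AIStor documentation or the product itself. It walks a certs directory laid out as described in steps 4 through 6 and reports the mistakes that most often cause a restart to come up without TLS or with an exposed key: a missing default pair at the root, a per-hostname sub-directory that lacks its own pair, a file named public.cert instead of public.crt, a private key readable by group or others, and key material placed under CAs/. The demo_layout helper builds a throwaway directory of constructed placeholder files (not real keys or certificates) so the check can be exercised offline; the directory paths and the ALIAS-style placeholders are assumptions for the example.

```shell
#!/bin/sh
# Added example: pre-flight check of an AIStor certs directory before pointing
# --certs-dir at it and restarting. Not part of the AIStor docs or product.

# check_certs_dir DIR -> prints findings; returns 0 if the layout is usable, 1 otherwise
check_certs_dir() {
    dir=$1
    rc=0

    # 1. The default pair must exist at the root, or there is no certificate to serve.
    for f in private.key public.crt; do
        if [ ! -f "$dir/$f" ]; then
            echo "ERROR: missing default $dir/$f"
            rc=1
        fi
    done

    # 2. Every per-hostname sub-directory (anything except CAs) needs its own pair.
    for sub in "$dir"/*/; do
        [ -d "$sub" ] || continue
        sub=${sub%/}
        [ "$(basename "$sub")" = "CAs" ] && continue
        for f in private.key public.crt; do
            if [ ! -f "$sub/$f" ]; then
                echo "ERROR: $sub lacks $f"
                rc=1
            fi
        done
    done

    # 3. The common typo: public.cert is silently ignored, only public.crt is loaded.
    typos=$(find "$dir" -name public.cert -print)
    if [ -n "$typos" ]; then
        echo "WARN: found public.cert (AIStor expects public.crt), it will be ignored:"
        echo "$typos"
    fi

    # 4. Private keys must not be readable by group or others (run as minio-user).
    bad_keys=$(find "$dir" -name private.key \( -perm -040 -o -perm -004 \) -print)
    if [ -n "$bad_keys" ]; then
        echo "ERROR: private key readable by group/others (expected mode 0600):"
        echo "$bad_keys"
        rc=1
    fi

    # 5. CAs/ holds certificates of remote hosts to trust; no key material belongs there.
    if [ -d "$dir/CAs" ]; then
        stray=$(find "$dir/CAs" -name '*.key' -print)
        if [ -n "$stray" ]; then
            echo "ERROR: private key material inside $dir/CAs:"
            echo "$stray"
            rc=1
        fi
    fi

    return $rc
}

# demo_layout good|bad -> prints the path of a constructed, throwaway certs tree.
# The files are placeholder text, not real keys or certificates.
demo_layout() {
    root=$(mktemp -d)
    mkdir -p "$root/CAs" "$root/s3.example.net"
    echo "constructed placeholder, not a real key" > "$root/private.key"
    echo "constructed placeholder, not a real cert" > "$root/public.crt"
    chmod 600 "$root/private.key"
    if [ "$1" = good ]; then
        cp "$root/private.key" "$root/s3.example.net/private.key"
        cp "$root/public.crt" "$root/s3.example.net/public.crt"
        chmod 600 "$root/s3.example.net/private.key"
    else
        chmod 644 "$root/private.key"                              # world-readable key
        cp "$root/public.crt" "$root/s3.example.net/public.cert"   # wrong name, no key
    fi
    echo "$root"
}

# Usage: sh check_certs.sh /opt/minio/certs
if [ "$#" -gt 0 ]; then
    check_certs_dir "$1"
fi
```

Run it as the user that will own the certificates, before step 8, so a failed check costs a few seconds instead of a restart that leaves nodes serving the wrong certificate. A clean run prints nothing and exits 0.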