Cluster Security

This section describes about the Cluster Security.

Gossip Key

In the cluster, the appliances communicate using the Gossip protocol. The cluster supports encrypting the communication using the gossip key. This key is generated during the creation of the cluster. The gossip key is then shared across all the appliances in the cluster.

SSL Certificates

SSL certificates are used to authenticate the appliances on the cluster. Every appliance contains the following default cluster certificates in the certificate repository:

  • Server certificate and key for Consul
  • Certificate Authorities(CA) certificate and key for Consul

In a cluster, the server certificates of the appliances are validated by the CA certificate of the appliance that initiated the cluster. This CA certificate is shared across all the appliances on the cluster for SSL communication.

You can also upload your custom CA and server certificates to the appliances on the cluster. The CA.key file is not mandatory when you deploy custom certificates for an appliance.

Ensure that you apply a single CA certificate on all the appliances in the cluster.

If the CA.key is available, the appliances that are added to the cluster download the CA certificate and key. The new server certificate for the appliance are generated using the CA key file.

If the CA.key is not available, all the keys and certificates are shared among the appliances in the cluster.

Ensure that the custom certificates match the following requirements:

  • The CN attribute of the server certificate is set in the following format:

    server.<datacenter name>.<domain>

    The domain and datacenter name must be equal to the value mentioned in theconfig.json file. For example, server.ptydatacenter.protegrity.

  • The custom certificates contain the following entries:

    • localhost

      • 127.0.0.1
      • FQDN of the local servers in the cluster
        For example, an SSL Certificate with SAN extension of servers ESA1, ESA2, and ESA3 in a cluster has the following entries:
    • localhost

      • 127.0.0.1
      • ESA1.protegrity.com
      • ESA2.protegrity.com
      • ESA3.protegrity.com

The following figure illustrates the certificates.

Cluster Certificates

Ports

The following ports are used for enabling communication between appliances:

  • TCP port of 8300 – Used by servers to handle incoming request
  • TCP and UDP ports of 8301 – Used by appliances to gossip on LAN
  • TCP and UDP ports of 8302 – Used by appliances to gossip on WAN

Appliance Key Rotation

If you are using cloned machines to join a cluster, it is necessary to rotate the keys on all cloned nodes before joining the cluster. If the cloned machines have proxy authentication, two factor authentication, or TAC enabled, it is recommended to use new machines. This avoids any limitations or conflicts, such as, inconsistent TAC, mismatched node statuses, conflicting nodes, and key rotation failures due to keys in use.

For more information about rotating the keys, refer here.