Hi all,

Pacemaker 3.0.0-rc2, which will be released later today, implements a significant new feature: remote CIB administration and Pacemaker Remote connections may now be encrypted using X.509 (SSL/TLS) certificates.

Previously, remote CIB administration could only be obfuscated, and was subject to man-in-the-middle attacks, so this is a major security improvement for that use case. Pacemaker Remote connections could previously be encrypted only with a shared private key. Both methods are secure, but this gives users a choice, and in particular allows users to reuse host certificates if they're already generating them for other purposes.

The public and private keys, certificate authority, and certificate revocation list can be configured in /etc/sysconfig/pacemaker (or /etc/default/pacemaker or wherever your platform keeps environment variables). That file and the Pacemaker Explained document will have details.

-- 
Ken Gaillot <kgail...@redhat.com>
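Added here as an illustration, not code from the announcement or the Pacemaker project: a POSIX shell pre-flight check that the certificate, private key, CA and optional CRL a node is about to be configured with are mutually consistent. The variable names PCMK_cert_file, PCMK_key_file, PCMK_ca_file and PCMK_crl_file are assumed, as is an openssl binary on PATH.

```shell
#!/bin/sh
# Pre-flight check for X.509 material before pointing Pacemaker at it.
# Assumptions: openssl on PATH; the environment file uses the variable
# names PCMK_cert_file, PCMK_key_file, PCMK_ca_file, PCMK_crl_file.
set -u

# check_pcmk_tls_files CERT KEY CA [CRL]
# Returns 0 if the files are consistent, 1 (with a reason) otherwise.
check_pcmk_tls_files() {
    cert=$1 key=$2 ca=$3 crl=${4:-}
    for f in "$cert" "$key" "$ca" ${crl:+"$crl"}; do
        [ -r "$f" ] || { echo "unreadable: $f"; return 1; }
    done
    # Warn (do not fail) if the private key is readable by group or others.
    if [ -n "$(find "$key" -perm /077 2>/dev/null)" ]; then
        echo "warning: $key is readable by group/others"
    fi
    # The key must belong to the certificate: compare the public halves.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match $cert"; return 1; }
    # The certificate must chain to the configured CA and, if a CRL is
    # given, must not be revoked by it.
    if [ -n "$crl" ]; then
        openssl verify -crl_check -CAfile "$ca" -CRLfile "$crl" "$cert" \
            >/dev/null 2>&1 || { echo "chain/CRL check failed for $cert"; return 1; }
    else
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
            || { echo "$cert is not issued by $ca"; return 1; }
    fi
    # Warn if the certificate expires within 30 days (2592000 seconds).
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "warning: $cert expires within 30 days"
    fi
    return 0
}

# check_pcmk_env_file [ENVFILE]
# Reads the paths from the environment file Pacemaker would use.
check_pcmk_env_file() {
    envfile=${1:-/etc/sysconfig/pacemaker}
    # shellcheck disable=SC1090
    . "$envfile"
    check_pcmk_tls_files "${PCMK_cert_file:?}" "${PCMK_key_file:?}" \
        "${PCMK_ca_file:?}" "${PCMK_crl_file:-}"
}
```

Run it as the user that will start pacemakerd so the permission warning reflects the real access the daemon has.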