SSL/TLS Cach 2012.

2+
,
InterSystems


SSL TLS?

TLS (. Transport Layer Security ),

SSL (. Secure Socket Layers )
,
.

TLS ?

, TLS
.
, ,
.
Cach .

TLS ?

.
, ,
.
(primary, backup, async) :

X.509 c .
(, .
CA Certificate Authority).
:
RSA
SHA-1 -.

(Thawte, VeriSign, )

.
. ().
,
(VPN)
.
OpenSSL
: AES, DES, 3DES,
RC5, 28147
(RSA, DSA, DH, 34.10)
- (MD*, SHA-*, 34.11)
.
( ) , .

.

, :
OpenSSL (www.openssl.org)
GNU Make (www.gnu.org/software/make/) .
, , ,
POSIX (UNIX Linux)
Windows Cygwin
(www.cygwin.com/)
Makefile OpenSSL .
.

 Cach

, , ,
. . . :
InterSystems Root CA
Intermediate CA 0
CACHE201220A (primary)
CACHE201220B (backup)
CACHE201220C (async 0)
Intermediate CA 1
CACHE201220D (async 1)
CACHE201220E (async 2)

KeyUsage / Extended Key Usage,

, ,
( . Configuring Cach to Use SSL/TLS with
Mirroring):
KeyUsage:
Digital Signature ( )
Key Encipherment ( )
Extended Key Usage:
Client Authentication

 Server Authentication
()

Cach (CACHE201310), *,
(RIGEL/CACHE201310)
Subject (, , DN Distinguished Name) X.509 ,
*, CN (Common Name),
IP- / DNS- (FQDN) / Cach. :
emailAddress=support@intersystems.com,CN=CACHE201310,CN=RIGEL,OU=Co
re Support,OU=Support,O=Russian Branch,O=InterSystems Root
CA,ST=Moscow,C=RU

 ()

Subject (DN) Subject Alt Name, :

 OpenSSL (CA)

openssl-ca.cnf.
[ req ]
prompt
utf8
default_bits
distinguished_name
attributes
x509_extensions
string_mask

=
=
=
=
=
=
=

no
no
1024
req_distinguished_name
req_attributes
v3_ca
nombstr

[ req_distinguished_name ]
C
ST
L
1.O
2.O
1.OU
2.OU
1.CN
emailAddress

=
=
=
=
=
=
=
=
=

[ req_attributes ]
unstructuredName

= InterSystems Root CA

RU
Moscow
Moscow City
InterSystems Root CA
Russian Branch
Support
Core Support
InterSystems Root CA
support@intersystems.com

[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, cRLSign, keyCertSign

 OpenSSL Cach

openssl-server-a.cnf, openssl-server-b.cnf. IP-

DNS- (1.CN, subjectAltName), Cach (2.CN)
.
[ req ]
prompt
utf8
default_bits
distinguished_name
attributes
x509_extensions
string_mask

=
=
=
=
=
=
=

no
no
1024
req_distinguished_name
req_attributes
v3_ca
nombstr

[ req_distinguished_name ]
C
ST
L
1.O
2.O
1.OU
2.OU
1.CN
2.CN
emailAddress

=
=
=
=
=
=
=
=
=
=

[ req_attributes ]
unstructuredName

= InterSystems Root CA

[ usr_cert ]
basicConstraints
nsCertType
keyUsage
nsComment
subjectAltName

=
=
=
=
=

RU
Moscow
Moscow City
InterSystems Root CA
Russian Branch
Support
Core Support
RIGEL
CACHE201310
support@intersystems.com

CA:FALSE
client, server, objsign
digitalSignature, keyEncipherment
"OpenSSL Generated Certificate"
IP:192.168.89.155,DNS:RIGEL,dirName:req_distinguished_name

openssl req openssl ca.

: UNIX (man-) openssl(1), req(1),
ca(1).
, Makefile,
make
.

 ()

:
intersystems-ca.crt (. self-signed)
ca-privkey.pem ( )
CACHE201310.pem A ( )
CACHE201310.cer ,
CACHE201310-privkey.pem (: 1111)
CACHE201320.pem B ( )
CACHE201320.cer B,
CACHE201320-privkey.pem B (: 1111)
, UNIX,
Windows, ( ).
, Cach.
Cach 3 :

,

 .
SSL/TLS-

SMP: System > Security Management > SSL/TLS Configurations > Edit SSL/TLS
Configurations for Mirror
Password: Enter new password
(1111)
SSL/TLS-: %MirrorClient
%MirrorServer

 SSL/TLS- ()

, %MirrorClient %MirrorServer
SSL/TLS-:

,
. ^MIRROR :
1) Mirror Status
2) Mirror Management
3) Mirror Configuration
Option? 3
This utility is for re-configuring mirror including removing
mirror configuration in order to re-create the mirror configuration.
You will need to run SMP to create/join the mirror configuration.
8) Refresh other failover member's data via agent
9) Manage this member's SSL requirements
10) Add a Failover Member
Option? 9
The mirror is configured to use SSL so SSL is required
regardless of the encryption setting of this member.
This member currently does not require encryption
for the outgoing connections it creates.
Do you want to change this setting (y/n)? y
Changed.
Press <enter> to return to the main menu...
8) Refresh other failover member's data via agent
9) Manage this member's SSL requirements
10) Add a Failover Member
Option? 9
The mirror is configured to use SSL so SSL is required
regardless of the encryption setting of this member.
This member currently requires encryption
for the outgoing connections it creates.

SSL/TLS-
.
DN (Distinguished Name)
(. Authorized Async members).
Mirror Monitor (SMP: System > Mirror Monitor).

...

SSL/TLS,
^SYS("MIRRORSET", "MIRRORNAME", "sslDN")
(), Cach
( async-):
%SYS>zw ^SYS("MIRRORSET", "CACHE2013", "sslDN")
^SYS("MIRRORSET","CACHE2013","sslDN","emailAddress=support@intersys
tems.com,CN=CACHE201310,CN=RIGEL,OU=Core
Support,OU=Support,O=Russian Branch,O=InterSystems Root
CA,ST=Moscow,C=RU")=1
^SYS("MIRRORSET","CACHE2013","sslDN","emailAddress=support@intersys
tems.com,CN=CACHE201320,CN=RIGEL,OU=Core
Support,OU=Support,O=Russian Branch,O=InterSystems Root
CA,ST=Moscow,C=RU")=1
, DN (Distinguished Name) X.509-
.

... ()

DN (Distinguished Name) failover-

^MIRROR (Mirror Configuration (3) > Refresh other failover member's data via agent (8)):
1) Mirror Status
2) Mirror Management
3) Mirror Configuration
Option? 3
This utility is for re-configuring mirror including removing
mirror configuration in order to re-create the mirror configuration.
You will need to run SMP to create/join the mirror configuration.
1)
2)
3)
4)
5)
6)
7)
8)
9)
10)
11)
12)

Edit VIP Address

Remove Other Mirror Member
Remove This Failover Member
Remove Authorized ID for Async member
Display Mirror Configuration
Adjust Trouble Timeout parameter
Modify Network Addresses
Refresh other failover member's data via agent
Manage this member's SSL requirements
Add a Failover Member
Add/Edit Authorized ID for Async member
Remove Authorized ID for Async member

Option? 8
Mirror member data for "RIGEL/CACHE201310"
AgentAddress = "rigel"
AgentPort = 2188
ConnectsTo = ""
ECPAddress = "rigel"
EncryptCommunication = 0
GUID = "EB078BC8-849E-4B74-A09D-21247415B114"
InstanceDirectory = "d:\intersystems\cache-2013.1.0\"
MemberType = 0
MirrorAddress = "rigel"
MirrorSSPort = 56780
SSLComputerName = "emailAddress=support@intersystems.com,CN=CACHE201310,CN=RIGEL,OU=Core
Support,OU=Support,O=Russian Branch,O=InterSystems Root CA,ST=Moscow,C=RU"