Enabling TLS encryption
Monitoring components support TLS encryption in two modes.

mode        allow Monitoring components to
----------  --------------------------------------------------
TLS Client  connect to Refinery processes with TLS encryption
TLS Server  accept TLS connections from external processes

OpenSSL configuration
Only OpenSSL version 1.0.2 is supported. As of kdb+ 3.6, the process only searches for the file libssl.so, which is not present in a default server installation. TLS will therefore not be available.
To enable, run the following as root.
cd /etc/lib64
ln -sv libssl.so.10 libssl.so
[SSL prerequisites](code.kx.com/q/kb/ssl/#prerequisites)
TLS client configuration
No further configuration is required for TLS client support.
TLS server configuration
Enable TLS encryption between the Monitoring components by setting the following paths as environment variables in the systemd service file.

KX_SSL_CERT_FILE     server certificate file
KX_SSL_CA_CERT_FILE  certificate file containing the chain to the root certificate
KX_SSL_KEY_FILE      key file for the server

Once TLS is enabled in the Web API component, the component accepts requests over both HTTP and HTTPS.
Component initialization checks
During process boot, all Monitoring components check that they are able to load the OpenSSL library correctly.
TLS unavailable and unconfigured
2020.03.18 16:25:13 INFO kx-refinery-monitoring-daemon TLS support [ Available: false ] [ Configured: false ]
TLS unavailable and configured
In this case the process exits with an error.
2020.03.18 16:24:41 ERROR kdb TLS error: Could not initialize openssl. Error was incompatible ssl version
2020.03.18 16:24:41 ERROR TLS configured but is not available on the current server. Check OpenSSL settings or disable TLS
TLS available and unconfigured
2020.03.18 16:38:22 INFO kx-refinery-monitoring-daemon TLS support [ Available: true ] [ Configured: false ]
TLS available and configured
2020.03.18 16:34:32 INFO kx-refinery-monitoring-daemon TLS support [ Available: true ] [ Configured: true ]
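The four boot outcomes above can be checked mechanically after a deployment. The following is an added example, not part of the product or its documentation: it parses the log lines shown on this page and reports every component start where TLS server mode did not come up. The function names and state labels are chosen here for illustration.

```python
import re

# Boot-time status line written by each Monitoring component.
STATUS_RE = re.compile(
    r"^(?P<ts>\S+ \S+) INFO (?P<component>\S+) TLS support "
    r"\[ Available: (?P<available>true|false) \] "
    r"\[ Configured: (?P<configured>true|false) \]\s*$"
)
# Fatal line written when TLS is configured but OpenSSL could not be loaded.
FATAL_RE = re.compile(r"^(?P<ts>\S+ \S+) ERROR TLS configured but is not available")

def classify(lines):
    """Return (timestamp, component, state) for every TLS boot event found."""
    findings = []
    for line in lines:
        m = STATUS_RE.match(line)
        if m:
            if m["available"] == "false":
                state = "openssl-unavailable"
            elif m["configured"] == "false":
                state = "not-configured"
            else:
                state = "enabled"
            findings.append((m["ts"], m["component"], state))
        elif FATAL_RE.match(line):
            # This line carries no component name; the process has exited.
            ts = FATAL_RE.match(line)["ts"]
            findings.append((ts, None, "exited-configured-but-unavailable"))
    return findings

def needs_attention(findings):
    """Keep only the events where TLS server mode did not come up."""
    return [f for f in findings if f[2] != "enabled"]

# Sample input: the log lines shown on this page, in page order.
SAMPLE = """\
2020.03.18 16:25:13 INFO kx-refinery-monitoring-daemon TLS support [ Available: false ] [ Configured: false ]
2020.03.18 16:24:41 ERROR kdb TLS error: Could not initialize openssl. Error was incompatible ssl version
2020.03.18 16:24:41 ERROR TLS configured but is not available on the current server. Check OpenSSL settings or disable TLS
2020.03.18 16:38:22 INFO kx-refinery-monitoring-daemon TLS support [ Available: true ] [ Configured: false ]
2020.03.18 16:34:32 INFO kx-refinery-monitoring-daemon TLS support [ Available: true ] [ Configured: true ]
""".splitlines()

if __name__ == "__main__":
    for ts, component, state in needs_attention(classify(SAMPLE)):
        print(ts, component or "(component not named)", state)
```

The INFO cases with `Configured: false` or `Available: false` are the ones to alert on, because the process starts normally and logs no error.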