You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/operate/rs/security/encryption/internode-encryption.md
+92-2Lines changed: 92 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -87,7 +87,11 @@ To enable internode encryption for new databases by default, use one of the foll
87
87
{ "data_internode_encryption": true }
88
88
```
89
89
90
-
## Encryption ciphers and settings
90
+
## Self-signed certificates
91
+
92
+
By default, Redis Enterprise Software uses self-signed certificates for internode encryption. These certificates are automatically generated, managed, and rotated by the system.
93
+
94
+
### Encryption ciphers and settings
91
95
92
96
To encrypt internode communications, Redis Enterprise Software uses TLS 1.2 and the following cipher suites:
93
97
@@ -103,7 +107,7 @@ The TLS layer determines which TLS version to use.
103
107
104
108
No configurable settings are exposed; internode encryption is used internally within a cluster and not exposed to any outside service.
105
109
106
-
## Certificate authority and rotation
110
+
### Certificate authority and rotation
107
111
108
112
Starting with v6.2.4, internode communication is managed, in part, by two certificates: one for the control plane and one for the data plane. These certificates are signed by a private certificate authority (CA). The CA is not exposed outside of the cluster, so it cannot be accessed by external processes or services. In addition, each cluster generates a unique CA that is not used anywhere else.
109
113
@@ -118,3 +122,89 @@ You can use the Redis Enterprise Software REST API to rotate certificates manual
118
122
``` rest
119
123
POST /v1/cluster/certificates/rotate
120
124
```
125
+
126
+
## Customer-provided certificates
127
+
128
+
Instead of using Redis Enterprise Software's self-signed certificates for internode encryption, you can provide your own certificates generated by your Certificate Authority (CA).
129
+
130
+
### Certificate requirements
131
+
132
+
Customer-provided internode encryption certificates must meet the following requirements:
133
+
134
+
- Certificates must be in PEM format.
135
+
136
+
- Certificates must contain the certificate chain and the leaf certificate.
137
+
138
+
### Upload customer-provided certificates
139
+
140
+
You can upload either:
141
+
142
+
- One certificate to be used for both data plane internode encryption (DPINE) and control plane internode encryption (CPINE)
143
+
144
+
- Two separate certificates: one for DPINE and one for CPINE
145
+
146
+
147
+
{{< multitabs id="get-module-versions"
148
+
tab1="Cluster Manager UI"
149
+
tab2="rladmin"
150
+
tab3="REST API">}}
151
+
152
+
1. In the Cluster Manager UI, go to **Cluster > Security > Certificates**.
153
+
154
+
1. Expand the **Internode encryption certificates** section.
155
+
156
+
1. Click **Replace certificates**.
157
+
158
+
1. In the **Internode encryption certificates** panel, selectone of the following options:
159
+
160
+
- Use the same certificate for data and control plane internode encryption
161
+
162
+
- Use separate certificates for data and control plane internode encryption
163
+
164
+
1. For each certificate and key, click **Upload** and use the file browser to selectthe relevant PEM file.
165
+
166
+
1. Click **Save & Rotate**.
167
+
168
+
-tab-sep-
169
+
170
+
<!-- TODO: these are placeholder examples, need to confirm real commands-->
171
+
172
+
Run [`rladmin cluster certificate`]({{< relref "/operate/rs/references/cli-utilities/rladmin/cluster/certificate">}}).
173
+
174
+
To upload a single certificate for both CPINE and DPINE:
175
+
176
+
```sh
177
+
rladmin cluster certificate set cpine_dpine certificate_file <cert1>.pem key_file <key1>.pem
178
+
```
179
+
180
+
To upload 2 different certificate and key pairs for CPINE and DPINE:
<!-- TODO: these are placeholder examples, need to confirm real API-->
189
+
190
+
Send a [`PUT /v1/certificates`]({{< relref "/operate/rs/references/rest-api/requests/certificates#put-certificates">}}) request:
191
+
192
+
```sh
193
+
PUT https://<host>:<port>/v1/certificates
194
+
```
195
+
196
+
{{< /multitabs >}}
197
+
198
+
199
+
### Certificate expiration and rotation
200
+
201
+
Customer-provided internode encryption certificates are not rotated automatically.
202
+
203
+
The expiration of internode encryption certificates could lead to unavailability of the cluster and its databases. To prevent this issue, you should monitor the certificates' expiration dates and renew them before they expire.
204
+
205
+
In case the customer-managed certificates are not manually renewed before they expire, Redis Enterprise Software automatically replaces them with self-signed certificates 5 days before expiration. You can upload new customer-provided certificates at any time to replace the automatically generated self-signed certificates.
206
+
207
+
### Performance recommendations
208
+
209
+
For optimal performance with customer-provided certificates, follow the same recommendations as for self-signed certificates detailed in the [Encryption ciphers and settings](#encryption-ciphers-and-settings) section.
0 commit comments