Configuring SSL between Liberty Nodes and Redis Cluster


oleksandr...@gmail.com

Jul 19, 2017, 9:48:40 AM
to lettuce-redis-client-users

Please assist me with my environment. There are:
2 hosts with 1 WebSphere Liberty Profile on each, working in 1 cluster;
3 hosts with 3 Redis nodes each (master, slave, slave2), which work in 1 cluster.


We write all caches and other information (dictionary, etc.) to our Redis cluster, but without any security.


Could you please help me with configuring SSL on the Redis cluster? Or do I have to use stunnel? And how do I configure stunnel for my environment?


Thanks in advance

Mark Paluch

Jul 20, 2017, 3:00:26 AM
to lettuce-redis-client-users, oleksandr...@gmail.com
Redis has no SSL support built in, therefore you need an SSL tunnel to secure the transport layer. 
Stunnel is a good choice because it's quite flexible in what it supports. 

Redis Cluster knows about its topology – because an SSL tunnel impacts the ports you're going 
to connect, you need to configure each Redis node accordingly. 
Each node must report the SSL port bound to your SSL tunnel instead of the Redis port that Redis binds. 
You do that by setting cluster-announce-ip/-port/-bus-port in your configuration [0].

From your client, you just enable SSL and connect to the SSL ports and everything else
just works.

These settings are available as of Redis 4.0 as part of the Docker/NAT support but they
work also for SSL tunneling.

Cheers, 
Mark

oleksandr...@gmail.com

Jul 20, 2017, 8:16:13 AM
to lettuce-redis-client-users, oleksandr...@gmail.com
Dear Mark,

Thank you for your response. But could you please describe this process in more detail?

1 host         2 host         3 host
master node    master node    master node
slave node     slave node     slave node
slave2 node    slave2 node    slave2 node

Do I have to install one stunnel on each host, or one stunnel per node on each host?
After this configuration, how should my client hosts (WebSphere Liberty) call Redis? Using the Redis ports or the stunnel ones?

Maybe you have some examples of Redis/stunnel configs? I would very much appreciate it if you could show them to me.

Thanks in advance 




Mark Paluch

Jul 20, 2017, 8:43:33 AM
to lettuce-redis-client-users, oleksandr...@gmail.com
You have multiple options that come:
  1. Run a dedicated proxy server in front of all your nodes (a single machine with one stunnel process running). Encryption between client and the proxy host, unencrypted between proxy and Redis nodes.
  2. Run the proxy along on each host (install stunnel on each host and run a single process for all Redis processes). End-to-end encryption with no unencrypted traffic on the network.
Running an stunnel server on your client nodes is somewhat pointless because you would encrypt only traffic between the client and the tunnel. All network traffic remains plain text and you didn't win anything.

You can check out the Makefile [0] of Lettuce which sets up a stunnel.conf with multiple mappings.

Cheers, 
Mark
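
An added example, not taken from this thread or from the Lettuce Makefile: a small generator for the second option above (one stunnel process per host, one service per Redis node), which renders the stunnel.conf for a host and the matching cluster-announce-ip/-port lines for each node. The host IPs, Redis ports, the +10 TLS port offset and the certificate path are constructed assumptions; only the client-facing port is mapped, and cluster-announce-bus-port handling is not shown.

```python
# Added example: render stunnel.conf per host and redis.conf lines per node.
# IPs, ports, TLS_OFFSET and the certificate path are constructed assumptions.

TLS_OFFSET = 10      # hypothetical: stunnel accepts on redis_port + 10
BUS_OFFSET = 10000   # Redis Cluster bus listens on data port + 10000

# Constructed topology mirroring the thread: 3 hosts, 3 Redis nodes each.
TOPOLOGY = {
    "10.0.0.1": [7000, 7001, 7002],
    "10.0.0.2": [7000, 7001, 7002],
    "10.0.0.3": [7000, 7001, 7002],
}


def tls_port(redis_port, used):
    """Map a Redis port to its stunnel port, rejecting listener collisions."""
    port = redis_port + TLS_OFFSET
    if port in used:
        raise ValueError(f"TLS port {port} collides with another listener")
    return port


def render_host(host_ip, redis_ports, cert="/etc/stunnel/redis.pem"):
    """Return (stunnel_conf, {redis_port: redis_conf_lines}) for one host."""
    # Ports already taken on this host: Redis data ports and bus ports.
    used = set(redis_ports) | {p + BUS_OFFSET for p in redis_ports}
    stunnel = [f"cert = {cert}", ""]
    redis = {}
    for rp in redis_ports:
        tp = tls_port(rp, used)
        used.add(tp)
        # stunnel terminates TLS on the host IP and forwards to local Redis.
        stunnel += [f"[redis-{rp}]", f"accept = {host_ip}:{tp}",
                    f"connect = 127.0.0.1:{rp}", ""]
        # Each node announces the stunnel port instead of its own port.
        redis[rp] = "\n".join([
            f"port {rp}",
            "cluster-enabled yes",
            f"cluster-announce-ip {host_ip}",
            f"cluster-announce-port {tp}",
        ])
    return "\n".join(stunnel), redis


if __name__ == "__main__":
    for ip, ports in TOPOLOGY.items():
        conf, nodes = render_host(ip, ports)
        print(f"# ---- stunnel.conf for {ip} ----\n{conf}")
        for rp, lines in nodes.items():
            print(f"# ---- redis.conf additions, node {ip}:{rp} ----\n{lines}\n")
```

Clients then connect with SSL enabled to the announced ports (7010 to 7012 on each host in this constructed layout), not to the Redis ports.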
