Page tree
Skip to end of metadata
Go to start of metadata

This section covers the steps necessary to set up SSL. These settings are optional when you initially create a cluster and can be done at a later point in time.

Configure SSL settings

You have the option to implement SSL for the cluster at any point in time. If the SQL Server requires SSL, check the box to enable SSL for the cluster. You will need to provide a server certificate and Server Key to ScaleArc. The SSL certificate must be generated by a CA-Authority that is already approved by the application hosts for it to be accepted.

If the SSL setting is disabled, ScaleArc negotiates down LOGIN encryption for client connections. Unlike SQL server, ScaleArc does not auto-generate self-signed SSL certificate. This happens in authentication offload ON mode only.

ScaleArc supports TDS over SSL.

Follow these steps:

  1. Click the Clusters tab > Add Cluster button on the ScaleArc dashboard.
  2. Locate SSL Settings on the screen. This is the fourth panel on the Create Cluster screen.



  3. Select the checkbox to show the SSL Settings screen.



  4. Then, configure the fields as follows:

    Field/ButtonDescriptionDefault/User input
    SSL Authentication Offload

    SSL offload allows you to establish secure communication between the client and the server via ScaleArc. 

    Important

    As a prerequisite, if a SQL client needs to initiate full encryption

    with ScaleArc's SSL enabled cluster, ScaleArc's inbound IP should be reverse-resolvable to the hostname entry in the certificate uploaded on the ScaleArc cluster. Any modification to the SSL Authentication Offload requires you to restart the cluster.


    Select the checkbox.
    Server certificateRequires a Server certificate as a prerequisite. The SSL Certificate must be generated by a CA-Authority that is already approved by the application hosts, for it to be accepted by them. All certificates should be in the PEM format.Browse to locate and attach the appropriate Server certificate.
    Server KeyRequires a Server Key as a prerequisite. Key-related files must be in PEM format.Browse to locate and attach the appropriate Server Key.
    Force Data Encryption

    Forces all connections to be fully encrypted. SQL clients that do not support encryption will not be allowed. 

    Select the check box to activate. 
    Validate Server

    Allows ScaleArc to validate the DB server communication and upload the appropriate CA certificate. 

    Select the check box to activate.
    UploadUploads the attachments. Note that re-uploading or replacing an existing SSL cert requires a cluster restart.Click to complete the upload.

SSL and Force Encryption

The following tables show how ScaleArc handles client connections with different encryption requests in both Force Encryption ON and OFF mode. Modifying the Force Data Encryption setting does not require a cluster restart.

Force Encryption switch OFF

Client Encryption request
ScaleArc behaviour

ScaleArc request to server on behalf of client

(same as requested by client)

Encryption not supported.Does not do SSL encryption for this connection.

Requests no encryption.

If server is configured to force full channel encryption, it will fail the connection.

Encrypt Login only

ScaleArc does SSL handshake and does accepts encrypted login

Request Login only encryption.

If server is configured to force full channel encryption, it will fail the connection.

Requests full channel encryptionReplies that it supports it.Request for full channel encryption.

Force Encryption switch ON

Client Encryption request
ScaleArc behaviour

ScaleArc request to server on behalf of client

(same as requested by client)

Encryption not supportedReplies that encryption is required and closes the connection

N/A

Requests full channel encryptionReplies that it supports it and proceeds..Request for full channel encryption.
Encrypt Login only

ScaleArc replies full encryption is required and proceeds to do full

channel encryption.

Request for full channel encryption.

On this page

 

  • No labels