This section covers the steps necessary to set up SSL. These settings are optional when you initially create a cluster and can be done at a later point in time.
Configure SSL settings
You have the option to implement SSL for the cluster at any point in time. If the SQL Server requires SSL, check the box to enable SSL for the cluster. You will need to provide a server certificate and Server Key to ScaleArc. The SSL certificate must be generated by a CA-Authority that is already approved by the application hosts for it to be accepted.
If the SSL setting is disabled, ScaleArc negotiates down LOGIN encryption for client connections. Unlike SQL server, ScaleArc does not auto-generate self-signed SSL certificate. This happens in authentication offload ON mode only.
Follow these steps:
- Click the Clusters tab > Add Cluster button on the ScaleArc dashboard.
- Locate SSL Settings on the screen. This is the fourth panel on the Create Cluster screen.
- Select the checkbox to show the SSL Settings screen.
Then, configure the fields as follows:
Field/Button Description Default/User input SSL Authentication Offload SSL offload allows you to establish secure communication between the client and the server via ScaleArc.
Select the checkbox. Server certificate Requires a Server certificate as a prerequisite. The SSL Certificate must be generated by a CA-Authority that is already approved by the application hosts, for it to be accepted by them. All certificates should be in the PEM format. Browse to locate and attach the appropriate Server certificate. Server Key Requires a Server Key as a prerequisite. Key-related files must be in PEM format. Browse to locate and attach the appropriate Server Key. Force Data Encryption Forces all connections to be fully encrypted. SQL clients that do not support encryption will not be allowed.
Select the check box to activate. Validate Server Allows ScaleArc to validate the DB server communication and upload the appropriate CA certificate.
Select the check box to activate. Upload Uploads the attachments. Note that re-uploading or replacing an existing SSL cert requires a cluster restart. Click to complete the upload.
SSL and Force Encryption
The following tables show how ScaleArc handles client connections with different encryption requests in both Force Encryption ON and OFF mode. Modifying the Force Data Encryption setting does not require a cluster restart.
Force Encryption switch OFF
|
Client Encryption request
|
ScaleArc behaviour
|
ScaleArc request to server on behalf of client (same as requested by client) |
|---|---|---|
| Encryption not supported. | Does not do SSL encryption for this connection. | Requests no encryption. If server is configured to force full channel encryption, it will fail the connection. |
| Encrypt Login only | ScaleArc does SSL handshake and does accepts encrypted login |
Request Login only encryption. If server is configured to force full channel encryption, it will fail the connection. |
| Requests full channel encryption | Replies that it supports it. | Request for full channel encryption. |
Force Encryption switch ON
|
Client Encryption request
|
ScaleArc behaviour
|
ScaleArc request to server on behalf of client (same as requested by client) |
|---|---|---|
| Encryption not supported | Replies that encryption is required and closes the connection | N/A |
| Requests full channel encryption | Replies that it supports it and proceeds.. | Request for full channel encryption. |
| Encrypt Login only | ScaleArc replies full encryption is required and proceeds to do full channel encryption. |
Request for full channel encryption. |
Comments