Configuring TLS Encryption with NFSv4.1


TLS is an encryption method that you can choose to enable for NFS traffic on the cluster. If you want to ensure that NFS traffic to a particular view is only accessible via encryption, you can choose to enforce TLS encryption. Additionally, you can further restrict which minimum TLS version you require and which ciphers you allow.

For NFSv4, TLS provides an alternative to encrypting traffic with Kerberos. While Kerberos is supported only if Active Directory is used as an authorization provider, TLS encryption does not require an authorization provider.

TLS encryption for NFSv4 runs over the standard NFS4 TCP port 2049.

To enforce TLS encryption on NFS connections, install a TLS certificate on the client and on the cluster (through VMS), and set the relevant view policy to enforce TLS encryption for NFS. To connect to views that use such a view policy, the client must have a certificate installed through which it trusts the cluster's certificate.

The cluster supports encryption of in-transit Remote Procedure Call (RPC) transactions for NFSv3 and NFSv4 clients where the clients establish RPC-over-TLS sessions against the VAST NFS server. Alternatively, clients can open a TLS tunnel to the cluster's NFS server before mounting the view.

Limitations

  • This feature is not supported for NFSv4.1 over RDMA.

  • When mounting NFSv4.1 with nconnect, client kernel version 5.3 or higher is required.

How to Configure TLS Encryption over NFS

Obtain or Generate TLS Certificate and Key

Obtain an SSL certificate from a Certificate Authority (CA). The CA will provide you with two files: a certificate file and a key file. Choose an X.509 output file format containing ASCII (Base64) encoded data.

Configure the Client to Connect with TLS Encryption

You can configure the client to connect with TLS encryption in either of the following ways:

Using RPC over TLS

Notice

This feature requires enablement. Contact VAST Support for assistance enabling this feature.

On each client machine that needs to be able to connect via NFS to a view on the cluster:

  • Ensure that the client machine trusts the cluster's TLS certificate (an appropriate certificate is installed).

  • Ensure that the tlshd service is installed and running on the machine.

  • Use the xprtsec=tls NFS mount option to ensure that the client establishes an RPC-over-TLS session against the cluster's NFS server.

Using a TLS Tunnel

On each client machine that needs to be able to connect via NFS4 to a view on the cluster:

  1. Install the TLS certificate on the client machine.

  2. Install stunnel:

    yum install stunnel
  3. Create a configuration file for stunnel at /etc/stunnel/stunnel.conf.

    For documentation of stunnel options, see https://www.stunnel.org/static/stunnel.html.

    The content should include the following:

    pid = /var/run/stunnel/stunnel.pid
    cert = ${CERT_FOLDER}/stunnel.pem
    socket = r:TCP_NODELAY=1
    
    [nfs4]
    client=yes
    accept=<local host IP>:<port number between 49152 and 65565>
    connect=<VIP>:2049
    ciphers = <cipher list>
    sslVersion = TLSv1.3

    The following options are included:

    • pid. The file location in which to create the stunnel pid file, in which stunnel saves its process ID.

    • cert. The path to the TLS certificate.

    • socket. Sets an option on the remote socket (TCP_NODELAY=1, which disables Nagle's algorithm) to reduce network latency.

    • client. Specifies client mode.

    • accept. The local IP address and port to listen on. (optional)

    • connect. The address to connect to: the standard NFSv4.1 TCP port 2049 on one of the VIPs in a VIP pool on the cluster that has the protocols role.

    • ciphers. Specifies a list of ciphers. You can enter ALL or a list in OpenSSL cipher list format (see https://www.openssl.org/docs/man1.0.2/man1/ciphers.html).

      VAST supports the ciphers in the OpenSSL cipher library. To display the full list of OpenSSL ciphers, run openssl ciphers -v "AES:\!AECDH" on a Linux host.

      Note

      To restrict the server-side supported cipher list, see Restricting Minimum TLS Version and Limiting Ciphers.

    • sslVersion. Specifies the supported version of TLS (TLSv1.3 in the example).

  4. Run an stunnel process to open a TLS tunnel to the cluster's NFSv4 server, before mounting the view.

    For example, to manually start stunnel:

    sudo stunnel /etc/stunnel/stunnel.conf
  5. Mount the view as follows:

    sudo mount -t nfs -o port=<port_number>,vers=4.1 <localhost IP>:/<view_name> <directory_to_mount_to>

    In which:

    • <port_number> is the port number specified by the accept option in the stunnel configuration file. stunnel listens on this port and forwards incoming traffic through the TLS tunnel to the VIP specified in the stunnel configuration file.

    • <view_name> is the name of the view on the cluster that you want to mount.

    • <localhost IP> is the IP of the local client host.

    • <directory_to_mount_to> is the directory on the client host to which you want to mount the view.
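The following script is an added example (it is not part of the VAST documentation or product) that renders the stunnel configuration from the steps above, checks the local accept port, and builds the matching mount command; all IP addresses, paths and the view name are placeholders. Beyond the page's template, the rendered config also enables server certificate verification (stunnel's verifyChain and CAfile options, assumed here to be available in the installed stunnel 5.x), so the tunnel refuses a cluster endpoint whose certificate does not chain to the expected CA.

```shell
#!/bin/sh
# Added example, not from the VAST documentation. Placeholders: local IP, VIP,
# certificate folder, CA file and view name are constructed sample values.

# $1 local IP, $2 local port, $3 cluster VIP, $4 cipher list, $5 cert folder, $6 CA file
render_stunnel_conf() {
    cat <<EOF
pid = /var/run/stunnel/stunnel.pid
cert = $5/stunnel.pem
socket = r:TCP_NODELAY=1

[nfs4]
client = yes
accept = $1:$2
connect = $3:2049
ciphers = $4
sslVersion = TLSv1.3
verifyChain = yes
CAfile = $6
EOF
}

# Accept only a numeric port from 49152 upward, as the page calls for;
# 65535 is the highest valid TCP port.
check_local_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 49152 ] && [ "$1" -le 65535 ]
}

# Mount command from step 5: the port is the tunnel's accept port, so NFS
# traffic leaves the host only through stunnel.
# $1 local IP, $2 accept port, $3 view name, $4 mount directory
mount_command() {
    printf 'sudo mount -t nfs -o port=%s,vers=4.1 %s:/%s %s\n' "$2" "$1" "$3" "$4"
}

# Example invocation with constructed placeholder values.
render_stunnel_conf 127.0.0.1 50000 192.0.2.10 ALL /etc/stunnel /etc/stunnel/ca.pem
check_local_port 50000 && mount_command 127.0.0.1 50000 myview /mnt/myview
```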

Configuring TLS Encryption of NFS on VAST Cluster

To configure TLS encryption for NFS client connections, do the following:

  • Per your security requirements, restrict TLS version support and also further restrict the server-side supported cipher list. This affects all TLS connections to the cluster. See Restricting Minimum TLS Version and Limiting Ciphers.

  • Where relevant, if you want to block non-TLS client connection access to any views, make sure the view policy of each such view is set to enforce usage of TLS encryption by the client. To do this, in the relevant view policy, enable the Enforce TLS to encrypt traffic setting.

  • You can additionally and optionally choose the Relaxed TLS Enforcement option. This setting modifies the enforcement to allow non-TLS connections on auxiliary NFSv3 subprotocols such as MOUNT, NLM, NSM and RQUOTA.

  • Upload the TLS certificate and key to VMS.

  • If you wish to use the xprtsec=tls client mount option to establish RPC-over-TLS sessions against the cluster's NFS server, contact VAST Support to enable the feature.

Restricting Minimum TLS Version

The cluster's default minimum TLS version for TLS encrypted client connections is TLS v1.2. You can change it to v1.3 (required for RPC over TLS). Changing the minimum TLS version to v1.3 restricts the ciphers to TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256.

To set the minimum TLS version to TLS v1.3, run the following VAST CLI command:

vcli: admin> vms modify --min-tls-version 1.3

Note

The change takes effect for NFS connections only after the TLS certificate for NFS is subsequently uploaded. If a certificate is already uploaded to the cluster, upload it again for the change in cipher limits to take effect.

Limiting Ciphers

When the minimum TLS level is set to v1.3, you can request further restriction to enable only TLS_AKE_WITH_AES_256_GCM_SHA384 ciphers. If this is required, please contact the VAST Customer Success team for assistance.

Note

The change takes effect for NFS connections only after the TLS certificate for NFS is subsequently uploaded. If a certificate is already uploaded to the cluster, upload it again for the change in cipher limits to take effect.

Managing TLS Certificates for NFSv4.1

Installing a TLS Certificate for NFS

VAST Web UI

  1. From the left navigation menu, select Settings and then Certificates.

  2. From the Certificate for dropdown, select NFS.

  3. Enter the certificate file contents in the Certificate field and the key file content into the Key field.

    When pasting the certificate file content, include the BEGIN CERTIFICATE and END CERTIFICATE lines, like this:

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE----- 

    When pasting the private key file content, include the BEGIN PRIVATE KEY and END PRIVATE KEY lines, like this:

    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY----- 
  4. Click Update.

    Your certificate is installed.

Removing a TLS Certificate for NFS

VAST Web UI

  1. From the left navigation menu, select Settings and then Certificates.

  2. From the Certificate for dropdown, select NFS.

  3. Click Remove.

    The certificate is removed.

VAST CLI

To remove an NFS TLS certificate from the VAST CLI, use the cluster modify command with the --remove_nfs4_certificate parameter.

vcli: admin> cluster modify --remove_nfs4_certificate