Configuring TLS Encryption with NFSv4.1


TLS is an encryption option for NFSv4.1 traffic and an alternative to encrypting NFSv4.1 traffic with Kerberos. It is suitable for environments that do not use Active Directory as an authorization provider: no authorization provider is required for TLS encryption of NFSv4.1 traffic in transit.

The feature supports TLS v1.2 connections over the standard NFSv4.1 TCP port 2049.

To enforce TLS encryption on NFSv4.1 connections, install a TLS certificate on the cluster through VMS, install the matching certificate on each client, and set the relevant view policy to enforce TLS encryption for NFSv4.1. To connect to a view that uses such a view policy, the client must have the same certificate installed locally and must open a TLS tunnel to the cluster's NFSv4.1 server before mounting the view.

Limitations

  • This feature is not supported for NFSv4.1 over RDMA.

  • When mounting NFSv4.1 with nconnect, client kernel version 5.3 or higher is required.

How to Configure TLS Encryption over NFS4.1

Obtain or Generate TLS Certificate and Key

Obtain a certificate from a Certificate Authority (CA), or generate one yourself for test environments. You need two files: a certificate file and the matching private key file, both in PEM format (X.509 with ASCII, Base64-encoded data). The private key is a secret: keep it readable only by the user that runs stunnel on the client, and do not send it anywhere other than the client and the cluster (through VMS).
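The following script is an added example and not part of the VAST documentation. It shows both ways of producing the two files: a private key plus a CSR to send to your CA, or a self-signed certificate for a lab, and then bundles certificate and key into the single PEM file that stunnel's cert option reads when no separate key option is given. It also checks that the certificate and key actually belong together before you paste them into VMS. The output directory, file names and CN are hypothetical; it assumes OpenSSL 1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example (not VAST's code). Produces the certificate and private key
# files for the NFSv4.1 TLS setup and the stunnel.pem bundle used on the client.
# Assumptions: OpenSSL 1.1+ on PATH; DIR, file names and CN are hypothetical.
set -eu

# gen_key_and_csr DIR CN: private key plus a CSR for a real CA to sign.
# The CA returns the certificate; the key never leaves this host.
gen_key_and_csr() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$dir/nfs4.key"
    openssl req -new -key "$dir/nfs4.key" -subj "/CN=$cn" -out "$dir/nfs4.csr"
}

# gen_self_signed DIR CN DAYS: lab-only self-signed certificate and key.
# -nodes writes an unencrypted PKCS#8 key (BEGIN PRIVATE KEY), the form
# the VMS Key field expects.
gen_self_signed() {
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir"
    umask 077
    openssl req -x509 -newkey rsa:3072 -nodes -keyout "$dir/nfs4.key" \
        -subj "/CN=$cn" -days "$days" -out "$dir/nfs4.crt"
}

# bundle_pem DIR: stunnel reads the key from the cert file unless a separate
# key option is set, so stunnel.pem is the certificate followed by the key.
bundle_pem() {
    dir=$1
    umask 077
    cat "$dir/nfs4.crt" "$dir/nfs4.key" > "$dir/stunnel.pem"
    chmod 600 "$dir/stunnel.pem"
}

# key_matches_cert DIR: succeeds only when the public key embedded in the
# certificate equals the public half of the private key.
key_matches_cert() {
    dir=$1
    a=$(openssl x509 -in "$dir/nfs4.crt" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$dir/nfs4.key" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}

# pem_has_cert_and_key FILE: sanity check that the bundle carries both the
# BEGIN CERTIFICATE and BEGIN PRIVATE KEY blocks VMS and stunnel look for.
pem_has_cert_and_key() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"
}

# Usage (lab): gen_self_signed /etc/stunnel nfs-client.example 365 &&
#              bundle_pem /etc/stunnel && key_matches_cert /etc/stunnel
```

For a CA-issued certificate, run gen_key_and_csr, submit nfs4.csr, save the returned certificate as nfs4.crt and then run bundle_pem and key_matches_cert exactly as in the lab path.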

Configure the Client to Connect with TLS Encryption

On each client machine that needs to be able to connect via NFS4.1 to a view on the cluster:

  1. Install the TLS certificate on the client machine.

  2. Install stunnel:

    yum install stunnel
  3. Create a configuration file for stunnel at /etc/stunnel/stunnel.conf.

    For documentation of stunnel options, see https://www.stunnel.org/static/stunnel.html.

    The content should include the following:

    pid = /var/run/stunnel/stunnel.pid
    cert = ${CERT_FOLDER}/stunnel.pem
    socket = r:TCP_NODELAY=1
    
    [nfs4]
    client = yes
    accept = <local host IP>:<port number between 49152 and 65535>
    connect = <VIP>:2049
    ciphers = <cipher list>
    sslVersion = TLSv1.2

    The following options are included:

    • pid. The file location in which to create the stunnel pid file, in which stunnel saves its process ID.

    • cert. The path to the TLS certificate in PEM format. Unless you also set the stunnel key option, stunnel reads the private key from this same file, so it must contain the certificate followed by the private key.

    • socket. Sets TCP_NODELAY on the remote (r:) socket, disabling Nagle's algorithm to reduce latency.

    • client. Specifies client mode: stunnel accepts plaintext connections locally and opens TLS connections to the server.

    • accept. The local address and port on which stunnel listens for the NFS client. The address part is optional and defaults to all local interfaces; binding to 127.0.0.1 is preferable, because anything that can reach this listener can send unencrypted NFS traffic through the tunnel.

    • connect. The address to connect to: the standard NFSv4.1 TCP port 2049 on one of the VIPs in a VIP pool on the cluster with the protocols role.

    • ciphers. Specifies a list of ciphers. You can enter ALL or a list in OpenSSL cipher list format (see https://www.openssl.org/docs/man1.0.2/man1/ciphers.html).

      VAST supports the openSSL ciphers library ciphers. To display the full list of openSSL ciphers, run openssl ciphers -v "AES:\!AECDH" on a Linux host.

      Note

      To restrict the server-side supported cipher list, consult VAST Support.  

    • sslVersion. Specifies the supported version of TLS (TLSv1.2).

    As shown, the configuration only encrypts the connection; stunnel in client mode does not verify the server's certificate unless you add verification options (CAfile with verifyChain, and checkIP or checkHost for the VIP). Without them, the tunnel is encrypted but the cluster is not authenticated.

  4. Run an stunnel process to open a TLS tunnel to the cluster's NFSv4.1 server before mounting the view.

    For example, to manually start stunnel:

    sudo stunnel /etc/stunnel/stunnel.conf
  5. Mount the view as follows:

    sudo mount -t nfs -o port=<port_number>,vers=4.1 <localhost IP>:/<view_name> <directory_to_mount_to>

    In which:

    • <port_number> is the port number specified by the accept option in the stunnel configuration file. stunnel listens on this port and forwards the client's NFS traffic, TLS-encrypted, to the VIP specified in the connect option.

    • <view_name> is the name of the view on the cluster that you want to mount.

    • <localhost IP> is the local address on which stunnel listens (the address in the accept option, typically 127.0.0.1).

    • <directory_to_mount_to> is the directory on the client host to which you want to mount the view.
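The following script is an added example and not part of the VAST documentation or the stunnel project. It renders the client configuration from steps 3 to 5 with two changes a practitioner would want: the accept port is validated against the real dynamic range (49152 to 65535), and the stunnel server-verification options are filled in so the cluster is authenticated rather than merely encrypted to. The VIP, view name, CERT_FOLDER, CA bundle path and cipher list are hypothetical; the cipher list must be one the cluster also accepts.

```shell
#!/bin/sh
# Added example (not VAST's or stunnel's code): render a hardened stunnel.conf
# for the NFSv4.1 tunnel, check the listener, and build the mount command.
# Assumptions: stunnel 5.x option names; VIP 10.0.0.5, view "data",
# /etc/stunnel/vast-ca.pem and the cipher list are hypothetical values.
set -eu

# valid_accept_port PORT: accept must be a number in the dynamic range.
valid_accept_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 49152 ] && [ "$1" -le 65535 ]
}

# render_stunnel_conf LOCAL_IP PORT VIP CERT CAFILE: print the configuration.
# CAFILE holds the CA that signed the cluster's NFSv4.1 certificate, or that
# certificate itself when it is self-signed (the page says client and cluster
# use the same certificate).
render_stunnel_conf() {
    local_ip=$1; port=$2; vip=$3; cert=$4; cafile=$5
    valid_accept_port "$port" || { echo "accept port $port out of range" >&2; return 1; }
    cat <<EOF
pid = /var/run/stunnel/stunnel.pid
cert = $cert
socket = r:TCP_NODELAY=1

[nfs4]
client = yes
; bind to loopback: this listener takes plaintext NFS from anyone who reaches it
accept = $local_ip:$port
connect = $vip:2049
ciphers = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
sslVersion = TLSv1.2
; without the next three lines stunnel accepts any server certificate,
; so the tunnel would be encrypted but the cluster not authenticated
CAfile = $cafile
verifyChain = yes
checkIP = $vip
EOF
}

# tunnel_listening LOCAL_IP PORT: true once stunnel has bound the accept socket.
tunnel_listening() {
    ss -Hltn "sport = :$2" 2>/dev/null | grep -q "$1:$2"
}

# mount_cmd LOCAL_IP PORT VIEW DIR: the mount command from step 5 (vers=4.1).
mount_cmd() {
    printf 'mount -t nfs -o port=%s,vers=4.1 %s:/%s %s\n' "$2" "$1" "$3" "$4"
}

# setup_and_mount: the whole client-side procedure, run as root.
setup_and_mount() {
    local_ip=127.0.0.1; port=50000; vip=10.0.0.5; view=data; dir=/mnt/data
    render_stunnel_conf "$local_ip" "$port" "$vip" \
        /etc/stunnel/stunnel.pem /etc/stunnel/vast-ca.pem > /etc/stunnel/stunnel.conf
    stunnel /etc/stunnel/stunnel.conf
    # wait for the listener before mounting, otherwise mount fails with ECONNREFUSED
    i=0
    until tunnel_listening "$local_ip" "$port"; do
        i=$((i + 1)); [ "$i" -lt 20 ] || { echo "stunnel did not start" >&2; return 1; }
        sleep 0.5
    done
    mkdir -p "$dir"
    sh -c "$(mount_cmd "$local_ip" "$port" "$view" "$dir")"
}
# Usage: sudo sh -c '. ./nfs4-tls.sh; setup_and_mount'
```

With nconnect, every connection the kernel opens goes to the same local accept port, so one stunnel service section covers all of them; the kernel 5.3 requirement from the Limitations still applies.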

Enable TLS Encryption on VAST Cluster

To enable clients to connect with TLS encryption over NFSv4.1, install a TLS certificate for NFSv4.1 on the cluster, as described below, and set the view policy used by the relevant views to enforce TLS encryption for NFSv4.1.

Managing TLS Certificates for NFSv4.1

Installing a TLS Certificate for NFSv4.1

VAST Web UI

  1. From the left navigation menu, select Settings and then Certificates.

  2. From the Certificate for dropdown, select NFS4.1.

  3. Enter the certificate file contents in the Certificate field and the key file content into the Key field.

    When pasting the certificate file content, include the BEGIN CERTIFICATE and END CERTIFICATE lines, like this:

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE----- 

    When pasting the private key file content, include the BEGIN PRIVATE KEY and END PRIVATE KEY lines, like this:

    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY----- 
  4. Click Update.

    Your certificate is installed.

Removing a TLS Certificate for NFSv4.1

VAST Web UI

  1. From the left navigation menu, select Settings and then Certificates.

  2. From the Certificate for dropdown, select NFS4.1.

  3. Click Remove.

    The certificate is removed.

VAST CLI

To remove an NFSv4.1 TLS certificate from the VAST CLI, use the cluster modify command with the --remove_nfs4_certificate parameter.

vcli: admin>  cluster modify --remove_nfs4_certificate