
Using Custom Certificates with SPS

Beginning with Release 7.5, the SteelEye Protection Suite (SPS) uses SSL/TLS to communicate between different systems. By default, the product is installed with default certificates that provide some assurance of identity between nodes. This document explains how to replace these default certificates with certificates created by your own Certificate Authority (CA).

How Certificates Are Used

Communications between LifeKeeper servers use SSL/TLS to protect the data being transferred. Both systems provide a certificate to identify themselves, and both systems use a CA certificate to verify the certificate that is presented to them over the SSL connection.

Three certificates are involved:

The first two certificates must be signed by the CA certificate to satisfy the verification performed by the servers. Note that the common name of the certificates is not verified, only that the certificates are signed by the CA.

Using Your Own Certificates

In some installations, it may be necessary to replace the default certificates with certificates that are created by an organization's internal or commercial CA. If this is necessary, replace the three certificates listed above with new certificates using the same certificate file names. These certificates are in PEM format. The LK4LinuxValidNode.pem and LK4LinuxValidClient.pem files each contain both their respective key and certificate. LK4LinuxValidNode.pem is a server type certificate. LK4LinuxValidClient.pem is a client type certificate.

If the default certificates are replaced, LifeKeeper must be restarted for the changes to take effect. If the certificates are misconfigured, the steeleye-lighttpd daemon will not start successfully. Some errors are not recorded via logging, so it may be necessary to run steeleye-lighttpd manually to debug problems. Look in /etc/inittab, /etc/init.d/steeleye-lighttpd or /etc/init/lklighttpd.conf to see the full command that should be run.
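A check that can be run on the replacement files before restarting LifeKeeper, as an added example that is not SIOS code: it confirms that each combined PEM holds a certificate with its matching key and that the certificate verifies against the CA. The function names, the CA file name ca.pem, the throwaway demo PKI and the reading of "server type" and "client type" as the OpenSSL sslserver and sslclient purposes are assumptions.

```shell
#!/bin/sh
# check_sps_pem CA_FILE PEM_FILE PURPOSE   (hypothetical helper, not part of SPS)
# PURPOSE: sslserver for LK4LinuxValidNode.pem, sslclient for LK4LinuxValidClient.pem.
check_sps_pem() {
    ca=$1; pem=$2; purpose=$3
    # Each combined PEM must hold both a certificate and its private key.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" || { echo "$pem: no certificate" >&2; return 1; }
    grep -q -e 'PRIVATE KEY-----' "$pem" || { echo "$pem: no private key" >&2; return 1; }
    # The key must belong to the certificate: compare the two public keys.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || { echo "$pem: unreadable certificate" >&2; return 1; }
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || { echo "$pem: unreadable key" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] || { echo "$pem: key does not match certificate" >&2; return 1; }
    # The certificate must be signed by the CA and usable in its role (assumed EKU check).
    openssl verify -CAfile "$ca" -purpose "$purpose" "$pem" >/dev/null 2>&1 ||
        { echo "$pem: not signed by $ca or not valid for $purpose" >&2; return 1; }
}

# make_demo_pki DIR: builds a constructed, throwaway CA plus node and client PEMs
# so the check can be exercised offline. ca.pem is a made-up name for the CA file.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    for spec in LK4LinuxValidNode:serverAuth LK4LinuxValidClient:clientAuth; do
        name=${spec%%:*}; eku=${spec##*:}
        printf 'extendedKeyUsage=%s\n' "$eku" > "$d/$name.ext"
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -CAcreateserial -days 2 -extfile "$d/$name.ext" -out "$d/$name.crt" 2>/dev/null || return 1
        cat "$d/$name.crt" "$d/$name.key" > "$d/$name.pem"
    done
}

# Demo run against the constructed PKI; a real run points at the installed files.
demo=$(mktemp -d) && make_demo_pki "$demo" &&
    check_sps_pem "$demo/ca.pem" "$demo/LK4LinuxValidNode.pem" sslserver &&
    check_sps_pem "$demo/ca.pem" "$demo/LK4LinuxValidClient.pem" sslclient &&
    echo "replacement certificates look usable"
rm -rf "$demo"
```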

© 2012 SIOS Technology Corp., the industry's leading provider of business continuity solutions, data replication for continuous data protection.