Using Memurai 3 with TLS support
If you need to ensure a secure channel of communication between your Memurai clients and servers you'll want to configure Memurai 3's TLS support.
Since version 3, Memurai comes with OpenSSL and TLS support built-in. All you have to do is provide your certificate file to Memurai.
Creating your certificate file on Windows
The first thing to do is to install the tool that will generate the certificate file. If you already have one of these tools and know how to use it, you can skip the following section.
Installing OpenSSL on your Windows box
Since Windows native tools will not make it easy for you to generate and have access to the required files, you are better off using OpenSSL for this.
If you don't already have OpenSSL installed on your system, you'll want to download one of the existing binaries.
However, chances are you already have it installed as part of another piece of software. For instance, if you have installed Git on your computer, then you probably already have OpenSSL, just not in a location that is part of your PATH.
So you have two options:
- Just add the location to the PATH (by default the binary should be under C:\Program Files\Git\usr\bin).
- You can also create a PowerShell alias by adding a line to the script that the $PROFILE variable points to (this variable stores the path to the script loaded at the beginning of each session). With the following line, any future PowerShell instance will have access to the openssl executable:
Add-Content -Path $PROFILE -Value `
'Set-Alias -Name openssl -Value "C:\Program Files\Git\usr\bin\openssl.exe"'
Creating the actual certificate file
Let's assume we have a tls folder to store all generated files. First, we need to create a configuration file called openssl.cnf inside it, with the following content:
[ server_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = server
[ client_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = client
Then we can run the following commands in PowerShell:
1. Create a CA key and certificate
openssl genrsa -out tls/ca.key 4096
openssl req -x509 -new -nodes -sha256 -key tls/ca.key -days 3650 `
-subj '/O=Memurai Test/CN=Certificate Authority' -out tls/ca.crt
2. Create the server files
openssl genrsa -out tls/server.key 2048
openssl req -new -sha256 -subj "/O=Memurai Test/CN=Server-only" `
-key tls/server.key | openssl x509 -req -sha256 -CA tls/ca.crt `
-CAkey tls/ca.key -CAserial tls/ca.txt -CAcreateserial -days 365 `
-extfile tls/openssl.cnf -extensions server_cert -out tls/server.crt
3. Now create the client files
openssl genrsa -out tls/client.key 2048
openssl req -new -sha256 -subj "/O=Memurai Test/CN=Client-only" `
-key tls/client.key | openssl x509 -req -sha256 `
-CA tls/ca.crt -CAkey tls/ca.key -CAserial tls/ca.txt `
-CAcreateserial -days 365 -extfile tls/openssl.cnf `
-extensions client_cert -out tls/client.crt
With the files created, the next thing is to understand how to let Memurai know where they're located.
Running Memurai with TLS support
There are two ways for you to execute Memurai, as a standalone process or as a service.
Note: Unless you are only testing a Memurai instance, the recommended way to execute Memurai is as a service.
To run Memurai as a standalone process, you can specify the TLS file paths with the following command line attributes:
memurai.exe --tls-cert-file tls/server.crt `
--tls-key-file tls/server.key `
--tls-ca-cert-file tls/ca.crt
Keep in mind that running it this way makes the Memurai process a child of the current terminal instance, so the moment you close the terminal, the Memurai process is killed with it.
If you want to make sure Memurai runs even when you're not there, go with the service alternative.
Running Memurai as a service with TLS support
The first thing to do is to install the service; you'll do that with the --service-install flag:
memurai.exe --service-install --service-name "memurai" memurai-tls.conf
The above command also specifies a service name (this will become relevant in a minute) and a configuration file. Make sure your configuration file contains all the TLS details, something like this:
tls-cert-file tls/server.crt
tls-key-file tls/server.key
tls-ca-cert-file tls/ca.crt
Once you've installed the service, you can start it or stop it like this:
# Start it with
memurai.exe --service-start --service-name "memurai"
# Stop it with
memurai.exe --service-stop --service-name "memurai"
If you want more details on how to run Memurai, visit the Windows Service section of our docs.
More configuration options
Overwriting the default TLS listening port
If your company's security policy requires it, you can change the default TLS port for Memurai to whatever you need.
You can even disable the default non-secure port to enable only connections through your secured entry point.
To do this, you can specify (both inside the config file and as part of your Powershell line) the TLS listening port:
port 0
tls-port 443
The first option disables the non-TLS port so you only have a secured entry point enabled.
The second option overrides the default TLS port (6379).
Disabling client authentication
Out of the box, Memurai will require mutual TLS authentication. This means clients will have to authenticate with a valid certificate.
You can disable this with the following option:
tls-auth-clients no
Warning
Make sure you understand the security implications for your infrastructure before you disable this verification.
Special considerations
If you're using TLS and have Memurai configured with Replication, Cluster mode, or Sentinel, there are certain considerations to keep in mind.
Memurai + TLS + Replication
The Memurai master server handles connecting clients and replicas the same way. This means that the above configuration options (including tls-port and tls-auth-clients) apply to replicas as well.
Keep in mind, though, that on the replica servers you'll have to specify tls-replication yes to use TLS for outgoing connections to the master.
Memurai + TLS + Cluster mode
When Memurai Cluster is used, make sure to set tls-cluster yes to enable TLS for the cluster bus and cross-node connections.
Memurai + TLS + Sentinel
Sentinel inherits its networking configuration from the common Memurai configuration, so all of the above applies to Sentinel as well.
When connecting to master servers, Sentinel uses the tls-replication option to determine whether a TLS or non-TLS connection is required.
The same tls-replication directive also determines whether Sentinel's port (the port that accepts connections from other Sentinels) supports TLS. This means that Sentinel will be configured with tls-port if tls-replication is enabled.
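As an added example (not part of the Memurai docs or code), the following Python script parses a Memurai configuration file and flags the weak TLS settings discussed above: a non-TLS port left open, tls-auth-clients disabled, a replica without tls-replication, and a cluster node without tls-cluster. It assumes Memurai accepts the Redis-style replicaof and cluster-enabled directives; the sample configuration is constructed for the example.

```python
"""Audit the TLS directives of a Memurai configuration file (added example)."""

# Constructed sample config: a replica that keeps the plaintext port open
# and does not require client certificates.
SAMPLE_CONF = """
# memurai-tls.conf (constructed for this example)
tls-cert-file tls/server.crt
tls-key-file tls/server.key
tls-ca-cert-file tls/ca.crt
port 6379
tls-port 443
tls-auth-clients no
replicaof 10.0.0.5 443
"""

def parse_conf(text: str) -> dict:
    """Map 'directive value' lines to values; comments/blanks skipped, later lines win."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        conf[parts[0].lower()] = value
    return conf

def audit_tls(conf: dict) -> list:
    """Return one finding per directive that weakens TLS; an empty list means clean."""
    findings = []
    for name in ("tls-cert-file", "tls-key-file", "tls-ca-cert-file"):
        if not conf.get(name):
            findings.append(f"{name}: missing, TLS cannot be enabled")
    # An explicit non-zero tls-port avoids relying on the build's default.
    if conf.get("tls-port", "0") == "0":
        findings.append("tls-port: TLS listener not explicitly enabled")
    # The server listens on 6379 when 'port' is absent; only 'port 0' closes it.
    if conf.get("port", "6379") != "0":
        findings.append("port: non-TLS listener still open (set 'port 0')")
    if conf.get("tls-auth-clients", "yes").lower() == "no":
        findings.append("tls-auth-clients: clients need no certificate (mutual TLS off)")
    # replicaof/slaveof: Redis-style directives, assumed to be accepted by Memurai.
    is_replica = "replicaof" in conf or "slaveof" in conf
    if is_replica and conf.get("tls-replication", "no").lower() != "yes":
        findings.append("tls-replication: replica reaches its master without TLS")
    if conf.get("cluster-enabled", "no").lower() == "yes" \
            and conf.get("tls-cluster", "no").lower() != "yes":
        findings.append("tls-cluster: cluster bus traffic is not TLS")
    return findings
```

Run audit_tls(parse_conf(open("memurai-tls.conf").read())) against your own file; an empty list means every directive covered on this page is set to its secure value.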