How to deploy TLS certificates for Aerospike in ramfs/tmpfs

How to deploy TLS certificates for Aerospike in ramfs/tmpfs

Context

When using certificate manager software, it may be required to deploy certificates from the manager to Aerospike without storing them on the node hard drives. Storing certificates in this way may be necessary when security protocols disallow storage of certificates on permanent storage. This can be achieved using the linux ramfs/tmpfs functionality. This will create a temporary, RAM-based disk in which the certificate can be stored prior to Aerospike starting. This certificate will be removed, together with the ramfs/tmpfs drive when the machine is either rebooted or powered off.

Method

Using systemd

Create the following systemd file in order to ensure the script responsible for certificate copying runs before Aerospike:

$ cat <<EOF > /etc/systemd/systemd/certificates.service
[Unit]
Description=Copy Certificates to tmpfs
After=network.target
RequiredBy=aerospike.service

[Service]
Type=oneshot
ExecStart=/usr/local/bin/certs.sh

[Install]
WantedBy=multi-user.target
EOF

Enable the systemd script:

$ chmod 755 /etc/systemd/systemd/certificates.service
$ systemctl enable certificates.service

Now create the certs.sh file, which will do the actual work. The SizeOfMount may be adjusted for the requirements of the particular system in question:

cat <<EOF > /usr/local/bin/certs.sh
#!/bin/bash
SizeOfMount="100m"
mkdir /mnt/certs
mount -t tmpfs -o size=${SizeOfMount} certs /mnt/certs
### put the code handling for the certificate manager here
### the code should store certificates in /mnt/certs created in the previous step

Make the script executable:

$ chmod 755 /ust/local/bin/certs.sh

When configuring Aerospike for TLS, use the certificates from the /mnt/certs path as created previously.

Using sysvinit

Create the following startup script in /etc/init.d/ with order allowing it to run before Aerospike starts:

$ cat <<EOF > /etc/init.d/certificates
#!/bin/bash
### BEGIN INIT INFO
# Provides:          certificates
# Required-Start:    $local_fs
# Required-Stop:
# X-Start-Before:    aerospike
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Mount certificates for Aerospike
# Description:       Mount certificate storage for Aerospike
### END INIT INFO

case $1 in
  start)
    SizeOfMount="100m"
    mkdir /mnt/certs
    mount -t tmpfs -o size=${SizeOfMount} certs /mnt/certs
    ### put the code handling for your certificate manager here
    ### the code should store certificates in /mnt/certs we just created
    unset SizeOfMount
    ;;
esac
EOF

Make the file executable:

$ chmod +x /etc/init.d/certificates

Enable the startup script:

# on debian/ubuntu
update-rc.d certificates defaults
# on RHEL/centos
chkconfig --add certificates

It is important to check that the correct startup order has been preserved. For this, check that the links in /etc/rc*.d with SXXcertificates have the XX number lower than the SXXaerospike ones. This means that the certificates script will start before Aerospike. If this is not the case, adjust manually as necessary (or using the relevant chkconfig/update-rc.d).

Notes

Do not unmount the ramfs drive after Aerospike has started. For proper functioning of certificate handling, Aerospike requires access to the certificate files at all times while it is running.

Keywords

TLS RAMFS TMPFS CERTIFICATE MANAGER

Timestamp

September 2019

© 2015 Copyright Aerospike, Inc. | All rights reserved. Creators of the Aerospike Database.