Secure Global Desktop 4.40 Administration Guide

Securing Connections Between SGD Servers

In a standard installation, the data transmitted between the SGD servers in an array (including data sent from the SGD administration tools) is not encrypted. Secure Global Desktop Administrators can secure the connections between array members using the Secure Sockets Layer (SSL). Using SSL for these connections ensures the integrity of the data as follows:

Using SSL in this way is known as secure intra-array communication.

How Secure Intra-array Communication Works

Using secure intra-array communication means that each SGD server in the array has to have a valid X.509 certificate that has been signed by a trusted certificate authority (CA).

As the X.509 certificates used for secure intra-array communication are used only internally by SGD, the primary SGD server in the array acts as the CA. The primary has a self-signed CA certificate and a private key. All servers in the array have a copy of the primary's CA certificate in a trusted certificate store (the truststore).

All servers in the array (including the primary) have an X.509 certificate and a private key. The X.509 certificate is signed with the primary's CA certificate and contains a common name (CN) which is the peer DNS name of the SGD server. As these certificates are created using a self-signed CA certificate, they cannot be used to secure any other SGD-related connection. These certificates are referred to as server peer certificates to distinguish them from other types of X.509 certificates.

When one SGD server in the array connects to another (including when using an administration tool), the SGD server being connected to presents its server peer certificate as part of the SSL negotiation. The connecting server evaluates the certificate and checks the following:

If the certificate is valid, a secure connection is established.

Managing CA and Server Peer Certificates

When you enable secure intra-array communication, SGD automatically generates and distributes the CA and server peer certificates to the members of the array. Whenever there is a change in the array structure, SGD automatically updates the CA and server peer certificates. The following table summarizes what happens:

Array Change Action
Server joins the array
  1. The primary CA certificate is installed on the new server.
  2. The new server obtains a new server peer certificate signed with the primary CA certificate.
Server leaves the array
  1. The detached server becomes the primary server in an array containing one server.
  2. The detached server creates a new CA certificate for itself.
  3. The detached server creates a new server peer certificate for itself.
New primary server appointed
  1. The new primary generates a new CA certificate.
  2. The new primary CA certificate is installed on all SGD servers.
  3. All servers obtain a new server peer certificate signed with the new primary CA certificate.

Administrators can use the tarantella security peerca --show command to view certificates in the truststore. The truststore contains the primary CA certificate.

Enabling Secure Intra-array Communication

You must enable secure intra-array communication from the command line.

  1. Make sure there are no user sessions and application sessions running in the array, including suspended sessions.
  2. Dismantle the array.
    1. Log in as superuser (root) on the primary SGD server.
    2. Dismantle the array by detaching all the secondary servers.

      Only detach one server at a time, using the following command:

      # tarantella array detach --secondary server
    3. Wait for the array change to be copied to all members of the array before detaching any more servers.

      You can tell that this has happened when the tarantella status command returns the same result when you run it on each SGD server in the array.

  3. Stop all the SGD servers in the array.
  4. Enable secure intra-array communication.

    Use the following command on each server:

    # tarantella config edit --tarantella-config-security-peerssl-enabled 1
  5. Start all the SGD servers in the array.
  6. Rebuild the array.

    Only add one server at a time. When you add a server, you are prompted to trust the primary server's CA certificate.

    1. On the server joining the array, use the following command to add the server.
      # tarantella array join --primary primary_server

      You are prompted to trust the primary server's CA certificate and the fingerprint of the certificate displays.

    2. Check that the fingerprint is correct.

      On the primary server, use the following command to display the fingerprint for the primary server's CA certificate.

      # tarantella security peerca --show

      Check that the certificate fingerprints match. This is important as it verifies that the secondary is communicating with the genuine primary server.

    3. If the fingerprints match, complete the array join by accepting the primary server's CA certificate.

    Wait for the array change to be copied to all members of the array before adding any more servers. You can tell that this has happened when the tarantella status command returns the same result when you run it on each SGD server in the array.
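
The trust model in "How Secure Intra-array Communication Works" and the fingerprint check in step 6, reproduced with plain openssl as an added example (not SGD's own code or tooling). The directory layout, the CA name array-ca, the host name sgd2.example.com and the use of SHA-256 fingerprints are assumptions; SGD generates and stores its certificates itself.

```shell
#!/bin/sh
# Added illustration: models the CA / server peer certificate relationships
# with openssl. All names and paths are constructed, not SGD's own.
set -eu

mk_ca() {    # mk_ca <dir> <name>: self-signed CA certificate plus private key
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

mk_peer() {  # mk_peer <ca-dir> <peer-dns-name>: peer certificate signed by that CA
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/$2.pem" 2>/dev/null
}

norm_fp() {  # lower-case hex only, so "AB:CD" and "abcd" compare equal
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

ca_fp() {    # normalised fingerprint of a CA certificate file
    norm_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//')"
}

trusted() {  # trusted <truststore-ca.pem> <peer.pem>: 0 only if signed by that CA
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

join_ok() {  # join_ok <presented-ca.pem> <fingerprint read on the primary>
    [ "$(ca_fp "$1")" = "$(norm_fp "$2")" ]
}

W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
mk_ca "$W/primary" array-ca              # genuine primary
mk_ca "$W/rogue" array-ca                # impostor reusing the same CA name
mk_ca "$W/newprimary" array-ca           # CA created when a new primary is appointed
mk_peer "$W/primary" sgd2.example.com    # peer certificate issued by the first primary
SHOWN=$(openssl x509 -in "$W/primary/ca.pem" -noout -fingerprint -sha256)
SHOWN=${SHOWN#*=}                        # colon-separated form, as an admin would read it

join_ok "$W/primary/ca.pem" "$SHOWN" && echo "genuine primary: fingerprints match"
join_ok "$W/rogue/ca.pem" "$SHOWN" || echo "rogue primary: mismatch, refuse the join"
trusted "$W/primary/ca.pem" "$W/primary/sgd2.example.com.pem" && echo "peer cert trusted"
trusted "$W/newprimary/ca.pem" "$W/primary/sgd2.example.com.pem" ||
    echo "old peer cert rejected under the new primary's CA"
```

All three CAs carry the same name, so only the fingerprint and the signature distinguish the genuine primary's CA from the others.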
