VAST Cluster supports securing of the replication connection with mutual TLS (mTLS) encryption, in which each side of the replication authenticates the other side. mTLS encryption requires certificates installed on each of the peer clusters and is used for replication peer configurations that have secure mode enabled.
To configure mTLS encryption, do the following:
When you create a replication peer configuration, set the secure mode setting to Secure.
Obtain an RSA type TLS certificate from a Certification Authority (CA) for each of the peers in the replication peer configuration. This will consist of a certificate file and a private key file. Obtain the files in PEM format.
Obtain a copy of the CA's root certificate, which will be used to make sure each peer can trust certificates presented by other peers. This should be the same root certificate for each peer.
From the Certificate for dropdown, select replication.
Either paste the certificate file contents into the Certificate field or use the Upload button to upload the file, and paste or upload the key file content into the Key field and the root Certificate file contents in the Root Certificate field.
When pasting the file content, include the BEGIN CERTIFICATE / BEGIN PRIVATE KEY and END CERTIFICATE / END PRIVATE KEY lines, like this:
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
To install the certificates using the VAST CLI, use the cluster modify command with the following parameters: