PGX Distributed server secures its handshake with TLS-PSK, so it needs a keystore that holds a shared secret. That secret is used as the token for symmetric encryption and decryption of the messages exchanged between the servers, and it must be the same on every node (a pre-shared key). The server requires the keystore in PKCS12 format.
Pre-Shared Key
Create the keystore once and copy the same file to every machine in the cluster; because it is a pre-shared key, every node must hold an identical copy.
To create a keystore in PKCS12 format, first create a keystore of any type with the JDK keytool program. For example:
keytool -genkey -alias pgx -keyalg RSA -keystore keystore.jks
In this example the command creates a Java keystore, keystore.jks, as output (keytool prompts for the keystore password and the certificate's distinguished name). Convert the Java keystore into PKCS12 format:
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcalias pgx \
-srcstoretype jks -deststoretype pkcs12
If a password is set on the keystore, the server prompts for it on startup. PGX Distributed server also supports an auto-start option that starts the server without prompting for a password; this requires a keystore that has no password set.
To create a keystore without a password, extract the key and the certificate from the password-protected keystore (keystore.p12 above, named keystore_passwd.p12 in this example) in PEM format:
openssl pkcs12 -in keystore_passwd.p12 -nokeys -out cert.pem
openssl pkcs12 -in keystore_passwd.p12 -nodes -nocerts -out key.pem
Then create the auto-start keystore with the following commands. To leave it without a password, enter an empty passphrase when the openssl command below asks for the export password.
cat key.pem cert.pem > key_cert.pem
openssl pkcs12 -export -in key_cert.pem -out keystore_nopw.p12
Note that key.pem and key_cert.pem contain the private key unencrypted (-nodes), and that a keystore without a password is protected only by file permissions: delete the PEM files once keystore_nopw.p12 exists, and make the keystore readable only by the account that runs the server, on every node it is copied to.
Set the absolute path of the keystore (keystore.p12 or keystore_nopw.p12) as the value of secure_handshake_secret_file in pgxd.conf.
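The whole procedure above as one script, with the checks an operator wants before copying the file around. This is an added example and not part of the PGX documentation or product. It assumes openssl is on PATH and uses keytool when it is installed (steps 1 and 2 above), otherwise it generates the initial key and certificate with openssl, since the server only needs a PKCS12 file holding one private key and certificate. The alias pgx, the subject CN=pgx, the file names and the retry with OpenSSL 3's legacy provider (needed to read PKCS12 files written by older keytool releases) are choices made here, not PGX requirements.

```shell
#!/bin/sh
# Added example, not part of the PGX documentation: builds the two keystores
# described above and adds verification, permission and cleanup steps.
# Assumptions: openssl on PATH; keytool optional; alias "pgx", subject
# "CN=pgx" and file names are illustrative.

# Open a PKCS12 file with the given password, retrying with OpenSSL 3's legacy
# provider, which keystores written by older keytool releases (RC2/3DES PBE) need.
p12_read() {    # p12_read <file> <password> <extra openssl pkcs12 args...>
    f=$1; pw=$2; shift 2
    openssl pkcs12 -in "$f" -passin "pass:$pw" "$@" 2>/dev/null \
        || openssl pkcs12 -legacy -in "$f" -passin "pass:$pw" "$@" 2>/dev/null
}

# Succeed only if the keystore opens with <password> and contains both a
# private key and a certificate, which is what the server will look for.
verify_keystore() {    # verify_keystore <file> <password>
    p12_read "$1" "$2" -nocerts -nodes | grep -q 'PRIVATE KEY' || return 1
    p12_read "$1" "$2" -nokeys | grep -q 'BEGIN CERTIFICATE'
}

# A keystore without a password is protected only by file permissions.
is_owner_only() { [ "$(ls -ld "$1" | cut -c2-10)" = "rw-------" ]; }

# Every cluster host must hold the same file; compare this digest across them.
keystore_fingerprint() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# Create keystore.p12 (password-protected) and keystore_nopw.p12 (for the
# auto-start option) in the current directory.
make_keystores() {    # make_keystores <keystore password>
    pw=$1
    umask 077    # every file written below is owner-only from the start
    if command -v keytool >/dev/null 2>&1; then
        # Steps 1 and 2 of the procedure: JKS via keytool, converted to PKCS12.
        keytool -genkeypair -alias pgx -keyalg RSA -keysize 2048 \
            -dname "CN=pgx" -validity 3650 -storetype JKS \
            -keystore keystore.jks -storepass "$pw" -keypass "$pw"
        keytool -importkeystore -srckeystore keystore.jks \
            -destkeystore keystore.p12 -srcalias pgx \
            -srcstoretype jks -deststoretype pkcs12 -noprompt \
            -srcstorepass "$pw" -deststorepass "$pw" \
            -srckeypass "$pw" -destkeypass "$pw"
        rm -f keystore.jks    # second copy of the key is no longer needed
    else
        # No JDK: generate the key pair and a self-signed certificate with
        # openssl and package them as PKCS12 directly (assumption: that is
        # all the server needs from the keystore).
        openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=pgx" \
            -keyout key0.pem -out cert0.pem 2>/dev/null
        openssl pkcs12 -export -name pgx -inkey key0.pem -in cert0.pem \
            -out keystore.p12 -passout "pass:$pw"
        rm -f key0.pem cert0.pem
    fi
    # Steps 3 and 4: extract key and certificate as PEM and re-export with an
    # empty password. The PEM files hold the unencrypted key, so remove them.
    p12_read keystore.p12 "$pw" -nokeys -out cert.pem
    p12_read keystore.p12 "$pw" -nodes -nocerts -out key.pem
    cat key.pem cert.pem > key_cert.pem
    openssl pkcs12 -export -in key_cert.pem -out keystore_nopw.p12 -passout pass:
    rm -f key.pem cert.pem key_cert.pem
    chmod 600 keystore.p12 keystore_nopw.p12
}

# Run as a script: make_pgx_keystore.sh <target dir> <password>
main() {
    mkdir -p "$1" && cd "$1" || return 1
    make_keystores "$2" || return 1
    verify_keystore keystore.p12 "$2" || return 1
    verify_keystore keystore_nopw.p12 "" || return 1
    is_owner_only keystore_nopw.p12 || return 1
    echo "keystores ready in $1, sha256 $(keystore_fingerprint keystore_nopw.p12)"
}
if [ $# -eq 2 ]; then main "$@"; fi
```

Run it once, for example as sh make_pgx_keystore.sh /etc/pgx pgx-secret, copy keystore_nopw.p12 to every node as the account that runs the server, confirm with keystore_fingerprint that the digest is the same everywhere, and set secure_handshake_secret_file in pgxd.conf to the file's absolute path. The verify_keystore check with a wrong password is also the quickest way to tell a password-protected keystore from an auto-start one when a server unexpectedly prompts at startup.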