Configuring an NFS Server with TLS

This task shows how to set up the NFS server to use TLS encryption to secure data in transit and enable secure connections from trusted clients.

Ensure that the following are true:

  • The system is running Oracle Linux 9 or later.
  • You have configured the Oracle Linux system as an NFSv4 server.
  • You can use an existing CA certificate or generate a self-signed certificate.
    • In production environments, obtain a TLS certificate and private key pair from the Certificate Authority (CA).
    • For testing and development only, you can use a self-signed certificate. First, follow the instructions in Generating a Self-Signed Certificate for TLS Authentication, then continue from the step that configures the NFS server for TLS by editing /etc/tlshd.conf.
  • You have installed the ktls-utils package.

  1. Create a server private key and certificate signing request (CSR).

    Run the following command, replacing the Common Name (CN), DNS name, and IP address placeholders (hostname and host-ip-address) with the server's actual host information.

    openssl req -new -newkey rsa:4096 -noenc \
       -keyout /etc/pki/tls/private/server.example.com.key \
       -out /etc/pki/tls/private/server.example.com.csr \
       -subj "/C=US/ST=State/L=City/O=Organization/CN=hostname" \
       -addext "subjectAltName=DNS:hostname,IP:host-ip-address"
  2. Obtain a server certificate.
    • Send the generated CSR to the CA and request a signed certificate.
    • Store the returned CA certificate (ca.crt) and server certificate (server.example.com.crt) on the server.
  3. Import the CA certificate into the system trust store.

    Move the certificate into the required location and update the trust store as follows:

    sudo cp ca.crt /etc/pki/ca-trust/source/anchors/
    sudo update-ca-trust
  4. Install the server certificate.

    Install the server certificate by moving it to the appropriate location in the file system:

    sudo mv server.example.com.crt /etc/pki/tls/certs/
  5. Restore SELinux contexts.

    When you move or copy files such as certificates for NFS with TLS into security-sensitive directories, their SELinux labels might not match what's required for those locations. Run restorecon to ensure that the certificate files have the appropriate SELinux labels so that SELinux lets services access them.

    sudo restorecon -Rv /etc/pki/tls/certs/
  6. Configure the NFS server for TLS.

    Edit /etc/tlshd.conf and add the following to the [authenticate.server] section:

    x509.certificate = /etc/pki/tls/certs/server.example.com.crt
    x509.private_key = /etc/pki/tls/private/server.example.com.key

    Note:

    Leave the x509.truststore parameter unset. The server doesn't need to verify client certificates unless mutual TLS authentication is being used.

  7. Enable and start the TLS daemon.

    Run the following command to enable tlshd immediately and whenever the system reboots:

    sudo systemctl enable --now tlshd.service

The NFS server is now configured to work with TLS connections.
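The following audit script is an added example, not part of the Oracle documentation or of ktls-utils: it reads the [authenticate.server] section of tlshd.conf with Python's configparser (assuming the key = value layout shown above), checks that x509.certificate and x509.private_key are set and point to existing files, flags an x509.truststore that is set without mutual TLS, and checks that the private key is root-owned and not readable by group or other. The demo() helper builds a constructed config with placeholder files in a temporary directory; run audit_tlshd_server("/etc/tlshd.conf") as root against the real file.

```python
import configparser
import os
import stat
import tempfile
from pathlib import Path

SECTION = "authenticate.server"  # section the server-side steps populate

def audit_tlshd_server(conf_path, require_root=True):
    """Return a list of findings for the [authenticate.server] setup; empty means it passes."""
    cfg = configparser.ConfigParser(interpolation=None)
    if not cfg.read(conf_path):
        return [f"cannot read {conf_path}"]
    if not cfg.has_section(SECTION):
        return [f"missing [{SECTION}] section"]
    sec, findings = cfg[SECTION], []
    for key in ("x509.certificate", "x509.private_key"):
        val = sec.get(key, "")
        if not val:
            findings.append(f"{key} is not set")
        elif not Path(val).is_file():
            findings.append(f"{key} points to a missing file: {val}")
    if sec.get("x509.truststore"):  # leave unset unless mutual TLS is in use
        findings.append("x509.truststore is set; only needed for mutual TLS")
    key_path = sec.get("x509.private_key", "")
    if key_path and Path(key_path).is_file():
        st = os.stat(key_path)
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{key_path} is readable by group or other")
        if require_root and st.st_uid != 0:
            findings.append(f"{key_path} is not owned by root")
    return findings

def demo(good=True):
    """Audit a constructed config in a temp dir (placeholder files, not real PEM)."""
    d = Path(tempfile.mkdtemp())
    crt, key = d / "server.example.com.crt", d / "server.example.com.key"
    crt.write_text("constructed placeholder, not a real certificate\n")
    key.write_text("constructed placeholder, not a real key\n")
    os.chmod(key, 0o600 if good else 0o644)
    extra = "" if good else "x509.truststore = /etc/pki/ca-trust/source/anchors/ca.crt\n"
    (d / "tlshd.conf").write_text(
        f"[{SECTION}]\nx509.certificate = {crt}\nx509.private_key = {key}\n{extra}")
    # require_root=False because the sample files belong to whoever runs this demo
    return audit_tlshd_server(d / "tlshd.conf", require_root=False)

if __name__ == "__main__":
    print("good config:", demo(good=True) or "OK")
    print("bad config:", demo(good=False))
```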

Generating a Self-Signed Certificate for TLS Authentication

For testing and development purposes only, you can use a self-signed certificate to configure NFS with TLS authentication.

This task shows how to generate a self-signed certificate.

Complete these steps on the NFS server.

  1. Create the certificate and key.

    If the fully qualified domain name (FQDN) of the NFS server is 64 characters or shorter, run the following command:

    openssl req -noenc -x509 -newkey rsa:4096 -days 365 \
    -keyout nfsd.key -out nfsd.crt

    The command prompts you to enter values for several fields. Enter the FQDN as the Common Name (CN). You can leave all the other fields blank, or accept the defaults.

    If the FQDN of the NFS server is longer than 64 characters, specify the FQDN as a Subject Alternative Name (SAN) at the command line, using the following syntax:

    openssl req -noenc -x509 -copy_extensions copy \
    -addext "subjectAltName = DNS:<FQDN of server>" \
    -newkey rsa:4096 -days 365 -keyout nfsd.key -out nfsd.crt

    Then, enter a shorter name (such as the plain, unqualified hostname) as the certificate CN when prompted.

    Important:

    You can't use wildcards in the Common Name (CN) field.

  2. Verify that the certificate is generated successfully.

    Run the following command to inspect the certificate and check that the output includes the correct CN and, if you specified one, the SAN:

    openssl x509 -in nfsd.crt -text -noout
  3. Secure the generated certificate and key.

    Run the following command to change the ownership of the certificate and key to root:

    chown root:root nfsd.key nfsd.crt