I would like to use a single SSL hostname, e.g., Cluster, when configuring an app server for a 3-node cluster. It is unclear if I need individual node hostname certificates within the cluster. I have 2 app servers that I want to secure using the same certificate: one sits behind an HAProxy load balancer, but the other app server connects directly to MarkLogic. Requests are made to both app servers via HTTPS. Note that SSL does not terminate at the load balancer because it is in a different zone than the MarkLogic servers.

If the load balancer that is being used by the first app server is set up to distribute requests across the 3-node cluster by the individual node hostnames (Node1, Node2, Node3), then how does it share the SSL hostname certificate across the 3 nodes?

Meanwhile, the second app server is not behind a load balancer. Without a proxy server, is the shared SSL hostname of any value? Will certificates for each node be required?

You can set Subject Alternative Names (SAN) and/or use wildcards, and decide whether to create host specific certs with alternative names to match whatever DNS names users would connect to when hitting the proxy or directly to hosts. - Mads Hansen
I appreciate that I can use SAN or host-specific certs, but I still don't understand why there is any advantage to creating an SSL hostname for MarkLogic nodes behind a load balancer. The load balancer will make the decision which server to forward a request to, e.g., Node1.domain, Node2.domain or Node3.domain. The request will not be made to the SSL hostname because it will resolve to any of the IP addresses of the three nodes. In my case, SSL is not terminating at the load balancer. - Tim Meagher
The VM or server hostnames need to be distinct, otherwise a load balancer does not know how to target them specifically. The names of Hosts inside the MarkLogic cluster config are used by MarkLogic hosts themselves to communicate with each other. So, those must be distinct as well, and have meaning on the network too. By using alternative names, you can use the same cert on multiple hosts, and likely on the load balancer as well. - grtjn
Thanks for the update. I think that using the certificate templates in MarkLogic is a show stopper because the hostnames in the database are those of docker containers and not of the server hostname. The load balancer (or any client) will access the MarkLogic instance by the server names and ports that are mapped to by docker. It sounds like you're saying that I can have one certificate which shares the ML cluster server names and perhaps that of the load balancer. How then do I associate that certificate with a certificate template to be referenced by a MarkLogic app server? - Tim Meagher

1 Answer

Also be sure to read installing-san-or-wild-carded-certificate-with-marklogic-app-server. If you define the ssl-hostname and use the subject alternate names in your certificate, MarkLogic generates temporary certificates which will cause problems during the handshake. The solution is to remove these temporary certificates with the XQuery snippet in the link.
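The comments and the answer both come down to one check: every DNS name a client actually connects to (the shared cluster name, the load balancer, and each node reached directly) must be matched by a SAN entry in the one certificate, using the hostname-matching rules a TLS client applies. The following audit script is an added example, not from the question or from MarkLogic; the host names in it are constructed placeholders.

```python
"""Audit whether a single certificate's SAN dNSName entries cover every
hostname clients use to reach a MarkLogic cluster.  Matching follows the
RFC 6125 rules a TLS client applies: case-insensitive, and a '*' only as
the whole leftmost label, covering exactly one label.  Added example;
the host names below are constructed placeholders."""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if one SAN dNSName entry (possibly wildcarded) matches hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the entire leftmost label and leave at least two
    # labels after it, so "*.com" or "n*.example.com" never match.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    if len(h_labels) != len(p_labels):
        return False  # '*' covers one label only, not "a.node1.example.com"
    return p_labels[1:] == h_labels[1:]


def uncovered_names(san_dns_names, connection_names):
    """Return the connection names no SAN entry matches (handshake would fail)."""
    return [h for h in connection_names
            if not any(dns_name_matches(p, h) for p in san_dns_names)]


if __name__ == "__main__":
    # Constructed SAN list for one cert meant to serve the whole cluster.
    san = ["cluster.example.com", "lb.example.com", "*.nodes.example.com"]
    # Names clients use: the app server behind HAProxy hits the LB/cluster
    # name, the second app server connects straight to each node.
    targets = ["cluster.example.com", "lb.example.com",
               "node1.nodes.example.com", "node2.nodes.example.com",
               "node3.example.com",            # not under the wildcard
               "NODE1.NODES.EXAMPLE.COM"]      # case-insensitive match
    print("names not covered by the certificate:", uncovered_names(san, targets))
```

Run it against the real SAN list (for example from `openssl x509 -noout -ext subjectAltName`) and the docker-mapped names the load balancer and the direct-connecting app server actually use; anything it reports is a name the handshake will reject.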