Documentation - Redise Cloud

A guide to Redise Cloud operation and administration


Securing Connections with SSL/TLS

This document describes the steps required to install and configure stunnel – an open-source, secure proxy – to connect to an SSL-enabled Redis Labs resource, such as Redise Cloud.

To use SSL/TLS with your Redise Cloud database, please first contact support to get this configured. Using SSL requires setup of both your Redise Cloud database and your application, as described below.

Setting Up Your Database

  1. Log in to your account and navigate to the Database page in the top right menu.
  2. Select the database you wish to connect to and click the Edit button.
  3. Under the Access Control & Security section, make sure SSL Client Authentication is selected.
  4. Set the resource’s client certificate in one of the following ways.
    1. Bring Your Own Key:
      1. If you have your own X.509-compliant certificate, paste it into the textbox with the “Enter Client Certificate” comment.
      2. Click the Download Redis Labs’ Certification Authority link to obtain the service certification authority.
    2. Generate a Certificate:
      1. Use the Generate Client Certificate button to generate a client certificate.
      2. The generated certificate’s public key will be displayed in the textbox.
      3. This will also trigger an automatic download of a zip archive with the following contents:
        1. garantia_user.crt – the certificate’s public key.
        2. garantia_user_private.key – the certificate’s private key.
        3. garantia_ca.pem – the service’s certification authority.
  5. Click the Update button to apply the changes to your resource.

Important: Once SSL is enabled, your database will no longer accept regular, non-SSL connections.

Setting Up Your Application

Connect to your client host, then set up and start stunnel as described in the section below for your client’s OS. Once done, configure your client to connect to stunnel (i.e. 127.0.0.1:6379 in the examples below) instead of your resource’s endpoint.

Testing Secure Connectivity to a Redis Cloud Resource

You can test the connection from your client using redis-cli, for example:

$ redis-cli PING

OS-Specific Instructions for Setting Up stunnel

Ubuntu 12.04

  1. Install stunnel:

$ apt-get install stunnel

  2. Copy all certificate files to /etc/stunnel.
  3. Change the permissions of the private key:

$ chown root:root /etc/stunnel/garantia_user_private.key
$ chmod 0600 /etc/stunnel/garantia_user_private.key

  4. Create a configuration file named /etc/stunnel/redislabs.conf as shown in the sample below – make sure that you replace host and port in the last line with your resource’s host and port.
  5. Enable the stunnel service by editing /etc/default/stunnel4 and changing the line that says ENABLED=0 to ENABLED=1.
  6. Start the stunnel service:

$ service stunnel4 start

CentOS 6.5

  1. Install stunnel:

$ yum install stunnel

  2. Copy all certificate files to /etc/stunnel.
  3. Change the permissions of the private key:

$ chown root:root /etc/stunnel/garantia_user_private.key
$ chmod 0600 /etc/stunnel/garantia_user_private.key

  4. Create a configuration file named /etc/stunnel/stunnel.conf as shown in the sample below – make sure that you replace host and port in the last line with your resource’s host and port.
  5. Configure stunnel to run as a daemon by creating the following /etc/init.d/stunnel file:

#!/bin/bash
#
# stunnel       Starts/stops the "stunnel" daemon
#
# chkconfig:   345 95 5
# description: Provides SSL client/server tunneling
### BEGIN INIT INFO
# Provides: stunnel
# Required-Start: $local_fs
# Required-Stop: $local_fs
# Default-Start: 345
# Default-Stop: 95
# Short-Description: Starts/stops the "stunnel" daemon
# Description:       Provides SSL client/server tunneling
### END INIT INFO

# Source the Red Hat init helper functions (daemon, killproc, status).
. /etc/init.d/functions

# Nothing to do if the stunnel binary is not installed.
test -x /usr/bin/stunnel || exit 0

RETVAL=0
prog="stunnel"

start() {
    # The lock file marks the service as already running.
    if [ ! -f /var/lock/subsys/stunnel ]; then
        echo -n $"Starting $prog: "
        # With no argument stunnel reads /etc/stunnel/stunnel.conf.
        daemon /usr/bin/stunnel
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/stunnel
        echo
    fi
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    killproc /usr/bin/stunnel
    RETVAL=$?
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/stunnel
    echo
    return $RETVAL
}

restart() {
    stop
    start
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    reload|restart)
        restart
        ;;
    condrestart)
        # Restart only if the service is currently running.
        if [ -f /var/lock/subsys/stunnel ]; then
            restart
        fi
        ;;
    status)
        status /usr/bin/stunnel
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status}"
        exit 1
esac
exit $RETVAL

Then run the following commands to set the file permissions and start the service correctly:

chown root:root /etc/init.d/stunnel
chmod 0755 /etc/init.d/stunnel
chkconfig --add /etc/init.d/stunnel
stunnel /etc/stunnel/redislabs.conf
service stunnel start

Sample stunnel Configuration File

Use the following stunnel configuration file to have your client open secure connections to your Redis Labs resources via port 6379 of your localhost:

cert = /etc/stunnel/garantia_user.crt
key = /etc/stunnel/garantia_user_private.key
cafile = /etc/stunnel/garantia_ca.pem
verify = 2
delay = yes

[redislabs]
client = yes
accept = 127.0.0.1:6379
connect = host:port
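As an added example (not part of the Redis Labs documentation), a small Python check that parses a configuration in this format and flags the settings that weaken the tunnel: verify below 2, no CAfile, an accept address beyond loopback, or the host:port placeholder left in place; it also checks the private-key mode from the chown/chmod step above. The function names and finding messages are this example's own.

```python
import stat

# Constructed test input: a copy of the page's sample stunnel configuration.
SAMPLE_CONF = """\
cert = /etc/stunnel/garantia_user.crt
key = /etc/stunnel/garantia_user_private.key
cafile = /etc/stunnel/garantia_ca.pem
verify = 2
[redislabs]
client = yes
accept = 127.0.0.1:6379
connect = host:port
"""

def parse_stunnel_conf(text):
    """stunnel configs are INI-like: global options first, then [service] sections."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            services[current] = {}
            continue
        key, _, value = line.partition("=")
        (global_opts if current is None else services[current])[key.strip().lower()] = value.strip()
    return global_opts, services

def audit_client_conf(text):
    """Return findings for a client-mode config; an empty list means every check passed."""
    g, services = parse_stunnel_conf(text)
    findings = []
    # verify = 2 validates the server chain against CAfile; lower levels accept any certificate.
    if g.get("verify", "0") not in ("2", "3", "4"):
        findings.append("global: set 'verify = 2' so the server certificate is validated")
    if "cafile" not in g and "capath" not in g:
        findings.append("global: no CAfile/CApath to validate the server certificate against")
    findings += [f"global: '{o}' missing; SSL client authentication will fail" for o in ("cert", "key") if o not in g]
    for name, opts in services.items():
        if opts.get("client", "no").lower() != "yes":
            findings.append(f"[{name}]: 'client = yes' is required for an outbound tunnel")
        if opts.get("accept", "").rpartition(":")[0] not in ("127.0.0.1", "localhost", "::1"):
            findings.append(f"[{name}]: 'accept' exposes the plaintext side beyond loopback")
        if opts.get("connect", "host:port") == "host:port":
            findings.append(f"[{name}]: 'connect' still holds the host:port placeholder")
    return findings

def key_mode_is_private(mode):  # True when no group/other bits are set, as after chmod 0600
    return stat.S_IMODE(mode) & 0o077 == 0
```

Run audit_client_conf on the file you deploy and key_mode_is_private on os.stat(key_path).st_mode; the sample above passes every check except the host:port placeholder.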