book

Learning MCollective

by Jo Rhett

August 2014

Intermediate to advanced

284 pages

5h 24m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Who This Book Is ForWhat to Expect from MeWhat You Will NeedWhat You’ll Find in This BookHow to Use This BookIPv6 ReadyConventions Used in This BookUsing Code ExamplesSafari® Books OnlineHow to Contact UsAcknowledgments
What Is MCollective?Why Parallel Execution?How MCollective WorksWhy Use MCollectiveHow to Fail with MCollectiveTime to Get Started
RequirementsOperating SystemMiddleware BrokerWhere to InstallPasswords and KeysPuppet Labs RepositorySupported PlatformsConfiguring ActiveMQInstall the SoftwareTune the Configuration FileStart the ServiceFirewall ChangeInstalling ServersInstall the SoftwareServer Configuration FileStart the ServiceCreating a ClientInstall the SoftwareClient Configuration FileSecurity ConsiderationsInstalling from SourceUsing the InstallerCreating an Init ScriptCreating a PackageTesting Your InstallationTroubleshootingPasswordsNetworkingConnector Names
Configuration FileConnectorFactsInventoryInventory ReportsDiscoveryFiltersCombination FiltersLimitsOutputClassesPuppetChefBash Completion
Puppet Enterprisemcomaster
Connector PluginsInstalling Agents from PackagesInstalling Agents from SourceCopy to Plugins DirectoryNotify mcollectivedDisabling AgentsUsing Client PluginsFinding Community PluginsRecommended Plugins
Time SyncKeeping Sessions AliveActivating ChangesServer StatisticsLoggingMonitoring Servers
PuppetInstalling the Puppet ModuleUsing r10kStraight from GitHubConfiguring MCollective Using PuppetHiera Configuration DataSharing Facts with PuppetInstalling Agents with PuppetValidating the InstallationDebuggingChefConfiguring MCollective using ChefSharing Ohai Data with ChefSharing Chef Roles and Recipes as ClassesInstalling Agents with ChefTLS Security LimitationsValidating the InstallationDebugging
Install the Puppet AgentChecking Puppet StatusControlling the Puppet DaemonInvoking Ad Hoc Puppet RunsManipulating Puppet Resource TypesRestricting Which Resources Can Be ControlledBlock MCollective from Puppet Resources

Install the Chef AgentChecking Chef StatusInvoking Ad Hoc Chef Client Runs
Messaging BrokersNetwork SecurityTransport ConnectorsFirewall ConfigurationsIPv6 Dual-Stack EnvironmentsActiveMQ Config StructureDetailed Configuration ReviewBroker DefinitionTopic and Queue TuningAuthentication and AuthorizationTransport ConnectorsManagement InterfacesConclusionActiveMQ ClustersNetwork of BrokersMaster/Slave RedundancyEncrypted Broker LinksConclusionLarge-Scale Broker ConfigurationsUnderstanding MCollective’s NeedsRecommendations for Baseline TuningSupporting Thousands of ServersReaching Globally Diverse ServersUpgrading to ActiveMQ 5.9.1Checking for Known ProblemsConclusion
Anonymous TLSAdvantagesDisadvantagesPuppet Module SetupManual SetupTestingCA-Verified TLS ServersAdvantagesDisadvantagesSetup PathsTLS using Puppet CATLS using Another CAValidate keyStore and trustStoreCA-Verified TLS ClientsClients of the Puppet CAClients Using Another CAChange the Client ConfigurationConclusion
Deciding When to Create MoreCollectives != ClusteringConfiguration TrafficLocalizing TrafficLimiting AccessConclusion
How Authentication WorksPre-Shared Key AuthenticationPuppet SetupSSL AuthenticationServer ConfigurationClient ConfigurationKey SynchronizationRSA Authentication AES EncryptionServer ConfigurationClient ConfigurationKey SynchronizationSSHKey AuthenticationPuppetAuthorizationRule FormatCaller IDsDefining ActionPolicy with PuppetDefining ActionPolicy ManuallyAuditingConclusion
SimpleRPC FrameworkStart with a BaselineValidate InputSend RepliesDefine an Agent DDLRead Config FilesInstall Your AgentTesting the Agent
Executing ScriptsExecuting CommandsAccessing Facts, Agents, and ClassesResults and ExceptionsLogging
Baseline ClientClient FiltersResults and ExceptionsInstall Your Client
Baseline Client ProgramRunning Your Program
Authorization PluginsFacts Plugins
Registration AgentRegistration CollectorRegistration and SSL Security
Create a ListenerSubmit reply-toProcess Responses
Make Use of Configuration ManagementChoose the Best Discovery MethodAuthorize and Audit Each Request
Consider the Strings AnalogyUtilize Support ResourcesRead Blogs
Useful Commands ReferenceUsing r10k to install Puppet ModulesUsing the PuppetLabs MCollective ModuleUsing RabbitMQInstalling RabbitMQConfiguring RabbitMQ with PuppetConfiguring RabbitMQ ManuallyUsing an Exchange with a RabbitMQ Federation
Configuring Debian and Ubuntu FirewallsFreeBSDUsing the Next Generation Package ManagerConfiguring ActiveMQConfiguring the FirewallInstalling AgentsMac OS XInstalling RubyInstalling MCollectiveSolarisInstalling on Solaris 11Installing on Solaris 10 and BeforeWindowsAcquiring RubyAdding the RubyGem DependenciesInstalling MCollectiveManaging Ruby Versions with RVM

Content preview from Learning MCollective

Chapter 11. Middleware Security

In this chapter, we will discuss two different ways to enhance security of your middleware connection. Both of these options use Transport Layer Security (TLS), which is an enhanced version of Secure Sockets Layer (SSL).

Note

Middleware security options control the ability to connect to the broker. Which queues and topics a node can read and write from is controlled by the authorizationEntry configuration documented in “Authentication and Authorization”.

MCollective has its own authorization system that controls whether or not a given MCollective request is allowed on a server, described in “Authorization”.

This layer of security only controls whether or not a node can connect to the broker and whether or not the communication is encrypted.

TLS protects traffic by encrypting it with a pre-arranged symmetric key. This key is used to encrypt the traffic flowing between the two sides. Each side of the TLS connection can (optionally) validate the far side’s X.509 certificate. This asymmetric cryptography can assure that the far side with whom they are communicating is valid prior to sending any data.

Tip

When you connect to your bank’s website, the browser does a cryptographic validation that the website is really your bank’s site. It does this by ensuring that the bank’s public key was signed (in an X.509 certificate) by an authority that the browser recognizes and trusts.

The bank does not usually require your browser to provide a certificate back ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 9781491945681Errata

Learning MCollective

by Jo Rhett

Chapter 11. Middleware Security

Note

Tip

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Russell Rules

What Employees Want Most in Uncertain Times

How to Become a Game-Changing Leader

How You Play the Game

Publisher Resources

Chapter 11. Middleware Security

Note

Tip

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Russell Rules

What Employees Want Most in Uncertain Times

How to Become a Game-Changing Leader

How You Play the Game

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.