Securing an EFM cluster

Learn how to secure intra-cluster communication between Edge Flow Manager (EFM) instances in a clustered mode. To do so, you need to install Stunnel and configure EFM to install Stunnel.

By default, intra-cluster communication is through unsecure TCP. It is assumed that all EFM instances must be running in a Virtual Private Cloud and the cluster communication port must not be open to public networks.

To secure intra-cluster communication, EFM supports an external, third-party utility for TCP TLS tunneling called Stunnel. The following section is an example configuration for enabling Stunnel communication.

Install Stunnel

Stunnel is available on most major Linux distributions, including those supported for EFM.

Stunnel version 5.x is required. EFM is tested with Stunnel 5.56 specifically.

To install Stunnel, run yum install stunnel or apt-get update && apt-get install stunnel.

Configure EFM to use Stunnel

Following is an example of configuring EFM to use Stunnel:
# Cluster TLS/SSL Tunnel Properties
#  enabled: enable secure communication within the cluster via a stunnel proxy
#  command: the command or path to executable for stunnel, which must be installed, e.g., /usr/bin/stunnel
#  logLevel: the level of stunnel debug output: emerg|alert|crit|err|warning|notice|info|debug
#  logFile: (optional) if specified, the file to use for stunnel logs. if not specified, output is to EFM App Log
#  caFile: The file containing Certificate Authority certificates. Must be PEM format.
#  cert: The file containing this cluster node's public certificate. Must be PEM format.
#  key: The file containing this cluster node's private key. Must be PEM format. Can be encrypted or unencrypted
#  keyPassword: (optional) If the key file is encrypted with a password, the password to decrypt the key file.
#  proxyServerPort: the port that will receive the TLS traffic and redirect to Hazelcast (default 10090)
#  proxyClientPortStart: starting with the given port, the ports used to proxy communication with other cluster members
#  over the secure TLS tunnel (default 10091). The number of ports used is one fewer than the number of cluster members.
#  For additional Stunnel configuration options, see https://www.stunnel.org/static/stunnel.html
#  global options, service level options, or client-/server-specific server options can be specified as
#  key-value pairs with the appropriate prefix efm.cluster.stunnel.[global|service|clientService|serverService].*
efm.cluster.stunnel.enabled=true
efm.cluster.stunnel.command=/usr/bin/stunnel
efm.cluster.stunnel.caFile=/path/to/keys/ca-cert.pem
efm.cluster.stunnel.cert=/path/to/keys/efm-node-cert.pem
efm.cluster.stunnel.key=/path/to/keys/efm-nod-key.pem
efm.cluster.stunnel.keyPassword=keyPemFilePassword
# The proxy server port that will receive the TLS traffic and redirect to local hazelcast instance (default is 9000)
efm.cluster.stunnel.proxyServerPort=9000
# Starting with the given port,the ports are used to proxy the TLS traffic to other cluster members (default is 9001)
# the number of ports used will be equal to cluster members -1
efm.cluster.stunnel.proxyClientPortStart=9001