NAS/NATS encryption and adding a DMA in another network

Solved839 viewsDMS NAS nat NATS
2
0 Comments

Hello everyone,

we have a customer that wants to add another DMA to their existing DMS.

The new DMA will be in another network behind a NAT and in another domain. Security is very important and all protocols need to be encrypted.

https is already set up with certificates and from my understanding it is possible to use the same certificates to enable TLS on NAS/NATS.

Also connection strings for the DMAs are already configured and I have created local Users for the Communication, but the existing DMS is IP based and I can not add the hostname of the new DMA. I guess I will need to switch the whole DMS to a hostname based one.

What is the recommended way (step by step if possible) to encrypt all communication and add the new DMA to the DMS without breaking the existing DMS?

Also: Is this possible with 10.1, or is an upgrade beforehand a necessity?

Best Regards,

Robert

Marieke Goethals [SLC] [DevOps Catalyst] Selected answer as best 22nd April 2024

1 Answer

0
2.24K 2 Comments

Hi,

I can’t help you with the question about a DMA in a different network behind a NAT, but I can help you with your question about encrypting all communication in a DMS.

I will start by recommending the DataMiner Hardening guide. Specifically for encryption, there are 3 things to consider:

  1. Client to DMS communication
    • The client (cube, webpage) <-> DMS communication can be secured by configuring the DMS to use https.
  2. inter DMS communication
    • Part of the communication between agents in a cluster is secured when the DMS is configured to use https.
    • Part of the communication between agents in a cluster happens over NATS. We have noticed that DataMiner currently does not support TLS encryption for NATS, but this aimed to be fixed with the upcoming release (10.4.3).
  3. DMS to DB communication
    • For STaaS, all communication is secure by default, but if you are using self hosted storage, securing the communication between the DMS and the databases requires some configuration. The hardening guide points to the relevant parts of the documentation.

I hope this helps. If you would have any more questions, feel free to reach out to me.

Marieke Goethals [SLC] [DevOps Catalyst] Selected answer as best 22nd April 2024
Robert Thevis commented

Hello Seppe,
was the TLS encryption implemented with 10.4.3?
If so, what do I need to do to activate it?

Best Regards,
Robert
Seppe Dejonckheere [SLC] [DevOps Advocate] commented

Hi Robert,
We currently have a pull request open to add this information to the docs.
Once this pull request has been accepted, the hardening guide will point you to the right information, but you can already find a (draft) version using the following URL: https://github.com/SkylineCommunications/dataminer-docs/pull/2751

Kind regards,
Seppe