we have a customer that wants to add another DMA to their existing DMS.
The new DMA will be in another network behind a NAT and in another domain. Security is very important and all protocols need to be encrypted.
https is already set up with certificates and from my understanding it is possible to use the same certificates to enable TLS on NAS/NATS.
Also, connection strings for the DMAs are already configured and I have created local users for the communication, but the existing DMS is IP-based and I cannot add the hostname of the new DMA. I guess I will need to switch the whole DMS to a hostname-based one.
What is the recommended way (step by step if possible) to encrypt all communication and add the new DMA to the DMS without breaking the existing DMS?
Also: Is this possible with 10.1, or is an upgrade beforehand a necessity?
I can't help you with the question about a DMA in a different network behind a NAT, but I can help you with your question about encrypting all communication in a DMS.
I will start by recommending the DataMiner Hardening guide. Specifically for encryption, there are 3 things to consider:
- Client to DMS communication
  - The client (Cube, webpage) <-> DMS communication can be secured by configuring the DMS to use https.
- Inter-DMS communication
  - Part of the communication between agents in a cluster is secured when the DMS is configured to use https.
  - Part of the communication between agents in a cluster happens over NATS. We have noticed that DataMiner currently does not support TLS encryption for NATS, but this is aimed to be fixed with the upcoming release (10.4.3).
- DMS to DB communication
  - For STaaS, all communication is secure by default, but if you are using self-hosted storage, securing the communication between the DMS and the databases requires some configuration. The hardening guide points to the relevant parts of the documentation.
I hope this helps. If you have any more questions, feel free to reach out to me.