Microsoft
First published on MSDN on Aug 21, 2017
This article walks you through the steps for encrypting the traffic between web nodes and compute nodes in Linux using self-signed certificates. If a compute node is inside the web node's trust boundary, encryption of this link isn't needed. However, if the compute node resides outside of the trust boundary, consider using the compute node certificate to encrypt the traffic between the web node and the compute node. As a prerequisite, you can spin up a 1-webnode-1-computenode enterprise configuration using the ARM template from here.

On each Linux machine hosting a compute node:


Generate and Install self-signed certificates using the following commands:


For a single compute node, use its IP address as the certificate subject name.

For multiple compute nodes, use the DNS suffix as the certificate subject name.

Example: if you have two compute nodes, CN1.contoso.microsoft.com and CN2.contoso.microsoft.com, the certificate subject name will be CN=contoso.microsoft.com.
cd /etc/ssl/certs
openssl genrsa -out /etc/ssl/private/privateKey.pem 2048
chmod 600 /etc/ssl/private/privateKey.pem
openssl req -new -x509 -key /etc/ssl/private/privateKey.pem -out publicCert.pem -days 3650 -nodes -subj "/CN=10.0.1.4"
openssl x509 -noout -hash -in publicCert.pem
ln -s publicCert.pem "$(openssl x509 -noout -hash -in publicCert.pem).0"
The private key is written to /etc/ssl/private, which is the path nginx.conf references below. The last command names the link after the hash printed by the previous one; for the certificate in this example that hash is 0c73457b, so the link is 0c73457b.0. OpenSSL-based clients look up trusted certificates in /etc/ssl/certs by this hash-named link.

Install nginx


Ubuntu:
apt-get install -y nginx
RedHat:
yum clean all
yum makecache fast
yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install -y nginx
CentOS:
yum install -y epel-release
yum install -y nginx

Modify nginx.conf


Location of nginx.conf
Ubuntu: /etc/nginx/sites-enabled/default
RedHat and CentOS: /etc/nginx/nginx.conf

Replace the server block in the file at the location above with the following (on RedHat and CentOS the server block belongs inside the existing http { } section of nginx.conf; nginx itself needs the surrounding events and http blocks to start):
server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/publicCert.pem;
    ssl_certificate_key /etc/ssl/private/privateKey.pem;
    server_name _;
    location / {
        proxy_pass http://127.0.0.1:12805/;
    }
}

Restart nginx


Ubuntu:
service nginx start
update-rc.d nginx defaults
RedHat:
systemctl start nginx
systemctl enable nginx
iptables --flush
(This removes every iptables rule on the host; allowing inbound TCP 443 alone is the narrower alternative if the firewall carries other rules.)
CentOS:
systemctl start nginx
systemctl enable nginx
Launch the administrator's utility and restart the compute node.

Check Compute Node status using curl


curl https://10.0.1.4/status
This should return a response like the following (curl on the compute node trusts the certificate through the hash-named link created above):
{
    "statusCode": 0,
    "components": null,
    "details": {
        "rMaxPoolSize": 500,
        "rActiveShellCount": 0,
        "rCurrentPoolSize": 5,
        "rCanOpenShell": "True",
        "apiVersion": "1.0",
        "logPath": "/usr/lib64/microsoft-r/rserver/o16n/9.1.0/Microsoft.RServer.ComputeNode/logs"
    }
}

On each Linux machine hosting a web node:


Copy publicCert.pem and its hash-named link (the entry the web node's OpenSSL trust store looks up) from the compute node into /etc/ssl/certs:
scp root@10.0.1.4:/etc/ssl/certs/publicCert.pem /etc/ssl/certs
scp root@10.0.1.4:/etc/ssl/certs/0c73457b.0 /etc/ssl/certs
0c73457b is the hash printed by openssl x509 -noout -hash for the certificate in this example; substitute the value printed for your certificate. scp copies the content the link points to, so the web node ends up with a regular file of that name, which OpenSSL resolves the same way.
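The following script is an added example, not part of the original post or the product: it replays the certificate and hash-link steps from the compute node section in a scratch directory, then checks what an OpenSSL-based client on the web node would see before and after the link exists. It assumes only the openssl CLI; the function names and paths are its own, and the check compares the subject CN only.

```shell
#!/bin/sh
# Added example, not from the original post. Replays the compute-node trust
# setup in a scratch directory and checks what an OpenSSL-based client on the
# web node would see. Assumes the openssl CLI is installed.

# Create the <subject-hash>.0 link that lets OpenSSL find the certificate
# when the directory is used as a CA path. Computes the hash instead of
# hard-coding 0c73457b.0, which is only the value for the post's own cert.
install_trust_link() {
    cert="$1" cadir="$2"
    hash=$(openssl x509 -noout -hash -in "$cert") || return 1
    ln -sfn "$cert" "$cadir/$hash.0" || return 1
    printf '%s\n' "$cadir/$hash.0"
}

# Mimic the client side: chain check against the CA directory, then a subject
# name check. Only the CN is compared here; clients that insist on a
# subjectAltName entry will still reject a CN-only certificate.
verify_node_cert() {
    cert="$1" cadir="$2" host="$3"
    openssl verify -CApath "$cadir" "$cert" 2>/dev/null | grep -q ': OK$' || return 1
    subject=$(openssl x509 -noout -subject -in "$cert") || return 1
    case "$subject" in
        *"CN = $host"|*"CN=$host") return 0 ;;   # OpenSSL 1.1+ / 1.0 formats
    esac
    return 1
}

# End-to-end check with a throwaway key and certificate (constructed here with
# the same openssl invocation as the post, CN set to the compute node's IP).
run_demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/certs"
    openssl genrsa -out "$work/privateKey.pem" 2048 2>/dev/null || return 1
    openssl req -new -x509 -key "$work/privateKey.pem" -out "$work/publicCert.pem" \
        -days 3650 -nodes -subj "/CN=10.0.1.4" 2>/dev/null || return 1
    # Untrusted until the hash link exists.
    if verify_node_cert "$work/publicCert.pem" "$work/certs" 10.0.1.4; then
        echo "FAIL: trusted before link was installed"; return 1
    fi
    install_trust_link "$work/publicCert.pem" "$work/certs" >/dev/null || return 1
    verify_node_cert "$work/publicCert.pem" "$work/certs" 10.0.1.4 \
        || { echo "FAIL: not trusted after link"; return 1; }
    # A name mismatch must still fail even though the chain verifies.
    if verify_node_cert "$work/publicCert.pem" "$work/certs" 10.0.1.5; then
        echo "FAIL: accepted wrong host name"; return 1
    fi
    echo "PASS: web node would trust https://10.0.1.4 via $work/certs"
}

run_demo
```

Point verify_node_cert at the real /etc/ssl/certs and the copied publicCert.pem on the web node to confirm the scp step produced a usable trust entry.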
Open appsettings.json and modify the URIs:
"Uris": {
    "Values": [ "https://10.0.1.4" ]
}
NOTE: If you have multiple compute nodes, make sure to enter every compute node in the URI values. For example:
"Uris": {
    "Values": [ "https://CN1.contoso.microsoft.com", "https://CN2.contoso.microsoft.com" ]
}
Launch the administrator's utility and restart the web node.

Verify the configuration by running diagnostic test on the web node.

NOTE: Self-signed certificates are NOT recommended for production usage. Please obtain a certificate from a trusted Certificate Authority for production usage.