Secure Global Desktop 4.31 Administration Guide > Security > Securing connections between Secure Global Desktop servers

Securing connections between Secure Global Desktop servers

In a standard installation, the data transmitted between Secure Global Desktop servers in an array (including data sent from the Secure Global Desktop administration tools) is not encrypted. Secure Global Desktop Administrators can secure the connections between array members with SSL/TLS. Using SSL/TLS for these connections ensures that communication only takes place between servers that have authenticated to each other and ensures the integrity of the data.

How secure intra-array communication works

Using SSL/TLS to secure intra-array communication means that each member of the array has to have a valid server peer certificate that has been signed by a trusted certificate authority (CA).

As the server peer certificates are only used internally by Secure Global Desktop, the primary server in the array acts as the CA. The primary has a self-signed CA certificate and a private key. All servers in the array have a copy of the primary's CA certificate in a trusted certificate store (the truststore).

All servers in the array (including the primary) have a server peer certificate and a private key. The server peer certificate is signed with the primary's CA certificate and contains a common name (CN) which is the peer DNS name of the Secure Global Desktop server.

When one member of the array connects to another (or an administration tool connects to an array member), the Secure Global Desktop server being connected to presents its server peer certificate as part of the SSL negotiation. The connecting server evaluates the certificate and checks:

the CN of the certificate matches the peer DNS name of the connecting server;
the expiry date of the certificate; and
the issuer of the certificate, which must be the CA certificate of the primary.

If the certificate is valid, the SSL/TLS connection is established.

Managing CA and server peer certificates

When you enable secure intra-array communication, Secure Global Desktop automatically generates and distributes the CA and server peer certificates to the members of the array. Whenever there is a change in the array structure, Secure Global Desktop automatically updates the CA and server peer certificates as needed:

server joins the array - the primary CA certificate is installed on the new server and the new server obtains a new server peer certificate signed with the primary CA certificate.
server leaves the array - the detached server becomes the primary server in an array containing one server. The detached server creates a new CA certificate and a new server peer certificate for itself.
new primary server - the primary generates a new CA certificate and installs it on all array members. All secondary servers obtain a new server peer certificate signed with the new primary CA certificate.

Administrators can use the tarantella security peerca --show command to view certificates in the truststore. The truststore contains the primary CA certificate.

Enabling secure intra-array communication

Make sure there are no webtop and emulator sessions running in the array, including suspended sessions.
Dismantle the array.
- On the primary server, use the tarantella array detach --secondary server command (or use Array Manager) to detach the secondary servers.
- Only detach one server at a time.
- Wait for the array change to be copied to all members of the array before detaching any more servers. You can tell that this has happened when the tarantella status command returns the same result when you run it on each array member.
Use the tarantella stop command to stop all servers.
Enable secure intra-array communication by running the following command on each server:
```
tarantella config edit --tarantella-config-security-peerssl-enabled 1
```
Use the tarantella start command to start all servers.
Rebuild the array.
- Only add one server at a time.
- On the server joining the array, use the tarantella array join --primary primary_server command to add the server.
- You will be prompted to trust the primary server's CA certificate and the fingerprint of the certificate displays.
- On the primary server, use the tarantella security peerca --show command to display the fingerprint for the primary server's CA certificate.
- Check that the certificate fingerprints match. This is important as it verifies that the secondary is communicating with the genuine primary server.
- If the fingerprints match, complete the array join by accepting the primary server's CA certificate.
- Wait for the array change to be copied to all members of the array before adding any more servers. You can tell that this has happened when the tarantella status command returns the same result when you run it on each array member.

Related topics
Security and Secure Global Desktop Securing client connections with Secure Global Desktop security services The tarantella security peerca command What are peer DNS names and external DNS names?