# Using Memurai 3 with TLS support

If you need to ensure a secure channel of communication between your Memurai clients and servers, you'll want to configure Memurai 3's TLS support. Since version 3, Memurai comes with OpenSSL and TLS support built in. All you have to do is provide your certificate files to Memurai's executable.

## Creating your certificate file on Windows

The first thing to do is to install the tool that will generate the certificate file. If you already have one of these tools and know how to use it, you can skip the following section.

### Installing OpenSSL on your Windows box

Since Windows' native tools will not make it easy for you to generate and have access to the required files, you're better off using OpenSSL for this. If you don't already have it installed on your system, you'll want to download one of the [existing binaries](https://wiki.openssl.org/index.php/Binaries).

However, chances are you already have it installed as part of other software. For instance, if you've installed Git on your computer, then you probably already have it, just not in a location that's part of your PATH. So you have two options:

1. Add the location to the PATH (by default the binary should be under `C:\Program Files\Git\usr\bin\`).
2. Create a PowerShell alias by editing the profile script whose path is stored in the `$PROFILE` variable (this script is loaded at the beginning of each session). With the following line, any future PowerShell instance will have access to the `openssl` executable:

```powershell
Add-Content -Path $PROFILE -Value 'Set-Alias -Name openssl -Value "C:\Program Files\Git\usr\bin\openssl.exe"'
```

### Creating the actual certificate file

Let's assume we have a `tls` folder to store all generated files.
First, we need to create a configuration file called `openssl.cnf` inside it, with the following content:

```
[ server_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = server

[ client_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = client
```

Then we can run the following commands in PowerShell.

#### 1. Create a CA key and certificate

```powershell
openssl genrsa -out tls/ca.key 4096
openssl req -x509 -new -nodes -sha256 -key tls/ca.key -days 3650 -subj '/O=Memurai Test/CN=Certificate Authority' -out tls/ca.crt
```

#### 2. Create the server files

```powershell
openssl genrsa -out tls/server.key 2048
openssl req -new -sha256 -subj "/O=Memurai Test/CN=Server-only" -key tls/server.key | openssl x509 -req -sha256 -CA tls/ca.crt -CAkey tls/ca.key -CAserial tls/ca.txt -CAcreateserial -days 365 -extfile tls/openssl.cnf -extensions server_cert -out tls/server.crt
```

#### 3. Now create the client files

```powershell
openssl genrsa -out tls/client.key 2048
openssl req -new -sha256 -subj "/O=Memurai Test/CN=Client-only" -key tls/client.key | openssl x509 -req -sha256 -CA tls/ca.crt -CAkey tls/ca.key -CAserial tls/ca.txt -CAcreateserial -days 365 -extfile tls/openssl.cnf -extensions client_cert -out tls/client.crt
```

With the files created, the next thing is to understand how to let Memurai know where they're located.

## Running Memurai with TLS support

There are two ways for you to execute Memurai: as a standalone process or as a service (if you're coming from Linux, this would be the daemon option).

**Note:** Unless you're running tests against a Memurai instance, the recommended way to execute Memurai is as a service.
To run Memurai as a standalone process, you can specify the TLS file paths with the following command line arguments:

```powershell
memurai.exe --tls-cert-file tls/server.crt `
            --tls-key-file tls/server.key `
            --tls-ca-cert-file tls/ca.crt
```

Keep in mind that running it this way makes Memurai's process a child of the current terminal instance, so the moment you close the terminal, the Memurai process will be killed with it. If you want to make sure Memurai keeps running when you're not there, go with the service alternative.

### Running Memurai as a service with TLS support

The first thing to do is to install the service; you'll do that with the `--service-install` flag:

```powershell
memurai.exe --service-install --service-name "memurai-with-tls" memurai-tls.conf
```

The above command also specifies a service name (this will become relevant in a minute) and a configuration file. Make sure your configuration file contains all the TLS details, something like this:

```
tls-cert-file tls/server.crt
tls-key-file tls/server.key
tls-ca-cert-file tls/ca.crt
```

Once you've installed the service, you can start it or stop it like this:

```powershell
# start it with
memurai.exe --service-start --service-name "memurai-with-tls"
# stop it with
memurai.exe --service-stop --service-name "memurai-with-tls"
```

If you want more details on how to run Memurai, visit the [Windows Service](https://docs.memurai.com/en/windows-service) section of our docs.

### More configuration options

#### Overriding the default TLS listening port

If your company's security policy requires it, you can change the default TLS port for Memurai to whatever you need. You can even disable the default non-secure port so that only connections through your secured entry point are accepted. To do this, specify the TLS listening port (either inside the config file or as part of your PowerShell command line):

```
port 0
tls-port 443
```

The first option disables the non-TLS port so you only have a secured entry point enabled.
The second option overrides the default TLS port (6379).

#### Disabling client authentication

Out of the box, Memurai will require mutual TLS authentication. This means clients will have to authenticate with a valid certificate. You can disable this with the following option:

```
tls-auth-clients no
```

**Warning:** Make sure you understand the security implications for your infrastructure before you disable this verification.

## Special considerations

If you're using TLS and have Memurai configured with Replication, Cluster mode, or Sentinel, there are certain considerations to keep in mind.

### Memurai + TLS + Replication

The Memurai master server will handle connecting clients and replicas the same way. This means that the above configuration options (including `tls-port` and `tls-auth-clients`) apply to replicas as well. Keep in mind, though, that on the replica servers you'll have to specify `tls-replication yes` to use TLS for outgoing connections to the master.

### Memurai + TLS + Cluster mode

When Memurai Cluster is used, make sure to set `tls-cluster yes` to enable TLS for the cluster bus and cross-node connections.

### Memurai + TLS + Sentinel

Sentinel inherits its networking configuration from the common Memurai configuration, so all of the above applies to Sentinel as well. When connecting to master servers, Sentinel will use the `tls-replication` option to determine whether a TLS or non-TLS connection is required. Also, the same `tls-replication` directive will determine whether Sentinel's port (the port that accepts connections from other Sentinels) will support TLS as well. This means that Sentinel will be configured with `tls-port` if `tls-replication` is enabled.
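As an added example (not Memurai's own code or documentation), here is a small Python lint pass over a Memurai configuration file that checks the directives covered above: the three TLS file paths, `port 0` together with `tls-port`, `tls-auth-clients`, and the `tls-replication` / `tls-cluster` requirements for replicas, Sentinels and cluster nodes. The sample configurations inside are constructed, and the role names passed to `lint_tls` are the example's own convention.

```python
from typing import Dict, List

# Added example (not Memurai's own code): lint the TLS directives described on
# this page in a Memurai configuration file. Sample configs are constructed.
TLS_FILES = ("tls-cert-file", "tls-key-file", "tls-ca-cert-file")


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'directive value' lines; '#' comments and blanks are skipped and
    the last occurrence of a directive wins, as in the server."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            conf[name.lower()] = value.strip()
    return conf


def lint_tls(conf: Dict[str, str], role: str = "standalone") -> List[str]:
    """Return findings for one server. role is standalone, replica, cluster
    or sentinel, mirroring the 'Special considerations' section."""
    findings: List[str] = []
    missing = [d for d in TLS_FILES if d not in conf]
    if missing:
        findings.append("missing TLS file directive(s): " + ", ".join(missing))
    if "tls-port" not in conf:
        findings.append("tls-port not set explicitly: relying on the default")
    if conf.get("port", "6379") != "0":  # 6379 is the default non-TLS port
        findings.append("port not 0: the non-TLS listener is still open")
    if conf.get("tls-auth-clients", "yes").lower() == "no":
        findings.append("tls-auth-clients no: client certificates not required")
    if role in ("replica", "sentinel") and conf.get("tls-replication") != "yes":
        findings.append("tls-replication yes needed for TLS links to the master")
    if role == "cluster" and conf.get("tls-cluster") != "yes":
        findings.append("tls-cluster yes needed for the cluster bus")
    return findings


# Constructed samples: the weak setting next to the corrected configuration.
WEAK_CONF = "tls-cert-file tls/server.crt\ntls-key-file tls/server.key\n" \
            "tls-ca-cert-file tls/ca.crt\ntls-port 443\ntls-auth-clients no\n"
HARDENED_CONF = "port 0\ntls-port 443\ntls-cert-file tls/server.crt\n" \
                "tls-key-file tls/server.key\ntls-ca-cert-file tls/ca.crt\n" \
                "tls-replication yes\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint_tls(parse_config(text), role="replica") or ["ok"])
```

Run it against the `memurai-tls.conf` you pass to `--service-install` (read the file and feed its text to `parse_config`) to catch a forgotten `port 0` or `tls-replication yes` before the service goes live.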